|
| 03 Aug 2012 12:48 AM |
They rolled out the loadstring() update!
Trying valid bytecode returns a nil value instead of a function value.
WE CAN HAVE NO MORE NICE THINGS. |
|
|
|
|
TheMyrco
|
  |
| Joined: 13 Aug 2011 |
| Total Posts: 15105 |
|
| |
|
|
| 03 Aug 2012 12:55 AM |
Yep. We tested it, like, just now. We're probably the first to realize it, since bytecode was still working like 15 minutes ago.
loadstring will now refuse to load bytecode and give you nil instead, as if your function had a syntax error.
Every single place with obfuscated code is now officially broken.
The exploit will now not work either. |
|
|
|
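The behaviour described in the post above, sketched for stock Lua 5.1 as an added example. It is not part of the thread and not ROBLOX's implementation, and the name `text_only_loadstring` is hypothetical.

```lua
-- Added example: a loadstring wrapper that accepts source text only.
-- Targets stock Lua 5.1, where loadstring() exists.
local raw_loadstring = loadstring
local ESC = 27  -- first byte of the "\27Lua" binary-chunk signature

-- Returns a function on success, or nil plus a message, matching the
-- contract of the stock loadstring so existing callers keep working.
local function text_only_loadstring(chunk, chunkname)
  if type(chunk) ~= "string" then
    return nil, "chunk must be a string"
  end
  -- Lua 5.1 selects the bytecode loader from the first byte alone, so the
  -- check uses that byte rather than the full four-byte signature.
  if chunk:byte(1) == ESC then
    return nil, "binary chunks are not accepted"
  end
  return raw_loadstring(chunk, chunkname)
end

-- Self-check with constructed inputs.
local source   = "return 1 + 1"
local compiled = string.dump(raw_loadstring(source))  -- precompiled form

local f = assert(text_only_loadstring(source))
assert(f() == 2)

local g, err = text_only_loadstring(compiled)
assert(g == nil and err == "binary chunks are not accepted")

-- A truncated header would still be routed to the bytecode loader by
-- stock Lua, so it is refused as well.
assert(text_only_loadstring("\27") == nil)

-- Ordinary syntax errors still come back as nil plus a message.
local h, syntax_err = text_only_loadstring("return +")
assert(h == nil and type(syntax_err) == "string")

print("ok")
```

Callers that already test the return value for nil, as they would for a syntax error, need no changes; code that relied on loading `string.dump` output has to ship source text instead.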
|
Sorcus
|
  |
 |
| Joined: 29 Nov 2010 |
| Total Posts: 3775 |
|
| |
|
TinpotOps
|
  |
| Joined: 22 Jul 2012 |
| Total Posts: 813 |
|
|
| 03 Aug 2012 12:58 AM |
:( no more goody goody :(
~swagmuscles represent |
|
|
|
|
Sucors
|
  |
| Joined: 31 Jul 2012 |
| Total Posts: 1 |
|
|
| 03 Aug 2012 12:58 AM |
Sorcus, you really need to be herin a scripter. You should feel bad about this: >if result == true then result = "true" else result = "false" end
BAD SORCUS, BAD
~Sucors |
|
|
|
|
Sorcus
|
  |
 |
| Joined: 29 Nov 2010 |
| Total Posts: 3775 |
|
|
| 03 Aug 2012 12:59 AM |
That looks fine to me.
~Sorcus |
|
|
|
|
TheMyrco
|
  |
| Joined: 13 Aug 2011 |
| Total Posts: 15105 |
|
|
| 03 Aug 2012 12:59 AM |
I said inb4xLEGOx, not inb4Sorcus >:o
But this update does fix the bytecode exploit as it cannot load anymore, but places will break :/ |
|
|
|
|
|
| 03 Aug 2012 01:00 AM |
@Sorcus
I didn't know you could do this without rolling an update... well, I knew you could on the servers but not without a maintenance.
Anyway, good job. Although I did have fun with the exploit, I am much more happy as a scripter that it was patched than I am sad of not being able to play with it anymore.
The wiki is already being updated (by Legend26) and I've just notified the Scripting Helpers forum of it (some of them probably have obfuscated places).
Thank you for removing bytecode. We didn't need it, it was an unneeded load on the code and it also caused security flaws. |
|
|
|
|
Solotaire
|
  |
| Joined: 30 Jul 2009 |
| Total Posts: 30356 |
|
| |
|
Sorcus
|
  |
 |
| Joined: 29 Nov 2010 |
| Total Posts: 3775 |
|
|
| 03 Aug 2012 01:01 AM |
Very nice summary, Julien. Expect all security patches to go out in a matter of days. Block all skiddies and make ROBLOX, exploit plague, free again.
~Sorcus |
|
|
|
|
oxcool1
|
  |
| Joined: 05 Nov 2009 |
| Total Posts: 15444 |
|
| |
|
klkl
|
  |
| Joined: 29 Aug 2007 |
| Total Posts: 887 |
|
|
| 03 Aug 2012 01:02 AM |
GGNoReRe
you win this time :( |
|
|
|
|
|
| 03 Aug 2012 01:03 AM |
@Sorcus
YAY!
How many days until it's all patched?
Also, the source of script has already stopped replicating, right?
If so, that means already 2 fixes are there. Bytecode loading + script source replication.
We just need that replication filter and client-studio separation and exploiting will become an unknown word on ROBLOX! :D |
|
|
|
|
|
| 03 Aug 2012 01:04 AM |
@Sorcus: >Block all skiddies and make ROBLOX, exploit plague, free again.
>implying separating studio and optional replication fixes everything
nop nop h4x0rs like popinman322 will find new and more exciting ways to inject dlls
I'm glad things turned out this way. I look forward to thousands of people having to modify their code in some way because ROBLOX killed a standard Lua 5.1 feature :3 The very notion of this gives me a sick, twisted pleasure. |
|
|
|
|
|
| 03 Aug 2012 01:04 AM |
"But you still can load bytecode in client-side..."
They just need to roll an update and it'll be patched.
No problem there. |
|
|
|
|
3543
|
  |
| Joined: 03 Dec 2011 |
| Total Posts: 121 |
|
|
| 03 Aug 2012 01:05 AM |
The anti-exploit script messed up code stuffz:
if result == true then result = "true" else result = "false" end
is the same as,
result = tostring(result)
The loadstring/bytecode fix:
Thanks for fixing it before it got out to everyone (besides just us), Very very good.
And then soon there'll be the replication control with lua and the client and studio separation and most of the commonly used exploits will be fixed, along with all future ones.
You guys are doing a great job. Roblox seems to be getting better all the time now.
|
|
|
|
|
oxcool1
|
  |
| Joined: 05 Nov 2009 |
| Total Posts: 15444 |
|
| |
|
coplox
|
  |
| Joined: 07 Jun 2008 |
| Total Posts: 3252 |
|
|
| 03 Aug 2012 01:06 AM |
@Sorcus, You said that the security patches will roll out in a matter of days.
Does that mean RobloxPlayer.exe and RobloxStudio.exe will be different now?
Well, as a wise man recently said; "YAY!" |
|
|
|
|
Legend26
|
  |
| Joined: 08 Sep 2008 |
| Total Posts: 10586 |
|
|
| 03 Aug 2012 01:07 AM |
"Expect all security patches to go out in a matter of days. Block all skiddies and make ROBLOX, exploit plague, free again."
:D When can we FINALLY use the security API? It's been 3 MONTHS! O_O
"I look forward to thousands of people having to modify their code in some way because ROBLOX killed a standard Lua 5.1 feature :3"
Yea, I have to fix the place we were just at (alt acc) as well as one of this account's places. Besides that though...nothing much. |
|
|
|
|
Sorcus
|
  |
 |
| Joined: 29 Nov 2010 |
| Total Posts: 3775 |
|
|
| 03 Aug 2012 01:08 AM |
Necro, I can't wait to see! These are but the first of few security patches to come. To be honest, Popin or Stravant are way more sophisticated than Expoop dudes. And loading bytecode was a useless feature. No reason to have it around. And your point of restricting client being valid, we are just going to leave it to teh Game Designer to do it for his own game. Makes perfect sense to me.
Client update will be soon.
~Sorcus |
|
|
|
|
|
| 03 Aug 2012 01:10 AM |
@Sorcus
Since you're at it, can you tell us about the other security changes we don't know about yet?
Or is there even any?
Even just these would make me extremely happy. |
|
|
|
|
oxcool1
|
  |
| Joined: 05 Nov 2009 |
| Total Posts: 15444 |
|
| |
|
Sorcus
|
  |
 |
| Joined: 29 Nov 2010 |
| Total Posts: 3775 |
|
|
| 03 Aug 2012 01:14 AM |
Can't reveal specifics at this moment. Need to make sure everything is bullet proof.
~Sorcus |
|
|
|
|
3543
|
  |
| Joined: 03 Dec 2011 |
| Total Posts: 121 |
|
|
| 03 Aug 2012 01:16 AM |
That means more security updates soon/later? YES! |
|
|
|
|