|
I have no idea what any of this, except the last 5 words, means.
|
|
Elopus001 Join Date: 2011-08-28 Post Count: 482 |
I think Crazyman32 knows how to do this. loadstring and a couple other commands involving _G in a ServerScriptService folder... :) Still testing. |
|
Elopus001 Join Date: 2011-08-28 Post Count: 482 |
Wait. This seems like a bad idea. I don't want to be unable to test my games... |
|
|
Elopus001 Join Date: 2011-08-28 Post Count: 482 |
If there is an exploit that allows you to view scripts in workspace then make a script that moves everything from ServerScriptService to workspace. |
|
Elopus001 Join Date: 2011-08-28 Post Count: 482 |
If it adds it there...I have no clue. Someone else should do this. |
|
|
@Elopus001
what are you talking about?...
he's not asking for you to move a modulescript to the workspace and read the source... he's asking you to get the source of a COPYLOCKED modulescript -- one you load by the Asset ID... via require(assetid) |
|
Krauzz Join Date: 2012-09-24 Post Count: 104 |
^LOL |
|
|
Seranok Join Date: 2009-12-12 Post Count: 11083 |
I updated my ModuleScript to return a table like so:
return {
test = function() end
}
This made it possible to get a reference to the ModuleScript:
getfenv(require(165456864).test).script.Parent = Workspace
oxcool1 discovered that you could then call :SavePlace and voila, you have the ModuleScript.
So we tried this in the ModuleScript:
script:Destroy()
return {
test = function() end
}
It is still possible to get a reference to the ModuleScript, but since you can't re-parent the ModuleScript you can't serialize it.
The only other known possibility, which has been mentioned by numerous people, is to use string.dump to get the bytecode for methods of the ModuleScript. However, it is easy to get around this by wrapping your functions or using metatables and the __call metamethod.
|
|
Seranok Join Date: 2009-12-12 Post Count: 11083 |
Oh and oxcool1 suggested using ScriptContext.Error so if the ModuleScript errored you could get a reference to the script and then parent it to the Workspace. This won't work with the ModuleScript:Destroy() method. |
|
Seranok Join Date: 2009-12-12 Post Count: 11083 |
Update:
It looks like ScriptContext.Error will never fire for ModuleScript. It will always fire with a reference to the script which ultimately called the ModuleScript function. So setting script = nil should suffice in making it impossible to ever get a reference to the ModuleScript.
RenderSettings pointed out that :Clone() works on deleted objects, so as long as one has a reference to the ModuleScript, you can clone it, parent the clone to the Workspace, and call :SavePlace().
So if there is a method to get a reference to a ModuleScript, then its source can be stolen, plain and simple. |
|
Seranok Join Date: 2009-12-12 Post Count: 11083 |
How to write a secure ModuleScript [preliminary]:
* Upload it on an account which has no active places. This will prevent an exploiter from joining one of the creator's places and then calling InsertService:LoadAsset to get the ModuleScript.
* Make sure your ModuleScript sets script = nil and doesn't keep any references to itself.
* Use local variables so that if the caller calls setfenv on the functions in your ModuleScript it will be unaffected.
* Wrap your functions somehow so that string.dump won't be able to steal sensitive parts of your code. |
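The checklist above, combined with the earlier suggestion to wrap functions behind the __call metamethod, as one ModuleScript body. This is an added example, not part of the original posts; the names SECRET_FACTOR, computeScore and seal are hypothetical, and it assumes the Lua 5.1 semantics the thread discusses.

```lua
-- Added example: hardened ModuleScript body (not code from the thread).
-- SECRET_FACTOR, computeScore and seal are hypothetical names.

-- Capture the globals we rely on as local upvalues before anything else, so a
-- caller that swaps a function environment with setfenv cannot redirect them.
local setmetatable, type, error = setmetatable, type, error

-- Drop the environment's reference to this ModuleScript instance. Nothing
-- below keeps `script` in a local, an upvalue or the returned table.
script = nil

local SECRET_FACTOR = 7  -- constructed sample value

local function computeScore(points)
    if type(points) ~= "number" then
        error("points must be a number", 2)
    end
    return points * SECRET_FACTOR
end

-- Hand out a callable table instead of the function itself. In Lua 5.1,
-- string.dump, getfenv and setfenv all reject a table argument, so the caller
-- has no function value to dump or to read an environment from.
-- The __metatable field makes getmetatable return "locked" rather than the
-- metatable that holds the closure over the real function.
local function seal(fn)
    return setmetatable({}, {
        __call = function(_, ...)
            return fn(...)
        end,
        __metatable = "locked",
    })
end

-- A ModuleScript returns exactly one value: the table of sealed entry points.
return {
    computeScore = seal(computeScore),
}
```

Callers invoke the sealed entry with dot syntax, for example `module.computeScore(6)`; colon syntax would pass the module table as the first argument.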
|
|
Are you going to RobloxLocked ModuleScripts required via assetId?
That would prevent it from being parented, right? |
|
Seranok Join Date: 2009-12-12 Post Count: 11083 |
That's not necessary. Setting script = nil removes all references to the ModuleScript so the calling script can't reparent it. |
|
|
True, but it would remove the possibility for all ModuleScripts, and not just those whose creators are aware that they have to say script = nil. |
|
Diitto Join Date: 2011-03-08 Post Count: 92 |
1) The string.dump function is currently broken in online mode (probably due to security reasons), so you can't steal that way.
2) It seems that in some update, ROBLOX removed doing getfenv(Function).script, so that's taken care of.
Now, here's the issue. What if you wished to execute code safely on the client? You cannot require(assetId) via a LocalScript, and if you send the module, the reference could lead to module theft.
Excuse me for the necro bump. |
|
cntkillme Join Date: 2008-04-07 Post Count: 49450 |
Why did you bump this, it's months old...
And also #2 worked like 2 weeks ago, you're probably doing something wrong. |
|
gskw Join Date: 2013-01-05 Post Count: 1364 |
@cnt Really? That is a serious problem for Valkyrie... |
|
gskw Join Date: 2013-01-05 Post Count: 1364 |
Excuse my stupidity, setfenv() exists and nuking stuff is already taken care of. |
|
|
@Luc
That key is fully visible to Fiddler. If you were to get data and then send a request with the changed value, it would update it on the server.
Total Posts: 404 ---------- Not Found |
|
eLunate Join Date: 2014-07-29 Post Count: 13268 |
Lol gskw forgetting I already nuked all the external environments. |
|
cntkillme Join Date: 2008-04-07 Post Count: 49450 |
Yeah elunate is better than that :( |
|
Diitto Join Date: 2011-03-08 Post Count: 92 |
@cnt 9 months old thread == 1 second old thread |
|
cntkillme Join Date: 2008-04-07 Post Count: 49450 |
@Diitto 9-month-old threads shouldn't be bumped unless the OP has more questions and doesn't want to create another thread. |
|