No no no no. Obfuscating Code is against the community standards and will be punished.
That makes no sense. If I’m selling a plugin, I don’t want people to be able to just copy paste its code. If Roblox won’t provide security, then I will take it into my own hands.
Then Roblox will simply moderate your account?
If Roblox says ‘do not do this’ and you proceed to do it, you are practically asking for the consequence.
If you “take it in your own hands” then you will simply get banned. That is how it is.
If ROBLOX says there is a CHANCE and that it may be accidental, it’s not saying that it is DIRECTLY against the rules. Note how it says “may” and not “will”.
It’s completely unfair this Plugin Ripper exists on the Roblox website, in this case. “View source code” as advertised. You can’t obfuscate, but developers can still rip the source only using provided APIs. No!
Hot take edit: If you publish a plugin, paid or unpaid, intend for it to be copied. Do note, if someone rips a paid plugin, this is considered a violation. If you ultimately want to protect your plugin source, don’t publish or distribute under any circumstance.
There is a chance to get away with breaking any rule on Roblox. It still doesn’t mean you can/should break them… Roblox is not saying it’s allowed just because they cannot guarantee every plugin uploaded will result in moderation.
Then how are you supposed to make money if you can’t publish or distribute?
If you wish to make money, then publish it. If you want to protect the source code, don’t. And I should add that even if you get away with obfuscation, most people who steal source code just re-publish it under their own name. And removing security barriers, even obfuscated ones, is a cake walk in Lua.
This. It’s also just like making a game on the platform. Local and module scripts’ sources are always loaded in memory from the client in some form, so you accept the risk of having it stolen by publishing a game (through means of exploiting). Same concept with plugins, they’re in memory and thus are retrievable in some way. Sure, taking its source and re-uploading it may violate copyright laws and whatnot but that doesn’t mean stealing won’t happen.
First, as obfuscators become more and more advanced, and AI progresses, this argument becomes less and less true. A strong obfuscator backed by AI is a serious roadblock.
Second, I find it absolutely infuriating that Roblox refuses to protect our intellectual property, then moderates us for trying to do so ourselves. I understand the argument about malicious code but it’s pretty simple: if you don’t trust a script, don’t execute it. Same rule exists everywhere on the internet. Not sure why Roblox feels the need to play parent here and tell us what we can and can’t do. Furthermore, not sure why I’m being barred from revenue because some other clown wants to misuse a legitimate programming principle.
For games, I can maybe understand, but my case revolves around plugins. It is overwhelmingly easy for someone to just scrape out my entire plugin file and from there it’s all over. Once it’s on the marketplace I can kiss any chance of monetization goodbye. Of course Roblox makes the argument “oh we will moderate the people stealing plugins” but once it’s out it’s out.
TLDR: not sure why Roblox cares about obfuscation when my 80 year old grandmother understands to not execute scripts if you don’t trust their source.
Plugin Ripper uses InsertService:LoadAsset() which will only work if you own the plugin or it is free. Also by free, on any free plugin page there’s literally a download button which downloads the source of the plugin.
That’s such a useless rule! Obfuscation is for security reasons! Why does Roblox not care about security?
Because you can’t know what obfuscated code is doing unless you de-obfuscate it, which can be time consuming, thus making it a security risk. How can anyone know there isn’t a virus hidden in there? Too bad, it’s obfuscated, so the plugin developer can literally run malicious code without anyone knowing.
It’s very simple. Do not download plugins if you do not trust the owner. This is literally a basic rule of using a computer. My grandmother understands this. If you’re unsure of something’s source, do not download it. Roblox does not need to come in and parent developers who are trying to protect their hard work from people who are trying to steal it. As a plugin developer, it’s frankly absurd and one of the most frustrating things I’ve encountered on this platform, to date…
This is like arguing anti-viruses shouldn’t exist, only download from people you trust!
How can you even determine if someone is “trustworthy”? Just because they’re well known doesn’t mean they’re good people (and this is also kind of anti-small-developer, I’m sure everyone trusts the well-known more than the unknown), and I could list hundreds of examples of that off the top of my head specifically in the Roblox community. Even then, what if a well-meaning Plugin Developer uses someone else’s code as part of their Plugin as a Module, with the Module having malicious code and also being obfuscated? Are you suggesting people should audit every single dependency a Plugin has to make sure their owners are “trustworthy”? What if they’ve obfuscated their dependencies somehow, and don’t credit them? How can you check then?
People that don’t want to pay for your Plugin, aren’t going to pay for it, no matter what. People can and will create cracked copies, assuming there’s demand for one, maybe they won’t distribute it on the Creator Hub, they’ll probably go through other routes on other websites, but more often than not I sincerely believe they are simply not able to pay for the Plugins they want due to living in poor economic situations (but you’ll have to ask Elttob that, they ran a survey on it for their Access Anywhere).
Not to mention obfuscation isn’t going to stop people from trying to reverse-engineer your Plugin code just in case, and you can find examples of that on this Forum. Believe it or not, people would rather know that they can check what some arbitrary code on their machine is doing, and going out of your way to obfuscate your code when it doesn’t need to be (unlike compiled .EXEs which need special reverse-engineering programs regardless of international obfuscation) is an easy way to raise suspicion.
I really don’t even think obfuscation was useful in the slightest before Roblox implemented their rules against it. Anything interesting a Script can do, such as accessing Instances or sending HTTP requests, is very easy to detect.
Wasting your time trying to implement such systems won’t lead to more sales on your original version. Everyone would rather take the easier route, and if that means paying for it, they will.
The difference is that you can opt into and configure an antivirus to your liking, and then bypass it if you want to download something that you know is safe but it’s flagging.
I’m not saying Roblox shouldn’t warn users about this; I’m saying it should be the user’s choice.
Abstract: I distribute my plugin as an RBXM file ever since Roblox updated this dumb guideline, and just check an endpoint in that RBXM to see if the current user is whitelisted to use the plugin.
And for the whole obfuscation argument doesn’t work. I made a plugin, and offered 10k robux to any white hat who could crack my obfuscation/encryption. Tens of attempts, 0 success. If you think this obfuscation/encryption(ish) is so easy to bypass I will offer you that same 10k to bypass it and show me how you did it.
Reverse engineering, possible, but would be time consuming beyond belief because my plugin is pretty complex and not the original thing.
So long story short, obfuscation can and does work well for my plugin. Literally the only drawback is the huge performance toll and it’s slightly more time consuming to push updates.
Showing me you can constant dump some other obfuscated code does not mean you can crack my plugin, let’s use some common sense. Here’s the file, I’ll happily give the 10k if you can crack it and use it for free.
EasyLS_PR_Distributable (1).rbxm (427.7 KB)
Hi, sorry for the delay, I was busy with other stuff.
Anyway, after wasting a bunch of time going a much slower route by accident, I’ve managed to get it to trigger a :UserOwnsGamePassAsync for this Pass: , a StudioService:GetUserId, a message saying “Retrieved EZLS whitelist from gamepass”, and right now I seem to have somehow gotten it to spit out some of the original code as it errors?
So, I guess Luraph doesn’t get rid of variable names? It’s also called DockWidgetPluginGuiInfo.new twice, both with different settings, and called plugin:CreateToolbar. I’m not entirely sure how far I am in the Plugin’s initialization, but I would think I’m post-authentication if it’s trying to create the GUIs? Even if I’m not, I feel like I’m pretty close.
Oh, I’m just looking at the logs and it looks like I found a HttpService:RequestAsync call to the endpoint “https://api.onpointrblx.com/vendr/v2/licences/getlicence/roblox/USER_ID/RH9gSQf0ed/EasyLS Plugin”, and the warning “EasyLS_VER_B0.7.420” in the Output. I haven’t gotten the actual plugin to work yet though, I haven’t even been running it as a plugin.
UPDATE An hour later, I got a different log, that being “Retrieved EZLS whitelist from vendr”, and it started doing a ton of UI stuff, like connecting to .MouseButton1Click and setting a version textlabel, as well as require-ing a “KeyframeCompiler”, so I think the actual plugin has attempted to load. I think I’ll end off here for now though.
To clarify, I haven’t gotten it to actually work yet. From my previous experience with plugins, I think it’ll be very tedious to constantly get an error and have to re-load the plugin, because I’m playing with a blackbox. It’s still obfuscated, it’s just that I’ve tricked the ownership verification part.