It can still probably be leaked. The option not showing on paid plugins probably has nothing to do with Roblox but with the plugin creator trying to not make it so people can steal paid plugins.
Wouldn’t that be putting their own Trello Token at risk. They are sharing their Trello Token to others. The goal is to have 1 database in which the server can check all the people using a certain network. But if is susceptible such stuff, what databse would be the best to use?
The network code itself shouldn’t be the trello key.
This really is a open ended question, because in order to do this in a secure and proper means, it’ll get relatively complex, relatively quick.
Let’s say I open the plugin, and create a network. Upon doing so, you can send a request to your webserver, and create two new keys on the webserver, a authentication token, and a ‘network_id’.
Upon creating both of these things, you also create (on your webserver) a database for the given network_id. This database will be what contains all information the plugin will need, ie; bans, etc…
Now that your database, network id, and authentication code are created, you will want to return the network id and authentication code. Now the authentication code can just be any UUID, it will be a code in which is required to make new requests to the database, for example add a new ban. However, in order to receive information, the authentication code wouldn’t be required; only the network id.
-- The following code is pseudo code; lua.
local networkID, authentication = httpService:PostAsync('https://website.com/networking/create')
-- Now that our network & authentication code is created, we can do multiple things.
httpService:PostAsync(string.format('https://website.com/network/%s/ban?userid=%d&auth=%s', networkID, 1, authentication))
-- https://website.com/network/158215/ban?userid=1&auth=d81Un0jIXK
-- Let's break this down now!
-- Firstly we create a new network, on our server this will create a database!
-- After we create the database, it will return a network ID & a authentication code
-- From there, we can post to our database, with the key being the network, however we want to ensure the owner of the database is the only one who can post!
-- So in order to do so, we create an authentication key, which is required on the server.
-- We then specify the user id and the action, in this case; ban & action 1. Ban UserID 1.
-- Now let's show an open ended response, where everyone can get the ban list!
httpService:GetAsync(string.format('https://website.com/network/%s/bans', networkID))
-- https://website.com/network/158215/bans
-- This should return our batabase of bans, notice how nothing more then the network id
-- will be required; meaning the authentication token remains hidden!
This is a really interesting and unique case to look at, so perhaps I make a elongated tutorial on this, seeing as I really only went over the lua side.
You can use insert service to load the source of plugins which are in your inventory.
game:GetService("InsertService"):LoadAsset(pluginId).Parent = workspace
This does not work with paid plugins.
Can’t anyone access the web server if they know the link? Or use HttpService and paste the same code to get the Token and modify the Trello Board?
There is a public deobfuscator that is paid and it supports IronBrew2, AztupBrew, PSU 4.5.A, MoonSec V2, and MoonSec V3
Every plugin can be leaked very easily by anyone who has it installed, no matter if it costs robux or if it’s free. When someone installs it, they can find the .rbxm file of the plugin’s source code in a folder in appdata with the plugin’s ID, and all they need to do is to drag the rbxm file to roblox studio and then they have your source code