Hi! I recently released a service where I provide auto-ranking application centers and such. As of now, I have it to where I keep the source code and the user gets no source because the system gets access to account passwords and such. (ROBLOSECURITY)
I absolutely hate that I can’t provide users with satisfaction because of security issues but I don’t want people to get access to the source code and all that.
I could use require(module), but they can easily just get the module from the id.
Any ideas on how I could possibly hide the require(module) or hide the module itself?
I am aware there are many unneeded words in this paragraph. Also, I am sorry if there was another post like this; I probably didn't see it when I searched.
I understand your concern. However, making your module open source will allow anyone to take it. Roblox prevented devs from requiring unavailable modules for security reasons. If you hide the code, you could do anything malicious and easily get away with it without anyone knowing. That is a huge security issue, which is why this patch was created. In summary, if you find a way to hide your code it will most likely be fixed due to the security issues related to it. The best you could do is obfuscate your code.
I understand that Roblox did it for security reasons, and I agree with them.
I can’t find a plugin or way to obfuscate my code. I’ve tried online obfuscators for Lua, but it doesn’t work at all. Do you know any plugins or ways I could obfuscate the code?
Deobfuscating a script is just as easy as (if not easier than) obfuscating one. The tiny amount of security you get from it isn't really worth the effort.
I ended up just filling 99% of the script with whitespace and filler and hiding a loadstring within it.
just gotta hope my studio doesn’t keep crashing >.<
That does not make it safer at all. If anything, one can just do Ctrl/Cmd + F, search for loadstring and run it through a decompiler. Why does your system get access to someone's .ROBLOSECURITY? Better yet, why do you have it in raw form?
I’m a pretty big advocate for services and this business-model on Roblox. This is why I do a similar answer for each of these questions when I see them pop up. Before I get into an answer, there are a few things I’d like to address.
This isn't at all true, actually (depending on your method). For example, the simplest but secure way of doing it is using an external server to send an obfuscated script for the game to execute. Executing the code is fairly simple: you can either use the official loadstring (which requires it to be enabled) or a loadstring module like the one found in Adonis. Those basically work by taking the Lua code passed to them, converting it to bytecode and then interpreting that bytecode and running it.
That cannot be patched. Roblox might not like it, but patching that method is impossible.
That is not at all true. Just like before, it depends on your method. Once again, adding junk code is obviously not going to do much. But there are some really advanced ones out there that have literally never been deobfuscated. For example, Ironbrew has a $420 deobfuscation bounty.
There are lots of methods of doing it; here is a flowchart of how I do it currently. It works by executing most of your code on an external server, and only sending small snippets to the game when you need to interact with it. This makes it literally pointless to get the source of the small snippets because you can't do anything with them. Leaking the entire source is impossible because the code is never sent to the game; the only way someone could leak it is getting access to where you're storing the scripts.
@BxPanxi First of all, getting the .ROBLOSECURITY is a big no-no in my book. I'm pretty sure a lot of people don't like it when someone just has a book of all their passwords and usernames. You shouldn't even be messing with players' data in the first place, even if it's to get the right player to automatically rank them. That in itself is not very secure, since if someone were to somehow hijack your service, they would have access to A LOT of accounts. There honestly is no reason for you to get the .ROBLOSECURITY. If you want to check the player in an auto-ranking application center:
You should first check the player's UserId, then compare it against the group. Next, verify that it's the actual person and that they're eligible to be ranked up. If so, continue your process. Once it's confirmed, you can send a message to a ranker or the owner of the group via messages from another website or so.
EDIT: Reposted since I accidentally replied to the wrong person lol.
I don't recommend it because Roblox might not like it, but you could make a webserver that keeps the .ROBLOSECURITY on the place ID. By default, Roblox sends the PlaceId that PostAsync() was sent from, so just take advantage of that.
Not true, again. Read my post above and look at the first few parts of the flowchart I sent. Unless you can proxy through a Roblox server, it's almost impossible to spoof.
The Roblox API returns the IP of the server that is running that game. If that IP matches the request IP, you let it through; if not, do something else like ban the IP or just deny the request with a 500.
Oh, I didn't see the part where you are using .ROBLOSECURITY. That's a bad idea and you should stop doing it right now, literally. That's an amazing way to get a ton of accounts hacked into.
I’m the maintainer of noblox.js and noblox.js-server. I still don’t understand why you’re storing these .ROBLOSECURITY keys like this. Instead of doing all that, I’d recommend just using 1 .ROBLOSECURITY key and 1 account which is in the groups that need the auto-promotion system. You can’t use noblox.js-server like it’s ClanLabs.
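The origin check from the posts above (Roblox-Id header plus game-server IP allowlist) and the one-bot-account model from the noblox.js maintainer's post, combined into one added Node.js example. This is not code from the thread, from Roblox, or from noblox.js; the names verifyRobloxRequest, handleRankRequest, getRank and rankUser, the config values, the allowlisted IP and the sample requests are all constructed for the example. In a real bot, getRank/rankUser would wrap noblox.js calls made with a single bot account's .ROBLOSECURITY read from an environment variable, and allowedIps would be refreshed from whatever game-server list you trust; the game never sends a cookie at all.

```javascript
// Added example (not from this thread or from noblox.js): a Node.js guard for the
// game -> web server ranking call. Two checks from the thread are combined: the
// Roblox-Id header must equal the expected place ID AND the source IP must be a
// known game-server IP. Then the applicant is validated against the group before
// ONE server-held ranking function is called. Function and config names below are
// assumptions of this example, not an API of any real library.

function verifyRobloxRequest(req, expectedPlaceId, allowedIps) {
  // Roblox attaches a Roblox-Id header (the calling place's ID) to HttpService
  // requests. Node lowercases header names; the fallback covers hand-built objects.
  const headers = req.headers || {};
  const headerPlace = headers['roblox-id'] ?? headers['Roblox-Id'];
  if (headerPlace === undefined) {
    return { ok: false, status: 403, reason: 'missing Roblox-Id header' };
  }
  if (String(headerPlace) !== String(expectedPlaceId)) {
    return { ok: false, status: 403, reason: 'Roblox-Id does not match expected place' };
  }
  // The header alone proves nothing: any HTTP client can set it. Pin the request
  // to an IP that is actually running the place. If this app sits behind a
  // reverse proxy, req.ip must already be the client IP taken from a header that
  // only YOUR proxy can set, otherwise every request looks like it came from the proxy.
  if (!allowedIps.has(req.ip)) {
    return { ok: false, status: 403, reason: 'source IP is not a known game server' };
  }
  return { ok: true, status: 200, reason: 'ok' };
}

function handleRankRequest(req, config, deps) {
  const origin = verifyRobloxRequest(req, config.placeId, config.allowedIps);
  if (!origin.ok) return origin;

  let body;
  try {
    body = JSON.parse(req.body);
  } catch {
    return { ok: false, status: 400, reason: 'body is not JSON' };
  }
  const userId = Number(body.userId);
  if (!Number.isInteger(userId) || userId <= 0) {
    return { ok: false, status: 400, reason: 'invalid userId' };
  }

  // Steps from the thread: is the user in the group, and are they at the rank the
  // application center is for? Rank 0 means "not a member".
  const currentRank = deps.getRank(config.groupId, userId);
  if (currentRank === 0) return { ok: false, status: 403, reason: 'not in group' };
  if (currentRank !== config.fromRank) {
    return { ok: false, status: 403, reason: 'user is not at the applicant rank' };
  }
  // The target rank is fixed server-side (the game never chooses it) and a group
  // bot can only set ranks below its own, so refuse a bad config loudly.
  if (!(config.toRank > currentRank && config.toRank < config.botRank)) {
    return { ok: false, status: 500, reason: 'target rank misconfigured' };
  }
  deps.rankUser(config.groupId, userId, config.toRank);
  return { ok: true, status: 200, reason: 'ranked', userId, newRank: config.toRank };
}

// Constructed stand-ins so the example runs offline; fresh state on every call.
function makeDemoDeps() {
  const ranks = new Map([[1001, 1], [1002, 0]]); // 1001 is an applicant, 1002 not a member
  const log = [];
  return {
    getRank: (_groupId, userId) => ranks.get(userId) ?? 0,
    rankUser: (_groupId, userId, rank) => { ranks.set(userId, rank); log.push({ userId, rank }); },
    log,
  };
}

// Constructed config: place, group, ranks and one allowlisted game-server IP.
const demoConfig = {
  placeId: 123456789,
  groupId: 4242,
  fromRank: 1,
  toRank: 2,
  botRank: 254,
  allowedIps: new Set(['203.0.113.10']),
};

// Constructed requests: identical header and body, different source IP. The
// spoofed one shows why the header check is not enough on its own.
function demo() {
  const legit = { ip: '203.0.113.10', headers: { 'roblox-id': '123456789' }, body: '{"userId":1001}' };
  const spoofed = { ip: '198.51.100.7', headers: { 'roblox-id': '123456789' }, body: '{"userId":1001}' };
  return {
    legit: handleRankRequest(legit, demoConfig, makeDemoDeps()),
    spoofed: handleRankRequest(spoofed, demoConfig, makeDemoDeps()),
  };
}

console.log(demo());
```

The IP allowlist is the check that actually carries weight: anyone can send a Roblox-Id header from curl, but they cannot send from a Roblox game server's address without running code on it. Note that the bot's cookie appears nowhere in this flow; the game only ever sends a userId, and the server decides the target rank.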
Bit late to reply now, but use Aztup Brew; it's basically the new Ironbrew. Right-click on a script in Roblox, press save, input it into Aztup Brew, put a custom string in, press obfuscate and bam, you have an obfuscated piece of code that can be de-obfuscated but still is secure!