"License Script"

Yeah, I personally wouldn’t use loadstring just in case there was a harmful model that relies on loadstring to execute code on the server.

Not a leak. The API is already being added in.

I don’t think you can check subscriptions in other games (no way of knowing without information) and there still lies the problem for OP to “hide their code”. Even with SubscriptionService, they’d still have to open source their code.

Yes, I put leak in quotes because it hasn’t been officially announced as far as I’ve seen.

Without info, it’s hard to say. Maybe each subscription will have a unique ID that can be queried from any game, much like marketplace assets.

To hide the code, could it be hosted securely externally and sent through an HTTP request and run via loadstring()? I’m not sure how viable that is, but it sounds plausible.

It could be but I’m unfamiliar with that practice and how truly reliable it is. I don’t invest my time in the whole “closed-source asset sales” business thing, only interested in open-source free assets. I never really fancied selling closed-source ModuleScripts.

As far as I can tell, as long as a model is free to take, you can’t realistically file a DMCA complaint?

I think this means that if you want to use a Roblox model to store your code, then anyone is free to copy (and “leak”) it?

Also, see @IdiomicLanguage’s post:
For more context on what happened to closed sourced modules:

Removing Support for Third Party Closed Source Modules

That would only pertain specifically to the model that you open source. The idea is placing the loader in the public domain which every loader is fairly the same (require statement, sometimes with settings) while the actual code isn’t.

If you try to hide your source - either by obfuscating it, using an interpreter, or any other way - you will lose some of the trust of your customers. The security issue is the reason private modules went away, and developers have become wary to trust unknown code with all the backdoor issues as of late. The solution? Have a trusted third party review the unseen code. For absolute security, the script cannot be executed in an environment where the game developer has control.

To prove the security of RBXMods to you, I’m putting my money where my mouth is and offering $1,000 USD to whoever can get the source of this RBXMod. To run the RBXMod simply place this in a script with HTTPService enabled:

	['user-token'] = 'FydU21Q_WWAQwhfbAGcLF-5y1od_amsQw1ncX9mZG0c'

This code requires the RBXMod loader, sets the user token to a user who only has ‘view instance’ and ‘call’ permissions, requires RBXMod 31, joins instance 1, and then calls it and prints the result. The string returned by the RBXMod has more details. You have until the end of the month: August 31, 2019, at midnight MDT. Only the first winner gets the prize. I even have a new version of the website I’ll be publishing soon, so maybe you’ll get lucky and catch a bug! Or not.

For those interested I’ve recently posted some documentation at https://docs.rbxmod.com. It has some information about how RBXMods work that may be useful to try and break in. Note that the functions on the loader are actually all lowercase, not upper case. I’ll be fixing that soon.


No one who offers these "loader" services will match this offer, because they are not that secure. If they did, I would soon be $1,000 richer.

i, too, can send post requests every time a function call is needed

saying “guys i’ll give you a thousand dollars if you can find a local file inclusion vuln on my server1!11!!!1” will not get people to use this given that it takes away the point of having a script on the client to begin with; things like input responses and UI.

if you take away that ability there is, like i said, no reason to have the script on the client to begin with

EDIT: a friend of mine pointed out that if a vulnerability is found then LITERALLY EVERYBODY’S DATA IS COMPROMISED. there is, quite frankly, a much higher likelihood of this happening to you than it is to roblox.

EDIT 2: using this for free models is an even dumber idea because putting all logic on the server like that is incredibly slow and still really shady, no matter who you say you are


The point is, there’s no official means in any official capacity to this platform to support this type of transaction. You’re better off waiting for collaboration tools and just removing people from the collab list if they don’t pay. Then viciously DMCA’ing them if they don’t cease the usage of it. If you have to spend more time covering up the very product you want to sell, you should probably rethink your product.

Honestly it’s not even worth going this route simply due to the lack of support from the platform.

I agree, RBXMods are not replacements for local scripts. With up to 16ms round-trip connections to Roblox servers, however, they will often run faster than running an interpreter for server scripts in Lua. Not to mention with better security, more features, and more user trust because they are reviewed. RBXMods can deliver payloads like the loader services; however, they require substantially less time to set up. I know you can send post requests, however there is value in SaaS vs PaaS or IaaS.

There are layers of security and safeguards. If one fails, another takes over. For example, passwords are hashed so no one can see user passwords if the service was hacked (even I can’t). RBXMod never even sees payment information and will use PayPal’s secure service for that functionality. Scripts are running in a VM in their own process as a restricted user (think: OS level protection). For the loader services, if their interpreter is reverse engineered or a deobfuscator is written their security is lost.

Where did you get the idea that RBXMods are slow? It runs LuaJIT unlike Roblox and can scale up as demand increases. Lua can only run on a single thread so there is a theoretical cap to how fast single scripts can execute but this is broken by RBXMods by allowing multiple instances to run at once. Roblox doesn’t allow multi-threading and has only hinted that maybe sometime in the future they’ll work on a JIT compiler but it wouldn’t be as fast as LuaJIT.

I appreciate the ad hominem attack. RBXMod has been in development for roughly 8 months now, and will be for much longer. I hope that my track record will prove to you that I am trustworthy. From your heated response it sounds like you have a personal stake in this, or did I do something to anger you?

I agree that Roblox’s lack of support makes it difficult. If users have a service they believe is worth it, I want to try and help them. Hopefully Roblox will relax some of their restrictions in the future and allow the “private sector” to take over a bit more.


It has no connection to how it will work. If you used or maybe saw Check Me In the script is not in the model, either there’s a problem being free as a model cause we will have a require script in order to work.

It won’t use Third party.


What I do with my system and it works well is make them buy a Game Pass. No need for storing data on websites like Trello (I’m pretty sure you’re not even meant to store data on there.)

And to check if they own the game pass just see if game.CreatorId owns it.
If you need help to get the UserId of a group game’s creator message me. 🙂
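
A sketch of the game pass check described in the post above, added here as an example and not code from any poster in the thread. The game pass ID is a placeholder and the function names are made up for illustration; it also covers the group-owned case the post mentions by resolving the group owner's UserId.

```lua
-- Added example: server-side license check, run from a Script in ServerScriptService.
local MarketplaceService = game:GetService("MarketplaceService")
local GroupService = game:GetService("GroupService")

local LICENSE_GAME_PASS_ID = 0 -- placeholder: the seller's game pass ID goes here

-- Resolve the account that owns this place: the user, or the owner of the group.
local function getPlaceOwnerUserId()
	if game.CreatorType == Enum.CreatorType.Group then
		local ok, info = pcall(function()
			return GroupService:GetGroupInfoAsync(game.CreatorId)
		end)
		if ok and info and info.Owner then
			return info.Owner.Id
		end
		return nil -- lookup failed, or the group currently has no owner
	end
	return game.CreatorId
end

-- Returns true only when ownership is positively confirmed.
-- Any web-call error or missing owner is treated as "not licensed" (fail closed).
local function isLicensed()
	local ownerId = getPlaceOwnerUserId()
	if not ownerId or ownerId <= 0 then
		return false
	end
	local ok, owns = pcall(function()
		return MarketplaceService:UserOwnsGamePassAsync(ownerId, LICENSE_GAME_PASS_ID)
	end)
	return ok and owns == true
end

if isLicensed() then
	print("License check passed for place owner")
else
	warn("License check failed; product features stay disabled")
end
```

This check runs inside the buyer's own place, so it only holds for as long as the script around it is left unmodified.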


I don’t think this could work for him. If someone can get the model then they can also change the script to a different gamepass ID that the user owns.

Then the service wouldn’t work.

Everything is provided in the “require” script. If he changes it then he won’t have the UI, introduction, or anything working. Basically just a monitor screen doing nothing.

Check Me In relied on closed source third party modules, for which support was removed. If someone has the ModuleScript, it’s not hard to get rid of the restrictions and just make it work.

Have you been following discussions on modules, especially throughout the thread, or am I misunderstanding what point you’re trying to make?

If he makes it work then it means he made his own system, so that’s where we don’t mind cause everyone can make it. I actually followed a lot of discussions about but it’s also misunderstanding.

No, I seriously don’t understand what you’re trying to say here or prove. Most of these systems ran off of closed source private modules for which support is removed, which is part of why the discussion in the main thread happened.

Please clarify what you’re intending to say.

