"License Script"

IdiomicLanguage · August 10, 2019, 9:25pm

If you try to hide your source - either by obfuscating it, using an interpreter, or any other way - you will lose some of the trust of your customers. The security issue is the reason private modules went away, and developers have become wary to trust unknown code with all the backdoor issues as of late. The solution? Have a trusted third party review the unseen code. For absolute security, the script cannot be executed in an environment where the game developer has control.

To prove the security of RBXMods to you, I’m putting my money where my mouth is and offering $1,000 USD to whoever can get the source of this RBXMod. To run the RBXMod simply place this in a script with HTTPService enabled:

print(require(14405521){
	['user-token'] = 'FydU21Q_WWAQwhfbAGcLF-5y1od_amsQw1ncX9mZG0c'
}(31):join(1)())

This code requires the RBXMod loader, sets the user token to a user who only has ‘view instance’ and ‘call’ permissions, requires RBXMod 31, joins instance 1, and then calls it and prints the result. The string returned by the RBXMod has more details. You have until the end of the month: August 31, 2019, at midnight MDT. Only the first winner gets the prize. I even have a new version of the website I’ll be publishing soon, so maybe you’ll get lucky and catch a bug! Or not.

For those interested I’ve recently posted some documentation at https://docs.rbxmod.com. It has some information about how RBXMods work that may be useful to try and break in. Note that the functions on the loader are actually all lowercase, not upper case. I’ll be fixing that soon.

Note:

No one who offers these "loader" services will match this offer, because they are not that secure. If they did, I would soon be $1,000 richer.

T0ny · August 10, 2019, 11:48pm

The point is, there’s no official means in any official capacity to this platform to support this type of transaction. You’re better of waiting for collaboration tools and just removing people from the collab list if they don’t pay. Then viciously DMCA’ing them if they don’t cease the usage of it. If you have to spend more time covering up very product you want to sell, you should probably rethink your product.

Honestly its not even worth going this route simply due to the lack of support from the platform.

IdiomicLanguage · August 11, 2019, 1:20am

I agree, RBXMods are not replacements for local scripts. With a up to 16ms round trip connections to Roblox servers however, they will often run faster than running an interpreter for server scripts in Lua. Not to mention with better security, more features, and more user trust because they are reviewed. RBXMods can deliver payloads like the loader services however require substantially less time to setup. I know you can send post requests, however there is value in SaaS vs PaaS or IaaS.

There are layers of security and safeguards. If one fails, another takes over. For example, passwords are hashed so no one can see user passwords if the service was hacked (even I can’t). RBXMod never even sees payment information and will use PayPal’s secure service for that functionality. Scripts are running in a VM in their own process as a restricted user (think: OS level protection). For the loader services, if their interpreter is reverse engineered or a deobfuscator is written their security is lost.

Where did you get the idea that RBXMods are slow? It runs LuaJIT unlike Roblox and can scale up as demand increases. Lua can only run on a single thread so there is a theoretical cap to how fast single scripts can execute but this is broken by RBXMods by allowing multiple instances to run at once. Roblox doesn’t allow multi-threading and has only hinted that maybe sometime in the future they’ll work on a JIT compiler but it wouldn’t be as fast as LuaJIT.

I appreciate the ad hominem attack. RBXMod has been in development for roughly 8 months now, and will be for much longer. I hope that my track record will prove to you that I am trustworthy. From your heated response it sounds like you have a personal stake in this, or did I do something to anger you?

I agree that Roblox’s lack of support makes it difficult. If users have a service they believe is worth it, I want to try and help them. Hopefully Roblox will relax some of their restrictions in the future and allow the “private sector” to take over a bit more.

Riddevan · August 11, 2019, 1:50pm

It has no connection to how it will work. If you used or maybe saw check Me in the script is not in the model, either there’s a problem being free as a model cause we will have a require script in order to work.

Riddevan · August 11, 2019, 1:51pm

It won’t use Third party.

(30chars)

Enomphia · August 15, 2019, 10:54am

What I do with my system and it works well is make them buy a Game Pass. No need for storing data on websites like Trello (I’m pretty sure your not even meant to store data on there.)

And to check if they own the game pass just see if game.CreatorId owns it.
Hope this helps!
If you need help to get the UserId of a group games creator message me.

blushclips · August 18, 2019, 7:24pm

I don’t think this could work for him. If someone can get the model then they can also change the script to a different gamepass ID that the user owns.

Riddevan · August 18, 2019, 7:32pm

Then the service wouldn’t work.

Riddevan · August 18, 2019, 7:33pm

Everything is provided in the “require” script. If he changes it then he won’t have the UI, intoduction, or anything working. Basically just a monitor screen doing nothing.

colbert2677 · August 18, 2019, 7:42pm

Check Me In relied on closed source third party modules, for which support was removed for. If someone has the ModuleScript, it’s not hard to get rid of the restrictions and just make it work.

Have you been following discussions on modules, especially throughout the thread, or am I misunderstanding what point you’re trying to make?

Riddevan · August 18, 2019, 9:02pm

If he makes it work then it means he made his own system, so that’s where we don’t mind cause everyone can make it. I actually followed lot of discussions about but it’s also misunderstanding.

colbert2677 · August 18, 2019, 9:04pm

No, I seriously don’t understand what you’re trying to say here or prove. Most of these systems ran off of closed source private modules for which support is removed for, which is part of why the discussion in the main thread happened.

Please clarify what you’re intending to say.

Riddevan · August 18, 2019, 9:08pm

If the support is removed, how Check Me In didn’t shutdown or still exist without it being copied, or been copied yet. I’m trying to say that there is something that they do, which as I saw is a require script.

loertis · August 18, 2019, 9:28pm

They have it running off of a irl server.

Enomphia · August 19, 2019, 7:31am

Not if he obfuscated it. And handles it all in the module.

WonderfulDoob2 · November 29, 2019, 5:08pm

The user couldn’t reproduce it as it would check for the GamePassID. The ID of the fake one will be different to the real one.

IdiomicLanguage · November 30, 2019, 12:35am

While that may be true, if the check is done in the script, then the check can be taken out. Or, even as @CottonCandyInc was suggesting, check the ID that the script checks for so that the original ID doesn’t work but a new one does. Here was CottonCandy’s post:

This post died off without a solution for a reason: it isn’t possible unless you use a service like the one I suggested and the original poster seems arbitrarily against.

Hexcede · November 30, 2019, 1:11am

I would personally recommend routing any http requests you make through your own service. Most of your service should be handled by your web side of things. Users will have to pass an API key to your server with any and all requests you make. Your service can automatically include their API key in requests by having them pass it through a function and then your API can store it for later use. You’d probably also want an endpoint on your website to verify the API key first so when they call the function they can get an error message.

Next you’ll want to verify their API key in your website’s storage for each request. This ensures that they can use your service. Each API key can be revoked if necessary and can contain extra permissions (e.g. payed permissions). You could even allow users to use a public “free trial” API key if you’d like which would have very limited access.

By making your code rely on the website you protect your script without the need for obfuscation. That allows users to see what your code is doing and they’ll be less suspicious of code which means people are more likely to use it.

WonderfulDoob2 · November 30, 2019, 1:06pm

Couldn’t you just make it serversided and not clientsided

IdiomicLanguage · November 30, 2019, 6:13pm

The issue is that if the check is performed server side, then the client needs to stop functioning if it fails. In other words, some of the functionality must be on a the server to leave the script non-functioning. When only a small piece of functionality is missing, developers can easily replace it. This means that a significant portion of functionality must be hosted on another server.

This is why I made RBXMod. In theory people can copy what it does for their own private service, but it is a lot of work. The value of RBXMod isn’t that it is making the impossible possible, but that it is saving developers from the work of setting up their own server with enough resources to support their games, handling communication and sockets, creating Lua instances read to and from files, saving persistent data, logins, purchases, ext. A single shared service.

So yes, someone can do this on their own server. However I don’t believe it will allow other developers to see the source of your scripts and trust them more. They must be missing a significant chunk of functionality.