You mentioned that you didn’t think my method of running your scripts off of the game server would work. May I ask why? It is one of the few 100% secure options I see.
Using a parser with dead code elimination, constant substitution, and finally outputting Lua source easily defeats obfuscation even by Xen. If needed, some semantic actions can be added to convert between workspace 'GetChildren' and workspace:GetChildren(). If your assets aren’t worth doing this for, then I’d consider it reasonably secure. If your assets are very valuable, you need stronger, guaranteed protection.
CheckMeIn, RBXMod, and other solutions require finding a hosting service. You can either get IaaS (AWS EC2, Google Cloud) or PaaS (GoDaddy, DreamHost) to build on, resulting in your service, which is a SaaS (CheckMeIn, RBXMod). IaaS solutions mean they give you hardware and a connection and you install a server, database, and application yourself. With PaaS providers you simply install your application, which is usually written in Node.js, PHP, or Java. The road requires a lot of knowledge and is a good learning experience, but no one has the time to walk you through all of it. RBXMod was created with the assumption that one person (me) doing that for everyone who wants a service to secure their scripts is valuable. It hides the complexities of creating your own SaaS.
CheckMeIn has a leaked source which is completely nulled (all license checks are removed). This proves that nothing is bulletproof (unless Roblox releases something, like a revision of third-party private modules). But those are an infringement on the Intellectual Property of CheckMeIn, and so they have the permission to file a takedown.
I’m also providing services and I’m looking for a strong solution to secure my services so I can license them using my database (externally hosted on our servers). The options I’ve got now are:
Obfuscation (not a huge fan, nothing is bulletproof and I don’t know good solutions for it)
Authentication and a Lua VM in Lua: The code is dynamically generated and needs a security key to access the code. Then it’ll execute using the Lua VM. This is probably still easy to reverse engineer.
RBXMod is something I heard of, but I’ve not seen any documentation or guides. When there is some, @IdiomicLanguage, please link me. Maybe I’ll go on to rely on your service, when your service is compatible with HttpService-heavy models.
Even if you obfuscate your scripts, people can literally deobfuscate it. So it’s impossible to make an automated subscription service that’s fully protected.
Obfuscation doesn’t encrypt your scripts, it only hides them, so your scripts can still be taken.
If you’re set on obfuscating your code, I can give you a look at what one looks like. What it does is use HttpService to get code from Pastebin and then run it using loadstring.
I’d recommend you use a Lua VM over loadstring. loadstring has to be enabled when your module is used in other games (for allowed usage) and could pose a security risk for other games with low-quality code. Your customers probably won’t like the idea of enabling it when they don’t have much knowledge about the loadstring function, because it has a warning message which could confuse the customer. Further, loadstring can’t be used on the client.
Roblox API changes have been pointing to a SubscriptionService, right? I remember seeing “leaks” recently.
After that comes out, would you be able to use that to check if they have a license and only execute code after the check passes? I don’t think we have enough info on the API yet to know if it allows checking the subscriptions of other universes, but maybe!
Here’s my two cents on the issue (this is based on what Polymatic Labs, the company who made SyncAdmin do/did)
Have a web server, customers provide a licence key to said web server and the server gives them the appropriate code (e.g. licence version, standard vs. enterprise)
The server returns bytecode, which you can then put into a Lua VM and execute as normal code.
Yes, someone will be able to leak your code, but it will stop the 99%. Not to mention, with DMCA tools, it is very easy to get leaks taken down.
Just do not do what CheckMeIn does. They check a Trello list for licences; this check is really easy to override, not to mention that Trello is not a database.
I don’t think you can check subscriptions in other games (no way of knowing without information) and there still lies the problem for OP to “hide their code”. Even with SubscriptionService, they’d still have to open source their code.
Yes, I put leak in quotes because it hasn’t been officially announced as far as I’ve seen.
Without info, it’s hard to say. Maybe each subscription will have a unique ID that can be queried from any game, much like marketplace assets.
To hide the code, could it be hosted securely externally and sent through an HTTP request and run via loadstring()? I’m not sure how viable that is, but it sounds plausible.
It could be but I’m unfamiliar with that practice and how truly reliable it is. I don’t invest my time in the whole “closed-source asset sales” business thing, only interested in open-source free assets. I never really fancied selling closed-source ModuleScripts.
That would only pertain specifically to the model that you open source. The idea is placing the loader in the public domain, where every loader is fairly much the same (a require statement, sometimes with settings) while the actual code isn’t.
If you try to hide your source - either by obfuscating it, using an interpreter, or any other way - you will lose some of the trust of your customers. The security issue is the reason private modules went away, and developers have become wary to trust unknown code with all the backdoor issues as of late. The solution? Have a trusted third party review the unseen code. For absolute security, the script cannot be executed in an environment where the game developer has control.
To prove the security of RBXMods to you, I’m putting my money where my mouth is and offering $1,000 USD to whoever can get the source of this RBXMod. To run the RBXMod simply place this in a script with HTTPService enabled:
This code requires the RBXMod loader, sets the user token to a user who only has ‘view instance’ and ‘call’ permissions, requires RBXMod 31, joins instance 1, and then calls it and prints the result. The string returned by the RBXMod has more details. You have until the end of the month: August 31, 2019, at midnight MDT. Only the first winner gets the prize. I even have a new version of the website I’ll be publishing soon, so maybe you’ll get lucky and catch a bug! Or not.
For those interested I’ve recently posted some documentation at https://docs.rbxmod.com. It has some information about how RBXMods work that may be useful to try and break in. Note that the functions on the loader are actually all lowercase, not upper case. I’ll be fixing that soon.
Note:
No one who offers these "loader" services will match this offer, because they are not that secure. If they did, I would soon be $1,000 richer.
The point is, there’s no official means in any official capacity on this platform to support this type of transaction. You’re better off waiting for collaboration tools and just removing people from the collab list if they don’t pay. Then viciously DMCA’ing them if they don’t cease the usage of it. If you have to spend more time covering up the very product you want to sell, you should probably rethink your product.
Honestly, it’s not even worth going this route, simply due to the lack of support from the platform.
I agree, RBXMods are not replacements for local scripts. With up to 16ms round-trip connections to Roblox servers, however, they will often run faster than running an interpreter for server scripts in Lua. Not to mention with better security, more features, and more user trust because they are reviewed. RBXMods can deliver payloads like the loader services, but require substantially less time to set up. I know you can send POST requests; however, there is value in SaaS vs PaaS or IaaS.
There are layers of security and safeguards. If one fails, another takes over. For example, passwords are hashed so no one can see user passwords if the service was hacked (even I can’t). RBXMod never even sees payment information and will use PayPal’s secure service for that functionality. Scripts are running in a VM in their own process as a restricted user (think: OS level protection). For the loader services, if their interpreter is reverse engineered or a deobfuscator is written their security is lost.
Where did you get the idea that RBXMods are slow? It runs LuaJIT, unlike Roblox, and can scale up as demand increases. Lua can only run on a single thread, so there is a theoretical cap to how fast single scripts can execute, but this is broken by RBXMods by allowing multiple instances to run at once. Roblox doesn’t allow multi-threading and has only hinted that maybe sometime in the future they’ll work on a JIT compiler, but it wouldn’t be as fast as LuaJIT.
I appreciate the ad hominem attack. RBXMod has been in development for roughly 8 months now, and will be for much longer. I hope that my track record will prove to you that I am trustworthy. From your heated response it sounds like you have a personal stake in this, or did I do something to anger you?
I agree that Roblox’s lack of support makes it difficult. If users have a service they believe is worth it, I want to try and help them. Hopefully Roblox will relax some of their restrictions in the future and allow the “private sector” to take over a bit more.
It has no connection to how it will work. If you used or maybe saw CheckMeIn, the script is not in the model; either there’s a problem being free as a model, because we will have a require script in order to work.