R$1000 Bounty to whoever

Help and Feedback Creations Feedback
#1

Can “break into” this closed source module I made, and run the method ‘p’.

Here’s some sample code:

local module = require(219856863); module:GrantAccess(); -- Checks to see if you're allowed to use it module.p(); -- Will throw a warning and an error if you're not allowed to use it. Should print 'hello world' if you're deemed allowed

This is the code for the module being returned, security aside

local module = { p = function() print'hello world'; end; }
So nothing out of the ordinary with the ‘p’ function itself.

More information can be requested but I want [whoever’s attempting this] to know as much as some random person trying to access someone else’s module that they made protected.

I can give a higher/lower bounty if the breach is big/low enough.

#2

It’d be useful to know the place you’re using this module in. It would allow us to attempt to impersonate your game.CreatorId or game.PlaceId.

It may be more secure to hide your methods through the metamethod __index.
If you remove the possibility of people discovering elements in your module by just looping through them, it’ll be harder to use without looking at the source.

#3

I use PlaceId.

#4

I use PlaceId.[/quote]

I can’t really test this for you right now, but I do know that PlaceId can be edited within studio, so your module could be run if the person had the correct PlaceId. PlaceId cannot be edited of course in an online game, so they couldn’t do too much with your code.

I’ve edited my above post with a suggestion.

#5

I use PlaceId.[/quote]

I can’t really test this for you right now, but I do know that PlaceId can be edited within studio, so your module could be run if the person had the correct PlaceId. PlaceId cannot be edited of course in an online game, so they couldn’t do too much with your code.

I’ve edited my above post with a suggestion.[/quote]

Everything you’ve suggested and more were all ready implemented, but I like the way you think. The big issue for me is so it can’t work online.

#6

I’m sure, by the nature of this challenge, that obtaining the source will also qualify for “winning” because the code will then be able to be run online.

#7

If you somehow obtain the source of the closed module, ROBLOX will give you more than anything I could.

#8

Not even a challenge.

local module = require(219856863)
Game = newproxy(true)
getmetatable(Game).__newindex = function()
	error("")
end
getmetatable(Game).__tostring = function()
	return ""
end
getmetatable(Game).__index = {
	IsA = function() return true end,
	PlaceId = 12345
}
module:GrantAccess()
module.p()
#9

[quote] Not even a challenge.

local module = require(219856863) Game = newproxy(true) getmetatable(Game).__newindex = function() error("") end getmetatable(Game).__tostring = function() return "" end getmetatable(Game).__index = { IsA = function() return true end, PlaceId = 12345 } module:GrantAccess() module.p() [/quote]

Well all right then. Would you like the robux?

Edit: I actually did try to prevent what you did from happening at some point but I didn’t even bother to finish it. Thanks :slight_smile:

Edit two: I was over complicating a lot of stuff. Wow.

#10

No reward necessary. I just hope that you realize patching this particular vulnerability doesn’t mean your module is secure. It just means you’ve patched all the exploits you know about.

#11

I knew about the exploit you presented, I just didn’t perform it myself correctly and wasn’t handling it correctly in the first place. Thanks for the insight though, it’s appreciated.

Edit: Since Seranok didn’t want the reward, anyone else who finds anything has the option to redeem it.

#12

I have programmed some security I would like to test as well. Same offer as OP.

The module will return a function that will print the state of completion.

require(220109065)()

The objective is to get it to not say “you have not completed the challenge”
If you want to know, the security is 3 lines long

#13

Don’t take this the wrong way, but you guys are terrible at securing your modules.

if game.CreatorId == 78114 or game.CreatorId == 0 or game.CreatorId == 10271988 then
	return function() print("you win 8765rfghj") end
else
	return function() print("you have not completed the challenge") end
end
#14

how then, does one secure a module?

[size=1]and also wtf how did you get the source[/size]

#15

Why would 1 need to secure a script module? I use them only for holding wep info and commonly used functions, what valuables do you guys put in em?

#16

What about this

require(220123882)()

#17

How did I do it?

local module = require(220109065)
getfenv(module).script.Parent = workspace
game:GetService("AssetService"):SavePlaceAsync()

To prevent a module’s source from being stolen, the only thing you have to do is put this at the top of your module:

script = nil

This will make it infeasible to get a reference to the ModuleScript object.

1 Like
#18

[quote] How did I do it?

local module = require(220109065)
getfenv(module).script.Parent = workspace
game:GetService("AssetService"):SavePlaceAsync()

To prevent a module’s source from being stolen, the only thing you have to do is put this at the top of your module:

script = nil

This will make it infeasible to get a reference to the ModuleScript object. [/quote]

Cry. What if I have stuff packaged with it that I need to access?

stuff = script
script = nil

?

#19

Then just set up variables to the objects and remove them from the script:

local stuff = script:FindFirstChild("Stuff")
stuff.Parent = nil

script = nil

-- rest of code

And Echo, your second module is also vulnerable:

script.Parent = nil

Game = newproxy(true)
getmetatable(Game).__metatable  = function()
	error("Bad boy")
end

return function()
	if workspace.Parent.CreatorId == 1273918 then
		print("Pass")
	else
		print("Fail")
	end
end
#20

The moral of the story is if you want a secure private module, you should have me audit your code.