Script Protection Demo

Hey everyone! Some of you have seen that for a while, I have been working on a website that provides tools to sellers. One of those tools is script protection.

Understandably, many have been sceptical, and that’s completely fair. I want to show you guys our progress on the on-game script protection.

On-game is our first type of script protection, and easiest to use for anyone who will be new to our site (so pretty much everyone). It is called on-game because the code is sent to the game. We send the code as normal Lua bytecode, which contains a script which is protected by Ironbrew. Ironbrew, for those of you that do not know, is one of the best obfuscators currently on the market. It takes loads of different measures to protect scripts, which I learnt after looking at the source of it, and has never been deobfuscated.

You would be correct in saying that running an interpreter inside an interpreter is inefficient. That’s why using Ironbrew will be optional; however, it is recommended. Ironbrew is incredibly lightweight and it shouldn’t affect script speed too badly. It’s security at the cost of performance.

We currently have a bug-bounty program, where you will get £50 if you manage to crack the script protection. It should be made clear that the script that is sent to the demo game (below) is a script which anyone can use, therefore taking the module and putting it in another game is NOT cracking it. Private scripts will have a snippet of code inserted into them so they can only be used in games that are allowed to use it.

Here are the two things that count as cracking it:

  1. You breach our database and take the script from there
  2. You convert the script sent to the game into a readable script (not Ironbrew, the script protected by Ironbrew).

Now to the game. Please keep in mind that it takes a little while for the script to run, that’s simply because of all our security measures on the API and we still need to do some serious optimization. I’ll leave working out those security measures up to you. Also please ignore how stupid the game is, it was just a quick joke game to show off the script protection.

You will find the script that loads everything in ServerScriptService. Good luck!

We are about to do a first come first served program in our Discord for beta users. We will be accepting 100 beta users, first to use a command on the bot. You can join our Discord if you’re interested!

Put any questions below!

10 Likes
  1. What exactly is this protecting? I see no client scripts anywhere so why are you protecting server scripts when Roblox already protects them???

  2. It don’t work

3 Likes

So if I’m understanding correctly, you make the script download an ironbrew’ed (or normal) script’s bytecode from your host and then use FiOne to execute it?

If so, how is it different from running the script itself? It’s not like turning it to bytecode makes it any more secure, since tools such as unluac exist.

Not to mention server scripts rarely need this kind of “security”.


P.S. Reselling ironbrew is kinda against their tos

2 Likes

The idea is script protection for sellers, not necessarily just de-compilation. There’s an info page on Devable that explains what it serves to do: basically, protect sellers’ IP without fear of it being reproduced and sold without creators knowing.

2 Likes

Turning your code into bytecode isn’t any protection at all. As for ironbrew, people can obfuscate their scripts with it themselves, without the need to pay someone else to do it for them.

1 Like

With this, you can easily update it across places that use your script as well as prevent people from even accessing it.

You could also have a public module with an ironbrew obfuscated script.
You can easily retrieve the bytecode by modifying his loader to do something with it (send it to your own server, print it, etc), before executing it.
As Kiriot said, turning the code into bytecode doesn’t make it any more secure. He’s pretty much just selling ironbrew’s obfuscation.

I am pretty sure @grilme99 has gotten permission to use Ironbrew. It is at least what I have understood. The goal is to protect your work from being resold. For example, you make something you sell and you don’t want those who bought it to release the code. Devable uses Ironbrew as an obfuscator and they have a lot of security on their server to confirm that the game is actually allowed to run the script and that it’s an actual Roblox server.

1 Like

For those confused, I’d like to cover some things.

[quote=“wravager, post:2, topic:351138”]
It don’t work
[/quote]

Part of one of our security features is making sure the request is from a Roblox game. This means that you need to test it from a public game. This security feature will be optional in the final product.

I know that turning code into bytecode isn’t really security. The point is more efficiency. Sending the bytecode straight into FiOne, instead of converting it into bytecode on Roblox, means that we skip one step which could slow it down.

Obviously people can buy Ironbrew themselves, but for one the on-game script protection is going to be free. The script protection will also integrate with other planned features such as analytics. The point of Devable is to provide a platform for people to sell their creations without the worry of it being sold on without the owner’s knowledge.

We specifically made agreements with DefCon (the creator) to use it for Devable. We purchased the original source and have full rights to use it.

4 Likes

I don’t see the reason for such levels of security. Anything that needs to be that obfuscated should not be trusted by developers.

I’m afraid you fail to see the point of this. The protection and obfuscation is for developers who want to sell their product without the buyer being given the ability to steal the code.

1 Like

The protection and obfuscation is for developers who want to sell their product without the buyer being given the ability to steal the code.

Whoops, yeah. I tend to lean towards FOSS. Never knew that module development was so lucrative it’s worth using a service like this.

1 Like

The plan is to automatically detect and limit what a script can do. For example, let’s take permissions on your phone for example.

An app asks to access your location or your photos, except Devable tells the buyer what the product does, and gives options to limit it. Using a custom interpreter, we can easily sandbox and fine tune what the script is able to affect.

For example, if there is a script that creates a remote event and arbitrarily executes code, it would say on the products page that the product utilises remote events, and in a bold/red to show it is more dangerous, arbitrarily executes code. This would be a sign to the buyer that this could potentially be a back door. Of course we are going to have a manual moderation process for production products that get sold, the technicals of how that will work securely is yet to be decided.

3 Likes
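
The permission idea in the post above, as an added example (not part of the original post and not Devable's code): a capability-gated environment that records which flagged globals a product touches and denies the ones the buyer has not granted. It assumes stand-alone Lua 5.1 to 5.4 rather than Roblox/FiOne, gates at run time rather than by static detection, and `CAPABILITIES`, `SAFE` and `run_sandboxed` are hypothetical names.

```lua
-- Added example: capability-gated environment for third-party product code.
-- CAPABILITIES, SAFE and run_sandboxed are hypothetical names.
local CAPABILITIES = {            -- global name -> label shown to the buyer
  loadstring = "arbitrarily executes code",
  require    = "loads other modules",
}

local function copy(t)            -- shallow copy so the script cannot
  local c = {}                    -- mutate the host's library tables
  for k, v in pairs(t) do c[k] = v end
  return c
end

local SAFE = { print = print, pairs = pairs, ipairs = ipairs, tostring = tostring,
               string = copy(string), math = copy(math), table = copy(table) }

local function load_in_env(src, env)
  if setfenv then                                  -- Lua 5.1 / LuaJIT
    local fn, err = loadstring(src, "product")
    if not fn then return nil, err end
    return setfenv(fn, env)
  end
  return load(src, "product", "t", env)            -- Lua 5.2+
end

-- Runs src; returns ok, result-or-error, and the set of capability labels touched.
local function run_sandboxed(src, granted, host)
  local used = {}
  local env = setmetatable({}, { __index = function(_, name)
    local label = CAPABILITIES[name]
    if not label then return SAFE[name] end        -- harmless global or nil
    used[label] = true                             -- record for the product page
    if not granted[name] then error("capability denied: " .. name, 2) end
    return host[name]
  end })
  local fn, err = load_in_env(src, env)
  if not fn then return false, err, used end
  local ok, result = pcall(fn)
  return ok, result, used
end

-- Constructed sample product: harmless arithmetic plus one flagged call.
local SAMPLE = [[
  local total = 0
  for i = 1, 3 do total = total + i end
  local f = loadstring("return 1")
  return total
]]
local ok, result, used = run_sandboxed(SAMPLE, {}, { loadstring = loadstring or load })
print(ok, result)
for label in pairs(used) do print("product uses: " .. label) end
```

With an empty grant table the sample stops at the `loadstring` lookup, and the label is still recorded so it can be listed for the buyer.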

An app asks to access your location or your photos, except Devable tells the buyer what the product does, and gives options to limit it. Using a custom interpreter, we can easily sandbox and fine tune what the script is able to affect.

I would like to point out Roblox is officially working on a similar feature and will be potentially releasing it in the near future.

Should this be the case, wouldn’t that make your product obsolete, as Roblox will be providing the same service officially, and for free?

I know no technical details about how they plan to make packages work for sellers. They only briefly mentioned it at RDC.

I have no clue how secure or reliable Roblox’s method will be. If it’s based on the same tech as closed sourced modules, then I don’t imagine it’ll be very good. Roblox literally told people how to crack it on the wiki.

Devable also plans other features such as powerful analytics to track usage as well as a drag and drop store builder.

We are also going to have a free plan, which on-game script protection is included in.

If worst comes to worse we could make something that integrates directly with packages to provide the analytics and everything else.

There are several problems with the system though. Firstly, what if the Devable servers are down for some reason (either failure or maintenance), what then? Would games just have to suck it up and deal with non-functionality for the duration of the downtime?

Secondly, there is a matter of inconvenience for end users, would it be worth it to set up an account with a third party, and then go through the hassle of setting up any sort of 3rd-party interface with the servers? Personally, a top-rated and well-reputable free model from the Library would seem more appealing and instant, along with being immune from the previous problem.

1 Like

All of our script protection APIs will be backed by AWS EC2. It shouldn’t ever really go down unless it’s a really rare occasion.

I wouldn’t really call it an inconvenience. When they buy one of your products they get a download link for it where they then just put it in their game and it works.

I’ve gtg for the night, I’ll reply to anything else tomorrow.

3 Likes

I’ve made an update that optimizes the script loading time.

It’s gone from about 30 secs for the script to be sent to the game to about 1-2. Awesome.
You’ll now notice everything should be working by the time you can see anything!

1 Like

If someone sandboxed all your obfuscated third-party code with an environment that looked exactly like a real Roblox game and spoofed the place and creator IDs to gain access to a script that normally isn’t whitelisted for a particular place, what would you do?

That wouldn’t work because we have a special method of verifying a request is from Roblox. Give it a try if you like, you’ll get an unauthorised error.

1 Like