Script Protection Demo

Turning your code into bytecode isn’t any protection at all. As for ironbrew, people can obfuscate their scripts with it themselves, without the need to pay someone else to do it for them.

1 Like

With this, you can easily update it across places that use your script as well as prevent people from even accessing it.

You could also have a public module with an ironbrew obfuscated script.
You can easily retrieve the bytecode by modifying his loader to do something with it (send it to your own server, print it, etc), before executing it.
As Kiriot said, turning the code into bytecode doesn’t make it any more secure. He’s pretty much just selling ironbrew’s obfuscation.

I am pretty sure @grilme99 has gotten permission to use Ironbrew. It is at least what I have understood. The goal is to protect your work from being resold. For example, you make something you sell and you don’t want those who bought it to release the code. Devable uses Ironbrew as an obfuscator and they have a lot of security on their server to confirm that the game is actually allowed to run the script and that it’s an actual Roblox server.

1 Like

For those confused, I’d like to cover some things.

[quote=“wravager, post:2, topic:351138”]
It don’t work
[/quote]

Part of one of our security features is making sure the request is from a Roblox game. This means that you need to test it from a public game. This security feature will be optional in the final product.

I know that turning code into bytecode isn’t really security. The point is more efficiency. Sending the bytecode straight into FiOne, instead of converting it into bytecode on Roblox, means that we skip one step which could slow it down.

Obviously people can buy Ironbrew themselves, but for one the on-game script protection is going to be free. The script protection will also integrate with other planned features such as analytics. The point of Devable is to provide a platform for people to sell their creations without the worry of it being sold on without the owner’s knowledge.

We specifically made agreements with DefCon (the creator) to use it for Devable. We purchased the original source and have full rights to use it.

4 Likes

I don’t see the reason for such levels of security. Anything that needs to be that obfuscated should not be trusted by developers.

I’m afraid you fail to see the point of this. The protection and obfuscation is for developers who want to sell their product without the buyer being given the ability to steal the code.

1 Like

The protection and obfuscation is for developers who want to sell their product without the buyer being given the ability to steal the code.

Whoops, yeah. I tend to lean towards FOSS. Never knew that module development was so lucrative it’s worth using a service like this.

1 Like

The plan is to automatically detect and limit what a script can do. For example, let’s take permissions on your phone for example.

An app asks to access your location or your photos, except Devable tells the buyer what the product does, and gives options to limit it. Using a custom interpreter, we can easily sandbox and fine tune what the script is able to affect.

For example, if there is a script that creates a remote event and arbitrarily executes code, it would say on the product’s page that the product utilises remote events, and in a bold/red to show it is more dangerous, arbitrarily executes code. This would be a sign to the buyer that this could potentially be a back door. Of course we are going to have a manual moderation process for production products that get sold; the technicals of how that will work securely are yet to be decided.

3 Likes
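The store-page warning described in the post above, sketched as an added example (not Devable's code, and not from any participant in this thread). It assumes a plain source-level scan of unobfuscated Lua rather than the custom interpreter the post mentions; the rule set, labels and sample scripts are constructed for illustration.

```python
import re

# (capability label, severity, pattern). Illustrative rules, not Devable's.
RULES = [
    ("creates remote events", "normal",
     re.compile(r'Instance\.new\(\s*["\']Remote(?:Event|Function)["\']')),
    ("executes arbitrary code", "dangerous",
     re.compile(r'\bloadstring\s*\(')),
    ("loads external modules by asset ID", "dangerous",
     re.compile(r'\brequire\s*\(\s*\d+\s*\)')),
    ("makes HTTP requests", "normal",
     re.compile(r'\bHttpService\b')),
]

def strip_comments(src: str) -> str:
    # Drop Lua block and line comments so a keyword in a comment is not
    # reported. Simplification: "--" inside a string literal is also cut.
    src = re.sub(r'--\[\[.*?\]\]', '', src, flags=re.S)
    return re.sub(r'--[^\n]*', '', src)

def manifest(src: str) -> dict:
    """Return the capabilities to show on the product page."""
    code = strip_comments(src)
    found = [(label, sev) for label, sev, pat in RULES if pat.search(code)]
    labels = {label for label, _ in found}
    # The combination the post calls out as a potential back door.
    backdoor = {"creates remote events", "executes arbitrary code"} <= labels
    return {"capabilities": found, "possible_backdoor": backdoor}

# Constructed sample: the remote-event-plus-loadstring pattern from the post.
FLAGGED = '''
-- admin helper
local ev = Instance.new("RemoteEvent")
ev.Parent = game.ReplicatedStorage
ev.OnServerEvent:Connect(function(player, code)
    loadstring(code)()
end)
'''

# Constructed sample: mentions loadstring only inside a comment.
BENIGN = '''
-- we deliberately avoid loadstring(code) here
print("hello")
'''

if __name__ == "__main__":
    print(manifest(FLAGGED))
    print(manifest(BENIGN))
```

A text scan like this only works on readable source; for obfuscated products the same manifest would have to be built from what the interpreter observes at run time.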

An app asks to access your location or your photos, except Devable tells the buyer what the product does, and gives options to limit it. Using a custom interpreter, we can easily sandbox and fine tune what the script is able to affect.

I would like to point out Roblox is officially working on a similar feature and will be potentially releasing it in the near future.

Should this be the case, wouldn’t that make your product obsolete, as Roblox will be providing the same service officially, and for free?

I know no technical details about how they plan to make packages work for sellers. They only briefly mentioned it at RDC.

I have no clue how secure or reliable Roblox’s method will be. If it’s based on the same tech as closed sourced modules, then I don’t imagine it’ll be very good. Roblox literally told people how to crack it on the wiki.

Devable also plans other features such as powerful analytics to track usage as well as a drag and drop store builder.

We are also going to have a free plan, which on-game script protection is included in.

If worst comes to worse we could make something that integrates directly with packages to provide the analytics and everything else.

There are several problems with the system though. Firstly, what if the Devable servers are down for some reason (either failure or maintenance), what then? Would games just have to suck it up and deal with non-functionality for the duration of the downtime?

Secondly, there is a matter of inconvenience for end users, would it be worth it to set up an account with a third party, and then go through the hassle of setting up any sort of 3rd-party interface with the servers? Personally, a top-rated and well-reputable free model from the Library would seem more appealing and instant, along with being immune from the previous problem.

1 Like

All of our script protection APIs will be backed by AWS EC2. It shouldn’t ever really go down unless it’s a really rare occasion.

I wouldn’t really call it an inconvenience. When they buy one of your products they get a download link for it where they then just put it in their game and it works.

I’ve gtg for the night, I’ll reply to anything else tomorrow.

3 Likes

I’ve made an update that optimizes the script loading time.

It’s gone from about 30 secs for the script to be sent to the game to about 1-2. Awesome.
You’ll now notice everything should be working by the time you can see anything!

1 Like

If someone sandboxed all your obfuscated third-party code with an environment that looked exactly like a real Roblox game and spoofed the place and creator IDs to gain access to a script that normally isn’t whitelisted for a particular place, what would you do?

That wouldn’t work because we have a special method of verifying a request is from Roblox. Give it a try if you like, you’ll get an unauthorised error.

1 Like

Is it just a user-agent check or something? aka Roblox/WinInet

No, it’s far more than that. We get the real IP of the game server and compare it to the requester’s IP.

From what Meta_data’s question suggests, does an obfuscated script that was just downloaded check back with a server for verification that a game is authorized?

If so, what happens if someone sandboxed it and then later spoofed responses from its HttpService to make it work?

Speaking of sandboxes, do you plan on integrating sandbox functionality in the future? Not being able to read third-party code is discomforting.

Good question. Still not 100% sure how exactly I’ll do it, but my plan is to not just have a “yes” or “no” response. I’ll need to somehow incorporate a dynamic response which is required for the script to work. That way, simply sandboxing it won’t help you, as you need to know the random response.

And yes, the plan for sandboxing is the following:

  • sandbox the running script so the game owner can control and track exactly what the script does
  • automatically detect things the script could do, and provide it as a warning on the products store page
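The "dynamic response" idea from the post above, modelled as an added example (not Devable's code, and not from any participant in this thread): the server never answers yes or no, it returns key material the loader needs, masked with the loader's fresh nonce. The place ID, the function names and the SHA-256 keystream (a stand-in for a real AEAD cipher) are assumptions made for the sketch.

```python
import hashlib
import hmac
import secrets

WHITELIST = {1234567}                    # constructed place ID allowed to run the product
CONTENT_KEY = secrets.token_bytes(32)    # held only by the server

def _stream(key: bytes, n: int) -> bytes:
    # SHA-256 in counter mode; stand-in for a real AEAD cipher.
    out, i = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        i += 1
    return out[:n]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Vendor side: encrypt the script core and append an integrity tag."""
    ct = _xor(plaintext, _stream(key, len(plaintext)))
    return ct + hmac.new(key, ct, hashlib.sha256).digest()

def server_authorize(place_id: int, nonce: bytes):
    """Server side: return the content key masked with the caller's nonce."""
    if place_id not in WHITELIST:
        return None                      # the "unauthorised" case
    mask = hashlib.sha256(nonce + str(place_id).encode()).digest()
    return _xor(CONTENT_KEY, mask)

def client_unlock(sealed: bytes, response, place_id: int, nonce: bytes):
    """Loader side: unmask the key and decrypt; None if the response is wrong."""
    if response is None or len(response) != 32:
        return None
    mask = hashlib.sha256(nonce + str(place_id).encode()).digest()
    key = _xor(response, mask)
    ct, tag = sealed[:-32], sealed[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        return None                      # canned or replayed response
    return _xor(ct, _stream(key, len(ct)))

SEALED = seal(CONTENT_KEY, b"print('core logic')")   # constructed payload
```

This rejects a faked "yes" and a response recorded under a different nonce. It does not change the point made earlier in the thread: an environment that completes one authorized exchange ends up holding the decrypted core.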