Jump to content

something to protect my resources for sale


CrosRoad95

Recommended Posts

i'm writing because in mta there is impossible to make safe shop with resources, to improve this, mta team should implements one of my example solution or come up with your own, better ones.

  1. Resource as `executable file` - lua.mtasa.com should allow to pack every script with meta into 1 file `myResource.mtaexe` which is recognize as normal resource but you cant add your own code before/after resource start. You can't overwrite my functions, you can't change meta.xml. If you want to use files. Also tag <file> should receive attribute `checksum` to verify external files. This executable file could be simple obfuscated .zip file.
  2. function `restoreOriginalFunction( functionName )` - this function resource original function, but if you have N lua script, then for each script this function will be overwritten, currently example function `outputChatBox` is registered once per resource and other script can overwrite them in other file. This function allow to protect other functions before overwriting

For both should be added function to disable addDebugHook for this resource. 

Edited by CrosRoad95
Link to comment
On 14/1/2018 at 17:53, PolskiSebek12 said:

i'm writing because in mta there is impossible to make safe shop with resources, to improve this, mta team should implements one of my example solution or come up with your own, better ones.

  1. Resource as `executable file` - lua.mtasa.com should allow to pack every script with meta into 1 file `myResource.mtaexe` which is recognize as normal resource but you cant add your own code before/after resource start. You can't overwrite my functions, you can't change meta.xml. If you want to use files. Also tag <file> should receive attribute `checksum` to verify external files. This executable file could be simple obfuscated .zip file.
  2. function `restoreOriginalFunction( functionName )` - this function resource original function, but if you have N lua script, then for each script this function will be overwritten, currently example function `outputChatBox` is registered once per resource and other script can overwrite them in other file. This function allow to protect other functions before overwriting

For both should be added function to disable addDebugHook for this resource. 

You can go to luac.multitheftauto.com and obfuscate the actual script files.

People can only steal the client files, though. It's the only thing they download. If someone downloads your server files, then you should focus on securing your server or computer, because they've just hacked you.

Just add cache="false" after the client file entry of the meta.xml file:

<script src="clientfile.lua" type="client" cache="false"/>

That will load the file directly to the RAM, so script stealers can't just go and snatch the client file from the hard drive like every other dumbass does.

Also, this disables the addDebugHook function:

addDebugHook( "preFunction", onPreFunction, {"addDebugHook"} )
function onPreFunction( sourceResource, functionName, isAllowedByACL, luaFilename, luaLineNumber, ... )
    return "skip"
end

 

  • Thanks 1
Link to comment

i mean protect my resources after sold in order to someone don't give that resource anyone else

until meta.xml isn't compiled, i can crack EVERY resource on the internet

i can modify meta.xml and add script which overwrite all security functions

function addDebugHook()end
function fetchRemote() return true end
function checkResourceLicense() return true end

 

Link to comment
  • MTA Anti-Cheat Team
4 hours ago, PolskiSebek12 said:

i mean protect my resources after sold in order to someone don't give that resource anyone else

you could make the clientside script rely heavily on serverside, and then make the serverside perform remote calls to your external host (''command & control'') so that the script only functions when said server returns a positive response. This way, you can keep a list of script buyers, and add unique ID's for each customer into your server's DB and the serverside script, so you can stop the script from working for specific customers/users who didn't  buy it.

Make the server that runs the resource forward its IP to your webserver. If you see multiple server IP's are using a resource with just one ID (or you made the system detect this automatically), you can disable it from working, trace said ID back to a customer, and inform them they breached your policy because their version of the resource somehow ended up leaked/spread, and that the consequence is their script to be forcefully disabled. (add it to your disclaimer..)

Then, in order to shut down their script from working, you simply make the webserver return a negative response to the resource contacting with said ID, leading to end end end : )

Keep in mind that in order for this approach to work, you'll need to make each script file for customers unique (add the ID as key in code) and ofcourse compile all of it so that they can't just strip the security checks to interrupt the resource from working.

 

Ofcourse this is theoretically possible and the solution, but the question is: do you really want to go into these lenghts just to secure a bunch of resources? Creating a whole API just for that? @PolskiSebek12

 

Link to comment
5 minutes ago, Dutchman101 said:

you could make the clientside script rely heavily on serverside, and then make the serverside perform remote calls to your external host (''command & control'') so that the script only functions when said server returns a positive response. This way, you can keep a list of script buyers, and add unique ID's for each customer into your server's DB and the serverside script, so you can stop the script from working for specific customers/users who didn't  buy it.

Make the server that runs the resource forward its IP to your webserver. If you see multiple server IP's are using a resource with just one ID (or you made the system detect this automatically), you can disable it from working, trace said ID back to a customer, and inform them they breached your policy because their version of the resource somehow ended up leaked/spread, and that the consequence is their script to be forcefully disabled. (add it to your disclaimer..)

Then, in order to shut down their script from working, you simply make the webserver return a negative response to the resource contacting with said ID, leading to end end end : )

Keep in mind that in order for this approach to work, you'll need to make each script file for customers unique (add the ID as key in code) and ofcourse compile all of it so that they can't just strip the security checks to interrupt the resource from working.

 

Ofcourse this is theoretically possible and the solution, but the question is: do you really want to go into these lenghts just to secure a bunch of resources? Creating a whole API just for that? @PolskiSebek12

 

The real question here is, is it worth at all trying to secure it that highly? To make such API is matter of 5 to 10 minutes but what's point? Lua, is such an easy language, especially in MTA. There's not much effort needed to make anything really, just lots of research if you are new. For experienced player it's just matter of the mood, at least for me. Other question is, why you want to make such security for a resource? If you sell it, then give buyer full uncompiled version, unless price is really, really low. Like 1$. But if it's quite expensive, buyer deserves a source code.

Link to comment

Price depends on things the customer wants if the want is more special rate will be high $ but as you said why this much of security for resource I agree ,instead I hope MTA developers will make meta.XML also be compile  so that resource will be safe now  by not removing owner rights and By using cache future there will be no chance of stealing resources also !!

Edited by Khadeer143
Link to comment
  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...