Jump to content

Resource protection


Kaarpas

Recommended Posts

  • Scripting Moderators
7 minutes ago, Kaarpas said:

How best to protect resources?
Is it possible for someone to steal a decompiled client side script even with a false cache?

Related topic:

 

  • Like 1
Link to comment
5 minutes ago, majqq said:

Related topic:

 

Thank you, but you have not helped me yet. It is because I believe that the code has to be sent to the client for it to run, I do not know if with some type of proxy it is possible to intercept it and read it, I do not understand much of proxys. And good, since you cite in your topic, what is the best way to compile a script, having three options in luac?

Link to comment
  • Scripting Moderators
1 minute ago, Kaarpas said:

Thank you, but you have not helped me yet. It is because I believe that the code has to be sent to the client for it to run, I do not know if with some type of proxy it is possible to intercept it and read it, I do not understand much of proxys. And good, since you cite in your topic, what is the best way to compile a script, having three options in luac?

I'm not expert at this, but yes, compiling with highest level of obfuscation. Since i don't get answer yet for my topic, one more possible way is sending client scripts with loadstring and triggerClientEvent, i've saw it somewhere, but i don't know if at the moment is worth to add this kind of protection, or if it's working at all.

  • Like 1
Link to comment
1 minute ago, majqq said:

I'm not expert at this, but yes, compiling with highest level of obfuscation. Since i don't get answer yet for my topic, one more possible way is sending client scripts with loadstring and triggerClientEvent, i've saw it somewhere, but i don't know if at the moment is worth to add this kind of protection, or if it's working at all. 

It's something that worries me a lot, since I spend a lot of time in scripting, just as you should do.

Link to comment
17 hours ago, Kaarpas said:

How best to protect resources?
Is it possible for someone to steal a decompiled client side script even with a false cache?

You can add at the end of client side script code

fileDelete("client-script-name.Lua") 

 

Edited by Sisqo0
  • Like 1
Link to comment
  • Scripting Moderators
3 hours ago, Sisqo0 said:

You can add at the end of client side script code


fileDelete("client-script-name.Lua") 

 

What's the point for that? If cache="false" does same?

  • Like 1
Link to comment
  • Moderators

Sending code with triggerClientEvent's and loading it with loadstring can give the stealer not just the code, but the exact same code as you wrote it.

Note: If a stealer has stolen compiled code (event without obfuscation), the variable names you gave before are gone.

 

 

Edited by IIYAMA
  • Like 2
Link to comment
  • Scripting Moderators
1 hour ago, IIYAMA said:

Sending code with triggerClientEvent's and loading it with loadstring can give the stealer not just the code, but the exact same code as you wrote it.

Note: If a stealer has stolen compiled code (event without obfuscation), the variable names you gave before are gone.

 

 

As i thought, i wasn't sure about that. So at the moment, there's no any other extra possibility to "secure them more", excluding cache="false" and compiling with highest level of obfuscation?

  • Like 1
Link to comment
  • Moderators

@majqq

Using triggerClientEvent you can actually making it harder as you can create your own keys to secure the scripts. But it will comes at a huge price.

  1. You are risking your variable names.
  2. You have to create your own security.
  3. You are risking your security keys.
  4. Converting your encrypted code to loadstring code comes at a cost of performance. (+ it is done in Lua and not C++)
  5. The download speed isn't optimised as you are requesting files per resource.
  6. The start sequence of the files for all resources in total is something you do not have full control over.
  7. ...

 

My recommendation for high security:

  1. compile them (losing variable names +) (Optimised +)
  2. obfuscation (secure layer +) (decrypt time - )
  3. disable cache (not available as file) (download time - )

 

But if you want to give high load/download time to the players. Do only step 1.

 

 

Edited by IIYAMA
  • Like 1
Link to comment
  • Scripting Moderators
13 minutes ago, IIYAMA said:

@majqq

Using triggerClientEvent you can actually making it harder as you can create your own keys to secure the scripts. But it will comes at a huge price.

  1. You are risking your variable names.
  2. You have to create your own security.
  3. You are risking your security keys.
  4. Converting your encrypted code to loadstring code comes at a cost of performance. (+ it is done in Lua and not C++)
  5. The download speed isn't optimised as you are requesting files per resource.
  6. The start sequence of the files for all resources in total is something you do not have full control over.
  7. ...

 

My recommendation for high security:

  1. compile them (losing variable names +) (Optimised +)
  2. obfuscation (secure layer +) (decrypt time - )
  3. disable cache (not available as file) (download time - )

 

But if you want to give high load/download time to the players. Do only step 1.

 

 

That's what i am doing, compiling script with highest obfuscation level, and also i use cache="false" in meta.xml for client-side scripts, thanks for explaining.

  • Like 1
Link to comment
16 hours ago, IIYAMA said:

@majqq

Using triggerClientEvent you can actually making it harder as you can create your own keys to secure the scripts. But it will comes at a huge price.

  1. You are risking your variable names.
  2. You have to create your own security.
  3. You are risking your security keys.
  4. Converting your encrypted code to loadstring code comes at a cost of performance. (+ it is done in Lua and not C++)
  5. The download speed isn't optimised as you are requesting files per resource.
  6. The start sequence of the files for all resources in total is something you do not have full control over.
  7. ...

 

My recommendation for high security:

  1. compile them (losing variable names +) (Optimised +)
  2. obfuscation (secure layer +) (decrypt time - )
  3. disable cache (not available as file) (download time - )

 

But if you want to give high load/download time to the players. Do only step 1.

 

 

Thanks for the help, it's something like @majqq I've already done in my scripts!

  • Like 1
Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...