Jump to content

MTA Lua Compiler


NeonBlack

Recommended Posts

The MTA Lua Compiler (https://luac.multitheftauto.com) is an online serverside application required to compile (and optionally encrypt) Lua scripts used for resources. This process seems to only happen on the official MTA servers, even when using one of the downloadable applications (mta_luac(.exe)).

Apart from the fact that this means one will not be able to compile(/encrypt) scripts when the official server is unreachable or offline and that this builds up an infrastructure for collecting all scripts their authors mostly compile for the reason of protecting them from being stolen and/or abused I do not see the reason for why this procedure shouldn't be voluntary.

The only reason to make it mandatory would be if the official MTA server/team/whatever took damage from something that's possible when using the default Lua compiler. I strongly doubt that.

Your efforts to make MTA a secure and hardly hackable software are highly laudable, but professional scripters will definitely dislike having to do it this way.

I would like to get to know the intention and the thoughts behind this system.

Link to comment
  • Replies 75
  • Created
  • Last Reply

Top Posters In This Topic

I'm totally backing up Neon's opinion here. I'm spending very very much time in developping complex and very unique scripts that are making our servers the thing they are. Of course I trust the MTA team, but honestly what if someone is able to (and the effort would be totally worth it) to break somehow into the MTA server on which the compiling API is stored? This person would be able to add some dirty stuff there and then collect all server and client script sources that are being used on any MTA server who uses compilation and could steal them.

And I'm sorry if I can't be sure that my scripts are only stored uncompiled locally and compiled only on a server I totally trust and if I've to worry about maybe other persons gaining access to my work, then I will stop putting time in MTA and scripting because the risk is just too high that it could be all for nothing which I can't control…

Link to comment

So far the possibility to precompile Lua scripts has mostly been used to prevent clientside scripts from getting stolen and modified or even distributed as own work. If a scripter desires, they should be the only one deciding who is allowed to have and/or use script sources they created. If they want it to be open source, a valid alternative is leaving scripts uncompiled, yes.

MTA opens a wide variety of creating really good effects and stuff clientside and more and more scripters use that to offer their players good experiences on their servers. However, they at least would like to have cool things they put much effort into exclusively on their servers or the servers they're scripting for, which is fully understandable.

One of the most demotivating things is when a scripter puts lots of effort and time into a script for their server, only to have it stolen from someone, who makes his own server much more popular with the help of the stolen script.

Thus leaving scripts uncompiled isn't a real option in most cases.

On one hand the new MTA Lua compiler offers the possibility to encrypt scripts, on the other hand clients and servers will hold an unencrypted version anyway, as they'll need a decrypted version to be able to execute it, so the encryption might add another security layer, but it isn't breakable at all. In contrast to that it adds a very scripter-unfriendly system making them dependent on the official MTA server not only at compile-time, but also when servers and/or clients need to decrypt their scripts.

This is a huge disimprovement that has the potential to seriously damage the MTA scripting scene. It's no loss offering this system optionally to those who want to use it, but making it mandatory is a very very bad idea.

If anyone doesn't want to discuss that here or whatever I'm usually reachable in the IRC. My nick is Neon.

Link to comment

In addition to that, compiling can be used to make the code run faster and more efficiently (this is what I understood). I rarely compile my scripts unless there is a reason for doing it, however. I don't have my scripts cached on the client's computer, so unless they know where the code is, they won't be able to copy them either. But I think copying code is a very lame way of doing things and honestly I don't care. They will still be unable to use the code I am using as the code is running most on server-side and has server-side triggers, exported functions and stuff. So it'll be useless. You just have to design your code structure so that it will be harder for the clients to copy stuff.

Link to comment
In addition to that, compiling can be used to make the code run faster and more efficiently (this is what I understood). I rarely compile my scripts unless there is a reason for doing it, however. I don't have my scripts cached on the client's computer, so unless they know where the code is, they won't be able to copy them either. But I think copying code is a very lame way of doing things and honestly I don't care. They will still be unable to use the code I am using as the code is running most on server-side and has server-side triggers, exported functions and stuff. So it'll be useless. You just have to design your code structure so that it will be harder for the clients to copy stuff.

What about maps which are using scripts, like I have made a CnR map with some client&server scripts, this map is free for downloading, but I have compiled the code for those who want to copy my code, or just simpely change the author name to their name, since theres some credits inside it, I have compiled it now with the mta's compiling tool, but most of the server owners/downloaders of my map aren't going to update the map. And ofcourse the scripts which are sold by scripters, which they have compiled, these scripts won't work anymore in future versions, like MTA says when you are running a compiled script.

I like the new compiler, but please, let it be optional, there will be so much work lost in everything, community scripts, and even other scripts. :)

Link to comment

I wholeheartedly agree with this post.

We run quite a few client scripts, and because we put a lot of time and effort into them we want to keep our competitors from trying to steal or copy our hard work ( even if it's just client code ) and using it for themselves.

This latest development that forces us to use lua.mtasa.com is something I am strongly against, I will never upload my scripts to any server other than my own, It does not matter how good the MTA Team is, this is a security flaw which I don't want to have.

If I want to compile my scripts the way I used to, please MTA, let me do it the way I always have, and do not enforce your own method over which I have no control whatsoever.

- AeroXbird, SAUR Co-owner

Link to comment

Also, compiled scripts that were uploaded to community for free use are now useless and have no meaning whatsoever. I find this also somewhat insulting that I have been forced to use someone else's service in order to compile my scripts - especially because of the fact that whatever goes in, stays in. Anybody with the slightest idea on how to decrypt and decompile the code can do it whenever they like and the rule "don't accuse others of stealing" is not helping anyone. By the way, adding to that, how secure do you think a server owner can make their server if they have a 30 character long password with random generated letters, numbers and special characters in it and their database has another totally different password, yet still the same length, however, the hacker hacks in and steals all resources and data. How more secure can you make your VPS than that, explain me, please. Your rule is sometimes nothing else than an illogical obstacle on dealing with people that ruin MTA. If you, MTA team had your own server and someone hacked your server just to get the resources and databases, how would you feel? I doubt very well. Not sure if evidence is taken as a wildcard to bypass the rule, but so far what I've seen it never really matters anyways since it appears you expect everybody to have a password that the NSA super computers made just for your own use. Don't even start giving me an option such as "don't allow anyone else to enter the server than your IP". If you really don't give a single sunflower on how big the damage is after it has been done, then I don't know who is the person that can change your minds.

Link to comment
  • 1 month later...
we want to keep our competitors from trying to steal or copy our hard work

I will never upload my scripts to any server other than my own

Ok so you've got 2 options:

Option 1: Default compiling which has virtually no security benefit. Just join this guys server:

I agree with NeonBlack, luac.multitheftauto.com should be optional

And you'll notice how EVERY SINGLE script on the CF server is stolen from CIT. They're so lazy they don't even rename the resources! You can go on there and see CITchecking CITsettings etc but you can tell the instant you join the server that it's a copy because every GUI is a clone from the moment you see the login panel, you don't even need to look inside their client files to know for definite it's all copied.

Clearly default compilation is virtually ineffective at stopping people from blatantly stealing all your work, as proven above.

Option 2:

You send your client side files to luac.multitheftauto.com ran by the MTA team, probably ccw's server, he just happens to be the person who makes running a server on MTA even possible. When angry kids could ASE flood a server and cause the CPU usage to go to 100%, who fixed that? ccw did. Who sacrificed their free time to even make luac.multitheftauto.com? ccw did. When anything went wrong in MTA, who fixed it? ccw did.

In a way I feel sorry for you, because you actually think that default compilation is more secure than something that actually prevents kids with luadec stealing your resources, just because it has to be sent to luac.multitheftauto.com, even though it's probably hosted by ccw who is one of the most trust-able people you'll come across on the Internet. Which means all your "hard work" is getting decompiled by people like [CF]Sensacion who are too lazy to make their own scripts.

I am yet to be notified about my hard work being stolen that was compiled through luac.multitheftauto.com though. I guess they'll have to steal from you instead since you've got your ideas of security all wrong.

Worst case scenario is every file uploaded to luac.multitheftauto.com is leaked... SO WHAT? That is VERY unlikely to happen and if it did, it's not much easier for the script kiddies than for them to just luadec your default luacs.

Link to comment

Compiling is still optional, you aren't forced to compile them, you can leave it uncompiled.

But if you mean that using the MTA compiler should be optional, then you're wrong, after seeing that your server stole at least one of our resources ( the HUD ), I realized that using the MTA compiler can't be that bad after all.

Link to comment

First , I removed the hud and the most of the stealed resources I made my own :D check if you want

Second , I mean when you compile your resources with any compile methode except mta one you get a WARNING that it may not work in future versions and I think MTA team should remove it

Link to comment

"The mta team" should actually start a voting what the scripters want,

-Make it for servers OPTONAL to load the scripts, so no warning pops up with the text that it may not work in future versions

=OR=

-Leave it like this with much lost community (https://community.multitheftauto.com/) work, if you stay it like this, then I might be able to decompile all the compiled work which is NOT compiled nor encrypted with the MTA:SA's compiler. to let the community work still compability with the new versions.

And you guys should stay a bit more on-topic if it was me (I can't say this due forum rules here, yes I know them), the guy who's stealing is indeed a retard, yes. But even after compiling your client resource, then it would be still addable to his server, if the whole resource is client-side based ofcourse.

Link to comment
But even after compiling your client resource, then it would be still addable to his server, if the whole resource is client-side based ofcourse

That's a good point, one solution might be to only start the resources after an event has been received from the server or another encrypted client side file, and if it's compiled and encrypted the event name won't be known to anybody else, or some other really random stuff in it like only working if getSizeSun() returns 1.07

Link to comment

Arran, Maybe be someone from your staff team has taken all the resources than he started selling them. It may be a high ranked staff left CIT and still have the resources. CIT resources are spreading every day, from one to one and from server to server. [CF]Sensacion aka SmartBoy is a hacker. He has a serial changer as well, I banned him more than 10 times from my server and he still joining. How the fuck they did that! These hackers are idiots, they can be even punished by law.

Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.

×
×
  • Create New...