Jump to content

MTA Lua Compiler


NeonBlack

Recommended Posts

Arran, Maybe be someone from your staff team has taken all the resources than he started selling them. It may be a high ranked staff left CIT and still have the resources. CIT resources are spreading every day, from one to one and from server to server. [CF]Sensacion aka SmartBoy is a hacker. He has a serial changer as well, I banned him more than 10 times from my server and he still joining. How the :o they did that! These hackers are idiots, they can be even punished by law.

First, there are many ways for evading a ban, for example a VMware Player, or just more computers, so you are probally just failing with the admin-panel and setting costum options for your server(changing mta server config), IP bans are too easy to evade, proxy's. So please stop accusing people for "hacking" because using your mind just for evading bans isn't hacking, sorry to say, you just lack the knowledge for good administrating your own server. Now keep it on-topic

Link to comment
  • Replies 75
  • Created
  • Last Reply

Top Posters In This Topic

I do not lack the knowledge to administrate my server, I have one year scripting and learning how to script. The guy I'm talking about cause problems for many servers including CIT. I'm just saying it to be careful of his moves. You can find players accusing him here. Hacking is a bad action even using your mind to cheat, it breaks the game rules as well. Anyway, how to protect my scripts then?

Link to comment

Yes yes, but this topic is about the MTA's Lua Compiler, not about script stealing people. If you really want to protect your script from not be added to some other dudes server, then add an server side part which is really needed to let the client run, or just use the cache function. Even after compiling they can add your scripts, now stop discussing about script stealing people and go back on the main purpose of this topic. A compiler's purpose is to make the code unreadable so that some people can't read to code and edit it,and thats the purpose of this topic, discuss about the mta's compiler.

The old Lua compiled scripts will be lost in further versions, so most of the servers with leaked/stolen scripts will be forced to script their own, this is good. Now let's take at some mapping tools, like Nextreme tools, all the maps who are using that script will not work anymore in further versions, because it's been compiled with a default compiler, or just other maps with a bunch of scripts which is too compiled.

In my opinion is the MTA Lua Compiler a good idea, but sometimes it isn't. I have wrote some + and - points here down:

+Better compiled

+Encrypting is added

+No-one can decompile it (?? - Not sure yet if someone found a way.)

+It's hosted by the MTA Team, so it should be trustable.

-The compiler webserver needs to be up and running ( luckely we got a good person in the MTA team )

-If hacker(s) have hacked the server, and then will add little sh*t things in it we will be doomed

-You can't compile your code in offline-mode

-Compiled scripts that were uploaded to community for free use are now useless. ( in my opinion they all should not be compiled since it's shared, but whatever. )

-Awesome made compile programs doesn't work anymore (like dzek's one, some friends have tried with serveral decompilers and they couldn't decompile it)

-You are forced to upload their script on a hackable website(everything can be hacked in my opinion).

So, this is about the compile + and - points, now let's make another one for server owners:

+They can upload their own scripts with better compiling methods

-They are forced to upload their script on a hackable website(everything can be hacked).

-Other scripts which are compiled with an old compiler will not work in further versions

Kindly regards,

-Danny

Link to comment

I'm agreeing with Arran and Danny, firstly someone from the MTA team had come up with a unique system that compiles (with the option of encrypting) codes, seems like it's moreover trustworthy than any compiler out there. Secondly, it's better to enhance a single unique compiler rather 100 other compilers which get recognized by the MTA system which have nil trust. This system is a great experience, it's going well and I appreciate ccw allot for this. Those people who have doubt in this system or would like to use their own compilers, think of this as an advantage to you guys, those thieves will get the dis-benefit.

Link to comment
I'm agreeing with Arran and Danny, firstly someone from the MTA team had come up with a unique system that compiles (with the option of encrypting) codes, seems like it's moreover trustworthy than any compiler out there. Secondly, it's better to enhance a single unique compiler rather 100 other compilers which get recognized by the MTA system which have nil trust. This system is a great experience, it's going well and I appreciate ccw allot for this. Those people who have doubt in this system or would like to use their own compilers, think of this as an advantage to you guys, those thieves will get the dis-benefit.

What if the server will be hacked, or the server is down, or people are scripting offline and then want to decompile it? I like the compiler, but there are some downsides on the compiler.

Link to comment
I'm agreeing with Arran and Danny, firstly someone from the MTA team had come up with a unique system that compiles (with the option of encrypting) codes, seems like it's moreover trustworthy than any compiler out there. Secondly, it's better to enhance a single unique compiler rather 100 other compilers which get recognized by the MTA system which have nil trust. This system is a great experience, it's going well and I appreciate ccw allot for this. Those people who have doubt in this system or would like to use their own compilers, think of this as an advantage to you guys, those thieves will get the dis-benefit.

What if the server will be hacked, or the server is down, or people are scripting offline and then want to decompile it? I like the compiler, but there are some downsides on the compiler.

And what if this feature had a downloadable version? Wouldn't that solve pretty much everyone's doubts? Or is there something else that doesn't suit the public's choice..

Link to comment
Arran, Maybe be someone from your staff team has taken all the resources than he started selling them. It may be a high ranked staff left CIT and still have the resources. CIT resources are spreading every day, from one to one and from server to server. [CF]Sensacion aka SmartBoy is a hacker. He has a serial changer as well, I banned him more than 10 times from my server and he still joining. How the :o they did that! These hackers are idiots, they can be even punished by law.

No, most of the resources that I made such as the login panel have never been accessible to my own developers and I know for a fact that this guy ain't smart, he can't even make his own resources let alone 'hack' access to our scripts. Also it's only the client side files (a load of their server side stuff is buggy and doesn't even work) so it's pretty obvious it was decompiled.

It's actually a FACT that they're decompiled or not even decompiled but simply copied:

CFnmisc/GUIutils.luc

The file contains "C:\Users\Nvreformat\Desktop\Repos\CITNvreformat\CITnvremisc\GUIutils.lua"

That is one of our old developers and that was the location where he compiled it and that location is written to the top of the luac file.

And there were loads more examples but now he's started to encrypt the stolen work which I suppose is a good thing as it prevents people stealing our stuff via his server. One script wasn't even compiled and guess what it had throughout the script...

"-- decompiler error"

Link to comment
And what if this feature had a downloadable version? Wouldn't that solve pretty much everyone's doubts? Or is there something else that doesn't suit the public's choice..

It should, but what if a experience person is getting the encryption method and compiling method of the compiler?

Link to comment
And what if this feature had a downloadable version? Wouldn't that solve pretty much everyone's doubts? Or is there something else that doesn't suit the public's choice..

It should, but what if a experience person is getting the encryption method and compiling method of the compiler?

Wouldn't that chance be very rare, if the feature was set in a way none else can crack just like how MTA's system is put together.

Link to comment
And what if this feature had a downloadable version? Wouldn't that solve pretty much everyone's doubts? Or is there something else that doesn't suit the public's choice..

It should, but what if a experience person is getting the encryption method and compiling method of the compiler?

Wouldn't that chance be very rare, if the feature was set in a way none else can crack just like how MTA's system is put together.

Well, if it's the case it's a šhitty design, seriously.

This system is not more secure than compilation anyway. Hypothetically: One could simply access the MTA memory after the decryption or before execution to get the bytecodes. Or maybe someone could call the decryption functions from net.so directly . Or someone could maybe try to use Raknet::DataBlockEncryptor and the MTA keys (this could partially be used to encrypt a script too).

It's just another layer of difficulty (which is great). But the implantation could be better.

I will never upload my scripts to any server other than my own

This and this alone is enough reason for me to agree unconditionally.

I totally agree, even if the new system makes it more difficult to "steal" a script.

Anyway,

If you do not want your scripts stolen, code your clients-side scripts to work as much as possible with your server-side scripts (= when possible make the logic server-side). Most of the time, people will steal your scripts and not use them since they would actually need to write some code. And if someone steal something simple like a "login panel", it should not bother you. 99.98% chances their server will still sucks with it.

Link to comment
we want to keep our competitors from trying to steal or copy our hard work

I will never upload my scripts to any server other than my own

Ok so you've got 2 options:

Option 1: Default compiling which has virtually no security benefit. Just join this guys server:

I agree with NeonBlack, luac.multitheftauto.com should be optional

And you'll notice how EVERY SINGLE script on the CF server is stolen from CIT. They're so lazy they don't even rename the resources! You can go on there and see CITchecking CITsettings etc but you can tell the instant you join the server that it's a copy because every GUI is a clone from the moment you see the login panel, you don't even need to look inside their client files to know for definite it's all copied.

Clearly default compilation is virtually ineffective at stopping people from blatantly stealing all your work, as proven above.

Option 2:

You send your client side files to luac.multitheftauto.com ran by the MTA team, probably ccw's server, he just happens to be the person who makes running a server on MTA even possible. When angry kids could ASE flood a server and cause the CPU usage to go to 100%, who fixed that? ccw did. Who sacrificed their free time to even make luac.multitheftauto.com? ccw did. When anything went wrong in MTA, who fixed it? ccw did.

In a way I feel sorry for you, because you actually think that default compilation is more secure than something that actually prevents kids with luadec stealing your resources, just because it has to be sent to luac.multitheftauto.com, even though it's probably hosted by ccw who is one of the most trust-able people you'll come across on the Internet. Which means all your "hard work" is getting decompiled by people like [CF]Sensacion who are too lazy to make their own scripts.

I am yet to be notified about my hard work being stolen that was compiled through luac.multitheftauto.com though. I guess they'll have to steal from you instead since you've got your ideas of security all wrong.

Worst case scenario is every file uploaded to luac.multitheftauto.com is leaked... SO WHAT? That is VERY unlikely to happen and if it did, it's not much easier for the script kiddies than for them to just luadec your default luacs.

Even though I like to stay with my original opinion, I have to agree upon some of the points you made.

However simply stating that CCW is trustworthy does not make a breach of security unlikely.

I've never said I don't trust CCW, it's merely the fact that I have to upload my scripts to a server which is owned by MTA, this indeed on its own is not a big issue.

However this very server does form one big weak security link, all it really takes is one proper hacking attempt into this single server, and the client scripts of basically all major MTA servers are wide open.

I agree with you that my opinion is a tad radical, however I am a sucker for control, and when things such as security are out of my reach it simply does not sit right.

Link to comment
I agree with you that my opinion is a tad radical, however I am a sucker for control, and when things such as security are out of my reach it simply does not sit right.

I can see myself in EaroX's story, not everyone is able to handover their files to a server which can be hacked. And don't tell us the story you tell all the kids around; 'It can not be hacked, the security is the best there is'. 'Cause, everything can be hacked. People are even getting paid for this sh*t.

Personally I think they should allow us to use our own compilers, if they get stolen or ripped off then. So be it, it's our own fault. But don't take down luac. Some people do use it and you don't want to force them to use another one.

Link to comment
  • 1 month later...
  • 1 month later...

Would be nice to have some official word of the devs in here why it is necessary to force it.

Clearly default compilation is virtually ineffective at stopping people from blatantly stealing all your work, as proven above.

The "encrypt" option of the online compiler is trvially breakable with no advanced knowledge about scripting required and thus I cannot consider it any safer at all. It won't stop anyone from decompiling your scripts. A simple decrypter can be written in less than 50 lines of code in total and I consider it kind of a miracle that noone released a public decrypter yet.

While I certainly think that ccw (and the other developers as well) are trustworthy enough to give them my scripts, I simply cannot see a need to do this at all. Why am I going to be forced to send my scripts to a remote server in order to add nothing benifically to them, when it works pretty well with the standard luac compiler right now?

Also it'll make many scripts unsable which were only distributed in compiled form. They work now, so why stop them from working in just a few months?

If they release the source code of the compiler, a decompiler can be made...

Hint: In order to run the script, the server needs to decrypt it first...

Link to comment
A simple decrypter can be written in less than 50 lines of code in total and I consider it kind of a miracle that noone released a public decrypter yet.

You don't understand what encryption means or did you write this at night? No one has written a decrypter, because the encryption within the compiled code is based on hash, or multiple hashes. You need to first unlock the hash (which is kind of a problem since it's either using a long MD5 or SHA with some private and public key produced by the MTA's compile server; or then it's RSA, which is currently proven as unbreakable - until someone breaks it, of course).

If you have made a decrypter, good job, but I think you should write a whole Lua script of your own thousand times better than what they have out there. Good luck.

Link to comment

There is a big problem with removing compatibility with other compilers, and that is that there are a lot of maps that has compiled scripts (for example maps that uses puma markers), and i've tested and the official compiler isn't much better than any other (except if you also use the encrypt option), it is often easily decompilable.

If you really want to force people to change to it, then at least have a setting in mtaserver.conf to remove that, like:

"Only change this if you want to take the risk of having your scripts stolen".

Link to comment

Why don't people use the encryption option then? I think it's obviously the only way to protect your code right now. If you're not using it and you're commenting on this thread about "your code is stolen", then perhaps you should just use encryption and no cache.

Link to comment
Why don't people use the encryption option then? I think it's obviously the only way to protect your code right now. If you're not using it and you're commenting on this thread about "your code is stolen", then perhaps you should just use encryption and no cache.

I'm using both and its pretty good, but if someone is going for the no cache stuff, then the encryption is just another step..

Link to comment
You don't understand what encryption means or did you write this at night? No one has written a decrypter, because the encryption within the compiled code is based on hash, or multiple hashes.

I don't need to break the algorythm when you freely hand me the keys to decrypt the file. If I hand you my car key it wouldn't be a miracle if you somehow got into my car, without damaging it or breaking the lock, right? ;)

You need to first unlock the hash (which is kind of a problem since it's either using a long MD5 or SHA with some private and public key produced by the MTA's compile server; or then it's RSA, which is currently proven as unbreakable - until someone breaks it, of course).

The encryption is no hash. It's normal RSA. Now if you know how RSA (and most other asymmetric encryption algos) works, you'll know that there are two keys. One which is used to encrypt the data (the one privately stored on luac.multitheftauto.com) and one which is used to decrypt. This key is present in the net library and can simply be extracted. Now you have the key to decrypt any file encrypted by luac.multitheftauto.com.

If you still believe a decrypter is impossible, feel free to send me a script encrypted by luac.multitheftauto.com and I'll decrypt and decompile it. ;)

If you have made a decrypter, good job, but I think you should write a whole Lua script of your own thousand times better than what they have out there. Good luck.

I couldn't care less about other peoples scripts, which is part of the reason why I won't release this decrypter publically. I only wrote it while having a look at that mysterious "encryption" option, just to prove it pointless.

Link to comment
You don't understand what encryption means or did you write this at night? No one has written a decrypter, because the encryption within the compiled code is based on hash, or multiple hashes.

I don't need to break the algorythm when you freely hand me the keys to decrypt the file. If I hand you my car key it wouldn't be a miracle if you somehow got into my car, without damaging it or breaking the lock, right? ;)

You need to first unlock the hash (which is kind of a problem since it's either using a long MD5 or SHA with some private and public key produced by the MTA's compile server; or then it's RSA, which is currently proven as unbreakable - until someone breaks it, of course).

The encryption is no hash. It's normal RSA. Now if you know how RSA (and most other asymmetric encryption algos) works, you'll know that there are two keys. One which is used to encrypt the data (the one privately stored on luac.multitheftauto.com) and one which is used to decrypt. This key is present in the net library and can simply be extracted. Now you have the key to decrypt any file encrypted by luac.multitheftauto.com.

If you still believe a decrypter is impossible, feel free to send me a script encrypted by luac.multitheftauto.com and I'll decrypt and decompile it. ;)

If you have made a decrypter, good job, but I think you should write a whole Lua script of your own thousand times better than what they have out there. Good luck.

I couldn't care less about other peoples scripts, which is part of the reason why I won't release this decrypter publically. I only wrote it while having a look at that mysterious "encryption" option, just to prove it pointless.

Okay, decrypt, and decompile this script (which is encrypted an compiled) with mta's compile system:

https://www.mediafire.com/?5612a254bney5hg

(I wrote some lines of codes really quick)

I'd like to see if it's possible like you said.

Edit: If it's possbile like you said, then I know enough about the compiler, and then we have another reason why we should use the cache function. :roll:

Link to comment

Cache doesn't fix too much. It can still be accessed if you know enough of memory addressing.

@newmta: As far as I know, RSA, or any two-key auth algorithm requires two keys. In this case you have access to the net module's key, but not the one on luac.multitheftauto.com, so not sure how you've decrypted much anything so far.

And please let us know on what would be a better solution, since you're the expert. I find the current algorithm as good as it can get. Of course you could always encrypt it yourself, but that's not practical and you'd still have to share a key with the client. Though, they don't have access to the server key.

Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.

×
×
  • Create New...