MTA Lua Compiler


NeonBlack

@myonlake:

Quote
As far as I know, RSA, or any two-key auth algorithm requires two keys. In this case you have access to the net module's key, but not the one on luac.multitheftauto.com, so not sure how you've decrypted much anything so far.

You're right on the two-key part. There are two keys. The encryption key (stored on luac.multitheftauto.com) and the decryption key (stored in the net module). Now since I (and every other MTA player) have the net module, I also have the decryption key. Thus I can decrypt anything encrypted with the luac.multitheftauto.com compiler. However I cannot encrypt anything myself as I do not have the encryption key.

Perfect security is impossible as you correctly pointed out. Scripts can always be dumped from memory, no matter how good any kind of encryption is. Therefore we can only make it harder for script stealers to get our scripts.

Right now there's only one key used for all scripts. This makes it rather easy to decrypt any script. Now if there was a per-resource key system where you'd need to add the decryption keys to the server config (or somewhere else), which were then sent to the client upon load, it'd get a lot harder, since you'd actively need to dump a key for each resource.

The only actual reason why I'm pretty annoyed by this entire compiler thing is because the devs seem to force it onto everyone, even people like me who'd rather not use it. What's the issue in allowing me to choose to not use your advanced "security"? If I don't want to secure my scripts, why force me to?

Oh, my name is newmeta btw, not newmta. ;)

@denny199:

http://pastebin.com/UDBMmaD7

I enjoy cheese as well! ;)

Link to comment

Hihi, now we know enough, the encryption isn't good, the scripts match 100%. How do you actually do this? I'm learning next year at my school about security and I want to know how hackers/crackers are getting everything, just don't give me all the steps just say how you start on all this stuff, are you using a program or something? Which OS are you running on? etc.

I know the part that you have the decryption key from the net module, now what, you just write a script in Python or something? :P

Link to comment
MTA doesn't force you to compile your scripts.

That's true of course. But I'd rather have my scripts compiled for a few other reasons, e.g. my current build system which couldn't work with the online compiler. Also I don't want to make it too easy for people looking at my scripts.

To clarify on my build system: I basically have a small program which compiles my entire script into three files: shared.luac, server.luac and client.luac. This compilation process happens every 3 seconds in order to always have the newest changes upon a resource restart. This also allows me to watch compilation errors (e.g. missing braces) without switching to MTA. That also helps quite well against script stealers, since they'd only end up with one giant script file. Right now I just removed the warning messages from my server since they're just plain useless, but once the warning about a "bad" compiler is no longer a warning I'll be unable to compile files for other clients.

And there's still the question: Why break something which works perfectly well right now?

Hihi, now we know enough, the encryption isn't good, the scripts match 100%. How do you actually do this? I'm learning next year at my school about security and I want to know how hackers/crackers are getting everything, just don't give me all the steps just say how you start on all this stuff, are you using a program or something? Which OS are you running on? etc.

I know the part that you have the decryption key from the net module, now what, you just write a script in Python or something? :P

A good rule for this is: Be creative! IDA Pro and OllyDbg are usually my tools of choice when reversing applications. They take a long time to get into, but once you understand them they're extremely useful.

How I'm decrypting the scripts shall stay a secret for now. But I could say two words and most people in this thread would be able to create a decrypter in just a matter of minutes.

Link to comment
I'd like to know the two words for rather creating my own encryption, how could I do this? (I just know Lua and nothing more)

Link to comment
I'm looking indeed foolish after asking it, I'm just curious how a hacker/cracker goes to work, I don't want to steal any script, why should I, I love to create everything by myself, because it's just funnier....

I agree with you, it's just not about stealing, how are we supposed to ever be capable of doing this ourselves or getting the knowledge for doing it and creating a method in the future (if ever needed, like denny needs it for school), since I myself couldn't find any useful topic about it on the internet (spent about 2 hours just passing pages to find anything, but couldn't), and here it comes, I'm foolish for actually asking when I couldn't find it myself, just for the fact of asking someone who knows it and can explain it in a better way?

Link to comment
It's done in Lua; some of the functions can be used to decrypt RSA.

Newmeta did it by taking info from the mta files.

Link to comment

Newmeta explained it well enough.

I already know something about encryption like MD5, some SHA256 and SHA251, but not much, I'm still at my secondary school, which means (vmbo-tl) in the Netherlands, so I don't learn anything about computers, but I'd like to... I know that I could have searched the internet for it, but I don't want to, because I'd like to ask you guys how you actually did it, I'd always like to show some respect, and again I only asked for the procedure how he did it, I didn't ask for the way how he was getting the encryption key, but now let's get back on-topic.

Now someone has proven that it can be "cracked" (actually he just uses the 'public key' for decrypting, so it's not "cracking"), but some people who don't know where the encryption key is nor how they can decrypt/decompile it can't get our scripts, but if there's one smart guy or if this stuff gets leaked, well, good luck on making another compiler. Also, on the luac page there is an option "Anti-decompile", well, I used that in my post where someone decrypted and decompiled it, so the whole compiler doesn't matter anymore. But now let's make a list of our problems right now, since the problem is getting bigger and bigger:

1. We DON'T want to upload files to a webserver since it might be hacked or we want to work OFFLINE

2. If compiled scripts can't be used in future mta's anymore then all the maps with original compiled scripts can't be used anymore

New:

3. The encrypted files can be decrypted with the public key

4. The "anti-decompile" doesn't work since it's proven to be decompiled by someone.

1. We DON'T want to upload files to a webserver since it might be hacked or we want to work OFFLINE

As it says, we don't want to upload files to a webserver, since it might be hacked or not, what if it does. But I'm really thinking that this isn't happening so quick :roll:. Also some people are developing offline and want to compile their files directly, so that they can compile it quicker, plus you don't have the security problem.

So what if the compiler would be an executable program, what are the plus and min points:

[+] We can compile/encrypt offline

[+] We don't need to upload the files to a webserver anymore

[-] People can get now the encryption key easy.

[-] People can get the compiling source easy.

So using an offline compiler isn't an option.

2. If compiled scripts can't be used in future mta's anymore then all the maps with original compiled scripts can't be used anymore

Nothing much to say about it, the old scripts which are in maps, etc. don't work anymore, we are compiling our scripts to make them unreadable to other people, so caching the scripts doesn't work either, because it still needs a source where it needs to come from (like a .txt file) but then that file is open source too, else if you got a smart brain of course which will encrypt everything etc, etc... Nothing more to say and again, the plus and min points:

[-/+] Stolen script files can't be used anymore in future versions of mta, so people can't use it, but there's a problem, they can go to the server again and steal it and then put it back into their folder, so nothing is actually good with it.

[-] We can't use any scripts from any maps anymore(race maps etc).

[-] We can't use our old scripts anymore, if we lost the not compiled files.

So disabling the scripts in future versions does matter for some race servers, but not for default servers which have stolen scripts.

3. The encrypted files can be decrypted with the public key

As proven by newmeta, you can get the public key and then decrypt the files with some knowledge.

4. The "anti-decompile" doesn't work since it's proven to be decompiled by newmeta.

Well, same as encryption, MTA provides "anti-decompile" ( :lol: ), there isn't such a thing as "anti-decompile" :roll: well, this is so bad, if someone already gets past the encryption and then can decompile it then it doesn't matter.

Conclusion:

Well, at the start of this topic people didn't want to upload their files to a webserver, because it might be hacked, but later on there was an easier way to get access to the source code, still there are no things in the world that you can't hack, but it is indeed pretty smart to just use the default access key for decryption and then just decompile it... Well, you hear it everyone, you can only protect your stuff from little kids who don't have any computer knowledge...

So guys, we already know that everything can be hacked/cracked (the last 2 points), as for the first two points (point 2 especially) we got a problem with.

Kindly regards,

Danny

Link to comment
We DON'T want to upload files to a webserver since it might be hacked or we want to work OFFLINE

Even your phone can be hacked, whether or not it was connected to the internet. There's no way you can protect anything from being hacked, really, unless you have a fully self-contained local network and everything wired up inside steel-reinforced rooms with very good protection against incoming electromagnetic radiation from outside of your building.

Also, there's not really such a thing as SHA251. And it's quite difficult to "crack" the decryption for data encrypted with RSA - never even done before.

Link to comment
On 11/03/2014 at 17:46, myonlake said:

Even your phone can be hacked, whether or not it was connected to the internet. There's no way you can protect anything from being hacked, really, unless you have a fully self-contained local network and everything wired up inside steel-reinforced rooms with very good protection against incoming electromagnetic radiation from outside of your building.

Also, there's not really such a thing as SHA251. And it's quite difficult to "crack" the decryption for data encrypted with RSA - never even done before.

I was meaning SHA256 ;-) little typo, and as I said before, everything can be hacked/"cracked" (like arezu was showing, awesome article).

Link to comment

First of all, there's a significant difference between hashing functions (MD5, SHA1, SHA256 etc.) and encryption (AES, RSA etc.). Hashes are one-way, you cannot restore the original data from the hash. An encryption is reversible and thus (with the right key) you can restore the original data from the encrypted context.

The MTA encryption option is obviously using a reversible encryption (-> RSA in this case) as the server/client need to be able to restore the original code from the encrypted file.

And since the server and client need to be able to restore the original code from the encrypted file, they'll also have to have the key needed to decrypt the file. And thus we can also use the key to decrypt. Therefore this encryption method cannot be secure, no matter the algorithm and no matter the key. I'm not breaking RSA, I just do the same thing as the MTA Server does, with the small difference that I'm writing the decrypted file to my hard disk.

@myonlake:

However the online compiler is suddenly implementing a single point of failure. If someone manages to get unauthorized access to the server he suddenly has access to all compiled scripts used on any MTA server, while, if he'd hack my PC, he'd only get my own stuff. Also I expect the online compiler to be an excellent target for DDoS attacks, since attacking that very server basically forces all productive servers with compiled scripts to stop pushing updates.

Another thing I'm getting more and more disappointed about is that despite the fact that some of the developers are clearly reading this thread as listed in the "users in this topic" list below - ccw even sent me a PM about this (one which I didn't really understand...), there's no actual information about this. We still have no reaction, no clarification, not even a single word from any developer about this entire matter, despite this thread going on for more than 5 pages already.

Link to comment
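
Added example (not from the thread and not MTA's code): a toy textbook-RSA model of the key placement newmeta describes, with the private exponent held only by the compiler and the public exponent present in every client. It shows that such a scheme behaves like a signature: every client can recover what the compiler sealed and will reject files it did not seal, but the content is not confidential. The primes, block format and function names are constructed for illustration.

```python
# Added illustration, not MTA's code: textbook RSA on two small Mersenne primes.
# Unpadded and far too small to be secure; it only shows who can do what.
from typing import List, Optional

P, Q = 2**31 - 1, 2**61 - 1          # toy primes (constructed key pair)
N = P * Q                            # public modulus
E = 65537                            # public exponent: present in every client
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent: held only by the compiler
CHUNK = 10                           # 0x01 marker + 10 data bytes stays below N


def transform(data: bytes, exponent: int) -> List[int]:
    """Raise each marked 10-byte block of data to `exponent` modulo N."""
    blocks = (int.from_bytes(b"\x01" + data[i:i + CHUNK], "big")
              for i in range(0, len(data), CHUNK))
    return [pow(m, exponent, N) for m in blocks]


def client_open(blob: List[int]) -> Optional[bytes]:
    """Undo the transform with the public exponent, as any client can.

    Returns None when a block does not carry the 0x01 marker, which is the
    outcome for almost every blob not produced with the private exponent.
    """
    out = bytearray()
    for c in blob:
        m = pow(c, E, N)
        raw = m.to_bytes((m.bit_length() + 7) // 8, "big")
        if not 2 <= len(raw) <= CHUNK + 1 or raw[0] != 1:
            return None
        out += raw[1:]
    return bytes(out)


SCRIPT = b'print("constructed sample script")'   # constructed sample input


def demo() -> dict:
    sealed = transform(SCRIPT, D)        # needs the private exponent
    forged = transform(SCRIPT, E)        # attempt using public material only
    tampered = [sealed[0] ^ 1] + sealed[1:]   # one bit changed in transit
    return {
        "any_client_recovers_source": client_open(sealed) == SCRIPT,
        "forged_blob_accepted": client_open(forged) == SCRIPT,
        "tampered_blob_accepted": client_open(tampered) == SCRIPT,
    }


if __name__ == "__main__":
    for claim, result in demo().items():
        print(f"{claim}: {result}")
```
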

You guys gave speeches like a president seriously, there's no support from any developer because they'll do what pleases them, nor can we do anything about it..... :|

It might sound stupid but I keep the original script in my inbox ( email ) because if I ever lost the original one then I'll be able to recover it back.

Link to comment
arezu said:

Not everyone has funds to buy a quality shotgun microphone and a case like that, not like the case is necessarily needed, but it makes the sounds way clearer than if it was on an open table in a silent room.

Interesting article though, and thanks for proving me wrong with something else than a quantum computer article.

Link to comment

As I've posted and couldn't get re-answered, this might look like an idea to protect client-side stuff... not sure if viable though

So I came in with the idea, could I generate a copy of RSA keys in the game? (Let's say that the script has my stuff encrypted in my own way, let's say A is represented as MM, and that upon working it sends the stuff to another script which is server-side only with an exported function which decrypts and sends back MM into A, supposing like: Script = exports.etc). Could it be possible to call that return as a function itself or how could I do it? This is of course talking about a client side script, since the call function is client and server side, the client would only have access to my code which would look like rubbish stuff with an export to a resource they will never have download or access to in any way.

Thanks in Advance

HyPeX

Link to comment

Like newmeta explained earlier, the network module contains the decryption key. So, if you have your own key and your own encrypter, then yes, it'll be slightly more difficult for the client to get the key. However, as the client needs some key to read the code, the client can catch the server packet and read it. And that way they also have the decryption key to the code. Though it requires a little bit more experience and knowledge in networking to pull that off.

Link to comment
.:HyPeX:. said:

If ur pulling that off, then ur on a level that you would be rather hacking big companies than small mta scripts.

It's actually quite low level hacking procedure. People do that all the time and it's not even hard, I recall there are applications that do that for you. Point is, that your code is never safe with this kind of approach on MTA.

Link to comment
