• Making scripthook not work on your server
  • Hello, so there is a script that has been going around for a while now called Scripthook which pretty much, when injected into your game, will download all of a server's clientside files upon joining. This is annoying since most of my custom VGUI panels have to be clientside, meaning people can take these and reverse engineer them into their own creations. Currently when I scripthook my own server it gives me the following paths with client side files... [IMG]https://i.imgsafe.org/ee9e918c4d.png[/IMG] Inside the gamemode folder it has all client files and when you open them it shows the actual code from them. On another server I know, when you scripthook their server it gives you only the gamemode folder, but all the client files which were downloaded have loads of random text inside of them instead of the real code. I just wanted to know if anyone knew how they did that since it would be much appreciated. Thanks :D
  • [url]https://github.com/darkjacky/pwnscripthook[/url] Don't expect your clientside files to be completely secure. After all, they have to be sent to the client in order to be executed. Someone who wants to reverse engineer your stuff can just decrypt the cache and get the files from there, but most use scripthook because it organizes everything so they can just put it on their server. In addition, the fact that scripthook is unreliable and can be easily fucked with is a well known fact. There's a chance someone will release a fixed version (creator posted source code somewhere).
  • [QUOTE=maksimiljan;51983797][url]https://github.com/darkjacky/pwnscripthook[/url] Don't expect your clientside files to be completely secure. After all, they have to be sent to the client in order to be executed. Someone who wants to reverse engineer your stuff can just decrypt the cache and get the files from there, but most use scripthook because it organizes everything so they can just put it on their server. In addition, the fact that scripthook is unreliable and can be easily fucked with is a well known fact. There's a chance someone will release a fixed version (creator posted source code somewhere).[/QUOTE] I will take a look at that GitHub post. Thanks man!
  • [QUOTE=LucasStone;51983809]I will take a look at that GitHub post. Thanks man![/QUOTE] Do so, but know that the concern someone will just reuse your code is trivial. Skids will always be skids, and if someone is so bad at coding they have to steal menus I don't think they'll know how to code the serverside part of it. What I'm trying to say is, don't go to extreme measures to protect your server (such as sending all your code in one massive chunk and executing it with RunString) because you'll simply be wasting your time.
  • [QUOTE=maksimiljan;51983834]Do so, but know that the concern someone will just reuse your code is trivial. Skids will always be skids, and if someone is so bad at coding they have to steal menus I don't think they'll know how to code the serverside part of it. What I'm trying to say is, don't go to extreme measures to protect your server (such as sending all your code in one massive chunk and executing it with RunString) because you'll simply be wasting your time.[/QUOTE] I took a look at this script from GitHub and it appears it completely stops all client files from being sent causing my gamemode to not even function correctly xD. You mentioned something about being able to send everything in one chunk using RunString. Is there a GMod Wiki page explaining this? I know it seems extreme these depths I'm going to protect client files but I believe they are just as valuable as server side. [editline]19th March 2017[/editline] Nevermind my bad! I just checked its code lol it only stops sending client if the person joining is running scripthook [editline]19th March 2017[/editline] I think a simple tweak making it perma ban the person will be needed to make this 100% enforceable.
  • [QUOTE=LucasStone;51984156]I took a look at this script from GitHub and it appears it completely stops all client files from being sent causing my gamemode to not even function correctly xD. You mentioned something about being able to send everything in one chunk using RunString. Is there a GMod Wiki page explaining this? I know it seems extreme these depths I'm going to protect client files but I believe they are just as valuable as server side.[/QUOTE] There's no wiki page you can copypaste from, and unless you want to change the addons so that they don't rely on include I wouldn't advise doing it. A lot of work and in the end, useless. Simple script like the one I linked should keep the skids away, if you really value your clientside scripts for some reason just install !cac so people don't just print out the code (you should have it on your server anyways) and send them via runstring. The general concept is to send the code via net or retrieve it from a website then just RunString it, simple as that. You can also include a data folder in your addon, put encrypted code there and only send the decryption key via net. You can't stop anyone dedicated to stealing your files but you can stop the village idiots. [editline]20th March 2017[/editline] Fuck, ninja'd
  • People can steal the code without scripthook. All they have to do is decrypt the cache, which there are many free programs that do, this can not be stopped.
  • Atlaschat makes it not work. There is a file named cl_expression.lua which has a line with 1000+ words in it like [CODE]local EMOTICONS = ....[/CODE] and it crashes the client who is trying to hook scripts. There is still a solution that you prevent this file from loading so you will have the files without being crashed.
  • [QUOTE=MaxT09;51984634]People can steal the code without scripthook. All they have to do is decrypt the cache, which there are many free programs that do, this can not be stopped.[/QUOTE] As this guy said, if the code exists on the client (which it has to in order to be run) you really cannot prevent them from reading it. Scripthook is just one of many ways to do this, and scripthook itself is a simple thing to create, so even if you protected against scripthook, if people wanted your stuff that bad they would just use/create an alternative.
  • There really is no use in doing this, the best you can do is find anything you want to keep somewhat hidden and RunString it and make its source un-writable. As for storing that string somewhere other than your clientside code there are several ways. You could also obfuscate your code to make it more difficult to read should they steal it but in the end there is always a way to do it and there's nothing you can do about that. Also any changes you would make to stop stealing it could just be stopped from ever being created on the client since the client can control the load order of the scripts.
  • [QUOTE=TrailerDorken;51987541]RunString it and make its source un-writable.[/QUOTE] You can literally just print _SCRIPT and/or save _SCRIPT to a file with file.Write to stop that.
  • [QUOTE=txike;51987552]You can literally just print _SCRIPT and/or save _SCRIPT to a file with file.Write to stop that.[/QUOTE] You can, but it would keep some of the idiots that simply download and inject and then try to pay someone to fix it from taking it.
  • [UPDATE] We modified the GitHub script and made it permanently ban people when they try. It also replaces all the text in their Client Lua with "GET FUCKED". As for the RunString, I am yet to have a look into this. I will also take a look at making the code harder to read using your suggestions. Thanks for the responses. [editline]20th March 2017[/editline] As for the Atlas Chat response. It's all good, we made our own chat system so that does not affect the Script :)
  • If a client is using Scripthook you can overwrite any .lua file they have using '../' to escape the current folder. If you wanted you could even create a file on their desktop with a nice message inside.
  • [QUOTE=txike;51988093]If a client is using Scripthook you can overwrite any .lua file they have using '../' to escape the current folder. If you wanted you could even create a file on their desktop with a nice message inside.[/QUOTE] Even better put 1000 files on their desktop with a nice message inside ;) XD Also, I thought it can only manipulate files inside the game folder?
  • You won't get anywhere with putting shit on the desktop, however you can overwrite the lua files used for singleplayer and scripthook.lua (the file used to control scripthook) to make them do whatever you want.
  • TBH, if you're doing this to prevent people from using scripthook to get your clientside lua, you're A) Wasting your time, and B) Being a huge douche for fucking people over like that, which is probably against the TOS. People with common sense WILL be able to steal your clientside lua, you're never going to be able to stop it.
  • [QUOTE=RileyGuy1000;51989205]TBH, if you're doing this to prevent people from using scripthook to get your clientside lua, you're A) Wasting your time, and B) Being a huge douche for fucking people over like that, which is probably against the TOS. People with common sense WILL be able to steal your clientside lua, you're never going to be able to stop it.[/QUOTE] Going on what this dude said: any bozo with any slight coding knowledge can make their own file stealer.
  • Man I want to see this 'amazing, epic, super omg special proprietary' clientside VGUI. You realize you don't even need a 3rd party tool to get at client lua, right? Nothing you care about should be in clientside code, especially not simply AddCSLuaFile'd.
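The point made in the post above, that nothing of value should depend on clientside code staying private, comes down to keeping every decision on the server. The following is an added example, not code from this thread or from any addon mentioned in it; the `shop_buy` message name, the `ITEMS` catalog and the `balances` table are assumptions made for illustration. A copied VGUI panel can only send an item id, and the server decides everything else.

```lua
-- Server-only file: never passed to AddCSLuaFile, so it is not sent to clients.
-- Constructed catalog; prices exist only on the server.
local ITEMS = {
    medkit = { price = 250 },
    armor  = { price = 800 },
}

local balances = {}     -- hypothetical money store, keyed by SteamID64
local lastRequest = {}  -- time of each player's last purchase request

-- Decide a purchase from server state alone. The only client-supplied value
-- is itemId, and it is treated as untrusted input.
local function validatePurchase(balance, itemId, now, lastTime)
    if type(itemId) ~= "string" or #itemId == 0 or #itemId > 32 then
        return false, "malformed request"
    end
    if lastTime and now - lastTime < 1 then
        return false, "rate limited"
    end
    local item = ITEMS[itemId]
    if not item then return false, "unknown item" end
    if balance < item.price then return false, "insufficient funds" end
    return true, balance - item.price
end

if SERVER then
    -- Garry's Mod binding: the client panel sends only an item id.
    util.AddNetworkString("shop_buy")
    net.Receive("shop_buy", function(len, ply)
        local id, now = ply:SteamID64(), CurTime()
        local ok, result = validatePurchase(balances[id] or 0, net.ReadString(), now, lastRequest[id])
        lastRequest[id] = now
        if ok then balances[id] = result end
    end)
else
    -- Outside the game (plain Lua): constructed requests that a copied or
    -- modified client panel might send.
    print(validatePurchase(1000, "armor", 10, nil))      -- valid request
    print(validatePurchase(100, "armor", 10, nil))       -- price is not the client's choice
    print(validatePurchase(1000, "admin_gun", 10, nil))  -- id not in the catalog
    print(validatePurchase(1000, "medkit", 10.2, 10))    -- repeated request within one second
end
```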
  • This still doesn't solve the problem, they can just not load that file and continue to steal.
  • [QUOTE=Promptitude;51989433]This still doesn't solve the problem, they can just not load that file and continue to steal.[/QUOTE] Put it in init.lua :v:
  • [QUOTE=txike;51990973]Put it in init.lua :v:[/QUOTE] don't load init.lua :)