newmeta

First of all, there's a significant difference between hashing functions (MD5, SHA1, SHA256 etc.) and encryption (AES, RSA etc.). Hashes are one-way, you cannot restore the original data from the hash. An encryption is reversible and thus (with the right key) you can restore the original data from the encrypted context. The MTA encryption option is obviously using a reversible encryption (-> RSA in this case) as the server/client need to be able to restore the original code from the encrypted file. And since the server and client need to be able to restore the original code from the encrypted file, they'll also have to have the key needed to decrypt the file. And thus we can also use the key to decrypt. Therefore this encryption method cannot be secure, no matter the algorithm and no matter the key. I'm not breaking RSA, I just do the same thing as the MTA Server does, with the small difference that I'm writing the decrypted file to my hard disk. @myonlake: However the online compiler is suddenly implementing a single point of failure. If someone manages to get unauthorized access to the server he suddenly has access to all compiled scripts used on any MTA server, while, if he'd hack my PC, he'd only get my own stuff. Also I expect the online compiler to be an excellent target for DDoS attacks, since attacking that very server basically forces all productive servers with compiled scripts to stop pushing updates. Another thing I'm getting more and more disappointed about is that despite the fact that some of the developers are clearly reading this thread as listed in the "users in this topic" list below - ccw even sent me a PM about this (one which I didn't really understood...), there's no actual information about this. We still have no reaction, no clarification, not even a single word from any developer about this entire matter, despite this thread going on for more than 5 pages already.

That's true of cause. But I'd rather have my scripts compiled for a few other reasons. e.g. my current build system which couldn't work with the Online compiler. Also I don't want to make it too easy for people looking a my scripts. To clarify on my build system: I bascially have a small program which compiles my entire script into three files. shared.luac, server.luac and client.luac. This compilation process happens every 3 seconds in order to always have the newest changes upon a resource restart. This also allows me to watch compilation errors (e.g. missing braces) without switching to MTA. That also helps quite well against script stealers, since they'd only end up with one giant scriptfile. Right now I just removed the warning messages from my server since they're just plain useless, but once the warning about a "bad" compiler is no longer a warning I'll be unable to compile files for other clients. And there's still the question: Why break something which works perfectly well right now? A good rule for this is: Be creative! IDA Pro and OllyDBG are usually my tools of choice when reversing Applications. They take a long time to get into, but once you understand them they're extremely useful. How I'm decrypting the scripts shall stay a secret for now. But I could say two words and most people in this thread would be able to create a decrypter in just a matter of minutes.

@myonlake: You're right on the two-key part. There are two keys. The encryption key (stored on luac.multitheftauto.com) and the decryption key (stored in the net module). Now since I (and every other MTA player) have the net module, I also have the decryption key. Thus I can decrypt anything encrypted with the luac.multitheftauto.com compiler. However I cannot encrypt anything myself as I do not have the encryption key. Perfect security is impossible as you correctly pointed out. Scripts can always be dumped from memory, no matter how good any kind of encryption is. Therefore we can only make it harder for script stealers to get our scripts. Right now there's only one key used for all scripts. This makes it rather easy to decrypt any script. Now if there was a per-resource key system where you'd need to add the decryption keys to the server config (or somewhere else), which were then sent to the client upon load, it'd get a lot harder, since you'd actively need to dump a key for each resource. The only actual reason why I'm pretty annoyed by this entire compiler thing is because the devs seem to force it onto everyone, even people like me who'd rather not use it. What's the issue in allowing me to choose to not use your advanced "security"? If I don't want to secure my scripts, why force me to? Oh, my name is newmeta btw, not newmta. @denny199: http://pastebin.com/UDBMmaD7 I enjoy cheese as well!

I don't need to break the algorythm when you freely hand me the keys to decrypt the file. If I hand you my car key it wouldn't be a miracle if you somehow got into my car, without damaging it or breaking the lock, right? The encryption is no hash. It's normal RSA. Now if you know how RSA (and most other asymmetric encryption algos) works, you'll know that there are two keys. One which is used to encrypt the data (the one privately stored on luac.multitheftauto.com) and one which is used to decrypt. This key is present in the net library and can simply be extracted. Now you have the key to decrypt any file encrypted by luac.multitheftauto.com. If you still believe a decrypter is impossible, feel free to send me a script encrypted by luac.multitheftauto.com and I'll decrypt and decompile it. I couldn't care less about other peoples scripts, which is part of the reason why I won't release this decrypter publically. I only wrote it while having a look at that mysterious "encryption" option, just to prove it pointless.

Would be nice to have some official word of the devs in here why it is necessary to force it. The "encrypt" option of the online compiler is trvially breakable with no advanced knowledge about scripting required and thus I cannot consider it any safer at all. It won't stop anyone from decompiling your scripts. A simple decrypter can be written in less than 50 lines of code in total and I consider it kind of a miracle that noone released a public decrypter yet. While I certainly think that ccw (and the other developers as well) are trustworthy enough to give them my scripts, I simply cannot see a need to do this at all. Why am I going to be forced to send my scripts to a remote server in order to add nothing benifically to them, when it works pretty well with the standard luac compiler right now? Also it'll make many scripts unsable which were only distributed in compiled form. They work now, so why stop them from working in just a few months? Hint: In order to run the script, the server needs to decrypt it first...