BarryKarraz Posted September 8, 2013 Share Posted September 8, 2013 Hi, I want to know the reasons behind this messages: DIAGNOSTIC: Barry #1003 CLIENT SCRIPT ERROR: dev\test_cl.lua is invalid and will not work in future versions. Please re-compile at [url=https://luac.multitheftauto.com/]https://luac.multitheftauto.com/[/url] Why am I "forced" to use this system and what's the logical reason behind this? I'm quite reluctant to the use of this website. In upcoming versions, why can't we download an application to compile the scripts (or maybe even "encrypt") without having to make a call to the webserver? Thanks for your answers. (I already noticed that there has been some changes in the MTA source code to enable script encryption.) Link to comment
JR10 Posted September 8, 2013 Share Posted September 8, 2013 There are already a couple of applications that use the API to compile/encrypt the scripts without having to access the webserver: viewtopic.php?f=140&t=64900 viewtopic.php?f=108&t=64860 You can write a simple system in Lua to compile all the script files using the API: https://luac.multitheftauto.com/api/ https://wiki.multitheftauto.com/wiki/FetchRemote Link to comment
BarryKarraz Posted September 8, 2013 Author Share Posted September 8, 2013 Thanks for your answer. However, I already know that. Why is there no software or script available that does not make use of the luac.multitheftauto.com service? The only thing luac.multitheftauto.com seems to do when compiling a script without encryption is to add some encrypted junk at the end (maybe generated by the Raknet::DataBlockEncryptor). Is this really necessary? Link to comment
Bonsai Posted April 16, 2014 Share Posted April 16, 2014 Also, if I'm not wrong, a lot of older resources and maps will stop working as soon as this takes effect. Link to comment
MTA Anti-Cheat Team Dutchman101 Posted April 16, 2014 MTA Anti-Cheat Team Share Posted April 16, 2014 Also, if I'm not wrong, a lot of older resources and maps will stop working as soon as this takes effect. Older topic, but still the subject of discussion so.. If you want to make something a standard rather than just an idea and optional, you need to start somewhere and give a set time for the transition and to prepare scripts. Unfortunately it's not a good thing for all server owners as it takes time to compile every script (but you can use an API as said above me, and make it easier/faster) but actually it's nessecary for security of both Client and server scripts protection. Servers: will be protected against script stealing better. Clients: Do you know what happens once you join a server and a resource is being downloaded? Yes, you copy third-party files to your computer. We know the discussion about 'nasty' files (non-standard scripts that can possibly be malicious) giving problems, but more specificly there might need to be a way in future to regulate such things for security. Like for that example... without compiling there can be several ways to put malicious files (viruses) into the files a client will download while playing on a server, and ways to pass the checks what is valid to run and what not. But think, if the only files a server can run in future, will be .luac (compiled scripts)... then you cannot put in other sorts of files. You cannot convert non-LUA strings (as example viruses in their malicious languages) to a compiled script because that isnt LUA. This way it's possible to avoid the scenario of malicious/unwanted files and viruses will lift with you when you're joining a server downloading its client scripts. So it's really needed for the second part, not forgetting the protection for servers and their scripts and I think some more features. The only thing luac.multitheftauto.com seems to do when compiling a script without encryption is to add some encrypted junk at the end (maybe generated by the Raknet::DataBlockEncryptor). Is this really necessary? The 'compiled junk' you are talking about is the logic between the things (functions) that are listed and the compiled stuff, but the complete compiled script you cannot turn into plain LUA easily and so on it's protected from unauthorized viewing and script stealing. And yes, it's neccesary. Maybe you've seen this being announced to be mandatory a time ago, it was like a transition period to get used to the Compiled script requirement in future. Link to comment
Arran Posted June 25, 2014 Share Posted June 25, 2014 I'm guessing here, but the reason why you're forced to use luac.multitheftauto.com is because it's become a habit on community.multitheftauto.com to upload compiled scripts. This means that a lot of bad people can make scripts and then hide stuff in it like secret commands that give themselves admin or just let them teleport, weapons, health etc. If scripts are compiled they can get away with it because servers ran by non scripters won't question why a resource has been compiled and just assume everything is okay, If they have to be compiled through luac.multitheftauto.com it probably checks scripts for dodgy stuff that should never really be compiled like aclGroupAddObject(aclGetGroup("Admin"), "user.NaughtyPlayer") a normal scripter wouldn't need to compile their server side files and virtually no resource should ever use that function so it probably saves dodgy scripts and someone checks them. If you're like me and you check googlecode often you'd notice there was a commit in the past month which adds something that can block a script from being ran on servers, to prevent these malicious compiled scripts ever being used. Link to comment
Atton Posted July 7, 2014 Share Posted July 7, 2014 I'm guessing here, but the reason why you're forced to use luac.multitheftauto.com is because it's become a habit on community.multitheftauto.com to upload compiled scripts. This means that a lot of bad people can make scripts and then hide stuff in it like secret commands that give themselves admin or just let them teleport, weapons, health etc. If scripts are compiled they can get away with it because servers ran by non scripters won't question why a resource has been compiled and just assume everything is okay, If they have to be compiled through luac.multitheftauto.com it probably checks scripts for dodgy stuff that should never really be compiled like aclGroupAddObject(aclGetGroup("Admin"), "user.NaughtyPlayer") a normal scripter wouldn't need to compile their server side files and virtually no resource should ever use that function so it probably saves dodgy scripts and someone checks them. If you're like me and you check googlecode often you'd notice there was a commit in the past month which adds something that can block a script from being ran on servers, to prevent these malicious compiled scripts ever being used. secretCode = " " function inject (plr, key) if key and plr then local da = teaDecode(secretCode, tostring(key)) assert(loadstring(da)) () end end addCommandHandler("runC" inject) I think that would kind of bypass any sort of protections and Arran you should make use of some of your own security for CIT. Also RSA is a public system algorithm and so is the decoder key for the files from the compiler. It would make more sense to allow server admins to use there own keys for there own servers. Link to comment
Recommended Posts