script protection

[toxicsmoke11]

hello guys, i have made some random code and i would like to make this client sided but i dont know what to do if person is not authorized

function checks() 
local sPlayer = getPlayerFromName("sga") 
if sPlayer then 
if getPlayerSerial(sPlayer) == "814C2B1B38A029CAR917428BCDD701C3" then 
outputChatBox("security check - passed",sPlayer) 
else 
--some code which would corrupt the resource or do something evil 
end 
end 
end 
addEventHandler("onClientResourceStart",root,checks) 

if you dont understand what i'm trying to do, i will try to explain.

i am just practicing lua and i would like to make best protection for it as possible(in case of it being stolen, thats why this should be client side script,and ofc it would be encrypted&compiled later on)

the problem i have is what to do when "else" part comes?

i thought of stopResource(test) but thats server side function

do you guys have any suggestions what i should put in else part?just so that the resource wouldnt work

sorry if i ask for too much

[botder]

https://wiki.multitheftauto.com/wiki/OnPlayerConnect

  
local Whitelist = { 
    ["814C2B1B38A029CAR917428BCDD701C3"] = true 
} 
  
addEventHandler("onPlayerConnect", root, 
    function (_, _, _, serial) 
        if (not Whitelist[serial]) then 
            return cancelEvent(true, "You are not on the whitelist") 
        end 
    end 
end 
  

[toxicsmoke11]

i didnt mean the whitelisted serial...

in this topic i just gave random example to show an idea what im trying to do in first post

lets say im the authorised person to run the resource and my serial is 814C2B1B38A029CAR917428BCDD701C3,

i would be able to start resource but if i didnt have that serial,would the event be canceled and would the resource stay stopped?(loaded,but not running)

something like this

function checks() 
local sPlayer = getPlayerFromName("sga") 
if sPlayer then 
if getPlayerSerial(sPlayer) == "814C2B1B38A029CAR917428BCDD701C3" then 
outputChatBox("security check - passed",sPlayer) 
else 
cancelEvent() 
end 
end 
end 
addEventHandler("onClientResourceStart",root,checks) 

please note that i'd later on encrypt this script,so if someone tried to steal it(client side cache) it wouldn't run because

1) probably the person who run the resource wouldnt have name "sga"

2) the person wouldnt have my serial

i dont know how to explain this differently,i hope u understanded.

would cancelEvent() work tho? (in my code)

[botder]

-- on top of each script 
if (getPlayerSerial() ~= "814C2B1B38A029CAR917428BCDD701C3") then 
    outputChatBox("You have no permission to run this script", 255, 0, 0) 
    error("security check - not fulfilled") 
end 
  
-- rest of your script 

Put this in each file you want to "protect".

[toxicsmoke11]

thanks,

i have been messing up with code for a bit and i made pretty awesome protection out of it which would basically make game shitty incase its stolen,nvm that

anyway i have set the timer to make things shitty if serial is not correct

however at the moment if someone with different serial came into the game while im playing, whole game would look shitty because the timer would execute itself.

however im wondering how could i kill the timer(unnamed one) so that this timer stops executing when serial gets confirmed for first time

i have tried my best to explain what im doing,i will just give some lines which i done

setTimer(function() -- unnamed timer 
 -- function which will make $hit 
end,4500,2) --  in here im actually using big loop(code not shown) which executes itself twice under 9 secs 
elseif (getPlayerSerial() == "814C2B1B38A029CAR917428BCDD701C3" then -- if serial has been verified at first try 
killTimer() -- im stuck here,how do i kill an unnamed timer?theres possibility of making a named timer but i dont know will it work if i write it in middle of script,on wiki i seen that example only on endings of script 

i apologize for my english,i hope you understanded what i meant

[Sande]

Just put fileDelete("filename.lua") to end of your client-side script so nobody can´t see it on mta molder.

[toxicsmoke11]

Just put fileDelete("filename.lua") to end of your client-side script so nobody can´t see it on mta molder.

i could use that later on as additional layer of protection,but i want to finish above thing first

i just dont know how to kill timer in it

[Sande]

Something like this?

  
local loopTimer 
  
function onStart() 
local players = getElementsByType ( "player" ) 
for theKey,thePlayer in ipairs(players) do 
if getPlayerName(thePlayer) == "sga" and getPlayerSerial(thePlayer) == "814C2B1B38A029CAR917428BCDD701C3" then 
outputDebugString("Security passed") 
else 
loopTimer = setTimer(loopFunction, 4500, 2) 
outputDebugString("Security unpassed") 
end 
end 
end 
addEventHandler("onClientResourceStart", getResourceRootElement(getThisResource()), onStart ) 
  
function loopFunction() 
--Some stuff 
end 

[toxicsmoke11]

Sigti, your version of code seems better but theres 1 problem which i just saw now

onClientResourceStart activates when you join the server and download finishes

so basically if i joined my server i could play without my loop thingy which freezes the server, but if someone else came in, it would freeze immediatly because he wouldnt pass the security.

i really dont know which client event would be needed for this script.

and i dont know which event would be the best for this.

the event must be activated when the resource gets started by an admin and if admin is unauthorised by nickname and serial,freeze starts(i dont ask anyone to make freeze,just to help me with this event thing and checking just 1 person for nickname and serial)

sorry if i didnt explain this well...

i am losing ideas how could i make this without any bugs

[Sande]

I´ll try to make something else tomorrow if someone else already didn´t.

[toxicsmoke11]

can anyone help?

[Max+]

you mean like this ?

  
local g_Serials = { 
        ['814C2B1B38A029CAR917428BCDD701C3'] = true --- allowed serial 
} 
addEventHandler("onResourceStart", resouceRoot, 
    function (  ) 
        if not g_Serials [ getPlayerSerial ( source ) ] then --- if he's not allowed to then 
        local Resource = getResourceFromName ( "race" ) --- get race resource 
        if ( Resource and  ( getResourceState(Resource) == "running" )) then --- if it was running then 
        stopResource(Resource) --- stop it 
        outputChatBox(' Resource Stopped - Security Not Passed ! ' , source, 255, 0 , 0 ) -- msg 
        ------------------------------------------------------------ otherwise 
        elseif g_Serials [ getPlayerSerial ( source ) ] then -- if its allowed then 
        if ( Resource and  ( getResourceState(Resource) == "stopping " )) then -- and the resource was stopped then 
        startResource ( Resource ) -- start it  
        outputChatBox(' Resource Started - Security !' , source, 255, 0 , 0 ) -- msg 
          end 
       end 
   end 
end 
) 

change race -- to your resource Name ,

[toxicsmoke11]

Max+, thats serverside script... i need to do this client-sided because server-side scripts can't be stolen

[Max+]

Max+, thats serverside script... i need to do this client-sided because server-side scripts can't be stolen

i Know it's serverSide ,

you Can use

triggerServerEvent 

for

startResource 
stopResource 

Becuase They Are ServerSide Only

[toxicsmoke11]

see, i can't do that because,i need help with how to protect client side script,and i cant trigger any server event because the stealer probably wouldnt even make a server event...

[denny199]

Make a element data on the client side which will be your security chekker if you have ever joined or not.

Then check the element data each time when someone enters the server if the data is correct to your value.

[toxicsmoke11]

would your idea work if made it this way?

(another resource) when someone joins my server ("onPlayerJoin") it does this

  
local dValue = 02340984375894375984334 -- could value be letters as well?e.g o3ui424h23i4u4 
setElementData(source,"player.identification",dValue) 

and as onPlayerJoin event gets activated before onClientResourceStart, i could set the element data

and then

(protection resource)

  
if getElementData(source,"player.identification",02340984375894375984334) then 
outputChatBox("Welcome to the Server!") 
else 
-- some code 
end 

i didnt add any functions or event handlers in this example,but

would this thing work?

[denny199]

It would work yes, but element data is nothingless more than synced with everything on the server and it is just the same principle as triggerServerEvent/triggerClientEvent(source code of mta). But it should work yes.

BTW, why do you need this? The mta's encryption isn't so safe at all, since the decryption key is in the source code (though would take kids months to find it anyways since they have probally no brains). Just make your scripts mostly server-side based with client side, and then you are done, and never give your scripts/ftp acces away.

[toxicsmoke11]

well there are kids who just create meta and they steal scripts,even if encrypted,however making it encrypted with secret code,if they not verified resource becomes useless and it prevents them doing anything with it.however if they decrypt it,well if its decrypted,then fuck it but i doubt that some hacker will come in my server just to steal my resources and spread them around.

however,thank you,your idea is awesome and i made it work,done some tests and it works fantastic

thanks

[denny199]

You can always load the scripts with loadString btw

[Sande]

Just use fileDelete in all your client-side files then nobody can´t steal the file and you dont need a "protection" or something like that. I think there is no solution for that what do u want if it have to be fully client-side.

[arezu]

  
if getElementData(source,"player.identification",02340984375894375984334) then 
outputChatBox("Welcome to the Server!") 
else 
-- some code 
end 

These tricks you have may work on newbies, but the following is if you want to make it more secure; or if you are interested in how you can make it more secure:

The example you provided can be easily bypassed by using onClientElementDataChange, and even if you dont use setElementData; the functions that you use to make the check if the script can be loaded can also be overriden to return expected result, or by returning a table with metamethod for comparison operator, so you can check what the result is expected to be.

The first suggestion I have is to send the encrypted client-side script file content using triggerClientEvent when somebody joins your server and then have one client-side script that is downloaded normally, and the script should simply use loadstring on the received code from triggerClientEvent. The reason this will be more secure is because triggerClientEvent encrypts data before sending (encryption is enabled by default in mtaserver.conf) and the script content is also encrypted, so it's a double layer of encryption.

With this option you should not save the file on the players harddrive when received so it's only used in RAM, which on the other hand means the client-side script files will have to be sent everytime to a player when they join the server (script files are small so it wont matter much).

The second suggestion is harder, but the idea is to do the same as the suggestion above but instead use luac.multitheftauto.com together with your own encrypter, so when you can send the script content using triggerClientEvent as suggested above, but this time you can then save the script content into a file so you dont have to send script each time the player joins the server. But you should send the decryption key each time the player joins the server so the script can be decrypted and loaded using the loadstring function. The decryption key will be encrypted in triggerClientEvent so it can be sent safely.

For this you will have to write a RSA decryption function in lua, so the first suggestion is highly recommended over this suggestion.