1. Post #1

    February 2017
    14 Posts
    Hello, so there is a script that has been going around for a while now called Scripthook which pretty much when injected into your game will download all of a server's clientside files upon joining. This is annoying since most of my custom VGUI panels have to be clientside, meaning people can take these and reverse engineer it to their own creations.

    Currently when I scripthook my own server it gives me the following paths with client side files...



    Inside the gamemode folder it has all client files and when you open them it shows the actual code from them.

    On another server I know when you script hook their server it gives you only the gamemode folder but all the client files which were downloaded have loads of random text inside of them instead of the real code.

    I just wanted to know if anyone knew how they did that since it would be much appreciated.

    Thanks :D

  2. Post #2

    July 2014
    70 Posts
    https://github.com/darkjacky/pwnscripthook

    Don't expect your clientside files to be completely secure. After all, they have to be sent to the client in order to be executed.
    Someone who wants to reverse engineer your stuff can just decrypt the cache and get the files from there, but most use scripthook because it organizes everything so they can just put it on their server.
    In addition, the fact that scripthook is unreliable and can be easily fucked with is a well known fact. There's a chance someone will release a fixed version (creator posted source code somewhere).

  3. Post #3

    February 2017
    14 Posts
    https://github.com/darkjacky/pwnscripthook

    Don't expect your clientside files to be completely secure. After all, they have to be sent to the client in order to be executed.
    Someone who wants to reverse engineer your stuff can just decrypt the cache and get the files from there, but most use scripthook because it organizes everything so they can just put it on their server.
    In addition, the fact that scripthook is unreliable and can be easily fucked with is a well known fact. There's a chance someone will release a fixed version (creator posted source code somewhere).
    I will take a look at that GitHub post. Thanks man!

  4. Post #4

    July 2014
    70 Posts
    I will take a look at that GitHub post. Thanks man!
    Do so, but know that the concern someone will just reuse your code is trivial. Skids will always be skids, and if someone is so bad at coding they have to steal menus I don't think they'll know how to code the serverside part of it.
    What I'm trying to say is, don't go to extreme measures to protect your server (such as sending all your code in one massive chunk and executing it with RunString) because you'll simply be wasting your time.

  5. Post #5

    February 2017
    14 Posts
    Do so, but know that the concern someone will just reuse your code is trivial. Skids will always be skids, and if someone is so bad at coding they have to steal menus I don't think they'll know how to code the serverside part of it.
    What I'm trying to say is, don't go to extreme measures to protect your server (such as sending all your code in one massive chunk and executing it with RunString) because you'll simply be wasting your time.
    I took a look at this script from GitHub and it appears it completely stops all client files from being sent causing my gamemode to not even function correctly xD. You mentioned something about being able to send everything in one chunk using RunString. Is there a GMod Wiki page explaining this? I know it seems extreme these depths I'm going to protect client files but I believe they are just as valuable as server side.

    Edited:

    Nevermind my bad! I just checked its code lol it only stops sending client if the person joining is running scripthook

    Edited:

    I think a simple tweak making it perma ban the person will be needed to make this 100% enforceable.

  6. Post #6

    July 2014
    70 Posts
    I took a look at this script from GitHub and it appears it completely stops all client files from being sent causing my gamemode to not even function correctly xD. You mentioned something about being able to send everything in one chunk using RunString. Is there a GMod Wiki page explaining this? I know it seems extreme these depths I'm going to protect client files but I believe they are just as valuable as server side.
    There's no wiki page you can copypaste from, and unless you want to change the addons so that they don't rely on include I wouldn't advise doing it. A lot of work and in the end, useless. Simple script like the one I linked should keep the skids away, if you really value your clientside scripts for some reason just install !cac so people don't just print out the code (you should have it on your server anyways) and send them via runstring.
    The general concept is to send the code via net or retrieve it from a website then just RunString it, simple as that. You can also include a data folder in your addon, put encrypted code there and only send the decryption key via net.
    You can't stop anyone dedicated to stealing your files but you can stop the village idiots.

    Edited:

    Fuck, ninja'd
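The "send the code via net, then RunString it" concept from post #6, as an added example that is not from the thread or from any addon mentioned in it. The `cs_payload*` message names and `myaddon/cl_panel.lua` are hypothetical, and as the replies point out, the client still receives the plaintext source.

```lua
-- Shared file: AddCSLuaFile'd and included on both realms.
-- Hypothetical names: the "cs_payload*" messages and myaddon/cl_panel.lua.
local MAX_BYTES = 60000 -- stay under the 64 KB net message limit

if SERVER then
    util.AddNetworkString("cs_payload_request")
    util.AddNetworkString("cs_payload")

    -- cl_panel.lua is never passed to AddCSLuaFile, so it is absent from
    -- the normal client Lua download and travels only in this message.
    local source = file.Read("myaddon/cl_panel.lua", "LUA")
    local packed = source and util.Compress(source)
    assert(packed and #packed <= MAX_BYTES, "payload missing or too large")

    local served = {} -- players already sent the payload this session

    net.Receive("cs_payload_request", function(_, ply)
        if served[ply] then return end -- ignore repeat requests
        served[ply] = true
        net.Start("cs_payload")
        net.WriteUInt(#packed, 16)
        net.WriteData(packed, #packed)
        net.Send(ply)
    end)

    hook.Add("PlayerDisconnected", "cs_payload_forget", function(ply)
        served[ply] = nil
    end)
end

if CLIENT then
    -- Ask only once the client is fully in game, so the reply is not lost.
    hook.Add("InitPostEntity", "cs_payload_request", function()
        net.Start("cs_payload_request")
        net.SendToServer()
    end)

    net.Receive("cs_payload", function()
        local packed = net.ReadData(net.ReadUInt(16))
        local source = util.Decompress(packed)
        if not source then return end
        -- handleError = false: RunString returns the error text instead.
        local err = RunString(source, "cs_payload", false)
        if err then ErrorNoHalt("cs_payload: " .. err .. "\n") end
    end)
end
```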

  7. Post #7

    August 2015
    16 Posts
    People can steal the code without scripthook. All they have to do is decrypt the cache, which there are many free programs that do, this can not be stopped.

  8. Post #8
    gmoddertr's Avatar
    December 2014
    113 Posts
    Atlaschat makes it not work. There is a file named cl_expression.lua which has a line with 1000+ words in it like
    Code:
    local EMOTICONS = ....
    and it crashes the client who is trying to hook scripts. There is still a solution that you prevent this file from loading so you will have the files without being crashed.

  9. Post #9
    0V3RR1D3's Avatar
    August 2014
    696 Posts
    People can steal the code without scripthook. All they have to do is decrypt the cache, which there are many free programs that do, this can not be stopped.
    As this guy said, if the code exists on the client (which it has to in order to be run) you really cannot prevent them from reading it. Scripthook is just one of many ways to do this, and scripthook itself is a simple thing to create, so even if you prevented against scripthook if people wanted your stuff that bad they would just use/create an alternative.

  10. Post #10
    TrailerDorken's Avatar
    February 2017
    12 Posts
    There really is no use in doing this, the best you can do is find anything you want to keep somewhat hidden and RunString it and make its source un-writable. As for storing that string somewhere other than your clientside code there are several ways. You could also obfuscate your code to make it more difficult to read should they steal it but in the end there is always a way to do it and there's nothing you can do about that.

    Also any changes you would make to stop stealing it could just be stopped from ever being created on the client since the client can control the load order of the scripts.

  11. Post #11
    txike's Avatar
    December 2016
    390 Posts
    RunString it and make its source un-writable.
    You can literally just print _SCRIPT and/or save _SCRIPT to a file with file.Write to stop that.

  12. Post #12
    TrailerDorken's Avatar
    February 2017
    12 Posts
    You can literally just print _SCRIPT and/or save _SCRIPT to a file with file.Write to stop that.
    You can, but it would keep some of the idiots that simply download and inject and then try to pay someone to fix it from taking it.

  13. Post #13

    February 2017
    14 Posts
    [UPDATE] We modified the GitHub script and made it permanently ban people when they try. It also replaces all the text in their Client Lua with "GET FUCKED". As for the RunString, I am yet to have a look into this. I will also take a look at making the code harder to read using your suggestions. Thanks for the responses.

    Edited:

    As for the Atlas Chat response. It's all good we made our own chat system so that does not affect the Script :)

  14. Post #14
    txike's Avatar
    December 2016
    390 Posts
    If a client is using Scripthook you can overwrite any .lua file they have using '../' to escape the current folder. If you wanted you could even create a file on their desktop with a nice message inside.

  15. Post #15

    February 2017
    14 Posts
    If a client is using Scripthook you can overwrite any .lua file they have using '../' to escape the current folder. If you wanted you could even create a file on their desktop with a nice message inside.
    Even better put 1000 files on their desktop with a nice message inside ;) XD

    Also, I thought it can only manipulate files inside the game folder?

  16. Post #16

    July 2014
    70 Posts
    You won't get anywhere with putting shit on the desktop, however you can overwrite the lua files used for singleplayer and scripthook.lua (the file used to control scripthook) to make them do whatever you want.
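The `../` overwrite described in posts #14 and #16 is a path traversal in the dumping tool: it writes files under names the server chooses. The block below is an added example, not from the thread or from Scripthook's source, of the containment check a file-writing tool needs before using such a name. `safe_join`, the dump root and the sample names are constructed, and the code is plain Lua 5.1/LuaJIT.

```lua
-- Resolve a server-supplied script name against a dump root, refusing any
-- name that would land outside it. safe_join is a hypothetical helper.
local function safe_join(root, name)
    if type(name) ~= "string" or name == "" then return nil, "empty name" end
    if name:find("\0", 1, true) then return nil, "NUL byte" end
    name = name:gsub("\\", "/") -- treat both separators alike
    if name:sub(1, 1) == "/" or name:match("^%a:") then
        return nil, "absolute path"
    end
    local parts = {}
    for seg in name:gmatch("[^/]+") do
        if seg == ".." then
            if #parts == 0 then return nil, "escapes root" end
            parts[#parts] = nil -- step back, still inside the root
        elseif seg ~= "." then
            parts[#parts + 1] = seg
        end
    end
    if #parts == 0 then return nil, "no file name" end
    return root .. "/" .. table.concat(parts, "/")
end

-- Constructed sample names, as a server might report them.
local samples = {
    "gamemodes/rp/gamemode/cl_init.lua",
    "addons/hud/../hud/cl_hud.lua",
    "../scripthook.lua",
    "a/../../other/file.lua",
    "..\\..\\note.lua",
    "C:/note.lua",
}
for _, name in ipairs(samples) do
    local path, why = safe_join("dump/example_server", name)
    print(name, path or ("REJECTED: " .. why))
end
```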

  17. Post #17

    July 2013
    96 Posts
    TBH, if you're doing this to prevent people from using scripthook to get your clientside lua, you're A) Wasting your time, and B) Being a huge douche for fucking people over like that, which is probably against the TOS. People with common sense WILL be able to steal your clientside lua, you're never going to be able to stop it.

  18. Post #18
    txike's Avatar
    December 2016
    390 Posts
    TBH, if you're doing this to prevent people from using scripthook to get your clientside lua, you're A) Wasting your time, and B) Being a huge douche for fucking people over like that, which is probably against the TOS. People with common sense WILL be able to steal your clientside lua, you're never going to be able to stop it.
    Going on what this dude said: any bozo with any slight coding knowledge can make their own file stealer.

  19. Post #19
    Puzzle's Avatar
    September 2012
    287 Posts
    Man I want to see this 'amazing, epic, super omg special proprietary' clientside VGUI. You realize you don't even need a 3rd party tool to get at client lua, right? Nothing you care about should be in clientside code, especially not simply AddCSLuaFile'd.

  20. Post #20
    Promptitude's Avatar
    November 2015
    220 Posts
    This still doesn't solve the problem, they can just not load that file and continue to steal.

  21. Post #21
    txike's Avatar
    December 2016
    390 Posts
    This still doesn't solve the problem, they can just not load that file and continue to steal.
    Put it in init.lua

  22. Post #22
    Promptitude's Avatar
    November 2015
    220 Posts
    Put it in init.lua
    don't load init.lua :)