Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Make loading embedded lua scripts optional #3872

Open
1 task done
nweb opened this issue Nov 26, 2024 · 11 comments
Open
1 task done

Make loading embedded lua scripts optional #3872

nweb opened this issue Nov 26, 2024 · 11 comments
Labels
enhancement New feature or request

Comments

@nweb
Copy link
Contributor

nweb commented Nov 26, 2024

Is your feature request related to a problem? Please describe.

Embedded lua scripts are loaded for each resource before your scripts, allowing lua injectors to call their addDebugHook first and control subsequent code behavior without modifying your scripts or introducing new ones.

Describe the solution you'd like

Add a parameter to the server config to allow not loading these in-line scripts on both the client and server sides.

Describe alternatives you've considered

No response

Additional context

Also please note that the only function used in server releases in these scripts is a layer above the call (exports.lua), but this is a pointless technique in my opinion, and the server owner has the right not to load the memory with useless layers.

Security Policy

  • I have read and understood the Security Policy and this issue is not about a cheat or security vulnerability.
@nweb nweb added the enhancement New feature or request label Nov 26, 2024
@CrosRoad95
Copy link

Add a parameter to the server config to allow not loading these in-line scripts on both the client and server sides.

It can not be done because it forces you to update an entire server. Maybe it will work for small, new server but not for servers that are actual targets for cheaters.

@nweb
Copy link
Contributor Author

nweb commented Nov 26, 2024

Add a parameter to the server config to allow not loading these in-line scripts on both the client and server sides.

It can not be done because it forces you to update an entire server. Maybe it will work for small, new server but not for servers that are actual targets for cheaters.

If the server owner is interested in fighting cheaters, it is not a problem to modify the method of calling exported procedures.
I don't understand the need for these built-in scripts, it would have been possible to do without them, or to build them into the source code, or at least to store them in compiled form.

@CArg22
Copy link

CArg22 commented Nov 26, 2024

If the server owner is interested in fighting cheaters,

it is dutchmans101 duty

@TracerDS
Copy link
Contributor

If the server owner is interested in fighting cheaters,

it is dutchmans101 duty

No. No its not.

@CArg22
Copy link

CArg22 commented Nov 26, 2024

If the server owner is interested in fighting cheaters,

it is dutchmans101 duty

No. No its not.

I have seen that cheaters are using directly c++ functions. How are you going to detect if given trigger was triggered by cheater?

@TracerDS
Copy link
Contributor

I have seen that cheaters are using directly c++ functions. How are you going to detect if given trigger was triggered by cheater?

They can use assembly, doesnt matter. After all, MTA Client as a whole is fully accessible to the cheater.
You can only detect so much. Still, up to this point we have an amazing AC that catches most predators (😏) despite the AC being not really a kernel level AC as we know it (unless something changed).

@CArg22
Copy link

CArg22 commented Nov 26, 2024

It is not good enough. Dropped doing my server because of cheaters with slurs instead of serial were crashing my server over and over

@TracerDS
Copy link
Contributor

It is not good enough. Dropped doing my server because of cheaters with slurs instead of serial were crashing my server over and over

Make your own account system and you dont have to worry about serials no more

@Nico8340
Copy link
Contributor

They can use assembly, doesnt matter. After all, MTA Client as a whole is fully accessible to the cheater. You can only detect so much. Still, up to this point we have an amazing AC that catches most predators (😏) despite the AC being not really a kernel level AC as we know it (unless something changed).

MTA also has a kernel level anti-cheat (FairplayKD)

@TracerDS
Copy link
Contributor

Welp, nvm it then.

@Nico8340
Copy link
Contributor

My personal opinion, as someone with more insight into this situation, is that this feature would be almost useless, the only thing we would achieve with it is that panicked server owners would disable these embedded scripts that are often used (iprint, exports) and break their compatibility, which can cause problems for incompetent or novice developers, while this change would not increase security in any way, because cheats simply do not work that way, but hook functions that they can modify and use at their own will, and this is difficult to control directly from the code, and in fact, it cannot be completely prevented.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request
Projects
None yet
Development

No branches or pull requests

5 participants