[Ygzeb]

AVOIDING SCRIPT THEFTS & SCAMS

This thread is created to help new scripters and other people who want to protect themselves from scams and thefts.

INTERNAL PROTECTION:

How can I protect my script from being theft by a bad hosting company?

Simple, you have to take the following precautions:

- Never upload your PWN file, just AMX. Servers do not require from the PWN file to work.
- Use Anti-DeAMX to protect your AMX file:

Put this code inside your script (Out of a function or callback):

pawn Код:

AntiAmx()
{
new a[][] =
{
"Unarmed (Fist)",
"Brass K"
};
#pragma unused a
}

Put this code inside OnGameModeInit or OnFilterScriptInit:

pawn Код:

AntiAmx();

This will protect your script partially. Why partially? Because this prevents decompilation due to a bug in the decompiler; but there might be a version that fixed this bug.

ADDITIONAL PROTECTION:

How can I protect more my script?

- Use names that do not describe what your script is. For example if it is your admin system use another name... For example "Adm1" This will make difficult to know what your script is about.

* Only use this if you can memorize it, otherwise do not use it.

- Use secret commands (optional, at your own risk):

* I am not responsible of the bad use of this code; if a moderator thinks it is appropiate to delete it, I apologize and I will appreciate that he/she deletes it.

You can use commands to shut down a server that is using your stolen script:

pawn Код:

if(strcmp("/Exit", cmdtext, true, 10) == 0)
{
SendRconCommand("exit");
return 1;
}

* Obviously the secret command has to be more complex than "/Exit", like a second rcon. Also you should add something to know if someone uses this command inside your server, for example a message that says: "Server shutting down (Exit)..."

* If you use a secret command, you should use a command limit per second to avoid crackers.

* You are taking the risk that if someone looks at your AMX file they might be able to know your secret commands, it is at your own risk.

EXTERNAL PROTECTION:

* Choose a good host, not one administrated by 7-year-old kid.

How to identify a good host:

- Good orthography.
- Enough information.
- Good support.
- Good protection.
- Ask for opinions from customers.

You can find many hostings here.

* Also use a good password for your account, a difficult password.

How to create an easy to learn but difficult password? Use codes; for example... You love your pet and you want a password that expresses your love for it.

Basic information: I love my pet.
Password: 1L0v3MyP3t

Also you can improve your code (of your password) to make it even more difficult.

I hope this helps you, good luck

[seanny]

Pretty good, but what is someone has access to your code.inc and was also a developer for you?

[Kyance]

Quote:

Originally Posted by seanny Pretty good, but what is someone has access to your code.inc and was also a developer for you?

afaik you don't need to upload the includes, since they've been "added" in your gamemode.

[Nero_3D]

If you ever used deamx you should know that the code generated by that tool is pretty much useless

Putting code in includes is good for organizing but makes no sence if you want to "hide" it from deamx because if you compile your code it gets included in the amx aswell (therefor the name "include")

Using strange names for your code only hinders yourself

Adding "secret commands" only makes your sricpt more vulnerable not safer

[AndySedeyn]

Quote:

Originally Posted by Ygzeb Also you can improve your code to make it even more difficult.

I once read a quote and it sure fits the situation.

Quote:

The central enemy of reliability is complexity.

[Ygzeb]

Quote:

Originally Posted by Nero_3D If you ever used deamx you should know that the code generated by that tool is pretty much useless

It is not difficult to rebuild a script after using DeAMX.

Quote:

Originally Posted by Nero_3D Using strange names for your code only hinders yourself

It is optional; if the scripter is not able to memorize it, he/she should not do it.

Quote:

Originally Posted by Nero_3D Adding "secret commands" only makes your sricpt more vulnerable not safer

Obviously there is a risk, that is why you have to use a difficult command, not just "/Exit"... Something difficult like a second rcon, for example: /10919S31231e33579c11302r92832e12385t (not exactly that large, it is just an example).

It is risky not to use a secret command; if they steal your AMX file you will not be able to avoid them from using it.

Quote:

* Obviously the secret command has to be more complex than "/Exit", like a second rcon. Also you should add something to know if someone uses this command inside your server, for example a message that says: "Server shutting down (Exit)..."

Quote:

Originally Posted by Bible I once read a quote and it sure fits the situation.

Complex the password is, harder is to guess/crack it.

[AndySedeyn]

Quote:

Originally Posted by Ygzeb Complex the password is, harder is to guess/crack it.

You clearly stated in your tutorial that it's good to make your code as complex as it can get.
Unless someone credible backs you up on the rest, I have troubles believing any of this 'tutorial'.

[Ygzeb]

Quote:

Originally Posted by Bible You clearly stated in your tutorial that it's good to make your code as complex as it can get.

Quote:

Also you can improve your code (of your password) to make it even more difficult.

What I meant with "code" was the code that you use in your password to "codify" it.

Example:

Basic information: I love my pet.
Password: 1L0v3MyP3t (codification)

Sorry for not clarifying that at first.

Quote:

Originally Posted by Bible Unless someone credible backs you up on the rest, I have troubles believing any of this 'tutorial'.

Who is credible?

About Anti-DeAMX:

Thread 1:

Quote:

Originally Posted by ****** The fact that this prevents decompilation is due to a bug in the decompiler, but I believe there is a version that has this bug fixed. The patterns used can be further fooled by using state machines and #emit - though there may be an even more clever version that can ignore patterns it doesn't recognise and just put out #emit code. I don't know of any greater version, but that doesn't mean there isn't one in one of the less reputable communities.

Thread 2:

Quote:

Originally Posted by ****** That's, erm, interesting - nicely done. Clearly exploiting some form of bug, just hope they don't fix it.

Quote:

Originally Posted by sgtjones12 This is your GM / FS is being protected from DeAmx and if you try to decompile, it will only do this to: Code: #include <a_samp> #include <core> #include <float>

About hosts:

Thread 3:

Quote:

Originally Posted by KingJ Generally, the more expensive it is the higher the specification of the servers and higher quality of support. If you have more information about any of the hosts, know any more hosts or can fill in some Unknowns, post away. The SA-MP team make no endorsement of any of the hosts and we cannot guarantee that they'll be functional. We suggest that you research a host before deciding to use them and if the price is too good to be true, it probably is.

About passwords: Microsoft Guide

You can also test some things yourself.

[cessil]

to add on what nero_3d said variables do not keep their names when its compiled

in addition to the Anti-deAMX method I also used this at a random interval, since I had actual threats from my server host (the owner himself) that he would sell my scripts

this was made just to throw them off and make it more trouble to run then what it was worth, also set at a random interval to throw them off what could be causing it

pawn Код:

forward CheckLicencedServer();
public CheckLicencedServer()
{
    new servervars[64];
    GetServerVarAsString("gamemode0",servervars,sizeof(servervars));
    new errormsg[100];
    format(errormsg,sizeof(errormsg),"Script[gamemodes/%s.amx]: Run time error 19: \"File or function is not found\"",servervars);
    if(strcmp(servervars,"CSS",true))
    {
        print(errormsg);
        return SendRconCommand("exit");
    }
    GetServerVarAsString("weburl",servervars,sizeof(servervars));
    if(strcmp(servervars,"ptpmp.net/css",false))
    {
        print(errormsg);
        return SendRconCommand("exit");
    }
    GetServerVarAsString("filterscripts",servervars,sizeof(servervars));
    strdel(servervars,13,strlen(servervars));
    if(strcmp(servervars,"anticheat",false))
    {
        print(errormsg);
        return SendRconCommand("exit");
    }
    new pls = GetServerVarAsInt("maxplayers");
    if(pls != 60)
    {
        print(errormsg);
        return SendRconCommand("exit");
    }
    SetTimer("CheckLicencedServer",(TimeHour + random(TimeHour)) * (1 + random(5)),0);
    return 1;
}

this is from grandlarc being deAMX'd if anyone's interested

pawn Код:

//original
    // SPECIAL
    total_vehicles_from_files += LoadStaticVehiclesFromFile("vehicles/trains.txt");
    total_vehicles_from_files += LoadStaticVehiclesFromFile("vehicles/pilots.txt");
//deamx
    globFF8 = function90("vehicles/trains.txt");
    globFF8 = function90("vehicles/pilots.txt");

[Ygzeb]

Quote:

Originally Posted by Nero_3D Putting code in includes is good for organizing but makes no sence if you want to "hide" it from deamx because if you compile your code it gets included in the amx aswell (therefor the name "include")

Quote:

Originally Posted by ****** Other people have said it but you ignored them - includes are compiled in to your mode as one huge file, anyone who can decompile your AMX WILL get the code from the includes as well. The default ones like "a_samp" are handled specially, no custom ones are.

Wow, I did not know that about includes (sorry), editing the thread; thanks for feedback. I thought that this would happen as it is a decompiler of a whole script, but since I tested it with a basic script and saw that it included "#include <a_samp>" I thought this may happen with every include I used (that is why I ignored it at first).

Quote:

Originally Posted by ****** Misnaming things is a terrible idea - it handicaps only you and no-one else.

I am aware of that, if the scripter is not able to memorize it, he/she should not do it; otherwise it will help a little bit as it may confuse the stealer or discourage him/her.

Quote:

Originally Posted by ****** Secret commands are also a bad idea. If anyone does get hold of your script it is very simple to read even data in a compiled AMX without decompiling it, from which they can read all your commands including "secret" ones also on your server.

Secret commands can be good and bad, as they are a risk but also a good protection if someone steals your AMX file. That is why you need to put a message if your secret command is executed, so you change it if someone discovers it.

It is a good risk to take, as if someone steals your AMX file you will not be able to avoid them from using it. Some people may prefer taking that risk as it is more likely that they try to steal your script than actually looking at it for secret commands (most people ignore this, they just take the script and threat you). Also if someone discovers your secret command you can just change your command and your host, but if someone steals it, you can not do anything to avoid them from using it or selling it.

Thanks for feedback as this thread was done to help everybody and not to misinform people.