Hi! This month we’ll focus on the recent developments around the escrow feature. We’ve got more updates lined up for next month.
Asset escrow status
Last week we posted a notice about an escrow exploit. On Saturday we released a patch improving the security of your resources. Today we’ll share more details on all events and how we are mitigating the exploit.
We do ask everyone to stay polite and constructive in your comments. A good part of our community benefits from such a system and we therefore put effort into making it better. The comments are not meant to discuss whether you agree or not with the feature, nor are they the place to start controversy. If you have any direct concerns or sensitive feedback, message @frenzy-renegade directly.
Summary of events
In the second week of July, a proof of concept for dumping the bytecode of escrowed resources was published on GitHub. It worked by modifying the server binaries and intercepting calls made into the Lua interpreter. This made it possible to dump the Lua script environment once it was already loaded in memory; in other words, in the step after decryption.
At this point, you only have the bytecode of a resource, and only of its Lua code; your 3D models were never affected. Note that we mention bytecode here: this is not source code. At no point was your source code exposed. Bytecode is the compiled form of a script that the Lua VM runs, and it is not human-readable. You still need a decompiler to turn this into usable code.
Because the community had already made the effort to modify an open-source Lua decompiler to make it compatible with the FiveM Lua 5.4 implementation, decompiling the bytecode turned out to be fairly trivial. The resulting code was nowhere close to the original and relatively unreadable, as it came from compiled bytecode. However, it was runnable.
Other community members quickly caught up with the above method, and so it wasn’t long before it was brought to our attention. As soon as we heard of it, which was later that same week, it was immediately an all-hands-on-deck situation. On the Monday following the event, we acknowledged the issue and informed the community we were working on it.
What we changed
On Saturday a patch was released to mitigate the issue. The fix encompasses various changes to how the escrow feature works:
- Server-side and client-side code now use different encryption keys, which means that newer client-side code can no longer be dumped with merely a modified server binary. Existing resources are automatically being converted to this new format; you don’t have to do anything.
- We shuffled around some server-side code involved in loading resources to slightly complicate use of the dumping tool in the near future.
- We improved our monitoring tools to be more vigilant of pirated code, some of which is now being automatically reported to us.
- We blocked numerous servers found to be running pirated assets.
If you find your content to be illegally acquired anywhere, report it immediately or send an email to compliance@cfx.re. A key point of the escrow system is that it keeps a ‘paper trail’ so we can act on reports and build future detections a lot faster.
Next steps
On top of the already implemented changes, we will also be working on the following:
- Obfuscation. We are working on making decompilation more complex, which means that even if you access bytecode, it will take additional work to decompile it or to modify a decompiler to support it.
- Continued monitoring. We are actively investigating servers through different methods. Using our database, we can identify which servers are using pirated content.
- Model obfuscation. We are investigating recent claims of model encryption/obfuscation being ‘broken’, and will respond appropriately. Again, the ‘paper trail’ here helps immensely in our effort.
- A way to report exploits privately and get rewarded for it. According to the author of the proof of concept, they just wanted to bring the issue to light with us. However, by doing so publicly, you put other people at risk. If this turns out to be possible from an accounting and legal perspective, we will be setting up a way to report issues to us directly in a private manner, and we will offer some amount of bug bounties.
How asset escrow helps creators and developers
No encryption of this kind can be made uncrackable, since on an open system such as a standard Windows/Linux PC, anyone can effectively run any code. It’s a matter of making it as difficult as possible for bad actors, while also implementing the tools to actively monitor for resource theft. That’s how the asset escrow feature helps content creators. Thanks to these tools we are able to crack down on any servers using illegally acquired code, which would not be possible with custom systems that do not offer an end-to-end solution including client-side platform support.
If you found your server to be blocked over the past couple of days for using pirated content, this is our monitoring in effect. Cfx.re has a zero-tolerance policy against resource theft and it is your responsibility to ensure that all resources on your server are acquired from the rightful owner and that none of the content on your server is stolen/leaked.
Conclusion
There is no doubt that this was an unfortunate event. No encryption is foolproof, but we built the escrow system in a way that even in these events we are able to act on abuse and protect your content. If you need any help, message us any time.
To summarize:
What did happen:
- A modification to the server binaries made it possible to dump Lua bytecode.
- The decompiled version of that bytecode was runnable.
What did not happen:
- No source code was exposed. Only Lua bytecode was accessed and subsequently decompiled.
- 3D models were not exposed. Streamed assets follow a different encryption method, unrelated to Lua code.
- The escrow feature was not “cracked”. The bytecode was dumped from memory. Your original code was not affected, and the escrow system is also designed to enable and simplify steps that happen after people decompile or decrypt code.
What do you need to do:
- If you find your content to be illegally acquired anywhere, report it immediately.
- Your resources are automatically being converted to the new encryption format, so you don’t have to do this. Any new uploads will also make use of the new format.
- You don’t have to do anything else.
Coming soon
With the above taking up much of the month’s priority, we’ll publish more details on the following for August:
- Next GTA DLC: As usual, everyone will be anticipating the latest upcoming DLC. More info whenever this drops.
- Keymaster update: You may have seen it already, but Keymaster has received some stylistic updates to make it easier to navigate.
- New main menu UI: Nearing completion, our in-game UI is going to be more performant than ever. Now written in React paired with some very nice theme updates, we’re looking forward to a release soon.
That’s it for now folks!