LUA Injection

Miguel_Lopez · May 1, 2018, 10:33am

Hello, I’m a Developer of a Server in Fivem, lately we’re having problems with people who are injecting LUA code with external scripts like this: snip . I need help because the server is about Roleplay and these “hackers” are using this for add money to other accounts. The gamemode that we are using is EssentialMode with ESX. I hope your answer

IceHax · May 1, 2018, 10:48am

This is something FiveM devs can do absolutely nothing about… The only way to prevent this from happening is to fix ESX, which is FULL of vulnerabilities.

Syntasu · May 1, 2018, 10:51am

Only way you are going to combat this is by not assuming that every event is network safe.

alberto2345 · May 1, 2018, 10:52am

Based on that video, and like IceHax has said, esx seems to be scripted poorly and has relied on the client for things that should 100% be done server sided.
If you want to stop this from happening, either go through all the esx scripts and fix the vulnerabilities or stop using them altogether.

Syntasu · May 1, 2018, 10:53am

Or make a pull request to the esx_* repositories, so other people don’t suffer from this fate either.

alberto2345 · May 1, 2018, 11:13am

That would definitely be the desired case if the Miguel goes with fixing the issues.

SaltyGrandpa · May 1, 2018, 11:44am

I’m working on a gutted version of ESX that will fix a lot of this (for my use case). It’s a heavy framework with a lot of code I don’t need. I’ll throw my “version” on GitHub once completed for people that want a lightweight version, though I guarantee it will break resources for lots of people so it will be with no support.

Syntasu · May 1, 2018, 11:45am

Why not start from scratch and make your own? Semi-porting everything to “your version of ESX” seems like a hassle.

SaltyGrandpa · May 1, 2018, 11:58am

That’s the end goal. When I started programming FiveM, I went the easier route and chose to not reinvent the wheel and use ESX. Now that I’ve found that wheel to be slightly wobbly, I want to make it work for now. And then as time allows, make my own lightweight framework. That just would require a rewrite of several of my resources, and I don’t have the time right now between work and starting master’s classes

Dominic1337 · May 1, 2018, 8:39pm

Make sure you are handling everything player related (money, inventory, etc) server side.

Hawaii_Beach · May 5, 2018, 7:06am

How stable do you think ESX is when basicly no one is contributing anything? I’m the only maintainer at the moment as the other developers got sick and tired of people who use ESX, improve all aspects of it and don’t contribute jack shit back.
What I mean is that ESX has bigger problems if there’s no maintaining it, I’ve been pumping out commits like a horse but there’s so much more I’d like to improve (hi reality). I hear way too many people who say that they got an bug fix for x, but are not willing to share their information, which kinda kills my motivation working in the FiveM community as this is it has become: a forum full with inexperienced people spamming away and developers not sharing anything.

Coming to the abuse of triggers, the real fix is to move heavy things to server side, which is a lot of functions and scripts. You can also develop a program that scrambles trigger names if you want em’ scambled.
One guy I know manging a rather big RP community even made so that if you attempt to call the old trigger names you get banned instantly.

Tanoshi · May 5, 2018, 8:07am

Yeah i agree with this. i came from gmod after 6 years on running severs there and the community is the same. and it sucks to see it coming over to FiveM. but as for help with ESX i haven’t changed much in the core but for resources i have a few fixes for different ones that i need to make a pull request for them.

IceHax · May 5, 2018, 1:10pm

i made some prs to esx, but no one checks the github anymore, it’s a dead project, they will never be merged unfortunately

SaltyGrandpa · May 5, 2018, 1:32pm

That’s actually a really smart approach. If I can get a working program for this, I’ll release an anticheat resource.

Don · May 6, 2018, 4:06am

I really believe that it doesn’t matter what framework people are using, it matters what communities offer and how they run them. There will always be drama in every community.

I’m ready to help where it’s needed. I’m for open source because people have the ability to grow it. If we all worked together to help not only esx grow but the fivem community grow as a whole, better things will come of it.

It has always amazed me how smart people are when it comes to developing and coding like this. I’ve known several people from our community that has worked on private projects grow from not knowing shit to picking it up in a heartbeat. Unfortunately I am not one of those people lol.

Moral of the story, without these awesome developers working their ass off, there would be no community. So I praise all of you that have put in countless hours for a free project. Don’t let the shitlords tear you down, there are people like me out there that extremely appreciate all of the hard work that has been put into this project.

So from the EdgeGamers community we thank you entirely!

Hawaii_Beach · May 6, 2018, 5:09pm

Great @Gizz has developed an awesome fxserver-resource-scrambler

Miguel_Lopez · May 8, 2018, 10:08pm

This is a detector of LUA injections, isn’t it?

SaltyGrandpa · May 12, 2018, 6:46pm

Sort of. It gives all of your resources new event trigger names (randomized) and then listens for the old triggers. If someone uses an old trigger, it means it was injected, so you can then handle it however you want.

RowDog · May 12, 2018, 10:26pm

can’t injectors just inject natives though? just had someone attaching entities on my server

SaltyGrandpa · May 12, 2018, 10:38pm

Yeah, they could. The main goal (at least for me) is to prevent them from triggering server side actions and getting items, money, etc.