Hackers Wanted

Binary_Coder

I have been working on a collaboration project with @Jibberjay to improve Vault. Using one of Owokoyo's methods we were able to make a new, improved security library that can block both Game Lab and App Lab, called Radon.

Install Radon on a new game or app with the library ID: mILMRqN5JUzprsVSeETMmG-flKCQrwD1xnNqpBp5oE4

New Features

Full support for blocking the debug console in Game Lab and App Lab. Using a project in any way other than presentation mode will cause it to crash.
Improved remix protection now allows you to disable startWebRequest() in App Lab. There's also a new option for crashing remixes.
New views counter (this was Jibberjay's idea) evades the "this project stores data" warning, so you can track views on a project secretly.
Game Lab projects automatically have data browser protection added. App Lab doesn't support it yet due to issues with the built-in browser.

gZany

Binary_Coder Hmm, I used the data browser to hack the keyvalues/tables... Was that what you meant by 'hack'?

gZany

Binary_Coder New views counter (this was Jibberjay's idea) evades the "this project stores data" warning, so you can track views on a project secretly.

Actually, very useful! Whenever the warning pops up it's not even a warning. Code.org might as well change the warning to say 'Please hack all of this project's data using this URL: data-browser.vercel.app'

Letti42

everybody making these elaborate security systems just for me to download your app and edit your code directly on my computer 😭

Letti42

gZany in the to-do list it says to create a block against data-browser so im sure they're working on that

Binary_Coder

gZany So in every project there are three main vulnerabilities: the debug console, the data browser, and the inspect console. The debug console is how most hackers on CDO do their thing. By using the built-in debugging tools in Game Lab, or manipulating the URL, you can change variables and even edit the source code locally (which makes the if (window.getURLPath()[3] == "view") code basically useless). Vault and Xenon both are designed to block this kind of hacking.

The data browser can be blocked easily, but (as far as I know) not through code. So at the moment, Xenon is vulnerable to data browser attacks. As @Letti42 pointed out I am working to try to fix this, but I'm not sure if it's possible.

Then there's the inspect console, which is a debugging tool built into your web browser. It has supreme power and is basically unstoppable.

Varrience

Letti42 to my knowledge i have my own which fixes databrowsers issues along with allowing multiple connections to multiple tables through simple API requests, though that'll probably stay between the people i trust to use it

not to mention that you can stop a gamelab or applab instance from running and rewrite modified code for it to execute in the following project, if your plan is to improve upon vault or add more features to such a project then go right ahead but know that your project will always be vulnerable with enough knowledge you can make what i did

ackvonhuelio

lol i had an idea
what if u just mak a bajillion useless keyvalues
var chars = 'abcdefghijklmnopqrstuvwxyz1234567890QWERTYUIOPASDFGHJKLZXCVBNM'; var c = ''; var r = ''; for(var i = 0; i < random(6,6); i++){ c+=chars[floor(random(0,chars.length-1))]; } for(var j = 0; j < random(5,5); j++){ for(var i = 0; i < random(5,5); i++){ r+=chars[floor(random(0,chars.length-1))]; } r+=r+' '; } if(random(0,1)>0.5){ setKeyValue(r,random(0,1000000000)); }else{ setKeyValue(r,r+c); }
ugliest code i have ever written but i threw it together in about 10 minutes
run this in ur draw function for about a minute and the data browser users will never be annoyed

DragonFireGames

Proceeds to open inspect console

redacted

Binary_Coder it's not possible to block data browser with code.org because trying to set hte column makes it named column1 because of the way proto works

Binary_Coder

redacted Interesting, that's what kept happening when I tried to make a new table. Thanks for confirming that.

redacted

because proto doesnt count as a string but its an object property which disapears when set

Binary_Coder

gZany Exactly! The warning is just begging for hackers to come by and wipe your data, so a hidden views counter can be very useful. It also only logs the number of views to the console if you’re in the editor, so no one else can see it besides you.

MonsterYT_DaGamer It’s a neat trick Owokoyo came up with. The warning shows up only if it detects setKeyValue() in your code, so if you write the function name as a string and break it up as ”setKey” + “Value”, you can trick the program into thinking that setKeyValue() is never called. @Jibberjay realized this would be very handy for an “invisible” views counter and wrote most of the code for it. If this is something people are interested in, I could add functions to Xenon to get and set hidden key values.

MonsterYT_DaGamer

How the hecc do you even evade that warning lol

Varrience

Binary_Coder actually i had already implemented this in an older library i have to, thing is CDO uses regex on the project to figure out if setKeyValue or getKeyValue exists, by simply referencing the instance window with the array property manager you can reference any function without having to use the full property value thus allowing the bypass to work

Jibberjay

Ok so I got some important news about the security library
The name has officially been change to Radon
Don't bother asking why

MonsterYT_DaGamer

Jibberjay next name is going to be ununoctium (real)

Binary_Coder

Radon is finished! Here's the library ID: mILMRqN5JUzprsVSeETMmG-flKCQrwD1xnNqpBp5oE4. The library has been updated again to fix some minor issues and add data browser protection in Game Lab.

Radon.remix("id"); - Add in the channel id of your project, and anyone running a remix will be notified and given the original link.
Radon.remix("id", true, false); - All functions for using cloud data will be disabled on remixes.
Radon.remix("id", true, true); - All remixes will crash instantly.
Radon.log(); - Tracks the views on a project without launching a "this projects stores data" warning.
Radon.log(42) - If the counter is hacked, it can be reset to remember the last number of views.