
Lua Tutorial - System Login and Register Online PHP and Lua


DarkingCheater
27 minutes ago, CmP said:

This approach looks good, but it won't guarantee protection against leechers. With some knowledge a potential leecher can easily get "ID" that is generated for his device, then just share this ID and the password to someone else. After this, "someone else" will be able to use the script by modifying "makeRequest" function to perform a "valid" (with correct ID and password) request to the server. The "leecher" even won't need to be bothered by how the ID and the request is generated, because simple modification of "makeRequest" function to print received arguments will do everything for him.

There isn't a "perfect" protection. But if you make it advanced enough, those that are skilled enough to bypass it all are more than likely skilled enough to create their own similar hacks too.

 

47 minutes ago, BadCase said:

I am not sure if you can retrieve the Device ID in script but if not I think the best way would be to read /system/build.prop and any other files that store values unique to the device type at the very least

and to generate a relatively unique ID from a combination of the info there, that way even if you can't get the actual device ID it will add entries for every different device type that uses the password, and in PHP you can script that if the number of IDs exceeds say 5 devices the password will be disabled.

_______________________________________________
added 3 minutes later

most people are just freaked out by Enyby's scary warning lol

In regards to device id, it shouldn't be difficult. For I think each game stores device id in memory. Could work on some things with you on it. 


2 hours ago, BadCase said:

Nice idea. I use a database to store my donor passwords in. A more secure way to do this would be to have your script data stored in a database and once password and username are matched against the database have the page you are querying return the code for the script and then load the content as Lua into the script.

I will be doing exactly that once someone gets around my current setup.

 

Also log device IDs for each password so if you see a big list of IDs you know who is sharing their password

How to get the device ID?
I have created a database but I don't know how to get the device ID.

then how to detect it?

to enter / register and log in with the database that I can.

but I'm still confused about how to call a function to get a device id


29 minutes ago, NoFear said:

There isn't a "perfect" protection.

Of course not, but in this case it does not even require medium level of "skill" or something.

52 minutes ago, BadCase said:

used in combination with things like logging the IP or other values which would be handled server side I'm fairly confident that they would not be able to bypass it

I agree, the protection will be stronger, but.. you forgot to consider one thing. Potential "leecher" will be able to get the code received from the server by either modifying "makeRequest" function to print/save to a file returned value or by modifying "load" function to print/save to a file its first argument. That's all, requesting info from the server is no more required, since the "leecher" got it. After this, it can be shared with anyone.


7 minutes ago, CmP said:

Of course not, but in this case it does not even require medium level of "skill" or something.

I agree, the protection will be stronger, but.. you forgot to consider one thing. Potential "leecher" will be able to get the code received from the server by either modifying "makeRequest" function to print/save to a file returned value or by modifying "load" function to print/save to a file its first argument. That's all, requesting info from the server is no more required, since the "leecher" got it. After this, it can be shared with anyone.

then if makerequest uses the .x.jpg.png extension can it still be loaded? by compiler.

I use the .x.jpg.php extension if I upload the script to call it from makerequest.

I tried it if I opened the script file I uploaded hosted.

blank screen

but to run and load it, it functions. The script can be used.

_______________________________________________
added 0 minutes later
53 minutes ago, NoFear said:

There isn't a "perfect" protection. But if you make it advanced enough, those that are skilled enough to bypass it all are more than likely skilled enough to create their own similar hacks too.

 

In regards to device id, it shouldn't be difficult. For I think each game stores device id in memory. Could work on some things with you on it. 

but I think it's easier by detecting ip bro. but I'm confused how to get the ip, I want to make it on my host


5 minutes ago, CmP said:

Of course not, but in this case it does not even require medium level of "skill" or something.

I agree, the protection will be stronger, but.. you forgot to consider one thing. Potential "leecher" will be able to get the code received from the server by either modifying "makeRequest" function to print/save to a file returned value or by modifying "load" function to print/save to a file its first argument. That's all, requesting info from the server is no more required, since the "leecher" got it. After this, it can be shared with anyone.

yes if they have a password and it passes that first check with the SQL server they can then log the values retrieved from the database as the script runs, without a correct password the server would not return any of the variables, 


1 minute ago, Krojzanovic said:

then if makerequest uses the .x.jpg.png extension can it still be loaded? by compiler.

Yep, file extension does not matter.

2 minutes ago, Krojzanovic said:

I use the .x.jpg.php extension if I upload the script to call it from makerequest.

I tried it if I opened the script file I uploaded hosted.

blank screen

Show the code and contents of the file. Without this info no one will be able to help in this case.


2 minutes ago, BadCase said:

yes if they have a password and it passes that first check with the SQL server they can then log the values retrieved from the database as the script runs, without a correct password the server would not return any of the variables, 

You are right. then we can see who is logged in to our hosting. and we can block her ip


3 minutes ago, Krojzanovic said:

but I think it's easier by detecting ip bro. but I'm confused how to get the ip, I want to make it on my host

As it checks the password you can use

<?php
$userip = $_SERVER['REMOTE_ADDR'];
echo $userip;
?>

to get the server to retrieve the IP the user is connecting from

https://crashreporter.000webhostapp.com/getip.php


2 minutes ago, BadCase said:

yes if they have a password and it passes that first check with the SQL server they can then log the values retrieved from the database as the script runs, without a correct password the server would not return any of the variables, 

That's what I was writing about, making it possible to "leech". But you probably don't need to worry about it, until there will be high demand on the code stored at the server.


3 minutes ago, CmP said:

Yep, file extension does not matter.

Show the code and contents of the file. Without this info no one will be able to help in this case.

I think I want to make it by detecting ip. maybe I will learn first about php and sql

_______________________________________________
added 3 minutes later
5 minutes ago, BadCase said:

As it checks the password you can use

<?php
$userip = $_SERVER['REMOTE_ADDR'];
echo $userip;
?>

to get the server to retrieve the IP the user is connecting from

https://crashreporter.000webhostapp.com/getip.php

ok thanks. 

make a new extension with getid.php
then enter the code?

and how to detect it with a database, do we edit again in our database with num row?


1 minute ago, Krojzanovic said:

You are right. then we can see who is logged in to our hosting. and we can block her ip

well it's a bit more complicated than that but you can have it give slightly different variables returned for things like amounts of currency you are increasing for each password

say 
password1cashvariable = 10125364

password2cashvariable = 10237546

if whoever logged functions does not bother changing these variables and leaks your script you can figure out what password was used to log functions and disable it, then they would have to pay you every time they want to log functions :P
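
The per-password marker values described above, as an added example that is not code from the thread: each password gets a stable value derived with an HMAC under a server-side key, so a value found in a leaked copy can be mapped back to the password it was served to. `SERVER_SECRET`, `BASE_CASH`, `MARK_RANGE`, the account list and both function names are assumptions.

```php
<?php
// Added example, not code from the thread. SERVER_SECRET, BASE_CASH, MARK_RANGE,
// the account list and both function names are assumptions for illustration.
const SERVER_SECRET = 'replace-with-random-server-side-key'; // never sent to clients
const BASE_CASH  = 10000000; // part of the value every copy shares
const MARK_RANGE = 1000000;  // size of the per-password watermark space

// Derive a stable per-password value: base plus an HMAC-derived offset.
// Without SERVER_SECRET a client cannot compute another password's value.
function watermarkedValue(string $accountId): int {
    $mac = hash_hmac('sha256', $accountId, SERVER_SECRET, true);
    $offset = unpack('N', substr($mac, 0, 4))[1] % MARK_RANGE;
    return BASE_CASH + $offset;
}

// Given a value seen in a leaked copy, return every account it matches.
// More than one hit is possible (collisions), so the result is a list.
function traceLeak(int $leaked, array $accountIds): array {
    return array_values(array_filter(
        $accountIds,
        fn(string $id): bool => watermarkedValue($id) === $leaked
    ));
}

// Constructed demo data: three password identifiers and one "leaked" value.
$accounts = ['password1', 'password2', 'password3'];
$served   = watermarkedValue('password2'); // what the server returned to that login
print_r(traceLeak($served, $accounts));
```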


1 minute ago, BadCase said:

well it's a bit more complicated than that but you can have it give slightly different variables returned for things like amounts of currency you are increasing for each password

say 
password1cashvariable = 10125364

password2cashvariable = 10237546

if whoever logged functions does not bother changing these variables and leaks your script you can figure out what password was used to log functions and disable it, then they would have to pay you every time they want to log functions :P

??? capitalism :v


13 minutes ago, Krojzanovic said:

I think I want to make it by detecting ip. maybe I will learn first about php and sql

_______________________________________________
added 3 minutes later

ok thanks. 

make a new extension with getid.php
then enter the code?

and how to detect it with a database, do we edit again in our database with num row?

Add a LONGBLOB column after the column storing the password and whenever they login string match the IP against the data in the LONGBLOB field, if it's found do nothing, if it's not found append the new IP to the data already in the LONGBLOB with a separator character at the end of it like a _ so each IP is easily searched later, you can also set it to change or remove a password if the total length of the LONGBLOB exceeds a certain length of characters which would mean multiple IPs are using the password

Edited by BadCase
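
The per-password IP tracking BadCase describes, as an added example that is not code from the thread: it swaps the LONGBLOB string for one row per (account, IP) pair so the count is exact, and disables the password once more than five distinct addresses have used it. The table names, `recordLogin()` and the limit are assumptions, and in-memory SQLite stands in for the MySQL database.

```php
<?php
// Added example, not code from the thread. Table/column names, recordLogin()
// and MAX_IPS are assumptions; SQLite in memory stands in for MySQL
// (on MySQL the insert below would be INSERT IGNORE).
const MAX_IPS = 5; // distinct addresses allowed per password

function openDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE accounts (id INTEGER PRIMARY KEY, username TEXT UNIQUE,
               pass_hash TEXT NOT NULL, disabled INTEGER NOT NULL DEFAULT 0)');
    $db->exec('CREATE TABLE account_ips (account_id INTEGER NOT NULL, ip TEXT NOT NULL,
               first_seen TEXT NOT NULL, PRIMARY KEY (account_id, ip))');
    return $db;
}

// Returns 'ok', 'denied' (bad credentials or already disabled)
// or 'disabled' (this login pushed the account over the limit).
function recordLogin(PDO $db, string $user, string $pass, string $ip): string {
    $q = $db->prepare('SELECT id, pass_hash, disabled FROM accounts WHERE username = ?');
    $q->execute([$user]);
    $row = $q->fetch(PDO::FETCH_ASSOC);
    if (!$row || $row['disabled'] || !password_verify($pass, $row['pass_hash'])) {
        return 'denied';
    }
    // The composite primary key makes a repeat login from a known IP a no-op.
    $db->prepare('INSERT OR IGNORE INTO account_ips VALUES (?, ?, ?)')
       ->execute([$row['id'], $ip, gmdate('c')]);
    $c = $db->prepare('SELECT COUNT(*) FROM account_ips WHERE account_id = ?');
    $c->execute([$row['id']]);
    if ((int)$c->fetchColumn() > MAX_IPS) {
        $db->prepare('UPDATE accounts SET disabled = 1 WHERE id = ?')->execute([$row['id']]);
        return 'disabled';
    }
    return 'ok';
}

// Constructed demo: one password used from seven documentation-range addresses.
$db = openDb();
$db->prepare('INSERT INTO accounts (username, pass_hash) VALUES (?, ?)')
   ->execute(['donor1', password_hash('s3cret', PASSWORD_DEFAULT)]);
foreach (range(1, 7) as $n) {
    // In a real endpoint the address would come from $_SERVER['REMOTE_ADDR'].
    echo "203.0.113.$n => ", recordLogin($db, 'donor1', 's3cret', "203.0.113.$n"), "\n";
}
```

Behind a reverse proxy or carrier NAT, `REMOTE_ADDR` is the proxy's or gateway's address, so many users can share one IP and one user can appear under several; treat the count as a signal rather than proof of sharing.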

8 minutes ago, BadCase said:

Add a LONGBLOB column after the column storing the password and whenever they login string match the IP against the data in the LONGBLOB field, if it's found do nothing, if it's not found append the new IP to the data already in the LONGBLOB with a separator character at the end of it like a _ so each IP is easily searched later, you can also set it to change or remove a password if the total length of the LONGBLOB exceeds a certain length of characters which would mean multiple IPs are using the password

oh ok I'll try it, I'll contact you if I'm confused.
thank you for helping me

