
Antitamper vulnerability found

Open 3skue opened this issue 10 months ago • 7 comments

I have found a vulnerability in the Antitamper. By simply replacing pcall and making it return a metatable, you can take advantage of the way the antitamper validates error messages.

do -- ANTI-ANTITAMPER
	local unpack = unpack or table.unpack
	
	local oldPcall = pcall
	pcall = function(f, ...)
		local result = { oldPcall(f, ...) }
		local message = result[2]

		if (not result[1] and type(message) == "string" and string.find(message, "attempt to perform arithmetic")) then
			local sourcePos = message:find(":(%d*):")
			local source = message:sub(1, sourcePos).."1:"

			local spoof
			spoof = setmetatable({ gsub = function() return spoof end }, {
				__eq = function() return true end;
				__tostring = function() return source.." attempt to perform arithmetic (pow) on string and number" end
			})

			return false, spoof
		end

		return unpack(result)
	end
end

(Tested on Roblox without UseDebug)

3skue avatar Apr 27 '25 16:04 3skue

What do you expect from an open source obfuscator?

Zaenalos avatar Apr 27 '25 17:04 Zaenalos

To at least validate the type of the thing the antitamper needs to check?

ghost avatar Apr 27 '25 18:04 ghost
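Taking the report above and the suggestion to validate the type of the value the antitamper checks, the following is an added example of such a check written from the defender's side. It is not Prometheus's own antitamper code; the function names and the error-message pattern are assumptions, and the check only asserts that the message is a real string before any string method or comparison is applied to it.

```lua
-- Added example (not Prometheus code): a tamper check that verifies the
-- TYPE of the pcall result before trusting or comparing the error message.
-- Assumption: a protected script can provoke an arithmetic error on purpose
-- and expects the runtime's own message back. Names are hypothetical.

local function expectedArithmeticError()
	-- Deliberately invalid: exponentiation of a non-numeric string.
	return ("a") ^ 1
end

-- Returns true when the error channel looks untampered, false otherwise.
local function errorChannelLooksSane()
	local ok, err = pcall(expectedArithmeticError)
	if ok then
		return false -- the expression must fail; a "success" is suspicious
	end

	-- A genuine Lua error message is a plain string. A table carrying __eq
	-- and __tostring metamethods (as in the spoof posted in this issue) is
	-- rejected here, before any method call or comparison could be diverted
	-- through its metatable.
	if type(err) ~= "string" then
		return false
	end

	-- Use the string library directly rather than err:gsub(...), so the call
	-- cannot resolve to a field on a forged object; err is a verified string.
	local body = string.gsub(err, "^.-:%d+:%s*", "")

	-- Plain (non-pattern) find; the exact wording differs between Lua 5.1,
	-- 5.4 and Luau, but all begin with this prefix.
	return string.find(body, "attempt to perform arithmetic", 1, true) == 1
end

if not errorChannelLooksSane() then
	-- Hypothetical reaction; a real antitamper would take its own action here.
	error("environment check failed")
end
```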

The problem with antitamper is that everybody can see the source code, so it is relatively trivial to find a workaround. If you want a secure antitamper, you should write your own custom code that you don't share with anyone. This is a general problem with having an open source obfuscator. If you want to make Prometheus secure, you should make some custom modifications to it.

levno-710 avatar May 23 '25 22:05 levno-710

That's right!

Zaenalos avatar May 24 '25 00:05 Zaenalos

Hi, which modules would you suggest making changes to?

rhuda21 avatar Aug 01 '25 15:08 rhuda21

You can start by creating your own Antitamper. After that, I would not modify anything, but rather create additional custom obfuscation steps.

levno-710 avatar Aug 18 '25 07:08 levno-710

Exactly what I did with my version of prometheus!

SpinnySpiwal avatar Aug 18 '25 10:08 SpinnySpiwal