Forbid obfuscation in the scripts category.
-
I'd like to use this opportunity to again advocate for the banning of obfuscation. It delays discovery of any malicious code more than is tolerable. See my previous post on the subject.
@Gabriel
Firstly, fully automatic deobfuscation is not currently possible. Heck, we can't even detemine whether a script even is obfucated yet.Secondly, automatically determining whether a script is malicious is very, very, difficult. We might look at the amount of reflection it uses, but that can be circumvented by adding more native code.
Thirdly, using an automated system, even if it was perfect, to determine whether a user may upload their content is shit.
@natalka Yeah, I agree. While I personally don't see the point of obfuscation, some people might want those elite hax0r points. I personally am opposed to that and think it harms the overall community, however, I don't think it should be banned completely, as people might have valid reasons to obfuscate their code. IMO, manual approval is a good goal, but it's very time-consuming.
@Aftery I mostly agree with you. While a manual approval process would be ideal, it's also timewasteage. A temporary ban on obfuscated scripts, and temporary locking of any threads that post them without prior review, is preferable to me.
@idk-my-name Honestly, I'm convinced you're unfamiliar ith obfuscation,writing code in general, and running a forum. Not only is reliably checking anything for obfuscation pretty much impossible, it isn't even guaranteed that the deobfuscation even works. The only thing that's even remotely viable is run-time analysis, I have no idea on how we would implement this though. Aftery, as one of the most based people here, is once again correct.
-
liqudbounce antivirus
-
-
@Gabriel
Firstly, fully automatic deobfuscation is not currently possible. Heck, we can't even detemine whether a script even is obfucated yet.Secondly, automatically determining whether a script is malicious is very, very, difficult. We might look at the amount of reflection it uses, but that can be circumvented by adding more native code.
Thirdly, using an automated system, even if it was perfect, to determine whether a user may upload their content is shit.
@natalka Yeah, I agree. While I personally don't see the point of obfuscation, some people might want those elite hax0r points. I personally am opposed to that and think it harms the overall community, however, I don't think it should be banned completely, as people might have valid reasons to obfuscate their code. IMO, manual approval is a good goal, but it's very time-consuming.
@Aftery I mostly agree with you. While a manual approval process would be ideal, it's also timewasteage. A temporary ban on obfuscated scripts, and temporary locking of any threads that post them without prior review, is preferable to me.
@idk-my-name Honestly, I'm convinced you're unfamiliar ith obfuscation,writing code in general, and running a forum. Not only is reliably checking anything for obfuscation pretty much impossible, it isn't even guaranteed that the deobfuscation even works. The only thing that's even remotely viable is run-time analysis, I have no idea on how we would implement this though. Aftery, as one of the most based people here, is once again correct.
@cancernameu hehe, i have my own github with my own repos & hacked clientbase using javaagents, also i code my own obfuscator for java bytecode (github.com/xWhitey)
-
I'd like to use this opportunity to again advocate for the banning of obfuscation. It delays discovery of any malicious code more than is tolerable. See my previous post on the subject.
@cancernameu i think if js had sth like ObjectWeb ASM, we could automatically deobfuscate js scripts
-
@6sence sth like onUpload event:
check the script for obfuscation and if it is obfuscated - use .jar or .exe (idk, thats just suggestion) to deobfuscate it.@idk-my-name well yeah but how are you going to get the jar or exe to deobf it lol, you would have to detect the type of obfuscation and then automatically deobf it. it best way to do it is literally not deobf the script just run it on a server and test if it tries to do anything malicious
-
@Gabriel
Firstly, fully automatic deobfuscation is not currently possible. Heck, we can't even detemine whether a script even is obfucated yet.Secondly, automatically determining whether a script is malicious is very, very, difficult. We might look at the amount of reflection it uses, but that can be circumvented by adding more native code.
Thirdly, using an automated system, even if it was perfect, to determine whether a user may upload their content is shit.
@natalka Yeah, I agree. While I personally don't see the point of obfuscation, some people might want those elite hax0r points. I personally am opposed to that and think it harms the overall community, however, I don't think it should be banned completely, as people might have valid reasons to obfuscate their code. IMO, manual approval is a good goal, but it's very time-consuming.
@Aftery I mostly agree with you. While a manual approval process would be ideal, it's also timewasteage. A temporary ban on obfuscated scripts, and temporary locking of any threads that post them without prior review, is preferable to me.
@idk-my-name Honestly, I'm convinced you're unfamiliar ith obfuscation,writing code in general, and running a forum. Not only is reliably checking anything for obfuscation pretty much impossible, it isn't even guaranteed that the deobfuscation even works. The only thing that's even remotely viable is run-time analysis, I have no idea on how we would implement this though. Aftery, as one of the most based people here, is once again correct.
-
@6sence I do not think, that it is needed to run the script. I think just find for "Runtime" or "System" or getenv or http(s) things
-
@6sence I do not think, that it is needed to run the script. I think just find for "Runtime" or "System" or getenv or http(s) things
@idk-my-name That won't fucking work.
-
@cancernameu i think if js had sth like ObjectWeb ASM, we could automatically deobfuscate js scripts
@idk-my-name How is WebAssembly going to help us with this?!?
-
@bobismymanager skids, ac devs trying to patch the script...
-
@bobismymanager skids, ac devs trying to patch the script...
@ender1355 NOOOOOOOO I NEED MY LEET HAXOR POINTS NOOOOOOO
-
@bobismymanager no one really loves skids, the skids have gone too far that they only renamed liquidbounce and called it own client.
-
@bobismymanager well i didnt ask but okay
-
@bobismymanager they are forks as they said, I'm talking about skids that don't even give credit to CCBlueX
-
@aftery yes like on unkowncheats
@faaatpotato said in Forbid obfuscation in the scripts category.:
unkowncheats
unknowncheats? csgo moment
-
@aftery yes like on unkowncheats
@faaatpotato @Aftery manual approval of scripts should be done only when its obfuscated, like there should be an API that should check if the script is obfuscated or not, and for deobfuscated scripts, no one would make a malicious script that is not obfuscated
