0

So in my game most exploiters are using metatables to stop bans and I would like to break them, I dont use them and it would only hurt the exploiters. Even if this breaks other parts of lua I can and will fix it but this needs to stop and this is my best bet.

James
  • 83
  • 6
  • Have you seen this? https://stackoverflow.com/questions/1224708/how-can-i-create-a-secure-lua-sandbox – John Zwinck Aug 26 '18 at 02:30
  • Sadly sandboxing might help but checking functions wont help because they have a function named newcclosure that closes a function to make sure the game cant detect it, because it sandboxes it in c – James Aug 26 '18 at 02:39
  • @James: `lua_pushcclosure` is a Lua API call written in C (or a language that speaks C). The only way "exploiters" would be able to call it is if they're writing DLLs or something that your code dynamically loads. If you're dynamically loading *binary executables* directly into your game, security is just not a reasonable possibility. If they can make direct calls into the Lua API, they can easily hijack all kinds of things: every global function, the Lua registry, etc. – Nicol Bolas Aug 26 '18 at 02:49
  • My game uses the engine named ROBLOX which allows this behsvior and its unreasonable to get your idea added and live, sadly, so if you have a way to break metatables it would help. – James Aug 26 '18 at 02:51
  • 1
    Whay about `setmetatable = nil`? – Henri Menke Aug 26 '18 at 03:12
  • They also have getrawmetatable which grabs the meta table of the game, however I could do what the first answer here was and just set the games metatable to not your business and it will do exactly what I want! – James Aug 26 '18 at 18:12

1 Answers1

0

From Programming in Lua, 4th Edition, chapter 20:

The functions setmetatable and getmetatable also use a metafield, in this case to protect metatables. Suppose we want to protect our sets, so that users can neither see nor change their metatables. If we set a __metatable field in the metatable, getmetatable will return the value of this field, whereas setmetatable will raise an error: 

mt.__metatable = "not your business"

s1 = Set.new{}
print(getmetatable(s1))     --> not your business
setmetatable(s1, {})
    stdin:1: cannot change protected metatable

So, your answer? Set the __metatable field to prevent access to a table’s metatable. Do that for all tables that you need to protect.

brianolive
  • 1,573
  • 2
  • 9
  • 19
  • @James Welcome to stackoverflow. Please click the checkbox to mark the answer as accepted and upvote it if you find it useful. – Jason Goemaat Aug 27 '18 at 00:53
  • @James: Note that this will not prevent someone from using the C API function `lua_setmetatable` to change it. – Nicol Bolas Aug 27 '18 at 13:43