If you are developing a scripting language, it turns out that allowing clients to load and execute arbitrary bytecode is a really bad idea. Lua, the embedded scripting language that ROBLOX uses, unfortunately allows this by default. After some deliberation, we decided to remove this capability from ROBLOX Lua.
What is bytecode?
Bytecode a set of machine-readable instructions. Programming languages like Lua are high-level abstractions that make it easier for humans to write code. Before code can be executed by a computer or a virtual machine (VM), it needs to be translated to low-level instructions – the most very fundamental operations that the CPU or VM supports.
A simple code snippet like this:
print("Hello World!")
Becomes this in bytecode (transformed into a standard hex dump for readability):
00000000 1B 4C 75 61 51 00 01 04 04 04 08 00 12 00 00 00 .LuaQ………..
00000010 3D 57 6F 72 6B 73 70 61 63 65 2E 53 63 72 69 70 =Workspace.Scrip
00000020 74 00 01 00 00 00 03 00 00 00 00 00 00 02 04 00 t……………
00000030 00 00 05 00 00 00 41 40 00 00 1C 40 00 01 1E 00 ……A@…@….
00000040 80 00 02 00 00 00 04 06 00 00 00 70 72 69 6E 74 €……….print
00000050 00 04 0C 00 00 00 48 65 6C 6C 6F 20 57 6F 72 6C ……Hello Worl
00000060 64 00 00 00 00 00 04 00 00 00 02 00 00 00 02 00 d……………
00000070 00 00 02 00 00 00 03 00 00 00 00 00 00 00 00 00 …………….
00000080 00 00 ..
In the standard Lua library, there is a function called loadstring that you can use to convert a string into a function. Going forward, this will still work:
fn = loadstring("print('Hello World!')")
fn()
However, if you prefix your argument to loadstring with ASCII character 27, it can load bytecode too:
fn = loadstring('\27\76\117\97\81\0\1\4\8\4\8\0\47\0\0\0\0\0\0\0\114\101\116
\117\114\110\32\102\117\110\99\116\105\111\110\40\41\32\10\112\114\105\110
\116\40\34\72\101\108\108\111\32\87\111\114\108\100\33\34\41\10\10\32
\101\110\100\0\1\0\0\0\4\0\0\0\0\0\0\2\4\0\0\0\5\0\0\0\65\64\0\0\28\64\0
\1\30\0\128\0\2\0\0\0\4\6\0\0\0\0\0\0\0\112\114\105\110\116\0\4\13\0
\0\0\0\0\0\0\72\101\108\108\111\32\87\111\114\108\100\33\0\0\0\0\0\4\0\0\0
\2\0\0\0\2\0\0\0\2\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0')
fn()
In both cases calling fn() will print “Hello World!”
Last night ROBLOX shipped a release that prevents the standard Lua library function loadstring from loading bytecode. This function was used exclusively by some of our advanced scripters and breaks at most a couple hundred places that were using loadstring to do sinful (and sometimes very clever) things. So why did we do it? Two reasons.
#1. Security – loadstring(bytecode) is impossible to sandbox
ROBLOX sandboxes the Lua execution environment into multiple security contexts. We do this to create functions that only ROBLOX-authored scripts can call, or that only game servers can call. There’s a lot of functions, like loadCharacter(userId) or httpGet(url) that are very useful, but that we don’t want regular users to have access to. For example, loadCharacter would allow widespread identity spoofing and httpGet would allow someone to DDoS ROBLOX.com using our own game servers.
Unfortunately, the version of Lua that ROBLOX uses (5.1) has several virtual machine-level defects that can be exploited with the use of bytecode. ROBLOX user Necrobumpist found this article that discusses some of them. The nastiest one allows you to hijack the stack of another function running in another security context. In short, if you know what you are doing, you can craft a privilege elevation attack using bytecode.
The Lua community at one point was working on a bytecode validator for loadstring to prevent these sorts of shenanigans, but it was eventually deemed infeasible and it is now the responsibility of developers embedding Lua to filter out bad bytecode themselves (presumably by disabling it).
#2. Version Specific – loadstring(bytecode) is not future proof
ROBLOX tries very very hard not to break any of the tens of millions of user scripts that exist in our ecosystem whenever we put out a new release, because we respect the time and effort that coders have spent making those scripts.
The ability of loadstring to ingest bytecode seriously compromises our ability to change anything relating to the underlying Lua internals without breaking client scripts. We could not, for instance, update to a more recent version of Lua than 5.1 or experiment with making our Lua script execution 2-10x faster by implementing LuaJIT. There are very good reasons for us to want to be able to do both of these things.
How does this affect me?
It probably doesn’t affect you. We are aware that a small number of ROBLOX levels are using loadstring(bytecode) as an obfuscation method to protect their source code from theft or modification. These levels won’t function correctly until their creators update their code. If you are interested in learning more about low-level Lua hacks, the ROBLOX scripters forum is a great place to start.
Why Galleons It Has A bytecode T_T i was playing it then my comp. has Blue Screen of death for a while then fixed T_T
Something confusing in thes pictures. :/
id rather have exploiters than messed up games! all exploiters do is take over the server. but when everyone leaves or if it shuts down, the server turns back to normal. id rather have that.. other than permanently ruined games….. :(
All I have to say is:
If people got their game to the front page using bytecode. They can just figure out how to write the code in Lua format. Because, what I seem to be understanding from this is that Bytecode is harder to use than Lua. If thats not the case oh well. Anyways, Games can be fixed. I’m more worried about hackers/exploiters ruining games. Just give the game creater some time fix their scripts. You’ll have your game back soon. Just stop whining about it.
Hey, you know byte code causes hacks? It do worth although some byte code scripts are malfunctional now.
Goodbye all dragonball online adventure games T.T
thats sad
well all since they remove the code thing my games are back to normal because they where always hacked and i really like the idea that it was removed thanks roblox.
Well, at least I had never heard of bytecode when I started my place. And it’s almost finished :3
Grate, if they don’t bring it back I can’t use my suit for my Place now!
Please bring it back half of my games are partially broken because they used ()loadstring and many famous games are now broken and not working at all.
And just about all of these comments are bad feedback about taking away bytecode.
ROBLOX please remove this update now, I am tired to hearing bad things because people worked hard to build thngs, ROBLOX agan Pleasr remove this update!
Thanks ALOT Roblox… The fort I made for my new group was just trashed because of this update… Now I (ME MYSELF) HAVE TO GO EXPLAIN THAT TO OUR LEADER (who was highly anticipating it to be done by this friday) -.-
Shut up about this. For god sake. They will never listen to you.
ROBLOX, you messed up, big-time. So many games were broken because of this update. This is sad.
Wow, All these game’s are now broken…
And it’s funny that every single person on here commented about it being bad and not good.
You can still hack ROBLOX with something called “No Clipping” I have no idea what it is, but my friend said you can still hack from that.
I’ve left roblox before due to poor development by stealing someone else idea. Now I hear bytecode is more secure? Not really. I’ve seen a lot of places hacked due to some injectors. I would rather have some encryption on the severs. Or some type of VAC sever.
Thanks, ROBLOX. You ruined half of the GOOD games. I’d rather have exploiters than broken games.
Wow roblox think about the hard work of people done of scripting it could tooked a day and you broked all the best games like Ultimate Build and like 70% of people left roblox and 30% of people still in roblox just wow.
This was a bad idea roblox. you might soon have another player gone. :(
Well, ROBLOX, why? The loadstring() function famous people used. Example, Merely (aka Seranok) THE CREATOR OF CATALOG HAVEN, and many others. What are you trying to do? CHASE US AWAY? That’s the end of ROBLOX, not the end of the world.
You destroyed pretty much all of the games that were my favorite. Like wingmans checkpoint racing,
and armored ship battle! You should’ve thought about this before you did it, because I am getting very close to quiting roblox.
We should make a Mario Party 9 because it will be so much fun if we do that
Thanks roblox, you really did it this time. You do realize 68% of roblox counts on scripting? You take away scripts just for exploiters, but that doesnt mean they stop. They will find out how to exploit with other hacks like hacking into DLL servers and loading illegal scripts. This is serious, you broke roblox, your own jobs, all broken. You see, scripting is 68% of roblox, so you just took away more than half the fun we have on roblox. Roblox is turning into a horrible game each update, and it has to stop.
Hacking into a dll server? What? A dll is a
C module. It’s not a server? Illegal scripts? What does that mean? LIke things that werent meant in roblox? Coregui scripts are the strongest you can get without totally reprogramming roblox from the ground up and every robloxian would need that reprogrammed roblox and the roblox site too, for it to work. Scripting still works. Contact me on roblox for j1my3p1x. Your honestly just an idiot that doesn’t even know what they are saying.
I’d rather have exploiters ruining servers than have tons of games that are BROKEN.
Well, thanks for ruining games for not only us, but also the users who put their time and effort into building them.
Thanks for removing whats left of great games. You ruin so many games, it not funny.
Ruined. You ruined it.
You broke to many games. I’d rather have exploiters than this.
This broke alot of the great games. Even Script Builder. Alot of people devoted alot of time to collecting rare scripts to use on script builder. Including me. Now, thanks to this, some of my rarest scripts have been broken… This code was pretty much the core that powered Roblox.
Roblox… ARE YOU MAD?
I BET THEY KNEW IT WOULD BRAKE HALF THE GAMES!
I miss armoured ship battle!
I bet they didn’t even think before they did this!
they removed it because to my exploiters where using it with DLL injection
Bring it back! It ruined some games on ROBLOX! :(
bye bye favorite game
I kinda wish Bytecode was back, because removing it broke lots of games, like Survival Finale D:
Lol,Poor BCGames.
BRING IT BACK ROBLOX
Why, people are NOT talking about exploiters, THEY ARE TALKING ABOUT GAMES! sorry did I said that loud? anyways, People games are breaking 1 by 1 every day We need to remove it because people work hard to build things.
I rather have this than the risk of exploiters ruining Game Survers/Personal Build Survers…
There goes my admin script.
This broke about half the well-scripted games. ARRGH! Armored Patrol, Armored Ship Battle, Call of Robloxia, all broken!
This broke a LOT of ROBLOX’s favourite games, thankyou ROBLOX… You ruined some of our lives. PLEASE BRING BYTECODE BACK D: (I’ll miss you Armored Ship Battle, this broke your game)
This broke some games like Armoured ship battle and Gearomino.
This update is just plain terrible!If it was good, it wouldn’t have disabled peoples games.If Roblox wanted to make a good update, they should have disabled other types of exploits like plugin exploits, etc.After they disable those then they should do the update to disable bytecode but disabling bytecode first was the stupidest idea Roblox has ever had.If you’re reading this Roblox, undo this update immediately before Minecraft takes over!It already has more than half of the Roblox population including me.Roblox is losing propularity because of stupid updates.I suggest change this Roblox.