Via of Exploits in MODs

Posted: Mon Feb 24, 2025 6:38 pm
by RmBeer
I just stopped the loading of some binary objects contained in a file called adminscriptsdoomv10.pk3, where LOADACS is meant to load 3 '.o' object files from the ACS directory, whose content contains encrypted binary strings that I don't want to translate.

It's the first time I've seen that these mods are able to load arbitrary code, as simply as loading objects of objects.

Re: Via of Exploits in MODs

Posted: Mon Feb 24, 2025 8:32 pm
by TDRR
...these are ACS modules and this is completely normal.

Re: Via of Exploits in MODs

Posted: Mon Feb 24, 2025 8:45 pm
by Sean
Yes, and the term is "compiled", not "encrypted". ACS is a large part of how all those mods you play do their fancy things, and is well-documented. Mods typically include the source code for their ACS as well, but it's the author's choice whether to do that.

Re: Via of Exploits in MODs

Posted: Tue Feb 25, 2025 12:55 pm
by RmBeer
Sean wrote:
Mon Feb 24, 2025 8:45 pm
Yes, and the term is "compiled", not "encrypted". ACS is a large part of how all those mods you play do their fancy things, and is well-documented. Mods typically include the source code for their ACS as well, but it's the author's choice whether to do that.
I mean "encrypted" in the "compiled" binary.
It's the first time I've seen this kind of binary in modules. All the more reason, then, that it allows the execution of arbitrary code through exploits or all kinds of malware. Why do they ruin everything by allowing the execution of binary code by way of modules that should be nothing but harmless data and scripts?

EDIT:
Before anyone thinks these are just meaningless complaints because all ACS is harmless scripts: the same thing happened with JS, and to this day everyone thinks it is harmless when you can even open and modify any file on disk, allowing even the most basic malware from chapter 1 of the book 'How to build your own malware for Newbies'.

Re: Via of Exploits in MODs

Posted: Tue Feb 25, 2025 5:27 pm
by Sean
Image

Re: Via of Exploits in MODs

Posted: Tue Feb 25, 2025 5:31 pm
by TDRR
RmBeer wrote:
Tue Feb 25, 2025 12:55 pm
Sean wrote:
Mon Feb 24, 2025 8:45 pm
Yes, and the term is "compiled", not "encrypted". ACS is a large part of how all those mods you play do their fancy things, and is well-documented. Mods typically include the source code for their ACS as well, but it's the author's choice whether to do that.
I mean "encrypted" in the "compiled" binary.
It's the first time I've seen this kind of binary in modules. All the more reason, then, that it allows the execution of arbitrary code through exploits or all kinds of malware. Why do they ruin everything by allowing the execution of binary code by way of modules that should be nothing but harmless data and scripts?

EDIT:
Before anyone thinks these are just meaningless complaints because all ACS is harmless scripts: the same thing happened with JS, and to this day everyone thinks it is harmless when you can even open and modify any file on disk, allowing even the most basic malware from chapter 1 of the book 'How to build your own malware for Newbies'.
The paranoia is real. There's not even really a point of comparison there. JavaScript is a lot more of a general language than ACS is, and as such it has a set of libraries that allow for things like opening files, but ultimately the fault is down to apps that don't trim it as necessary and make sure to sandbox it appropriately. ACS doesn't have any way of reading, let alone modifying, arbitrary files on disk; it can only access those loaded into the VFS by the user (and can't write anything there).

The ACS VM has a lot of checking and at this point there's no known way to access anything outside of the memory allocated to it, add that on top of the very limited set of instructions and functions it has and about the worst thing an ACS module could do to you is mess with your config with ConsoleCommand. Extremely scary, I know. As an aside, I really can't understand your logic here. So binary files are bad and a security risk by themselves? This isn't arbitrary x86 code or anything, it's just bytecode for the (highly specialized) ACS VM. And it's not like this is the only scripting ZDoom supports.
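
Added example, not part of any post in this thread: a quick way to check that the '.o' files under a pk3's ACS directory really are compiled ACS bytecode rather than native executables. It assumes the pk3 is a zip archive and that ACS objects begin with the magic bytes `ACS\0`, `ACSE` or `ACSe`; the sample archive and its file names are constructed for the demo.

```python
import io
import zipfile

# Magic bytes ZDoom-family ports accept at offset 0 of a compiled ACS object.
ACS_MAGICS = (b"ACS\x00", b"ACSE", b"ACSe")
# Native executable headers, which do not belong in a mod's acs/ directory.
NATIVE_MAGICS = {b"MZ": "Windows PE", b"\x7fELF": "ELF"}


def classify(head):
    """Classify a file by its first bytes."""
    if head[:4] in ACS_MAGICS:
        return "acs-bytecode"
    for magic, name in NATIVE_MAGICS.items():
        if head.startswith(magic):
            return "native-executable (" + name + ")"
    return "unknown"


def audit_pk3(source):
    """Map each file under acs/ in a pk3 (a zip archive) to its classification."""
    report = {}
    with zipfile.ZipFile(source) as pk3:
        for info in pk3.infolist():
            if info.is_dir() or not info.filename.lower().startswith("acs/"):
                continue
            with pk3.open(info) as member:
                report[info.filename] = classify(member.read(4))
    return report


def build_sample_pk3():
    """Constructed sample archive; names and contents are made up for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pk3:
        pk3.writestr("loadacs.txt", "admin\nhud\nfake\n")
        pk3.writestr("acs/admin.o", b"ACSE" + bytes(28))
        pk3.writestr("acs/hud.o", b"ACS\x00" + bytes(28))
        pk3.writestr("acs/fake.o", b"MZ\x90\x00" + bytes(60))
        pk3.writestr("acs/notes.o", b"just text")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for name, kind in sorted(audit_pk3(build_sample_pk3()).items()):
        print(f"{name:14} {kind}")
```

This is a header check only: it tells bytecode for the ACS VM apart from an x86 binary with a '.o' name, but it does not validate the bytecode itself.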

Re: Via of Exploits in MODs

Posted: Tue Feb 25, 2025 8:24 pm
by Ænima
we should ban all mods that contain “.o” files

↓↓ start with these ↓↓

Re: Via of Exploits in MODs

Posted: Sat Mar 08, 2025 5:10 pm
by penguin
This is one of the reasons why Windows hides file extensions by default XD