FAQ
I got tired of getting nuked by assetbundle crashers.
BundleBouncer acts like a bouncer at a bar for downloaded assetbundles.
BundleBouncer is a plugin for MelonLoader that intercepts VRChat avatar assetbundles before they download, so that it can scan them for issues. If the assetbundle passes the tests, it is permitted to load.
BundleBouncer is available to the public free-of-charge, is not hidden behind an invite-only Discord, and is not part of a larger client. In addition, many existing avatar hiders only block the avatar after download and do not effectively protect against assetbundle crashers.
The VRCMG Discord, which provides the dataset for VRCMelonAssistant, the auto-updater and update checker plugins, and other package management systems, requires a manual review for every uploaded change. Because BB is still in very active development, it's not wise for us to put it up for review yet. We will be making a VRCMG listing soon.
Unity is a 3D game development platform, so developers need a way to store all their assets (meshes, textures, rigs, animations, etc.) in an efficient manner. An AssetBundle is Unity's standardized answer to this puzzle: it provides a simple API through which developers can load assets from a single file.
This file contains a set of built-in avatar and assetbundle blacklists.
The shitlist DLL uses optimized if-trees to match SHA256 checksums efficiently. These if-trees are generated at compile time from a trie (sic) in order to optimize lookups, and to provide mild obfuscation. Similar structures are used in many parsers due to their efficiency.
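To make the trie-to-if-tree step concrete, here is an added example in Python; it is not BundleBouncer's generator or its output. It assumes lowercase hex SHA-256 digests, and the sample digests are constructed from placeholder strings rather than taken from any real list.

```python
import hashlib

def build_trie(digests):
    """Nested-dict trie, one hex character per level."""
    root = {}
    for d in digests:
        node = root
        for ch in d.lower():
            node = node.setdefault(ch, {})
    return root

def single_tail(node):
    """Suffix below node if exactly one digest remains there, else None."""
    tail = []
    while node:
        if len(node) != 1:
            return None
        ch, node = next(iter(node.items()))
        tail.append(ch)
    return "".join(tail)

def emit(node, depth, indent, out):
    """Append if/elif branches for node; an unbranched tail becomes one comparison."""
    pad = "    " * indent
    tail = single_tail(node)
    if tail is not None:
        out.append(f"{pad}return h[{depth}:] == {tail!r}")
        return
    for i, (ch, child) in enumerate(sorted(node.items())):
        out.append(f"{pad}{'if' if i == 0 else 'elif'} h[{depth}] == {ch!r}:")
        emit(child, depth + 1, indent + 1, out)
    out.append(f"{pad}return False")

def generate_source(digests):
    """Source text of is_listed(h); h is a lowercase 64-character hex digest."""
    out = ["def is_listed(h):", "    if len(h) != 64:", "        return False"]
    emit(build_trie(digests), 0, 1, out)
    return "\n".join(out) + "\n"

def compile_matcher(digests):
    namespace = {}
    exec(generate_source(digests), namespace)  # stands in for the compile step
    return namespace["is_listed"]

# Constructed sample: digests of placeholder strings, not real list entries.
SAMPLE_IDS = [f"avtr_placeholder-{n:04d}" for n in range(200)]
SAMPLE_DIGESTS = [hashlib.sha256(s.encode()).hexdigest() for s in SAMPLE_IDS]
MATCHER = compile_matcher(SAMPLE_DIGESTS)
```

Printing `generate_source(SAMPLE_DIGESTS[:5])` shows why the obfuscation is only mild: each digest is split between branch conditions and one tail comparison, but it can still be reassembled by walking the branches.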
We wish to make it difficult for skiddies to try and scrape avatar IDs from our code. While it is possible to find the IDs, it requires that the actor in question already know the ID.
Due to VRChat's closed-source nature, their use of IL2CPP, and their unwillingness to work with security researchers, we have to guess at how they are loading avatar assetbundles. We therefore make use of a shotgun approach and hook as many ingress routes for assetbundles as possible.
BundleBouncer needs to intercept AssetBundles just after they are downloaded, but before they are parsed by Unity. Because of how Unity works, we have had to actually implement our own modified download stream so that bytes are saved to disk before they are sent to the Unity AssetBundle loading infrastructure; otherwise, we would only be getting small snippets with zero context.
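The spool-then-check idea, as an added Python example (not BundleBouncer's download stream, which hooks Unity from C#): every chunk goes to disk and into a running SHA-256, and the loader is only called once the complete file has passed. The `deliver` callback, the set-based hash lists and the sample bytes are assumptions made for the example; the allow-over-block precedence follows the override this FAQ describes for false positives.

```python
import hashlib
import os
import tempfile

def gate_download(chunks, blocked, allowed, spool_dir, deliver):
    """Spool the whole download to disk, hash it, then decide.

    chunks   iterable of bytes as they arrive from the network
    blocked  set of SHA-256 hex digests to refuse
    allowed  set of SHA-256 hex digests the user has overridden
    deliver  callable(path) standing in for the hand-off to the loader
    Returns (verdict, sha256_hex).
    """
    digest = hashlib.sha256()
    fd, path = tempfile.mkstemp(suffix=".bundle", dir=spool_dir)
    try:
        with os.fdopen(fd, "wb") as spool:
            for chunk in chunks:      # nothing is forwarded while streaming
                spool.write(chunk)
                digest.update(chunk)
        h = digest.hexdigest()
        if h in allowed:
            verdict = "allow (user override)"
        elif h in blocked:
            verdict = "block"
        else:
            verdict = "allow"
        if verdict != "block":
            deliver(path)             # the loader only sees a complete, checked file
        return verdict, h
    finally:
        os.remove(path)               # the spool file never outlives the decision

# Constructed sample: arbitrary bytes split into network-sized pieces.
SAMPLE_CHUNKS = [b"constructed-header", b"-constructed-body-", b"constructed-tail"]
SAMPLE_HASH = hashlib.sha256(b"".join(SAMPLE_CHUNKS)).hexdigest()
```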
Because of their design, VRChat is particularly weak to a vulnerability in Unity where a maliciously-crafted assetbundle will throw an assertion in Unity's native code. This causes Unity to crash to desktop without giving managed code the opportunity to catch an exception.
VRChat cannot fix this issue; it is a problem with Unity itself.
Yes.
- Petition Unity to fix the problem. Unity has rejected this solution so far, since assetbundles were not intended for UGC.
- Stop using AssetBundles for UGC, as they have many similar problems. Unfortunately, this change cannot easily be made due to the vast amount of existing UGC.
- Run a small Unity program that checks assetbundles after upload. If the program attempts to load assets from an assetbundle and then crashes or freezes, the assetbundle is rejected. We are working on a public, CLI, scriptable tool for this purpose.
Make the asserts trigger an exception that can be caught by managed code.
Yes, and we are making an automated system for this purpose.
Because it's funnier, and the list will eventually contain multiple kinds of rules.
We don't want skiddies getting access to a large list of known-malicious avatar IDs.
Add a line containing just the avatar ID to UserData/BundleBouncer/My-Blocked-Avatars.txt.
You should then send the ID to us via the email provided in the README.
Our list is regularly checked by an automated script that attempts to load samples into a small Unity program. If it crashes during the process, the sample is listed as an ABC.
If you think we're wrong, please send an email to Scott (scgriffin213@outlook.com).
In the meantime, you can add the Avatar ID to UserData\BundleBouncer\My-Allowed-Avatars.txt and/or the assetbundle SHA256 hash to UserData\BundleBouncer\My-Allowed-Asset-Hashes.txt.
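The load-and-see-if-it-dies check described in this FAQ (a small program loads each sample, and a crash or freeze means rejection) depends on process isolation, because a native assert kills the whole process without raising anything catchable. The following Python harness is an added example, not the project's script or its upcoming CLI tool; the loader is a stand-in child process, since the page does not show the real Unity program, and the file names are constructed.

```python
import subprocess
import sys

def check_bundle(loader_cmd, bundle_path, timeout_s=60.0):
    """Run the loader on one bundle in its own process; return (verdict, detail)."""
    try:
        proc = subprocess.run(loader_cmd + [bundle_path],
                              stdin=subprocess.DEVNULL,
                              stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL,
                              timeout=timeout_s)
    except subprocess.TimeoutExpired:
        # subprocess.run has already killed the child at this point.
        return ("reject", "froze: no exit within %.1fs" % timeout_s)
    if proc.returncode < 0:
        # POSIX reports death by signal (e.g. SIGABRT from an assert) as -signum.
        return ("reject", "crashed: killed by signal %d" % -proc.returncode)
    if proc.returncode != 0:
        return ("reject", "crashed: exit code %d" % proc.returncode)
    return ("accept", "loaded and exited cleanly")

# Stand-in for the small loader program (hypothetical): a child process that
# aborts, hangs or exits cleanly depending on the file name it is given.
STAND_IN_LOADER = [sys.executable, "-c", (
    "import os, sys, time\n"
    "name = sys.argv[1]\n"
    "if 'abort' in name: os.abort()\n"
    "if 'hang' in name: time.sleep(30)\n"
)]

def triage(paths, timeout_s=5.0):
    """Verdict per sample; one bad sample cannot take the harness down with it."""
    return {p: check_bundle(STAND_IN_LOADER, p, timeout_s)[0] for p in paths}
```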
Your friend was blocked by BundleBouncer and automatically added to a user shitlist in case they eventually found a way to crash you that worked. To fix this, tell them to stop being a client monkey, then close your game and remove their user ID from UserData/BundleBouncer/Player-Blacklist.json.
Tell us the avatar ID via the process described in the README file.
- Check your version of VRChat.
- Check your version of MelonLoader.
- Make sure you have VRChatUtilityKit and UIExtensions installed.
- Make sure you have the latest core DLL from the releases page.
If all else fails, hop onto Discord and ask for help in the #bundlebouncer channel.
Yes. You can submit PRs against our public codebase and help triage bugs.
No. We don't want anyone to have access to the avatar shitlist database. Only people I know and trust have access.
You may fork the public codebase.
Sure, as long as you provide credit and aren't using it for malicious purposes.
Email me. Beware, lots of the build process involves self-made tools and hacks.
- Skiddie, Skiddies: Low-skill malicious actor, frequently using someone else's tools rather than making their own. Many are young teens or children. From *script kiddie*.
- Client: A large injected plugin for VRChat that usually contains a large set of features. Term generally used in reference to malicious clients.
- Client monkey: Slang for a VRChat user obviously and blatantly using malicious features. Generally low-skilled and confrontational.