5-500k Buying Anti-Exploit Methods

If you are looking for a fast VM, I would recommend Ironbrew (I’d link but I do not have one). However, it is paid, so it may not be your best option.

I am frustrated with the quality of responses
Literally on every thread there will be someone who says “don’t trust the client, discussion closed”

The reason for my response is to establish some sort of credibility that I know what I’m talking about

If your statement that he is one of the best members on the devforum is true, and he just missed my entire post, then what will happen with people who DO have the information I want but will be dissuaded from contacting me because they will assume I’m some sort of noob like @railworks2 treated me?

My primary purpose in the response is to show my credibility to the people who I want to see it
My secondary purpose is to convey my frustration to prevent posts like these (but I guess this backfired)

I’ve been shared an anti-decompile method already and I know there is another which the person hasn’t opened up to share with me yet

I realize I shouldn’t have said that, at that point I just got really frustrated

: /

Add me on discord pls Acreol#0001

EDIT: @Acreol Again, my PMs are open and I am open to discussion.

I feel that it’s important that we remember the fundamentals, even experts can miss a basic thing. I have never intended to refer to you as a “noob”, I gave you some information to remind you of the basics, some other users have chosen to interpret that in their own way which may reflect either positively or negatively.

I would also wish to clarify, I would not see myself as an expert in security, even when it’s something I want to look at as a career.

If I have offended you in any way or otherwise made you feel negative in any way, I formally and publicly apologize for such.

2 Likes

Any anti decompile method is prone to being fixed or only working on unluac. Anti-decompiling isn’t a very good solution to a cheater problem as you can get the bytecode and analyze it using the Lida disassembler made by @AMD_chan on github. Furthermore, someone with experience in analyzing Lua bytecode (such as AMD_chan) would easily be able to figure out your anti decompilation method.

Attempting to stop decompiling of Lua code generated by luac or a similar subvariation of it is fruitless. You could, quite literally, snip out the chunk of messy bytecode stopping it from decompiling.

Paranoia is key.

Like everyone else said, don’t trust the client at all. Don’t solely rely on client checks. Always have serversided checks, because this will stop 90% of exploits.

For common exploit methods (noclip, flying, speed) there are many scripts for public use that can prevent that (or make it harder).

2 Likes

The best you can do is to detect velocity changes above what’s expected, and develop a game specific solution for preventing teleporting. These are very hard to make without some margin of error due to network delay.

Personally, I’ve had a lot of success with clientside checks (make sure you read this whole post, I am not recommending clientside checks in the place of good networking security and server-side checks). While they are of course not going to work in cases where exploiters are experienced, the majority of exploiters are not. Low level exploits are often easily detectable clientside, and things like WalkSpeed, JumpPower, Gravity, Building Tools etc. are easily detected. You’re never going to catch every exploiter, but my advice would be:

  1. Secure your backend/server. This should be relatively easy and is entirely possible. Experienced exploiters will almost always be trying to find a hole in your server > client communications, not performing low level exploits like speedhacking, noclipping and teleporting.
  2. Do lots of clientside checks with hidden and obfuscated code. While this will not catch all exploiters, a large majority of them do not even understand how client > server communications function and will be caught out by these detections. Low level exploiters will not be interested in attempting to breach remotes, and clientside checks will usually do the trick in catching them.

In summary, your game should be secure enough that you are only needing to detect exploits that are being performed clientside, such as speedhacking, teleporting, and noclip. These are very reliably detected clientside, but you should also have very lenient detection server side in case the clientside scripts are disabled.

1 Like
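An added example (not code from any poster in this thread) of the lenient server-side check the posts above describe: flag movement faster than expected, with a margin for network delay. It is plain Lua with positions as `{x, z}` tables; `MAX_SPEED`, `SLACK`, `DEBT_DECAY`, `DEBT_LIMIT` and all function names are assumptions to tune per game.

```lua
-- Added example; every name and constant is hypothetical and game-specific.
local MAX_SPEED  = 16   -- studs/second the game permits (assumed)
local SLACK      = 1.25 -- headroom for replication jitter
local DEBT_DECAY = 4    -- studs of unexplained movement forgiven per second
local DEBT_LIMIT = 24   -- flag once this much unexplained movement accrues

local function newTracker(pos, now)
  return { pos = pos, t = now, debt = 0 }
end

-- Feed one server-side position sample; returns true when the player should be flagged.
-- Horizontal distance only, so jumping and falling do not count against the player.
local function observe(tr, pos, now)
  local dt = now - tr.t
  if dt <= 0 then return false end
  local dx, dz = pos.x - tr.pos.x, pos.z - tr.pos.z
  local moved = math.sqrt(dx * dx + dz * dz)
  local excess = math.max(0, moved - MAX_SPEED * SLACK * dt)
  tr.debt = math.max(0, tr.debt - DEBT_DECAY * dt) + excess
  tr.pos, tr.t = pos, now
  return tr.debt > DEBT_LIMIT
end

-- Call after the server itself moves a player (respawn, scripted teleport).
local function reset(tr, pos, now)
  tr.pos, tr.t, tr.debt = pos, now, 0
end

-- Constructed samples at 10 Hz: speeds in studs/second along x.
local function run(label, speeds)
  local tr, x, flaggedAt = newTracker({ x = 0, z = 0 }, 0), 0, nil
  for i, v in ipairs(speeds) do
    x = x + v * 0.1
    if observe(tr, { x = x, z = 0 }, i * 0.1) and not flaggedAt then flaggedAt = i end
  end
  print(label, flaggedAt and ("flagged at sample " .. flaggedAt) or "not flagged")
end

local walk, lag, fast = {}, {}, {}
for i = 1, 30 do walk[i], lag[i], fast[i] = 16, 16, 48 end
lag[10], lag[11] = 0, 32          -- one late update followed by a catch-up
run("normal walk", walk)
run("lag spike", lag)
run("3x speed", fast)
```

The decaying debt is what provides the margin of error: a single late update adds a little debt that drains away, while sustained excess speed keeps adding to it until the limit is crossed. In a game, the samples would come from the server's own read of each character's position.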

Obfuscation is security through obscurity and is a waste of time in the first place. It only takes one person to release a bypass for your client sided checks before everyone starts using it.

1 Like

I disagree entirely. Clientside checks are once again not to be solely relied on, but avoiding them entirely is a mistake. My game sustains ~1k players and has done for ~6 months. I get 4-5 bans every hour from clientside checks, along with another 2-3 from serverside checks. Aside from this remote communication is entirely secure (afaik).

Also, this isn’t security through obfuscation. Clientside checks should definitely not be used as a replacement for proper network security, but they are a useful tool to use within your anti-exploit arsenal.

5 Likes

“500K”

This seems really high…

2 Likes

Perhaps.

It is a little high though lol.

1 Like

There are methods to prevent some ways of de-compiling, but there are always many, many other ways that allow it.

He’s asking for methods, not buying actual anti exploits.

1 Like

I’m a bit confused, it seems as if this thread has moved more towards anti-cheat systems such as detecting velocity, speed, everything else? Is this thread looking for an obfuscator like @3dsboy08 had offered and that’s all? Or is OP looking for an all around anti-cheat as well as an obfuscator?

I have a nice remote event security method that’ll help in protecting against remote event/function exploitation.

Just read @crossStarCross’s article here:

Interesting coming from you

1 Like

Unlisting because request too vague and this devolved into a noisy discussion thread. Please file a new thread if you’d like, taking feedback of posters above in consideration.

For other posters: please keep in mind collaboration categories are not for discussion.