Even if you don’t think you’d want to sell something, please lets still talk about it ; p

I am most interested in anti-decompiling & VMs that don’t drop FPS from 60 to 30

If you have something cool, please add me on discord: Acreol#0001

Thanks

Hi there.

Quite simply, don’t trust the client

Also I would recommend you take a peak at this post along with any help you get.

Along with a ton of exploit posts here on the DevFourms.

EDIT: As random as this may be, let’s ensure we get the fundamentals sorted and then we can work into some of the more advanced topics which may or may not work. (While keeping an eye on the fundamentals)

If you wish to DM me futher, I’m happy to speak there to reduce overflow here.

Firstly,

Please take the time to review the DevForums guidelines to ensure you don’t violate the rules.

If it on the client, expect decompiling to be possible.
You can learn more about that @ Exploiting Explained

With LuaVMs, they can be helpful but if you are looking at a LuaVM doing obfuscation.
Roblox security export @3dsboy08 can and has proven the effectiveness of these methods, you can learn what he said @ Removing Support for Third Party Closed Source Modules

No matter your method, the fundamentals still stand. If you refer to my original post, you can see

You don’t trust the client

It’s a clear fundamental that I must repeat to be clear. Server sides checks will help you much more, and I want you to save your money.

I am happy to have a dialog, however you must follow the basics.

This user isn’t new to the devforums?

The harsh reality is that anything that replicates to the client is vulnerable, and prone to be stolen.

On the topic of security, no matter what exploit you encounter, there’s always a way to patch it. Likewise, no matter what patch you write, there will always be a way to exploit it. This is the reality that you have to face security-wise. There’s no ultimate patch for anything.

-Zenuvius
Source: Avoiding the Workspace to replicate from server to client

Zen has a job regarding cybersecurity, and has learned that from experience.

The thread has started to go out of control

I thank the other people for responding but I would not want to derail the thread.
Please DM me and I would love to chat it out with you and not get into an argument.

If you would like to work with @Acreol please do message him on his Discord

If you are looking for a fast VM, I would reccomend Ironbrew (I’d link but I do not have one). However it is paid so it may not be your best option.

I am frustrated with the quality of responses
Literally on every thread there will be someone who says “don’t trust the client, discussion closed”

The reason for my response is to establish some sort of credibility that I know what I’m talking about

If your statement that he is one of the best members on the devforum is true, and he just missed my entire post, then what will happen with people who DO have the information I want but will be dissuaded to contact me because they will assume I’m some sort of noob like @railworks2 treated me

My primary purpose in the response is to show my credibility to the people who I want to see it
My secondary purpose is to convey my frustration to prevent posts like these (but I guess this backfired)

I’ve been shared an anti-decompile method already and I know there is another which the person hasn’t opened up to share with me yet

I realize I shouldn’t have said that, at that point I just got really frustrated

: /

Add me on discord pls Acreol#0001

EDIT: @Acreol Again, my PMs are open and I am open to discussion.

I feel that it’s important that we remember the fundamentals, even experts can miss a basic thing. I have never intended to refer to you as a “noob”, I gave you some information to remind you of the basics, some other users have chosen to interpret that in their own way which may reflect either positively or negatively.

I would also which to clarify, I would not see myself as an expert in security, even when it’s something I want to look at as a career.

If I have offended you in anyways or otherwise made you feel negative in anyway, I formally and publicly apologize for such.

Any anti decompile method is prone to being fixed or only working on unluac. Anti-decompiling isn’t a very good solution to a cheater problem as you can get the bytecode and analyze it using the Lida disassembler made by @AMD_chan on github. Furthermore, someone with experience in analyzing Lua bytecode (such as AMD_chan) would easily be able to figure out your anti decompilation method.

Attempting to stop decompiling of Lua code generated by luac or a similar subvariation of it is fruitless. You could, quite literally, snip out the chunk of messy bytecode stopping it from decompiling.

Paranoia is key.

Like everyone else said, don’t trust the client at all. Don’t solely rely on client checks. Always have serversided checks, because this will stop 90% of exploits.

For common exploit methods (noclip, flying, speed) there’s many scripts for public use that can prevent that (or make it harder).

The best you can do is to detect velocity changes above what’s expected, and develop a game specific solution for preventing teleporting. These are very hard to make without some margin of error due to network delay.

Personally, I’ve had a lot of success with clientside checks (make sure you read this whole post, I am not reccomending clientside checks in the place of good networking security and server-side checks), while they are of course not going to work in cases where exploiters are experienced, the majority of exploiters are not. Low level exploits are often easily detectable clientside, and things like WalkSpeed, JumpPower, Gravity, Building Tools etc are easily detected. You’re never going to catch every exploiter, but my advice would be:

1. Secure your backend/ server. This should be relatively easy and is entirely possible. Experienced exploiters will almost always be trying to find a hole in your server > client communications, not performing low level exploits like speedhacking, noclipping and teleporting.
2. Do lots of clientside checks with hidden and obfuscated code. While this will not catch all exploiters, a large majority of them do not even understand how client > server communications function and will be caught out by these detections. Low level exploiters will not be interested in attempting to breach remotes, and clientside checks will usually do the trick in catching them.

In summary, your game should be secure enough that you are only needing to detect exploits that are being performed clientside, such as speedhacking, teleporting, and noclip. These are very reliably detected clientside, but you should also have very lenient detection server side in case the clientside scripts are disabled.

Obfuscation is security through obscurity and is a waste of time in the first place. It only takes one person to release a bypass for your client sided checks before everyone starts using it.

I disagree entirely. Clientside checks are once again not to be solely relied on, but avoiding them entirely is a mistake. My game sustains ~1k players and has done for ~6 months. I get 4-5 bans every hour from clientside checks, along with another 2-3 from serverside checks. Aside from this remote communication is entirely secure (afaik).

Also, this isn’t security through obfuscation. Clientside checks should definitely not be used as a replacement for proper network security, but they are a useful tool to use within your anti-exploit arsenal.

“500K”

This seems really high…

Perhaps.

It is a little high though lol.

There are methods to prevent some ways of de-compiling, but there is always many many other ways that allow it.

He’s asking for methods, not buying actual anti exploits.