Anti-Decompile technique for Konstant v2.1 decompiler

muhohogo · July 3, 2025, 11:22pm

Hello again, everyone!

Edit: Uh oh, just use obfuscation.

as pIusgiant5 mentioned, this method will be patched by the dev. Do not use it for new projects

Unlimited_Objects · July 4, 2025, 1:10am

Now I can securely hide my Roblox cookie on client scripts without it being decompiled!

31oq · July 4, 2025, 1:14am

They can’t stop my client-sided anticheat after this one!

AverageOnionUser · July 4, 2025, 1:15am

Yes! This is so tuff!

Thank you for mangocoded release! I hope we will see more of these releases against the diddybludden hackers.

I’m tired of them ddosing my servers and killing everyone in game, I hope if i put this method into every script of mine it will fix the issue.

knightmb1 · July 4, 2025, 1:20am

The function is put into a for loop, which references a table, where the function actually executes. Is that strictly to protect where the execution code takes place from the de-compiler? Does this setup cause any scope issues? It’s interesting technically that is messes with the de-compiler, but is it something that the de-compiler developers couldn’t patch or fix on their own quite easily?

plusgiant6 · July 4, 2025, 1:22am

I’m pretty sure Konstant V2 is the only decompiler that breaks with this, but it won’t break in the V3 release coming soon with rewritten control flow analysis. I guess this works for something very niche but still kind of pointless for protecting scripts. A smaller version, which focuses on what actually breaks it, is while true do x() break end _ = 0, with any code replacing x(). _ = 0 is included because without it Luau replaces the break with a return.

TheRealANDRO · July 4, 2025, 1:32am

I’m getting reports that this has managed to stop 98.7% of the new reverse engineers and skids! Thank you.

HexadecimalLiker · July 4, 2025, 2:24am

No offense, but method is ultimately pointless, and while what follows is opinionated, it makes your source code much harder to read.

Even if you were to develop a post-processor that would automatically integrate this, it would result in more bugs than anything due to the fact that the call stack grows implicitly without any indication in the source-code.

Besides, just like you said, an attacker could still manually read the bytecode to understand what’s going on.

If you want to truly hide your source code, you should consider using an obfuscator. Relying on such methods is unreliable and does more harm than good.

roalex2008 · July 4, 2025, 3:08am

the only anti decompile technique you can use is script deletion, no script, no bytecode to decompile.

Now outta jokes, it’s pointless, just storing the Byteocde and using Medal, which may their developers rest in peace, already beats this. All major exploiters will aim for Medal 2 instead of Konstant, since it’s what’s better, V3 looks promising though.

and regardless, Luau OpCodes are so simple that disassembly is enough most of the time for RE or cheating anyway

VisualPlugin · July 4, 2025, 7:48am

I’m doubtful. If you’re defining a Rōblox cookie (and not obfuscating it), we can still look through that script’s string references.

Even if you do obfuscate your cookie, we pentesters can still use tools such as Remote Spy to monitor communication to the server and track where that cookie goes.

If you encrypt your cookie with something like AES or DSA, we’ll eventually find the module that deals with string encryption.

I don’t know any uses of storing secret information in the client. Most HttpService methods are disabled for the client. Best to store your cookie on the server. People have been doing it like that for years.

VisualPlugin · July 4, 2025, 7:54am

I use many programming frameworks, including Rust and Python.

I’m used to seeing lines in the call stack which don’t make sense (this is completely normal).

If I were to build a post-processor, here’s the changes I’d expect to see in my error logs:

Some mention of a call to "a:Z(...)" (per the original post), and
A constant offset in the affected scripts’ line numbers. For example, an error in line 103 of the original script may be moved to line 108 of the processed script.

1xayd · October 2, 2025, 7:45am

just use medal konstant is so bad

Serieko · October 2, 2025, 8:49am

openly admitting to using a decompiler as a developer is crazy to me

weakroblox35 · October 2, 2025, 9:03am

How do you think they gain access to animations, ui features and such?

1xayd · October 2, 2025, 9:38am

broski im literally making anticheat for my game and not only

1xayd · October 2, 2025, 9:42am

really simple theres a lua explorer for roblox dex and its forks original one was discontinued in 2022 but there are newer ones. original one is easily detectable by a few lines of code.
there are also externals which access roblox memory instead of running code and then deobfuscate whats in it so they arent detectable.

weakroblox35 · October 2, 2025, 9:46am

is that getgc I see, are you calculating sudden memory spikes and garbage allocation?

1xayd · October 2, 2025, 9:48am

no it detects cloneref references that shouldnt be in the game
also anti tampering with game metamethods

0ysf4 · October 2, 2025, 1:30pm

You’re allowed to use exploit in games, where you have edit access in.

Kizylle · October 2, 2025, 2:49pm

how would decompiling your own game help you figure out how to make an anti cheat..?