Best way to obfuscate my client checks?

Okay I have a localscript that handles my anti-dex. I know very well that you should never trust the client so don’t be throwing that at me. I would like to obfuscate my script so exploiters can’t find the thing I use to check if the script is there from the server. What is the best way to do this?
(please note that lua beatifying isn’t enough for me)

You should stop investing so much time trying to implement something that they could easily delete. Exploiters aren’t limited to Dex, they could easily use getchildren and find out the game tree themselves. Dex just makes it easier to view. You should be focusing your time in improving your game and securing your remotes, don’t waste your time trying to prevent these exploits. If its on the client the exploiters will find a way to bypass it, no matter what security measures you put in the client

But if you really want to obfuscate Lua, you can use this website:
Visit with caution: This is a website thats commonly used to obfuscate scripts that run in exploits, visit at your own risk

Just looking at the link I notice it has an .xyz domain which is commonly used in virus websites. So I am going to take your advice and just not do this.

Actually, you can keep doing this.
Not all exploiters know how to bypass anti-cheats, because they can be very complex, or simple but with extreme implementations.

First to start,

You can have anti-cheats that are on client, but it has to be really hidden and very hard to detect. There is even anti-cheats that are on the server, not client.
Let’s take Ro-Ghoul for example, the developers have patched farm scripts, speed scripts, and many more, and it’s helping the community, and most of the patches are on the server.

So, right now your best bet would just make anti-cheats/checks on the server, but you can still do it on the client, but it’s not recommended. For the client, you can obfuscate the code using that link(I used it myself), but you have to take precautions. Think of how a exploiter would’ve bypassed your code.

And also, this post (not exactly) relates to another post, where anti-exploits were discussed, argued, and then came to a solution.

1 Like

What does this mean?
Also 99% of my anti-exploit is on the server this is the only client script.

Thank you so much for your help! :smile:

Trust me I don’t think it is even possible for the client AE to be more hidden.

What I mean by “you have to take precautions” is that a exploiter can still bypass your code in someway, so by making a client check, if one finds out the solution, multiple people would abuse it. And there can still be a flaw in your code somewhere.

1 Like

Quick question: does lua still work if you AES encrypt it?

I highly doubt it lol

I don’t really know, I never tried it.
But if you are trying to use another obfuscator, just make sure it’s lua compatible.

No I wrote my own AES encryption python script for passwords and I was wondering if it worked.

Maybe. You’d have to rename variables to something random, and see if any of the code relied on that variable, to rename that part too.
And you’d have to rename functions, etc etc.

1 Like

Do you know if that website saves the code it encrypts?

I have no idea honestly. Best bet would just be to make your own obfuscator, since most of them are shady or overpriced, etc.

1 Like

I think this is the best response to this post. The fact of the matter is, if your game is drawing exploiters that are good enough to get around generic obfuscation methods (especially considering the current state of decompilers), then you might as well stop there. You can try to add as much security as you wish to the client, but at some point you are just wasting your time and resources.

Just a small note: Lua VM-based obfuscators originated from exploit creators. Most of them keep some information on what they used to generate the VM and actively work against game developers using their methods. You could, however, fork your own version on github, but as I said… You would be wasting time and resources.

Did I not say in the post that is is my only client script in the game and the rest of the anti-exploit is server sided? If I didn’t then oof.

This does not matter. I can gaurantee you that however much time you put into this client-security project would not match the time it would take to write a viable bypass.

1 Like