'Best' way to obfuscate scripts?

Would you be able to send me a link for Lauraph?

1 Like

I myself run a service. If I were you, I wouldn’t open source it if you plan on selling. You will lose all your sales, etc, and people will steal your scripts and take credit. Personally, I would obfuscate and download the code from an external server (which is what I do).

2 Likes

Don’t have a link, sorry. I use Synapse Xen, but Lauraph is $1 per obfuscation, so if you plan on doing lots of updates, Synapse Xen is far more cost effective in the long run.

1 Like

Oh, so I’d host the obfuscated code on a server and then download/run it with loadstring?

edit: and yeah, I’ll consider the Synapse one

So when someone tries to exploit your game by looking through localscripts, they can’t figure out how things work.

6 Likes

Pretty much. But don’t use normal loadstring, use a custom implementation. DM me on Discord (grilme99#9830) and I can get you a link to the custom loadstring. I would use the custom loadstring over the built-in one because then people don’t need to enable it in their games.

Edit: for those interested, take the loadstring module from this https://www.roblox.com/library/359948692/Adonis-MainModule

5 Likes

Okay, thanks for the help, I’ll send you a Discord request :grinning:

1 Like

I know what ‘obfuscation’ is. I just would rather implement a ‘Never trust the client’ system. And do as many things on the server as possible. And I wanted to know why he wanted to obfuscate anyway.

2 Likes

Do you mind if you could get me something like that too? (If I DM you on Discord)

2 Likes

It’s for a potential paid service, so people can download a script/model that runs something in their game for a fee, and it’s to protect the code so people can’t just re-use it themselves, as I’d virtually make nothing.

1 Like

Updated my solution

2 Likes

LocalScript obfuscation is pointless. Exploiters have access to any code that is kept on the client or is replicated to them and they can deobfuscate it as well. There are only two benefits to obfuscation for code that the client can also see; those are fending off exploiters who won’t deobfuscate (typically an undedicated exploiter who only takes but doesn’t do anything further) and a headache.

There was a long debate on a related topic regarding selling ModuleScripts and even more threads around regarding code obfuscation as a result of the removal of support for third-party closed source modules. Have you read any of those threads or considered any of the advice raised there?

In either case, as the solution suggests, one of the “best” ways to “obfuscate” your code is by “not including it on Roblox at all”. You can load it out from an external web server or from a GitHub repository (which may expose you to a few issues that come with either public or private repositories).

5 Likes

That’s exactly what I already do, and if you do it right, it’s very difficult to get the source.

like very

Make sure that, if you plan on doing this, you still follow the same rules as on Roblox (NEVER TRUST THE CLIENT). Make sure you check all requests and validate them properly.

1 Like

If you’re talking about LocalScript obfuscation, then it’s only going to be difficult for those who don’t put in the effort (which is thankfully a good chunk of exploiters, but don’t ignore the other chunk as well as those who do deobfuscation as a service). Security through obscurity isn’t real security. Anything you do on the client can be reversed to its original state. You can’t beat an exploiter on their own machine.

2 Likes

No, I’m talking about downloading your code from an external server.

1 Like

What is a loadstring module btw?

1 Like

Thing is, the amount of effort you would have to put into it makes it completely pointless.

Iirc VM obfuscators work by creating a custom Lua VM in Lua, then turning your script’s compiled bytecode into instructions that the VM supports.
So in order to “deobfuscate” such a script, you need to have some bytecode knowledge, reverse and understand the minified custom VM, and then turn the instructions into readable code, which I guess you can kinda compare to turning assembly to C++.

(I might’ve got some details wrong so correct me if I said something false)

5 Likes
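
Added illustration, not part of any post in this thread and not code from any real obfuscator: a toy stack VM in Lua showing the idea described in the post about VM obfuscators. The seed scheme, opcode names and sample program are assumptions constructed for the example; the interpreter and its opcode table have to ship with the encoded program, which is why this approach raises effort rather than hiding logic.

```lua
-- Toy stack VM with per-build opcode numbers (constructed example).
local OPS = { "PUSH", "ADD", "MUL", "RET" }

-- Assign each operation a pseudo-random byte value derived from a seed
-- (the seed scheme is an assumption made for this example).
local function makeOpcodeMap(seed)
    local map, used, state = {}, {}, seed
    for _, name in ipairs(OPS) do
        local code
        repeat
            state = (state * 75 + 74) % 65537
            code = state % 256
        until not used[code]
        used[code] = true
        map[name] = code
    end
    return map
end

-- "Obfuscate": turn readable instructions into a flat list of numbers.
local function encode(program, map)
    local out = {}
    for _, ins in ipairs(program) do
        out[#out + 1] = map[ins[1]]
        if ins[1] == "PUSH" then
            out[#out + 1] = ins[2] -- operand follows the opcode
        end
    end
    return out
end

-- The interpreter that must be delivered alongside the encoded program.
-- Here the map is passed in; a real build would bake it in as constants.
local function run(code, map)
    local stack, pc = {}, 1
    local function pop() return table.remove(stack) end
    local handlers = {
        [map.PUSH] = function() stack[#stack + 1] = code[pc]; pc = pc + 1 end,
        [map.ADD] = function() local b, a = pop(), pop(); stack[#stack + 1] = a + b end,
        [map.MUL] = function() local b, a = pop(), pop(); stack[#stack + 1] = a * b end,
    }
    while true do
        local op = code[pc]
        pc = pc + 1
        if op == map.RET then return pop() end
        handlers[op]()
    end
end

-- Constructed sample program: (6 * 7) + 2
local program = { { "PUSH", 6 }, { "PUSH", 7 }, { "MUL" }, { "PUSH", 2 }, { "ADD" }, { "RET" } }
local map = makeOpcodeMap(1234)
local encoded = encode(program, map)
print(table.concat(encoded, " ")) -- opaque numbers that change with the seed
print(run(encoded, map))          -- evaluates the encoded program
```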

“Never trust the client” is definitely a design philosophy that you should take when creating any piece of software, but obfuscation is a quick and easy way to make an exploiter’s job much harder in the case that you have a security hole.

3 Likes

Obfuscation should not be used to patch security holes. You should only put obfuscation on top of an already secure system to confuse and slow down exploiters even more.

3 Likes

I’m of course not talking about patching security holes that you are aware of, I more mean that if there is a security hole in your software that you are unaware of, it’s going to be a lot harder for an attacker to find/notice it.

3 Likes