Thats exactly what I already do, and if you do it right, its very difficult to get the source.
like very
Make sure that, if you plan on doing this, you still follow the same rules as on Roblox (NEVER TRUST THE CLIENT). Make sure you check all requests and validate them properly.
If you’re talking about LocalScript obfuscation, then it’s only going to be difficult for those who don’t put in the effort (which is thankfully a good chunk of exploiters, but don’t ignore the other chunk as well as those who do deobfuscation as a service). Security through obscurity isn’t real security. Anything you do on the client can be reversed to its original state. You can’t beat an exploiter on their own machine.
No, I’m talking about downloading your code from an external server.
What is a loadstring module btw?
Thing is, the amount of effort you would have to put into it makes it completly pointless.
Iirc VM obfuscators work by creating a custom lua vm in lua, then turning your script’s compiled bytecode into instructions that the vm supports.
So in order to “deobfuscate” such a script, you need to have some bytecode knowledge, reverse and understand the minified custom vm, and then turn the instructions into a readable code, which I guess you can kinda compare to turning assembly to C++.
(I might’ve got some details wrong so correct me if I said something false)
“Never trust the client” is definitely a design philosophy that you should take when creating any piece of software, but obfuscation is a quick and easy way to make an exploiters job much harder in the case that you have a security hole.
Obfuscation should not be used to patch security holes. You should only put obfuscation on top of an already secure system to confuse and slowdown exploiters even more.
I’m of course not talking about patching security holes that you are aware of, I more mean that if there is a security hole in your software that you are unaware of, it’s going to be a lot harder for an attacker to find/notice it
I’m starting to make many ways to protect scripts. Once I thought you could use a minimizer to minimize a certain code and paste it into the obfuscated script. For example: if the un-obfuscated script has a credits, and the credits, for example the variable name is ‘Credits’, and the text is “Made by Creator”, then make a new local script and put a script in there saying like “if Credits.Text == “Made by Creator” then
(script here)
else
local Warning = Instance.New(“TextFrame”)
(warning stuff here like text etc.)
Warning.Text = “STOLEN SCRIPT!”
wait(0.3)
print “Script Stolen.”
then minimize that script and paste it into the obfuscated script as a like backup if they try and rename or rebrand something.
i just made that script sry if there are errors and if it sounds confusing but i hope you get what i mean
While minimizing your scripts can work, they can easily be unminified or beautified (even automatically), using a website like this. Then you just go through the code and change variable names to something that describes them well, and the code is easily-readable again.