Client-Server Anti-Cheat System with Custom Encryption

I completely understand. So here’s the algorithm you are using, if I understand correctly.

Server (string value; randomize the value to a random number, let’s say it’s 5) -----> Client (now my string value is 5)

Client (now I must pass this string value with value 5 back to the server, because if I fail to respond to the server with the instructions I will get kicked) ----> Server (Success! The client’s string value is 5, and if it weren’t changed to the exact number the server generated, the client would have been kicked)

Correct me if I’m wrong.

Yes, that is what happens, except all the responses are encrypted, so for the client to retrieve the instructions from the server it must first decrypt the message that the server sent to retrieve the unencrypted instructions.

It then encrypts those same instructions with a different encryption key and sends them back to the server. The server then decrypts that message and checks whether the instructions are the same ones that the server originally sent; if they aren’t, it kicks the client.

(And to clear up any future confusion: these messages are sent using remote events, which would usually be insecure, but with encryption the messages they send to each other are now secure, as the messages are encrypted.)

1 Like

I’m going to provide the randomizer I use to generate what I call “prompts”: the prompts that the client got from the server and decrypted, which it then encrypts and sends back to the server.

-- Server-side prompt generator. The server encrypts the returned sentence
-- and sends it to the client; the client must decrypt it, re-encrypt it with
-- the second key and send it back, or it is kicked.
-- Roblox seeds math.random automatically; on stock Lua 5.3 or earlier call
-- math.randomseed(os.time()) before using this module.
local SecureSentenceModule = {}

local words = {
	"alpha", "beta", "gamma", "delta", "epsilon", "zeta", "eta", "theta", "iota", "kappa",
	"lambda", "mu", "nu", "xi", "omicron", "pi", "rho", "sigma", "tau", "upsilon",
	"phi", "chi", "psi", "omega", "zenith", "quasar", "neutron", "galaxy", "binary",
	"quark", "vector", "matrix", "lambda", "omega", "quantum", "flux", "nucleus", "cosmos",
	"void", "stellar", "nebula", "particle", "helium", "argon", "neon", "photon", "plasma",
	"electron", "proton", "neutron", "fusion", "gravity", "blackhole", "singularity", "event",
	"horizon", "celestial", "supernova", "darkmatter", "antimatter", "subatomic", "frequency",
	"velocity", "entropy", "dimension", "parallel", "photon", "alphaWave", "gammaRay", "betaDecay",
	"ion", "oscillation", "muon", "meson", "boson", "tachyon", "lepton", "gluon", "atom", "molecule",
	"crystal", "spatial", "energy", "velocity", "momentum", "galactic", "vortex", "interstellar"
}

-- The list above repeats a few entries ("lambda", "omega", "neutron", "photon",
-- "velocity"), which makes those words twice as likely to be picked. Collapse
-- them once at load time so every word has the same chance.
local uniqueWords, seen = {}, {}
for _, w in ipairs(words) do
	if not seen[w] then
		seen[w] = true
		table.insert(uniqueWords, w)
	end
end

-- Upper-case each letter of `word` independently with probability 1/2.
local function randomizeCapitalization(word)
	local randomizedWord = ""
	for i = 1, #word do
		if math.random() > 0.5 then
			randomizedWord = randomizedWord .. string.upper(word:sub(i, i))
		else
			randomizedWord = randomizedWord .. word:sub(i, i)
		end
	end
	return randomizedWord
end

-- Build a sentence of 12 to 16 distinct words, each optionally decorated
-- with mixed case, a leading digit, a trailing digit and a trailing
-- punctuation character ('!' .. '/', ASCII 33-47; never a space, so the
-- words remain space-separated).
function SecureSentenceModule.generateSecureSentence()
	-- Never ask for more distinct words than exist, or the repeat loop below
	-- would never terminate.
	local sentenceLength = math.min(math.random(12, 16), #uniqueWords)
	local selectedWords = {}
	local sentence = ""

	for i = 1, sentenceLength do
		local word
		repeat
			word = uniqueWords[math.random(#uniqueWords)]
		until not selectedWords[word]

		selectedWords[word] = true

		if math.random() > 0.7 then
			word = randomizeCapitalization(word)
		end
		if math.random() > 0.5 then
			word = word .. tostring(math.random(0, 9))
		end
		if math.random() > 0.5 then
			word = tostring(math.random(0, 9)) .. word
		end
		if math.random() > 0.5 then
			word = word .. string.char(math.random(33, 47))
		end

		sentence = sentence .. word .. " "
	end

	return sentence:sub(1, -2) -- drop the trailing space
end

return SecureSentenceModule

Note: I’m really sorry it took this long and this many responses to explain to everybody how it worked; it’s just really complicated to explain this process because of how many moving parts are involved.

2 Likes

I appreciate your feedback; the reason I posted it on here is so that people could tell me about vulnerabilities I did not know about.

But number 4 would not happen, because, as I said, the random value that it’s sending is encrypted before it’s sent; to retrieve the random value, the message containing the random value must first be decrypted.

This answer also makes number 2 wrong, as the exploiters would be unable to retrieve the expected value without first decrypting the message that has the expected value.

But in complete honesty I appreciate your feedback and will take more of a look into all of your stated points.

1 Like

Yes, that is true; that is why I will be using lura.ph. It’s originally an obfuscator that every paid exploit uses and has proven to be reliable in the past, so for any obfuscation I will be using the market standard in Roblox, which is lura.ph.

1 Like

Perfect. That is exactly what you should do, and this will be my last message because it concludes this conversation. Your approach with lura.ph is a valid and secure way to anti-cheat using a server-to-client-to-server model. My approach is also a viable option and would be the much easier route to take. I made a post not too long ago


[Solved] Creative Anti Cheat for Roblox games - #38 by 1O10010I10011

about how I would go about it, and I have so many tricks up my sleeve. I would be happy to privately show you a place file where I demonstrate my knowledge of anti-cheat. I would gladly do this for you because you are an asset to this community and you took much time out of your day to help the community understand exactly how to approach encryption-based anti-cheat.

1 Like

Custom encryption? So you have encryption systems available LOCALLY?

No point in doing that: I come with specific software and I decompile your system. Then I read through it and understand everything. I could also change the behavior of remotes to do custom stuff, as an exploiter can basically modify raw instances.

There are ways to counteract that. I didn’t read through all of it; I’m sure you did a good job. I still think it’s better to have some sort of SAFE system, of course, as the vast majority of people won’t care about anti-cheats and will try to exploit blindly.

Don’t bother trying to elaborate things that are too complex though

2 Likes

I understand the deobfuscation issues, but lura.ph has never been deobfuscated unless the actual script had blind security vulnerabilities within it. I also understand the concern about having encryption on the local side, but it’s obfuscated. I know that only helps a little bit, but I have plans to make the encryption third-party so it is more secure. I cannot guarantee that my methods are unbypassable, but with this scheme it makes client-side anti-cheats incredibly hard to bypass, in terms of normal client-sided anti-cheats. But I simply do not know, as I haven’t had it stress-tested; if any vulnerabilities come up when I allow it to be stress-tested, I am dedicated to finding alternatives and fixing them.

To add onto this: although the encryption systems are local, they are obfuscated.

Addressing that other concern about the remotes: it does not matter how the remote is changed, modified or viewed by an exploiter, because in any case where the anti-cheat does not respond with the custom encryption ensuring it’s the actual anti-cheat replying, it will disconnect the player.

Decompiling the anti-cheat is essentially useless, as the original source code will not be displayed when decompiled because of the obfuscation I use. You can view the specific obfuscator here: https://lura.ph/ It is paid, with a one-dollar-per-obfuscation or monthly fee depending on the plan.

1 Like

Obfuscation is useful whenever users attempt to read the raw content of a script you wrote. I have witnessed people decompiling scripts I have written. The result was a completely reformatted script generated by the decompiler. It chose variable names automatically and reformatted the code with indents.
The fact that the naming scheme used by the software does not match the names of the original variables/functions you wrote implies that you lose some context if you properly named your variables, but it also implies that obfuscation (variable name change and function reassignment) is basically useless. Same goes for uglification.

I urge you to look at the specific details of my obfuscation; it’s not just uglification. lura.ph has never been decompiled.

What if you kick the exploiter in a random interval after their tampering so it takes them longer to realize what caused them to be kicked?

Great idea! I’ll also make the randomized-time kicking come from the server so it can’t be tampered with. I also have a randomized ping interval, so the exploiters will not be able to differentiate between ping requests and requests for kicking them.

Everything is bypassable; your anti-cheat just requires a little bit more effort. And it has been done many times before.

1 Like

Why using client random-code validation with remotes is useless:
Exploiters can preserve that part of the code. It will still work. That’s all.
They can modify other parts of the script and not touch that one.

You can’t modify the script because it’s obfuscated, so they can’t pick and choose what to keep within the code. You can’t just delete one part. I suggest people look more into the details which I have provided to you guys; I feel like I am just restating stuff I have said.

I am completely aware exploiters can view client scripts, but with obfuscation they cannot edit it, nor view the actual source, nor modify it, because it’s impossible to differentiate between different parts of the code because IT’S OBFUSCATED.

Explain how it is bypassable; don’t just say it’s bypassable without providing an example I may have overlooked.

I’m incredibly frustrated with saying things over and over again; please look at my entire thread before you respond.

Obfuscation does not prevent your code from being modified, it just delays the inevitable. The information about what your code does is still there, it just awaits de-obfuscation. An exploiter can decompile and deobfuscate your script. It has been done many times before.

3 Likes

It is bypassable, but not in a way you can patch it.

Your anti-cheat is not hard to bypass; it’s just bothersome. The only hard part is the deobfuscation part which requires time. After deobfuscation, your encryption and the main anti-cheat system will be revealed.

An exploiter can look into these two systems, find the points in which they are connected, and carefully disconnect or modify those connections in a way that allows them to get rid of the anti-cheat part completely. Which is pretty easy considering they just have to find the breaking point. Then, they would just inject a modified version of the anti-cheat script without the anti-cheat part, or modify yours (memory modification), so that the encryption still remains, which allows the Handshake system to continue functioning, but they would no longer have any restrictions on the client. A complete bypass.

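An added example, not the poster’s code and not written for Roblox Luau: a Python model of the encrypted challenge/response exchange described earlier in the thread (server encrypts a prompt, client decrypts it, re-encrypts it under a second key, server compares) and of the bypass described in the reply above, where the exploiter keeps the decrypt/re-encrypt path and removes the detection logic. The stream cipher, the two key constants, the tiny word list and the `state` dictionary standing in for client-side checks are all assumptions; the page does not show the real “custom encryption”, and remote events are replaced by direct function calls.

```python
import hashlib
import hmac
import os
import secrets

# Assumed stand-in cipher: an HMAC-SHA256 keystream XORed over the data.
# Any cipher whose keys are shipped inside the client script behaves the
# same way for the argument below.
def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        stream.extend(block)
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

# Assumed key material. In the scheme under discussion both keys live in the
# (obfuscated) client script, so an exploiter's client has them as well.
SERVER_TO_CLIENT_KEY = b"assumed-s2c-key"
CLIENT_TO_SERVER_KEY = b"assumed-c2s-key"

# Constructed word list standing in for SecureSentenceModule's prompts.
WORDS = ["alpha", "beta", "gamma", "delta", "quasar", "neutron", "photon", "gluon"]


def generate_prompt(rng=secrets.SystemRandom()) -> str:
    # The exact prompt format is irrelevant to the handshake.
    return " ".join(rng.choice(WORDS) for _ in range(4))


class Server:
    def __init__(self):
        self.pending = {}  # player -> plaintext prompt awaiting its reply

    def issue_prompt(self, player: str):
        prompt = generate_prompt()
        nonce = os.urandom(8)
        self.pending[player] = prompt
        return nonce, keystream_xor(SERVER_TO_CLIENT_KEY, nonce, prompt.encode())

    def verify(self, player: str, nonce: bytes, reply: bytes) -> bool:
        # True = reply matches, player stays; False = kick.
        expected = self.pending.pop(player, None)
        if expected is None:
            return False
        got = keystream_xor(CLIENT_TO_SERVER_KEY, nonce, reply)
        return hmac.compare_digest(got, expected.encode())


def handshake_reply(nonce: bytes, ciphertext: bytes) -> bytes:
    # The part of the client that every variant below keeps intact.
    prompt = keystream_xor(SERVER_TO_CLIENT_KEY, nonce, ciphertext)
    return keystream_xor(CLIENT_TO_SERVER_KEY, nonce, prompt)


def honest_client(nonce, ciphertext, state):
    # Assumed client-side check; `state` is a constructed stand-in for the
    # local character. Flagging only has an effect if this code runs.
    if state["walkspeed"] > 16:
        state["flagged"] = True
    return handshake_reply(nonce, ciphertext)


def bypassed_client(nonce, ciphertext, state):
    # Exploiter kept handshake_reply() and deleted the check above.
    return handshake_reply(nonce, ciphertext)


def keyless_client(nonce, ciphertext, state):
    # Exploiter who has not recovered the keys: echoes the ciphertext back.
    return ciphertext


def run_round(client, state) -> bool:
    server = Server()
    nonce, ct = server.issue_prompt("player1")
    reply = client(nonce, ct, state)
    return server.verify("player1", nonce, reply)


if __name__ == "__main__":
    for name, client in [("honest", honest_client), ("bypassed", bypassed_client),
                         ("keyless", keyless_client)]:
        state = {"walkspeed": 100}
        print(name, "accepted:", run_round(client, state), "flagged:", state.get("flagged", False))
```

The keyless client is rejected, which is the property the handshake does provide: a reply is only accepted from code that holds both keys. The honest and bypassed clients are indistinguishable to the server, which is the property it does not provide: the reply proves possession of the keys and the re-encryption routine, both of which sit in the exploiter’s process, and says nothing about whether the detection code around them still runs.

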
Deobfuscation is not possible using lura.ph. It’s the exact same system that exploiters use to obfuscate their own paid scripts; there are scripts that make thousands of dollars that use lura.ph’s obfuscation, and there has not been one successful deobfuscation attempt on the latest, most secure version of it. If this were to occur I can always reobfuscate the script, which will produce an entirely different obfuscation result; I can even make it do this every hour or so, ensuring there won’t be enough time to deobfuscate it. Even then, I’m sure I wouldn’t ever have to reobfuscate it, because this obfuscation has not been cracked.

Obfuscation isn’t just making things confusing; lura.ph has built-in anti-tamper measures in place, along with what they call some type of “Lua VM” that runs with it, with the anti-tamper ensuring the obfuscation is not being tampered with.

Note: if you personally think you can crack lura.ph, I’d invite you to try. I’d be happy to obfuscate a script for you and allow you to attempt to deobfuscate it; if you actually could, I bet people would pay you some good money to deobfuscate lura.ph’s scripts.

Every single point you’ve made has already been proven false multiple times in the past; deobfuscation is possible. It’s just that those obfuscated scripts are not in experiences with enough players for them to be noticed by exploiters. No one is going to waste their time deobfuscating a script with no real value.
(Either in an experience with no or a very low number of players.)

The Lua VM is the internal virtual machine that runs the Lua code itself. It is not detectable nor bypassable. Lura.ph runs on this machine; they have no access to it or anything outside of it. This is what “sandboxed” means, by the way.

And yes, by modifying the Lua VM itself, I can change the behavior of your own anti-cheat. Simple: your code and its memory are located on my computer; if I wanted to, I could just skip to the bytecode and work on that instead, not the obfuscated part.

Read my last statement in the first part.