I don’t trust ChatGPT for everything here but based on the response I got I’d have to say you are out of luck my friend(Lua.rh and other heavily trusted obfuscators do work but otherwise this would have been true). This is not secure unless there’s other hidden checks that are extremely difficult for exploiters to discover on their own. The reason is because the system you are using matches what I described… it falls into 4 different vulnerabilities. If you can work to secure it from all of these vulnerabilities than perhaps you should seek employment in this field because it seems you are very passionate for it and I think you would be very good at it. Your script is incredibly smart but it is definitely bypassable.
Memory Editing: An exploiter could use tools to read and modify the game’s memory, changing the value stored for the string before sending it back to the server.
Code Injection: By injecting custom scripts into the game, an exploiter could automate the response to always match the server’s expected value.
Network Manipulation: They could intercept and modify the data being sent between the client and server, changing the response to whatever value they choose.
Automation Scripts: Exploiters might create scripts that listen for the server’s random value and automatically send back the correct response without user intervention.
I hope this helps! Sorry for the bad news but unfortunately it is a part of life and if security were easy… everyone would be doing it.
The best way to go about what I just said is to either try and do what is impossible to most people and continue gaining more knowledge into the field of security or you can always take the server sided approach / trickster approach and apply things to the client that aren’t easily readable and make it super difficult for an exploiter to figure out(the less info that can be logged by them the better because remote event loggers just make it too darn easy for them to figure out)
I appreciate your feedback the reason i posted it on there is so that people could tell me about vulnerabilities i did not know about.
But number 4 would not happen because as i said the random value that its sending is encrypted before its sent to retrieve the random value the message containing the random value must first be decrypted
this answer also makes number 2 wrong as the exploiters would be unable to retrieve the expected value without first decrypting the message that has the expected value
but in complete honesty i appreciate your feedback and will take more of a look into all of your stated points.
I’ve personally used deobfuscation in the past and can definitely confirm it is possible and the more devs that use such a system the more deobfuscating will be learned until eventually it will be so popular that just like exploiting itself, would become unstoppable(the stuff I mentioned is still entirely immune to exploits which is why I would take my approach instead but that’s only my approach I don’t expect everyone else to follow it)
Yes that is true that is why i will be using Lua.rh its originally an obfuscator that every paid exploit uses and has proven to be reliable in the past so for any obfuscation i will be using the market standard in roblox which is lua.rh
Perfect. That is exactly what you should do and this will be my last message because it concludes this conversation. Your approach with Lua.rh is a valid and secure way to anti cheat using a server to client to server model. My approach is also a viable option and would be the much easier route to take. I made a post not too long ago
about how I would go about it and I have so many tricks up my sleeve. I would be happy to privately show you a place file where I demonstrate my knowledge of anti cheat. I would gladly do this for you because you are an asset to this community and you took much time out of your day to help the community understand exactly how to approach encryptioned based anti cheat.
Custom encryption? So you have encryption systems available LOCALLY?
No point in doing that, I come with specific software and I decompile your system. Then I read through it and understand everything. I could also change the behavior of remotes to do custom stuff as an exploiter can basically modify raw instances
There are ways to counteract that, I didn’t read through all of it, I’m sure you did a good job. I still think it’s better to have some sort of SAFE system of course, as the vast majority of people won’t care about anti cheats, and will try to exploit blindlessly.
Don’t bother trying to elaborate things that are too complex though
I understand the deobfuscation issues but Lua.rph has never been deobfuscated unless the actual script had blind security vulnerabilities within it I also understand the concern for having encryption on the local side but it’s obfuscated I know that only helps a little bit but I have plans to make the encryption third party so it is more secure I cannot guarantee that my methods are unbypassable but with this scheme it makes client sides anti cheats incredibly hard to bypass in terms of normal client sided anti cheats but I simply do not know as I haven’t had it stress tested but if any vulnerabilities come up when I allow it to be stress tested I am dedicated to finding alternatives and fixing them.
To add onto this although the encryption systems are local they are obfuscated
Addressing that other concern about the remotes It does not matter how the remote is changed by an exploiter modified or viewed because in any case that the anti cheat does not respond with the custom encryption ensuring it’s the actual anti cheat replying it will disconnect the player
Decompiling the anti cheat is essentially useless as the original source code will not be displayed when decompiled because of the obfuscation I use you can view the specific obfuscator here: https://lura.ph/ it is paid with a one dollar per obfuscation or a monthly fee depending on the plan
Obfuscation is useful whenever users attempt to read the raw content of a script you wrote. I have witnessed people decompiling scripts I have written. The result were a complete reformatted script generated by the decompiler. It chose variable names automatically & reformatted the code with indents.
The fact the naming scheme used by the software does not match the names of the original variables/functions you wrote implies that you lose some context if you properly named your variables, but it also implies that obfuscation (variable name change & function reassignment) is basically useless. Same goes with uglification.
Great idea! I’ll also make the randomized time kicking from the server so it’s not tampered with I also have a randomized ping interval so they exploiters will not be able to differentiate between ping requests and requests for kicking them.
Why using client random code validation with remotes is useless:
Exploiters can preserve that part of code. It will still work. That’s all.
They can modify other part of script, and not touching that one.
You cant modify the script because its obfuscated so they cant pick and choose what to keep within the code. you cant just delete one part. i suggest people look more into the details in which i have provided with you guys i feel like i am just restating stuff i have said.
i am completely aware exploiters can view client scripts but with obfuscation they cannot edit it nor view the actual source or modify it because its impossible to differentiate between different parts of the code because ITS OBFUSCATED
Obfuscation does not prevent your code from being modified, it just delays the inevitable. The information about what your code does is still there, it just awaits de-obfuscation. An exploiter can decompile and deobfuscate your script. It has been done many times before.
It is bypassable, but not in a way you can patch it.
Your anti-cheat is not hard to bypass; it’s just bothersome. The only hard part is the deobfuscation part which requires time. After deobfuscation, your encryption and the main anti-cheat system will be revealed.
An exploiter can look into these two systems, find the points in which they are connected, and carefully disconnect or modify those connections in a way that allows them to get rid of the anti-cheat part completely. Which is pretty easy considering they just have to find the breaking point. Then, they would just inject a modified version of the anti-cheat script without the anti-cheat part, or modify yours (memory modification), so that the encryption still remains, which allows the Handshake system to continue functioning, but they would no longer have any restrictions on the client. A complete bypass.
Deobfuscation is not possible using lura.ph its the exact same system that exploiters use to obfuscate their own paid scripts there are scripts that make thousands of dollars that use lura.ph’s obfuscation and there has not been one successful deobfuscation attempt in the latest most secure version of it. if this were to occure i can always reobfuscate the script which will produce an entirely different obfuscation result i can even make it so it does this every hour or so. ensuring it wont be enough time to deobfuscate it even then im sure i wouldnt have to ever reobfuscate it because this obfuscation has not been cracked.
obfuscation isnt just making things confusing lura.ph’s have built in anti tamper measures in place along with what they call some type of “lua vm” that runs with it with the anti tamper ensuring the obfuscation is not being tampered with
note: if you personally think you can crack a lura.ph i’d invite you to try i’d be happy to obfuscate a script for you and allow you to attempt to deobfuscate it if u actually could i bet people would pay you some good money to deobfuscate lura.ph’s scripts
Every single point you’ve made has already been proven false multiple times in the past, deobfuscation is possible. It’s just the fact that those obfuscated scripts are not in experiences with enough players that they’re being noticed by exploiters. No one is going to waste their time on deobfuscating a script with no real value.
(Either in an experience with no or very low amount of players)
Lua VM is the internal virtual machine that runs the Lua code itself. It is not detectable nor bypassable. Lura.ph runs on this machine, they have no access to it or anything outside of it. This is what “sandboxed” means, by the way.
And yes, by modifying the Lua VM itself, I can change the behavior of your own anti-cheat. Simple: Your code and its memory are located in my computer, if I wanted to, I could just skip to the bytecode and work on that instead. Not the obfuscated part.
