Client-Server Anti-Cheat System with Custom Encryption – Seeking Feedback!

Custom encryption? So you have encryption systems available LOCALLY?

No point in doing that, I come with specific software and I decompile your system. Then I read through it and understand everything. I could also change the behavior of remotes to do custom stuff, as an exploiter can basically modify raw instances.

There are ways to counteract that, I didn’t read through all of it, I’m sure you did a good job. I still think it’s better to have some sort of SAFE system of course, as the vast majority of people won’t care about anti-cheats, and will try to exploit blindly.

Don’t bother trying to elaborate things that are too complex though

2 Likes

I understand the deobfuscation issues, but lura.ph has never been deobfuscated unless the actual script had blind security vulnerabilities within it. I also understand the concern about having encryption on the local side, but it’s obfuscated. I know that only helps a little bit, but I have plans to make the encryption third party so it is more secure. I cannot guarantee that my methods are unbypassable, but with this scheme it makes client-side anti-cheats incredibly hard to bypass in terms of normal client-sided anti-cheats. I simply do not know, as I haven’t had it stress tested, but if any vulnerabilities come up when I allow it to be stress tested, I am dedicated to finding alternatives and fixing them.

To add onto this, although the encryption systems are local, they are obfuscated.

Addressing that other concern about the remotes: it does not matter how the remote is changed, modified or viewed by an exploiter, because in any case where the anti-cheat does not respond with the custom encryption (ensuring it’s the actual anti-cheat replying), it will disconnect the player.

Decompiling the anti-cheat is essentially useless, as the original source code will not be displayed when decompiled because of the obfuscation I use. You can view the specific obfuscator here: https://lura.ph/ (it is paid, with a one dollar per obfuscation or a monthly fee depending on the plan).

Obfuscation is useful whenever users attempt to read the raw content of a script you wrote. I have witnessed people decompiling scripts I have written. The result was a completely reformatted script generated by the decompiler. It chose variable names automatically and reformatted the code with indents.
The fact that the naming scheme used by the software does not match the names of the original variables/functions you wrote implies that you lose some context if you properly named your variables, but it also implies that obfuscation (variable name change and function reassignment) is basically useless. Same goes for uglification.

I urge you to look at the specific details of my obfuscation. It’s not just uglification; lura.ph has never been decompiled.

What if you kick the exploiter in a random interval after their tampering so it takes them longer to realize what caused them to be kicked?

Great idea! I’ll also make the randomized-time kicking come from the server so it’s not tampered with. I also have a randomized ping interval, so the exploiters will not be able to differentiate between ping requests and requests for kicking them.

Everything is bypassable, your anti-cheat requires a little bit more effort. And has been done many times before.

1 Like

Why using client random code validation with remotes is useless:
Exploiters can preserve that part of the code. It will still work. That’s all.
They can modify other parts of the script without touching that one.

You can’t modify the script because it’s obfuscated, so they can’t pick and choose what to keep within the code. You can’t just delete one part. I suggest people look more into the details I have provided you guys with; I feel like I am just restating stuff I have said.

I am completely aware exploiters can view client scripts, but with obfuscation they cannot edit it, view the actual source or modify it, because it’s impossible to differentiate between different parts of the code because IT’S OBFUSCATED.

Explain how it is bypassable. Don’t just say it’s bypassable and not provide an example I may have overlooked.

I’m incredibly frustrated with saying things over and over again. Please look at my entire thread before you respond.

Obfuscation does not prevent your code from being modified, it just delays the inevitable. The information about what your code does is still there, it just awaits de-obfuscation. An exploiter can decompile and deobfuscate your script. It has been done many times before.

2 Likes

It is bypassable, but not in a way you can patch it.

Your anti-cheat is not hard to bypass; it’s just bothersome. The only hard part is the deobfuscation part which requires time. After deobfuscation, your encryption and the main anti-cheat system will be revealed.

An exploiter can look into these two systems, find the points in which they are connected, and carefully disconnect or modify those connections in a way that allows them to get rid of the anti-cheat part completely. Which is pretty easy considering they just have to find the breaking point. Then, they would just inject a modified version of the anti-cheat script without the anti-cheat part, or modify yours (memory modification), so that the encryption still remains, which allows the Handshake system to continue functioning, but they would no longer have any restrictions on the client. A complete bypass.

Deobfuscation is not possible using lura.ph. It’s the exact same system that exploiters use to obfuscate their own paid scripts. There are scripts that make thousands of dollars that use lura.ph’s obfuscation, and there has not been one successful deobfuscation attempt in the latest, most secure version of it. If this were to occur, I can always reobfuscate the script, which will produce an entirely different obfuscation result. I can even make it so it does this every hour or so, ensuring there won’t be enough time to deobfuscate it. Even then, I’m sure I wouldn’t ever have to reobfuscate it, because this obfuscation has not been cracked.

Obfuscation isn’t just making things confusing. lura.ph has built-in anti-tamper measures in place, along with what they call some type of “Lua VM” that runs with it, with the anti-tamper ensuring the obfuscation is not being tampered with.

Note: if you personally think you can crack lura.ph, I’d invite you to try. I’d be happy to obfuscate a script for you and allow you to attempt to deobfuscate it. If you actually could, I bet people would pay you some good money to deobfuscate lura.ph’s scripts.

Every single point you’ve made has already been proven false multiple times in the past, deobfuscation is possible. It’s just the fact that those obfuscated scripts are not in experiences with enough players that they’re being noticed by exploiters. No one is going to waste their time on deobfuscating a script with no real value.
(Either in an experience with no or very low amount of players)

Lua VM is the internal virtual machine that runs the Lua code itself. It is not detectable nor bypassable. Lura.ph runs on this machine, they have no access to it or anything outside of it. This is what “sandboxed” means, by the way.

And yes, by modifying the Lua VM itself, I can change the behavior of your own anti-cheat. Simple: Your code and its memory are located in my computer, if I wanted to, I could just skip to the bytecode and work on that instead. Not the obfuscated part.

Read my last statement in the first part.

I wasn’t talking about developers using the obfuscation; I’m talking about exploits, paid exploits. Every single exploit script known to man uses lura.ph. Luarmor, which is a whitelisting service for exploit developers, uses lura.ph obfuscation because lura.ph is reliable and makes people real money, because when people buy an exploiting script they don’t give them the source code, they give them the lura.ph obfuscated code. And you can’t modify the behavior of my anti-cheat if it’s obfuscated, because you don’t even know what you’re modifying.

The exploiting world is literally run by lura.ph. Exploiting wouldn’t exist without the obfuscation from it. If deobfuscating it was so easy, these paid scripts wouldn’t exist and people wouldn’t be able to exploit. People try deobfuscating and bypassing lura.ph’s obfuscating techniques every single day to try and obtain paid exploit scripts for free, and they are unable to.

And I’m really happy to provide you with the game link, and you can try to personally bypass the anti-cheat’s handshake method. I am not being argumentative or passive-aggressive; I’m really just trying to get feedback on what I can patch and what I should be looking out for whilst improving the anti-cheat.

This ^

Obfuscated code keeps the same amount of information as its non-obfuscated counterpart. Compilation also keeps the same amount of information, since you are just writing some piece of code that you transform into bytecode so that machines understand it. For example, in C, whenever you compile a source file (gcc -S to get a readable assembly snippet, for example) to get its partial machine code, you just get a direct 1:1* translation of your source code into machine code. You did not lose any information in between.

You cannot write code that will be “encrypted” in such a way that you somehow LOSE information between the source code and the encrypted one. If you lose information, then you basically lose the workflow you actually want to have. Due to that, decompiling an obfuscated file IS DEFINITELY POSSIBLE.

*: 1:1 yes, but it is way harder to decompile code due to compiler optimization levels that will definitely add an extra layer of difficulty.

I will be sure to note that.

UPDATE LOG
Punishment requests are now synced with ping requests, so every ping response includes a table of reports. This change prevents exploiters from filtering out punishment requests while allowing pings to go through. With punishment and ping requests combined, exploiters can no longer easily distinguish between the two, enhancing overall security.
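A minimal model of the server side of the handshake described in this update, added here as an example and not the poster's code. It is written in Python rather than Luau and uses HMAC-SHA256 with a per-ping nonce in place of the thread's custom encryption; every name in it (`HandshakeServer`, `client_reply`, `PING_TIMEOUT`, the report strings) is an assumption.

```python
import hashlib
import hmac
import json
import secrets

PING_TIMEOUT = 5.0  # assumed: seconds a client has to answer a ping

def sign(key, nonce, reports):
    # The tag binds the report table to one specific ping (HMAC-SHA256).
    body = json.dumps(reports, sort_keys=True)
    return hmac.new(key, f"{nonce}|{body}".encode(), hashlib.sha256).hexdigest()

def client_reply(key, nonce, reports):
    # What an unmodified client sends: the reports ride inside the ping reply.
    return {"nonce": nonce, "reports": reports, "tag": sign(key, nonce, reports)}

class HandshakeServer:
    def __init__(self, key):
        self.key = key
        self.pending = {}  # nonce -> time the ping was issued

    def issue_ping(self, now):
        nonce = secrets.token_hex(16)  # fresh per ping, so old replies cannot be reused
        self.pending[nonce] = now
        return nonce

    def check_reply(self, reply, now):
        # Returns "ok", "punish" or "disconnect" for one reply.
        nonce, tag, reports = reply.get("nonce"), reply.get("tag"), reply.get("reports")
        if not (isinstance(nonce, str) and isinstance(tag, str) and isinstance(reports, list)):
            return "disconnect"  # malformed reply
        issued = self.pending.pop(nonce, None)  # each nonce is accepted once
        if issued is None or now - issued > PING_TIMEOUT:
            return "disconnect"  # unknown, replayed or late
        if not hmac.compare_digest(sign(self.key, nonce, reports).encode(), tag.encode()):
            return "disconnect"  # report table or tag was altered
        return "punish" if reports else "ok"

def demo():
    key = b"constructed-demo-key"  # constructed sample value
    srv = HandshakeServer(key)
    clean = client_reply(key, srv.issue_ping(0.0), [])
    flagged = client_reply(key, srv.issue_ping(0.0), ["speed"])
    # Same reply as "flagged" but with the report table emptied after signing.
    stripped = dict(client_reply(key, srv.issue_ping(0.0), ["speed"]), reports=[])
    return {"clean": srv.check_reply(clean, 1.0),
            "flagged": srv.check_reply(flagged, 1.0),
            "replayed": srv.check_reply(clean, 2.0),
            "report_stripped": srv.check_reply(stripped, 1.0)}
```

An `ok` result shows only that the sender holds the key and answered in time; the server receives the same reply whether or not the client's checks ran, which is the limit the replies in this thread point at.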

UPDATE LOG

Website Launched:

CanSecurity Wait-List

For some games this system could work, I guess, but there are currently certain genres of games that are basically vulnerable indefinitely to being exploited, and honestly it’s to a point that there’s really no use for anti-cheat whatsoever in such games. If anything, the amount of time I spent trying to secure projectiles just to realize it’s impossible without degrading performance was far worse and unnecessary.