Why using client random code validation with remotes is useless:
Exploiters can preserve that part of code. It will still work. That’s all.
They can modify other part of script, and not touching that one.
You cant modify the script because its obfuscated so they cant pick and choose what to keep within the code. you cant just delete one part. i suggest people look more into the details in which i have provided with you guys i feel like i am just restating stuff i have said.
i am completely aware exploiters can view client scripts but with obfuscation they cannot edit it nor view the actual source or modify it because its impossible to differentiate between different parts of the code because ITS OBFUSCATED
Explain how it is bypassable dont just say its bypassable and not provide an example i may have overlooked
im incredibly frustrated with saying things over and over again please look at my entire thread before you respond.
Obfuscation does not prevent your code from being modified, it just delays the inevitable. The information about what your code does is still there, it just awaits de-obfuscation. An exploiter can decompile and deobfuscate your script. It has been done many times before.
3 Likes
It is bypassable, but not in a way you can patch it.
Your anti-cheat is not hard to bypass; it’s just bothersome. The only hard part is the deobfuscation part which requires time. After deobfuscation, your encryption and the main anti-cheat system will be revealed.
An exploiter can look into these two systems, find the points in which they are connected, and carefully disconnect or modify those connections in a way that allows them to get rid of the anti-cheat part completely. Which is pretty easy considering they just have to find the breaking point. Then, they would just inject a modified version of the anti-cheat script without the anti-cheat part, or modify yours (memory modification), so that the encryption still remains, which allows the Handshake system to continue functioning, but they would no longer have any restrictions on the client. A complete bypass.
Deobfuscation is not possible using lura.ph its the exact same system that exploiters use to obfuscate their own paid scripts there are scripts that make thousands of dollars that use lura.ph’s obfuscation and there has not been one successful deobfuscation attempt in the latest most secure version of it. if this were to occure i can always reobfuscate the script which will produce an entirely different obfuscation result i can even make it so it does this every hour or so. ensuring it wont be enough time to deobfuscate it even then im sure i wouldnt have to ever reobfuscate it because this obfuscation has not been cracked.
obfuscation isnt just making things confusing lura.ph’s have built in anti tamper measures in place along with what they call some type of “lua vm” that runs with it with the anti tamper ensuring the obfuscation is not being tampered with
note: if you personally think you can crack a lura.ph i’d invite you to try i’d be happy to obfuscate a script for you and allow you to attempt to deobfuscate it if u actually could i bet people would pay you some good money to deobfuscate lura.ph’s scripts
Every single point you’ve made has already been proven false multiple times in the past, deobfuscation is possible. It’s just the fact that those obfuscated scripts are not in experiences with enough players that they’re being noticed by exploiters. No one is going to waste their time on deobfuscating a script with no real value.
(Either in an experience with no or very low amount of players)
Lua VM is the internal virtual machine that runs the Lua code itself. It is not detectable nor bypassable. Lura.ph runs on this machine, they have no access to it or anything outside of it. This is what “sandboxed” means, by the way.
And yes, by modifying the Lua VM itself, I can change the behavior of your own anti-cheat. Simple: Your code and its memory are located in my computer, if I wanted to, I could just skip to the bytecode and work on that instead. Not the obfuscated part.
Read my last statement in the first part.
i wasnt talking about developers using the obfuscation im talking about exploits paid exploits every single exploit script known to man uses lura.ph luarmor which is a whitelisting service for exploit developers uses lura.ph obfuscation because lura.ph is reliable and makes people real money because when people buy an exploiting script they dont give them the source code they give them the lura.ph obfuscated code and you cant modify the behavior of my anti-cheat if its obfuscated because u dont even know what your modifying
the exploiting world is literally ran by lura.ph exploiting wouldnt exist without the obfuscation from it if deobfuscating it was so easy these paid scripts wouldnt exist and people wouldnt be able to exploit people try deobfuscating and bypassing lura.ph’s obfuscating techniques every single day to try and obtain paid exploit scripts for free and they are unable to
and im really happy to provide you with the game link and you can try to personally bypass the anti-cheats handshake method i am not being argumentative or being passive aggressive im really just trying to get feedback for what i can patch and what i should be looking out for whilst improoving the anti-cheat
This ^
An obfuscated code keeps the same amount of information than its non-obfuscated counterpart. Compilation also keeps the same amount of information since you are just writing some piece of code that you transform into bytecode so that machines understand it. For example, in C, whenever you compile a source file (gcc -S to get a readable assembly snippet for example) to get its partial machine code, you just get a direct 1:1* translation of your source code into machine code. You did not lose any information in between.
You cannot write code that will be “encrypted” in such a way that you somehow LOSE information between the source code & the encrypted one. If you lose information, then you basically lose the workflow you actually want to have. Due to that, decompiling an obfuscated file IS DEFINITELY POSSIBLE.
*: 1:1 yes, but it is way harder to decompile code due to compiler optimizations levels that will definitely add an extra layer of difficulty.
3 Likes
I will be sure to note that.
UPDATE LOG
Punishment requests are now synced with ping requests, so every ping response includes a table of reports. This change prevents exploiters from filtering out punishment requests while allowing pings to go through. With punishment and ping requests combined, exploiters can no longer easily distinguish between the two, enhancing overall security.
1 Like
website doesnt seem to be up? could u check it
The website is down and I do not plan to enable it until I optimize and make it more advanced
3 Likes
Please let me know when the site is back up, I am really interested.
ill give you studio access and you can view everything if you want message me if you are interested.
2 Likes
Update
I’m enhancing our security protocols by implementing a more sophisticated method for managing encryption keys between the client and server. Here’s how im going to implement it:
- Dynamic Key Generation: The server creates 50 string values, each assigned a unique, random 30-character name. Both the names and values are refreshed every 0.4 seconds to maintain high security and prevent predictability.
- Secure Key Retrieval: The client uses a specially encrypted default key to securely request the next encryption key from the server. This process allows the client to access one of the 50 dynamically generated strings stored in replicated storage.
- Protected Communication: The client must obtain one of these randomly generated encryption keys to decrypt the server’s pings. This ensures that attackers cannot intercept or access the encryption keys to decode the special prompt needed to respond to the server’s ping requests.
This layered encryption mechanism significantly strengthens our system’s security, ensuring that communication between the client and server remains secure and resilient against potential attacks.
im really excited to see an exploiters reaction to seeing a replicatedstorage folder with 50 string values that change their names every 0.4 seconds
1 Like
have you checked to see if this has any hit on performance for both the server and the client, I can imagine it does to an extent.
I thought of that i came up with a solution so that everything will update in batches of 10 so it doesnt update all 50 at once therefor causing lag
1 Like
beware Roblox may terminate accounts that publish spam or assets with malicious or obfuscated code
Gets bypassed in zero seconds using any exploit that doesnt inject