Client-Server Anti-Cheat System with Custom Encryption

3.1415926535897932384626433832795028841971

2 Likes

I would show that if it wasn't for the fact that my obfuscator is still under development.

What I meant by losing information is removing, for example, the argument count and making every function variadic; that way there's no way to know for sure how many arguments are passed without looking at other calls to that function.

Yes, this is AGAIN a method to make the code less clear. You never remove any information from the code, since the function you call can be examined thoroughly, in such a way that you can figure out the argument count afterwards.

It's a good technique to make it hard to reverse, NOT theoretically impossible. That's the whole point.

If you decide to make a game, and your game becomes famous, someone will definitely try to look at the different security measures you put in place, whether you obfuscated them or not.

1 Like

It really depends on what you mean by “removing information.” In a practical sense, it might be impossible, but in the context of my example, it’s effectively removing information about the Prototype.

I know it's old, but this anti-cheat, for me, does more harm to players than good. Your encryption may eventually be bypassed by someone; I don't know how, but it can be. Every anti-cheat can be.

Another thing is that your methods may increase network load, which can cause problems for players with slower internet. Sending a ping every 2 seconds seems unnecessary and increases network load if this encrypted message is a string (remember that each letter is 1 byte; usually you want to send less than 8 bytes to prevent lag, so if those strings are long…).

Also, with those encrypted messages, a group of cheaters may crash entire servers, because your script, even without anti-spam, is vulnerable to heavy work.

So in summary, no matter how good your anti-cheat is, it will never be perfect. Sometimes simpler is better, and making anti-spam checks or some quick math is easier than encrypting messages and making the game unplayable for many players.

They are trying to say that you are not removing information about what the code is fundamentally doing.

2 Likes

This uses modern AES encryption, which is unbypassable. Literally, this is the only thing that is unbypassable without the encryption key.

And there was another person saying 2 seconds; the ping requests are sent every 8 seconds and the client has a window of 5 seconds to respond to them. They are allowed 2 missed responses before being kicked. This can be modified, and I think I was pretty lenient with it.

Lots of games send way more network traffic than this. At this point I think some of you are just trying to find reasons against me.

2 Likes

No, I don't try to find reasons against you, but anti-cheats in general have a simpler and much better alternative, which is simple security checks and debounce.

From a design perspective it's impressive, but for project management and the overall gameplay idea it's pointless to secure your client if it cannot do harm to the server in any dangerous way.

About pings: if they are sent occasionally, like you said, it shouldn't be that much of a problem. I posted under your other post that some optimization methods like buffers can slow down cheaters even more without any cost.

In conclusion, I really appreciate your work, but again and again it's overcomplication. Devs should aim for a simple and working solution rather than a complex one to solve the unimportant problem of some guy reading how you've made your GUI buttons work.

2 Likes

I would like you to make your game available to Android devices.

Please open it up to Android for testing.

Edit: Thank you for opening it up for testing!

I truly apologize for being rude. I will delete what I had said earlier. Sometimes I get carried away. I am really passionate about this stuff.

lol, I'll open it to Android devices. I didn't turn it off intentionally; when you create a game on Roblox, iOS is already disabled by default.

And relaying the correct response is possible, but you won't be able to tell which one you are relaying is a ban ping request.

Adding onto your point further, any Android executors are free and, I assume, skidsploits, so that's why I didn't add them. I don't respect anyone who uses an executor on Android.

And the sheer fact that you said you won't be sharing the detection methods to improve it shows that you are literally just on this forum to find anything against me. Go ahead and read what the DevForum is supposed to be about and get back to me.

PS: Android is now open.

I'd like to hear proof of you bypassing it, because relaying the requests is not bypassing it: when you are relaying the request, it is impossible to differentiate between a request to ping and a request to ban you, due to the encryption. Saying people like yourself learned how to bypass it without even being able to play the experience is diabolical.

UPDATE

Finally obfuscated the test place code.
Pushed the last bypass patch to the main place.
Increased the features for the environment to break down on detection.
Added logging so I can monitor the anti-cheat's activity and debug.
Removed bans from the test place so you can still test even after being detected.
Added buttons that simulate a detection so you can check if, for example, a relay bypass actually works when a detection occurs.
And obviously enabled Android support.

I'm currently working on a way so that, if communication is blocked, the client can still communicate to the server that it's detected. I don't know, maybe by moving the player's character to a certain position; the server can periodically check the character's location, and if it matches this specific location, the client is breached. Obviously I won't be implementing this exact method, because if you know how an anti-cheat works, bypassing it is incredibly easy.

1 Like

Reading through this post, there are several glaring points of concern that immediately come to me.

“Custom encryption”

Lots of people with more years of experience in the field of cryptography than you and I have developed encryption algorithms that would later go on to be proven insecure (read: broken). I don’t know where or how you got the idea of making your own encryption algorithm from, when both existing algorithms (e.g. AES) and existing implementations (e.g. libraries that provide AES primitives in Lua(u)) are available for your use.

EDIT:

Sorry, I just read this. That means you’re not using “custom encryption”, but rather an established standard. Not going to comment on the implementation of it, though, other than the general observation that AES and other encryption algorithms can be difficult to get right in terms of the code.

Relying on security through obscurity

Any encryption algorithm or protocol that relies on an adversary not knowing how it works in order to achieve reliable security is far from secure. While in practice there’s nothing wrong with obfuscating your code to make life somewhat harder for exploiters, relying solely or heavily on obfuscation makes your approach no different from that of (almost) any of the existing anti-cheat solutions that are already available on the market.

Replay attacks

This is the point that was emphasized by @deIuxor. You have not mentioned any current or planned mitigations against simple replay attacks. This is a matter of protocol design and has nothing to do with the specific encryption algorithm being used.

A possible approach is to have the server generate a single-use nonce that is sent encrypted to the client with the expectation that the client will include the nonce within its next encrypted communication with the server.

(No, this does not address the problem itself, which is that of valid messages being replayed. After all, how can you ban someone before detecting their exploit?)

Overall, while you’ve put in time and effort into developing this anti-cheat system, it’s important to be aware of its security shortcomings and make adjustments where necessary to achieve the objective of security.

3 Likes

Hi! The reason replay attacks are useless is that you cannot replay a ping response more than one time, meaning once it's sent it's no longer valid. Every ping request from the server includes an encrypted message that must be encrypted and sent back. The server stores every response along with creating a ping ID; it then checks whether the encrypted message is the one it just sent and checks previous responses, thus making replay attacks useless. And even if you are getting the ping from the anti-cheat and sending it back, it won't matter, because you can't tell the difference between a plain ping request and one sending ban information, since they are sent together with the ping request. If you are just seeing this message, I'll respond to the rest; I'm in school right now.

I already have that implemented; I just refer to it as a prompt inside the post, not a nonce.

As you said in your post, the obfuscation is just to make it harder. You can sift through the post to find more technical information on how replay attacks are prevented. I think I implemented enough preventions to the point where they are an unviable bypass. I'll go more in depth on how a ping request is verified by the server when I get home.

To confirm, the anti-cheat is using AES encryption.

Overall, like stated in your post, the entire reason for me posting this is so I could improve it and eventually release it.

4 Likes
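The single-use nonce suggested in the critique above and the "ping ID plus stored previous responses" check the author describes in the reply are the same protocol idea, and it is worth seeing the bookkeeping written out, because that is where replay protection actually lives. The following is an added example, not the thread author's code and not Luau: HMAC-SHA256 over a shared key stands in for the AES layer (replay resistance is a property of the protocol, not of the cipher, which is exactly the point made about protocol design). The 8-second interval, 5-second response window and two tolerated misses are taken from the author's earlier reply; the key, the JSON message layout, the injected clock values and the `PingServer`, `client_answer` and `run_scenario` names are assumptions made for the example.

```python
# Added example: replay-resistant ping/pong bookkeeping. Not the thread author's code
# and not Luau; key, message layout, clock values and names are assumptions.
import hashlib
import hmac
import json
import secrets

KEY = b"demo-session-key"      # constructed shared secret, demo only
PING_INTERVAL = 8.0            # seconds between pings (from the author's reply)
RESPONSE_WINDOW = 5.0          # seconds the client has to answer (from the reply)
MAX_MISSES = 2                 # missed responses tolerated before a kick (from the reply)


def seal(payload: dict, key: bytes = KEY) -> bytes:
    """Authenticate a JSON payload: 32-byte HMAC-SHA256 tag followed by the body."""
    body = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).digest() + body


def open_sealed(blob: bytes, key: bytes = KEY):
    """Verify the tag in constant time; return the payload, or None if forged."""
    tag, body = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        return None
    return json.loads(body)


def client_answer(blob: bytes, key: bytes = KEY):
    """Honest client: echo the ping id and nonce back inside a sealed pong."""
    msg = open_sealed(blob, key)
    if msg is None or msg.get("type") != "ping":
        return None
    return seal({"type": "pong", "id": msg["id"], "nonce": msg["nonce"]}, key)


class PingServer:
    """Server side: one nonce per ping, accepted at most once, only inside its window."""

    def __init__(self, key: bytes = KEY):
        self.key = key
        self.next_id = 1
        self.outstanding = {}     # ping id -> (nonce, deadline)
        self.seen_nonces = set()  # nonces that can never be accepted again
        self.misses = 0
        self.kicked = False

    def issue_ping(self, now: float) -> bytes:
        ping_id, self.next_id = self.next_id, self.next_id + 1
        nonce = secrets.token_hex(16)
        self.outstanding[ping_id] = (nonce, now + RESPONSE_WINDOW)
        return seal({"type": "ping", "id": ping_id, "nonce": nonce}, self.key)

    def expire(self, now: float) -> int:
        """Retire pings whose window has closed; each one counts as a miss."""
        for ping_id, (nonce, deadline) in list(self.outstanding.items()):
            if now > deadline:
                del self.outstanding[ping_id]
                self.seen_nonces.add(nonce)   # a late answer must never be accepted later
                self.misses += 1
        self.kicked = self.misses > MAX_MISSES
        return self.misses

    def handle_response(self, blob: bytes, now: float) -> str:
        """Return one of: ok, bad_mac, unknown, replay, late."""
        msg = open_sealed(blob, self.key)
        if msg is None:
            return "bad_mac"                  # tampered or forged without the key
        entry = self.outstanding.get(msg.get("id"))
        if entry is None:
            return "replay" if msg.get("nonce") in self.seen_nonces else "unknown"
        nonce, deadline = entry
        if msg.get("nonce") != nonce:
            return "unknown"                  # valid key but wrong nonce for that id
        if now > deadline:
            self.expire(now)
            return "late"
        del self.outstanding[msg["id"]]       # first valid answer retires the nonce
        self.seen_nonces.add(nonce)
        return "ok"


def run_scenario() -> dict:
    """Drive one session through the interesting cases; returns the outcomes."""
    srv, out = PingServer(), {}
    reply = client_answer(srv.issue_ping(0.0))
    out["fresh"] = srv.handle_response(reply, 1.0)                    # ok
    out["replay"] = srv.handle_response(reply, 2.0)                   # replay
    out["tampered"] = srv.handle_response(reply[:-1] + b"x", 2.0)     # bad_mac
    out["forged"] = srv.handle_response(seal({"type": "pong", "id": 99, "nonce": "f"}), 2.0)
    late = client_answer(srv.issue_ping(PING_INTERVAL))
    out["late"] = srv.handle_response(late, PING_INTERVAL + 6.0)      # window is 5 s
    out["late_replay"] = srv.handle_response(late, PING_INTERVAL + 7.0)
    srv.issue_ping(2 * PING_INTERVAL)    # never answered
    srv.issue_ping(3 * PING_INTERVAL)    # never answered
    out["misses"] = srv.expire(4 * PING_INTERVAL)   # late one + two unanswered
    out["kicked"] = srv.kicked                       # third miss exceeds MAX_MISSES
    return out
```

Two design points worth noting: a nonce that expires unanswered is added to `seen_nonces` rather than simply dropped, so a response held back by an attacker and delivered later is classified as a replay rather than as an unknown message, and the MAC check happens before any lookup, so forged traffic never touches the per-session tables. Neither property depends on which cipher wraps the messages.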

Be careful when putting obfuscated code in your assets, because Roblox may terminate accounts that publish spam or assets with malicious or obfuscated code.