ROBLOX HAS BLOCKED THIS SCRIPT FROM THE MARKETPLACE BECAUSE OF THEIR NEW RULES. STOP THIS POLICY CHANGE. IF YOU HAVE A DEVFORUM ACCOUNT LEAVE A REPLY HERE: Creator Marketplace: Improving Model Safety. IF NOT THEN SHARE.
I have recently made a new api called the encrypt api. It can encrypt and decrypt strings for any purpose.
DISCLAIMER: Don’t use this as a single security method. This is more of a hash generator.
How it works:
This api can convert strings into jibberish text and then back into a readable string.
How to use it:
You can require the module then use the api function
-- Call The API
local api = require(5574188332)
-- Set Your Key
local key = 1023921391233933
--Encode Text
print(api.encode(key, "test"))
--Decode Text
print(api.decode(key, "84cd84f3"))
--Encrypted Remote
game.ReplicatedStorage.RemoteEvent.OnServerEvent:Connect(function(plr, text)
print(api.decode(key, text))
end)
As you can see the remote is decrypting the jibberish back into the word “hello”.
Important Extras:
There is no way to run the api on the client.
Documentation:
module.encode(key, string) - encodes the string
module.decode(key, string) - decodes the string
Security through obscurity won’t keep your game safe for long. This kind of approach to an anti-exploit will just end with someone taking maybe half an hour to find your encryption key and leaking it to everyone.
I know this is just some extra security for heavily targetted games. Its not made to be the only thing you have. If someone does the find the key the changing of the key can patch all the exploits for the game for a little bit.
This doesn’t make sense. Server side checks fix the trust issue whether or not an exploiter can read what’s being sent.
The title is also misleading. “A New Way To Stop Exploiting” implies it’s both new and that it stops exploiting. Key systems have been around forever and used in many games. They have also never stopped exploiting.
if an exploiter decompiles this the result would roughly be
local v1 = require(script["YWR1aXdhZHVod25kcw=="])
local v2 = 1023921391233933
print(v1.encode(v2,"test"))
game.ReplicatedStorage.RemoteEvent:FireServer(v1.encode(v2,"hello"))
so the code is literally working for the exploiter since it is sending the encoded result and they can see that the key is static. even if it were dynamic what prevents them from hooking :FireServer so they can just send over the key your game scripts send over?
Like I said in the post use https://obfuscator.aztupscripts.xyz/Home for obfuscating the script so they can’t see the key. It uses homebrew which has never been cracked.
What prevents them from dumping constants? There are also tools to deobfuscate. It is possible for exploiters to reverse engineer any obfuscation attempts. It just isn’t all worth it when your backend can be secure.
The problem with implementing “extra protection” is that it gives the developer extra work (sending a key through every remote and verifying on the server) for practically zero returns, as mentioned multiple times above it can be easily sidestepped.
There is really no point in this as it’ll get bypassed and released, which everyone will then use.
There are ways to make exploiting really, really annoying on client-side to the point where developers of the exploits have to implement functions to help out / bypass those anticheats (cough rogue lineage), but those are way more complex , while this just encrypting a key (which you can grab anyway, I’m unsure why you’re saying this prevents remote spies) which doesn’t even seem to be dynamic?
You’re implying this is hard to bypass when it’s not: you can grab that key in under 5 minutes.
Please do not try to secure the client, as it just makes it worse in the end.
P.S: obfuscating doesn’t really matter anyway, as even if you were to obfuscate both the module and the localscript & even have the keys be dynamic, exploiters could still just call the module to encrypt it themselves…
I’m not sure encryption plays a special part in securing roblox’s remote network.
The server is perfectly capable of verifying if requests are valid; likewise the client can assume the communication from the server is also valid. Any sensitive information should never be sent to client; so there shouldn’t actually be any risk in players seeing data sent from server.
Also why obfuscate the encryption module’s source code?
Hey, could you please include the original source and not some obfuscated mess? I don’t think anyone wants obfuscated code doing who knows what to their game
This is useful, a lot of “geniuses” try using Remote Spy and Firing any event. For someone who owns a simulator game, this is very useful.
The only reason why I won’t add it is because the API is obfuscated. I don’t wanna call you a malicious reason but who knows what the code could be doing?
If they are using the obsfucator I added in the post then you can’t just grab the key and the module doesn’t work without your key so they can’t just call it
It’s obfuscated cause if someone sees the full source they could reverse engineer the whole api and make it so it no longer protects anything. They are 2 other keys build into the api code.
. It is not a helpful community resource , it just promotes bad habits
