Encrypt Api (Free)

Here would be a good addition to this post (I actually have an experimental plugin which I’ve slowly been developing which employs this and makes it much easier to reverse and apply and I call it “StringProtect” of which the actual product is better for most other things than this but is nonetheless relevant :cry:)

(Unrelated to StringProtect) I’d also look at a cryptographic key exchange like the Diffie Hellman Key Exchange. I implemented a remote system that uses this exchange. Here’s a very neat trick: Use this exchange to generate an identical key on both the client and the server (without transmitting it). Next, apply it to a Random.new object, and use random:NextInteger(1, 9e13) as your key for this module! This should always generate a key that can fit in Roblox numbers without getting simplified, and the key will “roll” just like a rolling key. This is a not-so-secure way to do it, but, for remote security, this is incredible because it means an exploiter won’t be able to forge requests without trouble or it will quite literally break their game (and send garbage to your server but they can do that anyway). Here’s a very old implementation I wrote for a working Diffie Hellman Key Exchange in Roblox.

For best use, the rolling key should roll when the server sends a request on both sides, and roll when the client sends a request on both sides, and it should periodically roll on a synced timer (using os.time() for this is what I’d recommend). This means duplicated or invalid requests won’t work at all and will be garbage on the server and will desync the real client code unless the exploiter hooks into your local value and changes it every time. This requires that they listen for remotes, hook into your callbacks, and sync where they need to sync. It also requires that they respect the synchronized clock rolls.

As for the concept behind StringProtect (which isn’t really in a usable state and probably won’t see a release anytime soon, it’s one of my “dream” projects)
By using StringValues in a Strings Folder, you can remove your strings from the source, and thus, decompilation. I personally prefix strings with a nul byte and reverse their contents. This simply makes it slightly harder to debug without too much effort in the chance that an exploiter intercepts the string content (which is entirely possible and easy for them, but, this adds a decent measure against decompilation as it requires timing). The StringProtect plugin actually uses unreversed copies to access necessary functions (mainly string.reverse).

This basically just takes unique strings in the order they are defined, and (in a simplified way for understanding) does something functionally similar to strings[stringNumber] = string.reverse(Strings:GetChildren()[stringNumber][strings[valueStringId]) in the most secure way possible. It limits the number of times strings can be accessed based on content and hangs the client if the limit isn’t strictly followed. In necessary cases strings are given local variables wrapped in a do end. This also tricks Synapse’s decompiler not to apply any actually helpful names (since they rely on string content).

As a dumbed down version of this, you can do something like this for your password stuff, and, it won’t really help in this case because you’ll need to keep accessing that password:

```lua
local getPassword
do
	local passwordValue = script:FindFirstChild("PasswordValueName")
	local password = passwordValue.Value

	-- Cleanup to help reduce leaking
	passwordValue.Value = ""
	passwordValue:Destroy()
	passwordValue = nil

	local content = api.decode(password, input)

	do
		local password = setmetatable({password}, {
			__index = function()
				-- Not a valid index, probably do something
			end
			-- Other stuff if you want, it'll EASILY be bypassed
		})
		getPassword = function()
			-- Employ your checks as you will, exploiters can, again, EASILY get around them though
			return password
		end
	end

	password = nil
end
```
2 Likes
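
The rolling key described in the post above, as an added example that is not the poster's code. It assumes a Roblox environment (`Random`, `bit32`); `sharedSecret`, `keystreamXor`, `clientSend`, `serverReceive` and the `REQ:` prefix are hypothetical names, and the XOR keystream is a toy stand-in for the module's encode/decode.

```lua
-- Added example: rolling key seeded from a shared secret, rolled once per request.
local sharedSecret = 123456789 -- constructed stand-in for the exchanged key

-- Toy XOR keystream (symmetric), standing in for the module's encode/decode.
local function keystreamXor(key, text)
	local stream = Random.new(key)
	local out = {}
	for i = 1, #text do
		out[i] = string.char(bit32.bxor(string.byte(text, i), stream:NextInteger(0, 255)))
	end
	return table.concat(out)
end

-- Each side keeps its own generator, seeded with the same secret.
local clientRoll = Random.new(sharedSecret)
local serverRoll = Random.new(sharedSecret)

local function clientSend(payload)
	local key = clientRoll:NextInteger(1, 9e13) -- client rolls once per request
	return keystreamXor(key, "REQ:" .. payload)
end

local function serverReceive(wire)
	local key = serverRoll:NextInteger(1, 9e13) -- server rolls on every arrival
	local plain = keystreamXor(key, wire)
	if string.sub(plain, 1, 4) ~= "REQ:" then
		return nil -- decoded to garbage: wrong key for this position
	end
	return string.sub(plain, 5)
end

local first = clientSend("buy:sword")
print("genuine request:", serverReceive(first))
print("replayed copy:", serverReceive(first))
-- The replay advanced serverRoll, so the honest client is now one step behind.
print("next genuine request:", serverReceive(clientSend("buy:shield")))
```

The replayed copy is rejected, and so is the honest client's next request, because every arrival advances the server's generator: this is the desync the post mentions.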

This script sounds so fishy.

I am unsure whether to use this.

2 Likes

This exactly. It’s so easy to add server validation and people spend hours making obscurity systems that can be bypassed in 2 seconds.

3 Likes

Your arguments seem to be based off the fact that “hey, this prevents skids, so it’s not useless!”. This is a very stupid argument.
First off, ‘skids’ will just use free scripts that exploiters with actual knowledge have made, which would easily bypass this module.
Also, OP has really flawed knowledge when it comes to anti-cheats and encryption; please don’t state stuff while being ignorant of the actual answers.

1 Like

Just a note that you shouldn’t use aztupbrew (https://obfuscator.aztupscripts.xyz/Home) as it is fully deobfuscated.

2 Likes

There are no public tools to deobfuscate IB2. Ironbrew scripts cannot be decompiled, so constant dumping isn’t an option either.

There’s some weird notion that obfuscation will somehow protect your files from being stolen. This is completely false. Exploiters can see all things client & even the least experienced exploiters use tools designed by seasoned ones. Having a key won’t do anything for you.

This isn’t correct at all. The server is already “secure” because code access to it is restricted & away from the client’s view. You should be using sanity checks on the server by default so, I’m not entirely sure what this actually entails.

I have no idea what “remote event spying” is. I don’t actually know if this is a real or made up term. Part of me wants to know & the other part is like: Sanity checks. Sanity checks. Sanity checks.

The irony in this statement. Nice.

Exploiters can access local scripts through pre-compiled byte code & then, decompile it into something readable. Every check you put on the client can be bypassed. Random naming schemes in the grand scheme of things don’t amount to anything. It’s more of a mental false sense of security. If they’re exploiting, they know what it is. Not themselves but, the code of which was copied from a site knows what your game is & where to exploit it.

From what I can tell, you’re storing the key on the client & encrypting it based on the key provided. This is probably the worst thing you could do. No, no. It’s definitely the worst. Apart from leaking your code willingly.

What.

There’s another key. I’m kinda confused. This is like a locked door that’s meant to be locked but, everyone has the code to the door so now, it’s just a door. An empty & generic door.

More irony.

That site looks incredibly sus. I’m surprised that it’s allowed to be posted here.

This isn’t documentation. I’m not sure what this is classified as. Documentation has a specific style & universal context. There’s no return, parameter types or in-depth detail on what this does besides three words that are all lowercase.

I felt like I did a cinema sins video on a movie. I strongly do not advise using this in production code or games. Stick with server-based sanity checks. We need to get rid of posts like these. They’re misleading & promote horrid habits.

Edit: The actual module is obfuscated & is placed in community resources…? Why would you obfuscate your code & publish it as a “public resource”?

3 Likes
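
What the server-based sanity checks recommended above can look like for one remote, as an added example that is not code from the thread. The catalogue, the `handlePurchase` function, the state layout and the rate limit are all assumptions; the function is plain Lua so it runs outside Roblox too.

```lua
-- Added example: the client sends only an item name; prices, balance and
-- ownership are held and checked on the server.
local PRICES = { sword = 100, shield = 250 } -- constructed catalogue
local MIN_INTERVAL = 0.5 -- assumed minimum seconds between requests per player

local function handlePurchase(state, itemId, now)
	if now - state.lastRequest < MIN_INTERVAL then
		return false, "rate limited"
	end
	state.lastRequest = now
	if type(itemId) ~= "string" then
		return false, "bad type" -- remote arguments can be any value
	end
	local price = PRICES[itemId] -- price comes from the server table only
	if not price then
		return false, "unknown item"
	end
	if state.owned[itemId] then
		return false, "already owned"
	end
	if state.coins < price then
		return false, "insufficient coins"
	end
	state.coins = state.coins - price
	state.owned[itemId] = true
	return true, "ok"
end

-- Constructed requests: { arrival time, argument received from the client }
local state = { coins = 300, owned = {}, lastRequest = -math.huge }
local requests = {
	{ 0.0, "sword" },
	{ 0.1, "shield" },      -- arrives too soon after the previous request
	{ 1.0, { price = 0 } }, -- wrong type
	{ 2.0, "admin_gun" },   -- not in the catalogue
	{ 3.0, "shield" },      -- costs more than the remaining balance
	{ 4.0, "sword" },       -- already owned
}
for _, request in ipairs(requests) do
	print(request[1], handlePurchase(state, request[2], request[1]))
end

-- Wiring in a Roblox Script (PurchaseRemote and stateFor are hypothetical):
-- PurchaseRemote.OnServerEvent:Connect(function(player, itemId)
-- 	handlePurchase(stateFor(player), itemId, os.clock())
-- end)
```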

Hey! This is an interesting module. I did not crack this, but here’s what the source of the obfuscated code is if you’re wondering:

```lua
L0_0 = {}
function L0_0.encode(A0_1, A1_2)
  local L2_3, L3_4
  if not L2_3 then
    L2_3 = L3_4
    for _FORV_6_ = 0, 127 do
      repeat
      until (-1 + 2) * (2 * _FORV_6_ + 1) % 256 == 1
      L2_3[_FORV_6_] = -1 + 2
    end
  end
  return (A1_2:gsub(".", function(A0_5)
    local L1_6, L2_7, L3_8, L4_9
    L1_6 = _UPVALUE0_
    L1_6 = L1_6 % 198292304344
    L2_7 = _UPVALUE0_
    L2_7 = L2_7 - L1_6
    L2_7 = L2_7 / 198292304344
    L3_8 = L2_7 % 128
    L4_9 = A0_5.byte
    L4_9 = L4_9(A0_5)
    A0_5 = L4_9
    L4_9 = _UPVALUE1_
    L4_9 = L4_9[L3_8]
    L4_9 = A0_5 * L4_9
    L4_9 = L4_9 - (L2_7 - L3_8) / 128
    L4_9 = L4_9 % 256
    _UPVALUE0_ = L1_6 * _UPVALUE2_ + L2_7 + L4_9 + A0_5
    return ("%02x"):format(L4_9)
  end))
end
function L0_0.decode(A0_10, A1_11)
  if _UPVALUE0_:IsClient() then
    error("Decode Cannot Be Called From The Client")
    return
  end
  return (A1_11:gsub("%x%x", function(A0_12)
    local L1_13, L2_14, L3_15, L4_16
    L1_13 = _UPVALUE0_
    L1_13 = L1_13 % 198292304344
    L2_14 = _UPVALUE0_
    L2_14 = L2_14 - L1_13
    L2_14 = L2_14 / 198292304344
    L3_15 = L2_14 % 128
    L4_16 = tonumber
    L4_16 = L4_16(A0_12, 16)
    A0_12 = L4_16
    L4_16 = L2_14 - L3_15
    L4_16 = L4_16 / 128
    L4_16 = A0_12 + L4_16
    L4_16 = L4_16 * (2 * L3_15 + 1)
    L4_16 = L4_16 % 256
    _UPVALUE0_ = L1_13 * _UPVALUE1_ + L2_14 + A0_12 + L4_16
    return string.char(L4_16)
  end))
end
return L0_0
```

The reason it looks a bit wack is because all debugging information is removed once it’s obfuscated. But here’s the best of deobfuscation as of present day.

3 Likes

It’s correct that there aren’t any public tools to deobfuscate IB2, but constant dumping is extremely easy and anyone can do it. Also, there are private deobfuscators/decompilers for IB2/Aztupbrew.

Constant dumping is easy if you know your way around a VM. Not everybody can do it. There’s no such thing as a private decompiler that only works on Ironbrew.

There’s no such thing as a private decompiler that only works on Ironbrew.

If you look about 2 posts above yours there is the code deobfuscated from the module. I also would know they exist as I was involved with the creation. The only non deobfuscated obfuscators right now are PSU and Luraph.

1 Like

Luraph deobfuscator is privately maintained after the owner filed a DMCA takedown on the public version. I don’t believe PSU has been deobfuscated.

Luraph’s already been changed after deobfuscation;

Thanks for decoding this. I’m taking all this feedback into account and updating how this works.

1 Like

I never said don’t do sanity checks; I said secure the server at the top of the post. You’re acting like I said only use this. It’s just extra protection, chill dude.

Keep in mind, I did not decode this. But always remember, ALL obfuscation CAN be undone. There’s no exception to this rule. Some may be harder than others, but you can never truly hide your source code. There’s always someone who will find a work around.

1 Like

This shouldn’t be at the top of your post when this is misleading to the point of security & sanity checks. Instead, you provide a module that gives exploiters direct access to the server with a key that’s shared on both the server & client.

There is no protection with this. This is essentially a free ticket for exploiters to hack your game. This is equivalent to a backdoor that’s concealed & obfuscated for the purpose of “extra security”. Not only is this misleading but, it promotes bad habits in a place where people come to learn & model their own style from.

There’s a clear lack of experience & terms from what you offer & what you claim to know. Perhaps, you should look into how security actually works, understand the concepts & best practices and then attempt to model an open-source version from what you learned.

1 Like

How does this give them direct access to the server?

The key is in the local script, so they can easily get it

1 Like

Can I make de-obfuscator a script?