It’s still on the client, it’s still a string value in Roblox’s memory, so it’d still be accessible no matter how much you try to obfuscate it.
Then dont store it in roblox’s memory
ill make a hidden encryption key that can only be used for hiding your url’s and encrypt it so you can hide your keys
Then it simply wouldn’t exist. Everything needs to be on memory or on hard disk or on SSD to be accessible, and you can’t store variables on the last two.
store it on a url, ill make a hidden encryption no one can encode or decode, so you can just have a secret cryptostring
and what are the odds a exploiter meets someone who uses this, they wont know what to do with it they will think its random numbers and strings
As long as it’s on the client, it’s fully accessible to exploiters.
Anyway, I’m not going to keep replying to this. It’s a waste of time to try and “secure” the client with “encryption”, because the client needs the key for the encryption and decryption.
An exploiter could use Fiddler to look for network traffic, not to mention you can’t even use HttpService on the client, so you’re back to square one, where the server sends the client the CryptoString through RemoteEvents/RemoteFunctions, which exploiters can simply hook.
There’s always atleast one who’s curious or determined enough to find out what it means. Not to mention, if you’re using the “encryption” system for anything important, there’ll be more exploiters looking for ways to circumvent it.
2 Likes
Please don’t post useless string encryption as an anti exploit tool when it does nothing at all to prevent any level of exploit whatsoever. It would be fine to give it as a resource but to claim it prevents exploits helps nobody. Reading the last few replies it is very clear you are unknowledgeable on the topic so I’ll just leave it at that. Don’t take arguments on subjects you clearly are uneducated on because now the entire post is cluttered with baseless replies from you.
5 Likes
Its better saying something like e992-d0391nd3m1312 then https://whateveryoururlis
Cool but it isn’t useful or practical as has been said several times. Let’s go over your claims.
If it exists on the client, it isn’t something that can’t be decompiled. Sure, it can cause a bit of a roadblock but it isn’t something that can’t be circumvented. The exploiter’s going to see the modules on the client anyway, so it really doesn’t matter whether the script’s unreadable or not. Since the “key” to decompile it exists on the client, and so do the compile and decompile functions, it really isn’t something that’s completely foolproof.
Further, you say to obfuscate code but any code, no matter how ugly or seemingly unreadable, can be reverse engineered. Also as @Judgy_Oreo said, it’s really easy to run a function that just returns the values of variables.
With the combination of a LocalScript’s source, they will. Especially when the dump looks like "1234; hgvwrWEGRIOUHEHBIRF458943128UYTR3IHDIHBIUH; hi; 123456; ReplicatedStorage
Unless you’re creating decoy variables which is bad memory management, which presents itself as another issue.
Source? This is a bold claim, it is very unlikely that they do this. They’re likely relying on the server to do sanity checks, I don’t know why a dev would use hidden or seemingly indecipherable strings to use hide something that exists on the client which is accessible anyway if you dig deep enough.
It’s also pretty easy to get into a module script and get these values anyway, assuming the client can get access to the module script before any script, which is pretty easy to do since many exploits have an autoexec folder. Requiring it and setting the require to return a function that outputs the variables is easy enough, especially when they can directly modify the source at runtime.
It doesn’t matter whether the string looks like “obwergohebrgeqrgqoiherouiqsfehbgori372tq3907t5h3ouithgo384wh7t5290ergfhbwefhbwqefugywqeiyufqwhbeqefiwouoiuywqgeroi34uo83urgdhbvgoiewhbgv24897389523754128934” or google.com, it’s very easy to monitor network traffic with a program like fiddler, and that’s only if they could access HTTP requests on the server, normally they can’t.
So you might suggest that they invoke the server to return the website’s content which brings us to another issue, the client can invoke the server at any time, and take the returned values and do with them what they please.
And sure, the server could check that the client invoked the server already, but if you invoke the server before any other script does with the autoexecute thing I mentioned above, that completely invalidates these checks, no matter what you do. You can spoof things no matter what.
So unless you’re banning someone on the very first offence (which is going to lead to tons of false bans), you really can’t do anything to prevent exploits by solely doing checks on the server. Even more, if you have a script whose source is just a string, it’s going to error, so you can’t even compile it anyway.
You should look at the plenty of resources that are available that explain how exploiting works, common exploiting tactics, and how to create an actual anti-cheat before making these false, uncorroborated and egotistical claims to validate yourself, okay? 
2 Likes
This is completely useless and ineffective to what you claim to advertise. You claim to advertise that this product in question ‘EncryptV1’ is able to prevent your game from being exploited. No, it doesn’t.
This encryption system runs on a fairly simple module which only takes one argument to use (that being a string value). The decryption module is also a module too, and since module scripts can be viewed on the client, this makes your encryption and decryption system fairly useless in the terms of “preventing exploiters”.
Also, what makes this system more useful than the other encryption systems on roblox?
Disagree. They can simply use this module to translate to readable code ?
No, you would change out your crypto encryption key
In V2 the CryptoKey will be encrypted and set on an interval to automatically change quickly so no one can leak string.
It was never an anticheat, it was a way to encrypt.
Yet, you literally expose a function to decrypt it.
Just for anyone who was thinking about using something similar like this for secret player inputted data (such as an in-game PIN system) you should be looking for something that can hash data, not an encryption system as hashes cannot be decrypted.
1 Like
This script will not secure your game from exploiters, at most it’ll just make exploiting your game take slightly longer
I can appreciate the effort of introducing an encryption module for Roblox (after all, we only recently got HashLib), but this is a really poor attempt.
It looks like you put together your own encryption algorithm here. I have no reason to believe that it’s in any way cryptographically secure. It makes sense to pivot away from asymmetric cryptography in Roblox (at least thus far) and to stick with symmetric algorithms like AES.
Why try and create your own instead of making an implementation of AES for Roblox? I could be wrong, but I do not suspect you are a world renowned mathematician and cryptographer. AES is backed by many institutions like NIST and NSA- all who have independently verified the integrity of the algorithm.
If you are adamant on creating your own algorithm- so be it. Nobody can stop you, but please publish an actual cryptanalysis about it.
Your encryption code is rather weird.
But after debugging and stepping through it, it dawned on me: this is just a Base64 encoder.
The input is your “encrypted” string, minus the “jv” you appended to the end.
CryptoString was ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/.
Like, come on…