Help needed with basic understanding of encrypting stuff in Roblox

bro_proxiomFun · April 23, 2025, 8:12pm

You say you know “A LOT about exploits.” Great. Then you should understand that it is impossible to completely protect the client code from modification. The only thing you can do is make it harder. Obfuscation, encryption, and dynamic code generation are all useful tools, but none of them are silver bullets. And saying that you “keep an eye on any important information" is not a strategy. You need to prevent modification, not just react to information leaks. If you don’t understand these fundamental principles, then I’m afraid your anti-cheat is bound to fail.

I don’t understand. You’re saying that you’re hiding information so that the cheaters won’t get the code? But doesn’t the client anti-cheat work on the client side? Doesn’t this mean that cheaters will see the code anyway as soon as they start playing? What’s the point then?

GE_0E · April 23, 2025, 8:16pm

I don’t think that I can help much with that but here is some stuff that I know

use anonymous functions because they don’t keep their name when compiled

--do
local HI = function()
	
end
--instead of
local function HI()
	
end

try to avoid strings as much because they will be decompiled with the same on the client even when they are obfuscated the client can run the code that obfuscated them to DE obfuscate them

most importantly make sure to have a server anticheat in case the client anti cheat got bypassed

client anti cheats can stop a lot of exploiters but all it takes is 1 good to exploiter figure out how to get around the anticheat then he would release the exploit for people to use

deIuxor · April 23, 2025, 8:32pm

absolutely not

Hey if they want a free chocolate chip cookie for bypassing mine… they deserve it after all of the torment they will have to go through to get there.

I appreciate your anonymous functions idea and I think it’s really smart so thank you for helping me!

I welcome all exploiters who decide to pen test my game and try to come up with a bypass.

Only the most daring of people will ever try and to be honest… unless they give it 100% of their time and effort they will likely fall short lol

deIuxor · April 23, 2025, 8:40pm

I think your curiosity is laced with some bad intentions but I felt like I need to clarify this one and the simple answer is no they cannot view it with dex explorer

sfgij · April 23, 2025, 9:14pm

I mean there is a method with saveinstance to get it to skip specific scripts, but hackers can still decompile it. Like for example all you have to do is get a normal script, and set the runcontext to local. it’ll work ig

sfgij · April 23, 2025, 9:21pm

I forgot to mention, you can “hide” them with unicode (or utf8) sequences like apple will turn into \x61\x70\x70\x6c\x65 which when printed will return apple, so its a very slight deterrent but will make it annoying for less experienced exploiters.

I used this to encode UTF-8 Encode - Convert Text to UTF-8 - Online - Browserling Web Developer Tools

deIuxor · April 23, 2025, 9:31pm

Thank you so much! You have a brilliant mind

sfgij · April 23, 2025, 9:32pm

No worries, the main reason I found out this quirk of roblox (and other systems possibly), was because I was looking into exploits people used with them for data roll-backs for utf8 strings and stuff.

XoifailTheGod · April 23, 2025, 9:54pm

Had a similar predictment of protecting tables on the client a few years back and my idea was similar to what you’re thinking with encryption but slightly different. What i did was firstly make a table to string function then i took the output and hashed it with sha256 and sent that to the server along with its HMAC.

Then on the server I had an identical table which I also turned into a string and hashed the string which I then compared against the client and check the HMAC to make sure it wasn’t spoofed midcall + a step counter so if the client stopped the call the counter would be desynced between the client and server - see Valkyrie.

This is you’re best bet but if you want soley client sided protection you can check metamethod calls or use CRC integrity check and of course obfuscation.

deIuxor · April 23, 2025, 10:07pm

Both of you are very intelligent but @XoifailTheGod had the best answer because decompiling isn’t something I am afraid of as my anti cheat is very strong the only thing I needed is various ways of improving it further and I find his solution to be the most complex

XoifailTheGod · April 23, 2025, 10:45pm

While I don’t usually reply to the whole client sided debate and while you are techinally right that no client sided system can be made invulnerable but that doesn’t mean it’s useless. That’s the same logic as saying “locks can be picked, therefore doors are pointless.” In security, impossibility of perfection is not a reason to stop defense.

While yes, the client can be tampered with. This is not unique to Roblox. Every operating system, AAA game, and secure app in existence runs on a client side machine that is physically owned by the end user. Windows? You own the hardware. Riot Vanguard? You own the hardware. iPhone security checks? Local. The Secure Enclave, the TPM, the Secure Boot, and kernel level anti cheats, they all run on hardware physically owned by the attacker.

But so why do they work? Because they are part of a layered security model, often referred to as defense in depth. Their job is not to eliminate cheating; it’s to detect, slow down, or raise the cost of cheating, ideally enough that it becomes nonviable at scale.

Correct. But so can everything on a server, given physical access or a vulnerability. Your argument is about trust boundaries, not invincibility. The point of a client side anti cheat is to operate within the client trust boundary. You can’t detect injected memory manipulation from the server. You can’t detect hardware assisted aimbots or hypervisor level manipulation from the server. Only the client can see these behaviors in real time.

Not if the anti cheat watches for tampering. Not if its telemetry system notices missing heartbeats. Not if you combine server enforced heuristics, client side monitoring, and redundant code paths. Every commercial anti cheat knows this and they don’t stop trying just because a cheat can theoretically interfere. That’s the entire point of obfuscation, sandboxing, and integrity verification: not to be perfect, but to be effective enough.

The same point as encrypting your bank credentials before sending them across the network the attacker still sees the message, but they don’t understand it. Obfuscation and packing are delay-and-confuse tactics, not silver bullets. Every extra hour spent reversing is an hour less spent cheating.

Also: real client side systems dynamically mutate. Functions can self delete, unpack in memory, load from encrypted tables, verify each other’s behavior, and even set traps that intentionally crash the game under modification. This isn’t new tech this is what Vanguard, BattleEye, and Easy Anti-Cheat do every day. And they’re not made useless by the fact that they run on clients.

Let me put it this way: if clientsided anti cheats are so flawed they shouldn’t exist… then how come every major competitive game uses one? Why doesn’t Riot just do all their anti cheat on the server? Why does Windows Defender run on your machine, not in the cloud?

Because client sided security isn’t optional it’s essential. It’s imperfect, yes. But it’s still the first and most immediate line of defense against local manipulation, sure its alot harder in Roblox and 90% of what a kernel anticheat does can’t be done but that 10% is more than enough because just like how the client is never perfectly secure theres also no perfect hook + many exploits simply don’t have the techinal know how to bypass a well made anti cheat.