How do you detect dark dex?

Don’t know why this is even a debate. You can’t patch gui exploits unless your game has no guis at all.
You also can’t give your gui a special boolvalue that allows it to bypass, because the exploiter can find this boolvalue and just add it to their ui.

In conclusion, don’t worry about something you can’t fix. Worry about your remote event security.

3 Likes

Can you send me a list of all the functions you know that do not have any CoreGui checks at DMs?

(it would help so much!)

IIRC obfuscation does nothing, the code is compiled to bytecode before being run, so there’s no whitespace, and variable names are lost, so decompilers need to automatically beautify the code to make it readable.

1 Like

Ok, but they can’t “unobfuscate” the code, just beautify it; it still won’t be readable. But you never know, I heard Synapse v3 basically makes obfuscations useless, but those claims haven’t been backed up.

1 Like

A beautifier will not help in a scenario like this, as obfuscated code uses random-mixed bytecode.

1 Like

You can’t directly compile to bytecode, you give the normal, human-readable code (or not, if it’s obfuscated) to Roblox through a script, which then compiles it to bytecode so it can be run. Bytecode doesn’t contain spaces, tabs, variable names, comments and a whole bunch of other stuff because you don’t need those for code to work, so decompilers need to substitute them with tabs and spaces. Obfuscated code and normal code will look exactly the same in bytecode, therefore look the same when decompiled, if you haven’t changed the overall structure.

2 Likes

I’m not sure who informed you Synapse v3 makes obfuscation obsolete.

Synapse is an exploit, not a script deobfuscator. Script obfuscators utilise a variety of techniques to render the script unreadable, making it nearly difficult to deobfuscate them all. It would take much too much time and effort to break them all. Many obfuscators, such as Luraph, have yet to be cracked or deobfuscated.

Please take into account that it is possible for scripts to be completely deobfuscated via reverse engineering. The outcome of a deobfuscated script is a result of time and patience.

4 Likes

I find it amusing that people go to such lengths to build dex patches that are then readily overcome. People on this post, for example, were bragging about how they detected dark dex using memory spikes, and what do you know? A new version of dex was released shortly after that bypassed all of these tests and is now undetected.

The circle of misery will repeat itself. More game creators will patch dex and teach them something new until it becomes very hard to discover something that makes dex identifiable, at which point what will you do?

1 Like

In short, there’s little you can do to prevent these sorts of vulnerabilities; instead, store the majority of your stuff on server where exploiters won’t be able to access it. “Save instancing” is inevitable.

1 Like

I agree I think the only patch would be if Roblox did something about it, which is a long shot. I doubt they have any ideas of how to patch, which is why they haven’t done anything. It sucks how Roblox is easy to exploit, wish they’d make it more difficult.

2 Likes

They can just hook function preloadAsync. Not hard.
Proves my point, no point trying to patch these scripts as your patches can easily be bypassed.

1 Like

But how will they know that they need to hook the function, if they can’t even see the script?

1 Like

I don’t know what dark dex is, but if you haven’t figured it out yet then I don’t think it’s possible.

1 Like

It’s possible, a year or so ago one of my friends told me Synapse X doesn’t work on roller coaster tycoon 2. And I know Denis is a mad scripter so he probs found a way round it.

1 Like

I’m not exactly sure what you are trying to prove here or how what I said is related but ok.

1 Like

They will be able to see the script?? It is local.

1 Like

I already knew it was b.s. but I’ve heard rumors about it.

1 Like

Decompiling, save instance, many ways.

1 Like

I’m trying to say that code is already kinda obfuscated by Roblox, as, again, it’s compiled to bytecode to be run, it’s not human-readable when you get the executed code of a script.

Unless you get an exploiter to use an exploit like Synapse or Krnl to decompile an obfuscated and a non-obfuscated script, and the obfuscated one actually looks obfuscated (being on one line etc), I’m just going to say that obfuscation does NOTHING in the long run for preventing exploits. There’ll always be someone determined enough, and there’s always Lua code beautifiers online.

1 Like

I’ve seen a few solutions that recommend checking on the client, please DON’T.

All your checks should be server-sided and solely on the server.
Use the client to receive information / send least important information and that is it.

Exploiters cannot access ServerScripts because they’re not replicated.

2 Likes
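
The advice repeated through this thread (secure your remote events, keep checks on the server) looks like this in practice. This is an added example, not code from any post above, written in Luau for a server Script; the RemoteEvent name `PurchaseItem`, the `PRICES` table and the `Coins` leaderstat are assumptions made for illustration.

```lua
-- Server Script (e.g. in ServerScriptService); never replicated to clients.
-- Assumed names for illustration: a RemoteEvent "PurchaseItem" in
-- ReplicatedStorage and a "Coins" IntValue under each player's leaderstats.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

local purchaseEvent = ReplicatedStorage:WaitForChild("PurchaseItem")

-- Authoritative data lives on the server; the client only names an item.
local PRICES = { Sword = 100, Shield = 75 } -- constructed sample catalogue
local MIN_INTERVAL = 0.5 -- seconds between accepted requests per player
local lastRequest = {}   -- [Player] = os.clock() of last accepted request

local function validate(player, itemId)
	-- Every argument after `player` is client-controlled: check its type.
	if typeof(itemId) ~= "string" then
		return nil, "bad argument type"
	end
	local price = PRICES[itemId]
	if not price then
		return nil, "unknown item"
	end
	local now = os.clock()
	if lastRequest[player] and now - lastRequest[player] < MIN_INTERVAL then
		return nil, "rate limited"
	end
	-- The server's copy of leaderstats is unaffected by client-side edits.
	local stats = player:FindFirstChild("leaderstats")
	local coins = stats and stats:FindFirstChild("Coins")
	if not coins or coins.Value < price then
		return nil, "insufficient coins"
	end
	lastRequest[player] = now
	return price, coins
end

purchaseEvent.OnServerEvent:Connect(function(player, itemId)
	local price, coinsOrReason = validate(player, itemId)
	if not price then
		warn(("Rejected purchase from %s: %s"):format(player.Name, coinsOrReason))
		return
	end
	coinsOrReason.Value = coinsOrReason.Value - price -- server's price only
	-- Grant the item here from server-side storage (e.g. ServerStorage).
end)

Players.PlayerRemoving:Connect(function(player)
	lastRequest[player] = nil -- drop per-player state on leave
end)
```

The client never sends a price or a balance, so a modified client can only ask for something the server is already willing to do.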