How Reliable is Obfuscation?

Hello, I’ve been trying to script a license system for my products that I’ll be selling in the future. However I don’t want the user to be able to avoid this license system by just removing the license confirmation part of the code which I will probably use obfuscation for. And I’m wondering if obfuscation is a good way to accomplish that. Please let me know your thoughts!

It depends on what methods were used for obfuscation.

No script is impossible to crack, anybody with enough motivation and knowledge can perfectly crack it.

3 Likes

Obfuscation will deter plenty of people, but won’t stop anyone who is willing to reverse engineer it. Though, I personally would suggest to sell your scripting services, instead of selling pre-written scripts for money.

2 Likes

Hello and thank you for your reply! Even though I’m aware that reverse engineers could just crack the script, I don’t think somebody would spend money and time just to crack my script and share it on toolbox for free (while I can just get it moderated) though.

Obfuscation is not reliable at all in Lua and in most case scenarios, as it is vulnerable to getting reverse engineered and de-obfuscated using multiple sources, as @Daw588 mentioned.

But I noticed that it also presents a compilation delay and sort of lag when the server starts up.

1 Like

Short answer:

No, don’t use it.

Long answer:

Okay so, let’s start with the “why” of why you would want to obfuscate a script.
It seems like you want to sell a licensed product and avoid stealing / reselling, correct?

Just adding a license should be enough, if they remove that license they’re technically already committing a felony for which you can request a take-down if you find your assets re-uploaded somewhere without permission.

Now on with the cons.

  1. Obfuscation can result in performance loss due to the script compiler being unable to detect certain patterns or actions that are normally optimized.

  2. Why would someone buy your product if they can’t even read what functions do what? You’d have to include a whole documentation along with examples and guides on how to use your modules.

  3. Why would someone buy your product if they can find another module made by someone else who didn’t obfuscate it and left all their code to be readable and better optimized?

  4. A dedicated thief will just de-obfuscate your hard work and resell / redistribute it anyways.
    And they might even profit more from it because the de-obfuscated code is easier for the Luau compiler to optimize with pattern detection and whatnot and easier for other users to read.

  5. You’ll shoot yourself in the foot.
    No seriously, try maintaining some code that is so obfuscated that even you can barely read it.

    Even with non-obfuscated code, if I don’t add comments I have to search through all my modules to remember what I wrote them for.

    You of course could add comments to what piece of obfuscated code does what but that defeats the point of obfuscation and if you don’t use comments, it’s gonna be a matter of months or possibly even weeks before you forget what the structure of your code was and end up having to de-obfuscate your own code just to update and maintain it.

  6. You’re giving yourself extra work and wasting valuable time to make your code hard to read and maintain, just for the sake of preventing some petty thief from stealing it.

The post-writing edit:

Oh crap, sorry, I forgot to include this.
Obfuscation actually DOES have one pro or good use case.

I still do not recommend it but, you could obfuscate client-side anti-exploit and security code to give exploiters extra work.

You’re still gonna have to deal with all the cons that I have mentioned, but it can be used as an extra layer of defense when developing client-sided anti-exploits in case server-sided anti-exploits don’t cut it for you.

There are some plugins out there, I recall, that can obfuscate scripts after writing them; just keep a non-obfuscated version as a backup and you should be good to go.

2 Likes

Just adding a license should be enough, if they remove that license they’re technically already committing a felony for which you can request a take-down if you find your assets re-uploaded somewhere without permission.

Yes, you are right that I can take down any re-uploaded versions by other people. However they can just export the model/script into their computer storage and share it everywhere they want (except the toolbox). Also I’m not sure if it is exactly possible to add a license for my Roblox scripts.

I don’t see why you couldn’t add licensing information.
Everything you create and post on the internet is copyrighted, even if it’s some written code on Roblox.

It is true that any thief could steal your work and keep it on their computer.
They could just share Roblox model files with their friends through a non-Roblox app or drop it into Google Drive.

But even if those models and scripts never end up in the toolbox, remember that they’re ONLY usable in Roblox.

So it may not show up in the toolbox, but it’ll definitely show up in a game.
And from the outside it may be hard to tell what scripts a game is using.

But in theory, you could recognize possible behavior or things printed in the output.
Not sure how exactly you’d detect if a game uses stolen assets but there may be a way.

Perhaps Roblox will one day implement some copyright-detection feature for experiences even, which would be useful.

1 Like

You actually convinced me about adding a license instead of just obfuscating the code which will make it all harder. Thanks.

1 Like

That’s not true, unless you are naive, and you’re writing obfuscated code yourself instead of using a build tool. For example, companies have their private codebase, which is the plain raw source code, and the public version of their product is obfuscated. It doesn’t hurt readability for the maintainers at all, but it does hurt debugging, as it makes it more tedious.

2 Likes

Yes, I mentioned that there are obfuscation tools in my original post after a quick edit.

Well aware of them, but it still requires you to manually back up scripts in their original source and after every edit you want to publish you have to re-obfuscate everything again, making publishing new updates a bit slower if you’re selectively obfuscating.
And debugging, like you said, might become a bit of a pain on its own.

Outside of client-sided anti-exploits I don’t see a huge point in obfuscating if you care about script performance and whatnot or are selling the script as a product to someone else.

If I were a person paying others for writing me scripts I would personally never buy something from someone else if they obfuscated the code to a point where I can’t properly see how it works or make edits to make it fit personal needs.

I’m paying them to provide me with usable code and if I cannot read or edit the code then embedding it or making it part of a larger / essential framework would be a huge pain and only cost more time and resources.

I think you’d understand that too.

a lot of people here are wrong.

obfuscation is a good way to prevent people from viewing or stealing your source code.
if you don’t want people to see your code, that’s your decision.

obfuscators like luarph & others have never been cracked as there is just layers and layers of obfuscation and patterns that just can’t be debugged or worked through with lua. i even made my own obfuscator that i believe is pretty uncrackable & has about 2000 layers of obfuscation.

the thing is people won’t really trust your model as obfuscation can lead to a simple backdoor or virus in the game.

1 Like
