In the last few weeks, I researched obfuscation out of pure interest and as a learning process.
I saw many ways to obfuscate Lua code with python, c# even some ways with c++ and java.
However, I thought; would it be possible to obfuscate Lua with Lua? and do it safely and securely?
Please share your opinion on the matter if you’re experienced with such things.
Off the top of my head you can use plugins that simply format the string and set the .Source file. Granted this would be pretty difficult to do. Whats the point of making an obfuscator though? They are useless when it comes to roblox development.
Well not really, if there’s a script you want to protect from being viewed by exploiters or mass-sell a script that you don’t want its methods leaked (such as an anti-exploit), it’s pretty useful to obfuscate it.
obfuscation is still not that usefull, as you can de-obfuscate code. It will take some time, but it can be done.
I agree with this, but most people are lazy and it will work on a lot of people(not everyone though)
Honestly obfuscation is making code harder to read right? isn’t something like sus helpful, yes I know it is really only for printing but don’t tell me most exploiters will take their time doing this
I could return a string into a module and have it be real complicated. Now obviously if it is required by a local script they can see the module, but most won’t take time to do that
local module = require(module)
module:run([[
•/•—_{3000}
:/:—_{"aGVsbG8gd29ybGQh"}
]])
While a Lua-based Lua obfuscator is definitely possible, I have a few notes to make
And anyway, obfuscation isn’t the most secure thing out there since its easy to run a constant dumper on the script.
Good obfuscators such as PSU & Moonsec obfuscators have proven themselves over and over again against exploiters and attempts of cracks.
For example, there’s a roblox company called MSI (Military Simulator Industries) which are in charge of securing mass-sold scripts, they currently exist for around 2 years and were only cracked once, and even that crack was taken care of.
It’s true that obfuscation is far from perfect but since closed modules arent a thing anymore that’s the best option nowadays.
psu source was leaked and its literally ironbrew lol
This assumes that you have bad practice and create anti-exploits client-sided for some reason, there are tons of resources to teach you on how to prevent exploiting through simply good coding practices. Also you need to always assume that client has total control over the client so the server should be where majority of your logic is and gets verified that way.
Obfuscators are only so effective till someone decides to crack it, you should only use it in a line of defense and not overcomplicate it so you can actually work on the place rather than worrying about preventing exploits.
Regarding the first paragraph, you must have misunderstood, I mainly meant for example;
If I sell an anti-exploit script for multiple clients and implant a line that it will check with an outside server if the game id is allowed to use the script or not, 99.9999% of people won’t bother trying to crack it, and even those who will try, they will probably give up midway or not bother leaking it.
I’ve been working on mass-selling products from tech companies for quite a while and so far; obfuscation has been really effective, as the saying goes; “Security through obscurity”.
thats false, the only code that is dangerous when found out is the server code but that is not avalaible to be looked at. Now its only the client code, which should be designed to work even if they know how to use it it doesnt work. If your client scripts are that dangerous its an issue of deisgn with your code and not obfuscators
If there is a will, there is a way. Unless you write your own obfuscator you will definetly struggle to find one that someone somewhere doesn’t have a potential crack to it.
Obfuscation is NOT a valid way of securing your client scripts… Roblox has a very simple Server/Client model that allows you to block many exploits without even trying. Obfuscated client scripts are a sign of bad practice and indicate that you need to redesign your system. As for the question, of course you can make your own obfuscator in Lua, but there are languages better fitted for this kind of task and there’s also existing obfuscators. I think some people who only coded in Roblox don’t realize that Lua is a very very basic language with not much features compared to almost any other popular language.
it is also a pretty old language
version 1.0 being unpublished in 1993 and then finally releasing in 1994 in version 1.1
though other popular languages are also old such as Python and JavaScript, so this isn’t a good point to make
honestly I don’t think you need a lua obfuscator, there are better options and you are only making it harder on yourself
seriously do you want to read messed up looking code and be confused on what parts of the code even do, you will make coding far more annoying(especially if the code is long)
I feel like people really didn’t understand my purpose for making this or the reason I’d want to even use an obfuscator;
my purpose in making an obfuscator is for learning process, by making an obfuscator, I bet I’ll learn a lot of things I didn’t know before; it’s a very interesting subject for me.
the reason I would want to use an obfuscator would be to mass sell scripts (not necessarily client scripts) and not worry about resales.
An obfuscator can be effective; But you shouldn’t rely on it. It’s much better to secure your remote events with server-side validation. Security by obscurity is powerful; and can catch a good majority of exploiters, but it isn’t a solution to underlying issues in your code.
Dude exploiting community leaks everything they crack.