Prevent Script Decompilation?

Even if this was possible (it isn’t), the client would contain the code and therefore, it will be bypassed. When most people exploit, they run scripts & code created by people who know what they’re doing. The people who run said code can fall anywhere on the spectrum and therefore, you have to assume every client is out to hack your game because the off chance you don’t, you’ll leave your game open to issues which will heavily affect your gameplay, your activity and most importantly the driving factor to any game: Engagement. Also, it’s 5am. And I can’t think properly rn.

some serverside anticheat ideas i thought of but i think aren’t better than localscript anticheat:

1. checking studs per sec speed of player through serverscript can just be spoofed by telling server you arne’t moving so they can still move fast

2. raycast thing you said is bad because players get flung so there will be false kicks, it will just make it so that they fly low and they can spoof again.

3. calculating distance and position of points created as a trail following the player with a specific animation to see if they are flying or doing anything sus because when you fly you stop playing any animations and your character is flat like a dummy but they can just play the animation.

4. neural network to look at the player to see if they are flying because as a human i can see with my own eyes the player is fly hacking just by looking at them and my brain knows they are cheating somehow, maybe make that into a script? but how?

5. orientation checks, when they fly they move around and rotate a lot but exploiter can just make it so that they don’t rotate when flying.

6. character acceleration? you can’t do that

i dont like serverside.

It is possible, there are games that crash decompilation. Anti-decompiler and I would like to know how it’s done.

I think the term you’re looking for is “anti-place stealing”. Crash decompilation (I’m not sure if this is the correct term; sounds cool) is way too complex to be achieved properly (and within definition) on Roblox.

im not talking about place stealing, im talking about localscripts. Anti script decompiler is definitely possible because there are literally games that do it.

Wouldn’t that basically be place stealing without the geometric instances attached? I think if you had access to local scripts, you’d have access to everything on your client including geometric instances.

The main thing here is that Roblox controls the compilation of scripts so, to interfere with that process, you’d need lower level access to the engine.

i guess yeah. Stealing localscripts specifically. yes you can make anti-decompiler, there are games that can stop synapse decompiler and crash it.

Our point is that its not impossible, but that its not worth it.
Its not worth putting in multiple hours(most likely days) for something that just prevents the decompilation of code that shouldn’t even be sensitive in the first place if someone decompiles your local code it shouldn’t be able to cause any significant damage to your game

Also what are these games that achieve this? I’ve never heard of them

if they decompile localscript anticheat then they have a better idea of what they are working with so they can bypass localscript and cheat. making it so that decompiler breaks will prevent them from viewing it so they struggle.

And that’s exactly why local script anti-cheats are discouraged they can be decompiled and reverse engineered to an extent because the “LuaVM” will Censor(Might not be the right word) certain things like variables

Like this

local CoolVariable
--Will be 
local v_1

plus we come back to this
They can just remove or disable the script using other methods
Never underestimate people that make Roblox hacks they are extremely determined and will always find a way around

You know games like Rainbow Six Siege?
They use anti cheats that scan the files on your computer and detect if something has been injected those games still have hackers no matter what you do you will only be able to Decrease the amount of hackers and never completely remove them

Although your method will slow them down you must weigh if its worth the amount of time it will take
The best way to do this would be to do EVERYTHING sensitive on the server the local code shouldn’t contain anything that could possibly compromise the server

There is no way to prevent decompilation, but there are other ways of securing your local scripts.

1. Hide them. I’m pretty sure that you can create hopperbins, never parent them and put your scripts in there and they will probably work. Scripts that can not be found using Dark Dex or any other script thar allows you to see the workspace and services will usually throw unexperienced exploiters off guard. If that doesn’t work then just hide it somewhere else.
2. Obfuscation/Minimisation. Even if the exploiter decompiles your script, he won’t be able to understand anything.
3. Merge all of your local scripts into one. The maximum amount of lines in one script is 16,000. Even if the exploiter somehow manages to decompile that giant script without the decompiler crashing, he will never be able to iterate over thousands lines of obfuscated or minimised code.

In the end it’s all the same bytecode instructions all of which lua decompilers can read
you can see more or less what exploiters go through at https://www.luac.nl/

@Weldify
there are a lot of tools to get any hidden localscripts, you can’t hide them at all
and
since when is the limit 16k lines
I copy pasted the script below to 35k and counting

image1546×909 48.2 KB

also, the PF framework being not very far from being that long is still very easy to decompile

Strange. I swear I heard that the limit is like 16,384 lines, apologies then.

Minification (if that’s what you meant) is a way of removing excess whitespace and renaming locals. Decompilers do not take into account either. local function a() end a() and (function() end)() get compiled into the same thing.

Obfuscation is running your script under another VM layer. It doesn’t make your code “not understandable”, it simply slows down your script. Since there is no point in reinventing the wheel, these obfuscators closely mimic how the actual Lua 5.1 VM works, and anyone with a brain could reverse the structure of the obfuscator and tamper with it quite easily.

“Merging your scripts into one” doesn’t do anything either (unless you want to have big ugly code). Decompilers are designed to not have limits (most of the time), not to mention that measuring code in a matter of “lines” is a very incorrect way of estimating the volume of a script.

Constants are values that never gets reassigned. Any of aforementioned example could very well not be constants.

Globals are those variables which can be accessed in any scope. Not sure what you were referring to when you said objects lol.

And RBXScriptConnections are a class of objects that can disconnect from an event aka RBXScriptSignal.

Lol so overkill… You just need to use the floor material api of the humanoid class to check whether they’re in the air or not.

“Globals”, when looking at them as variables, are any variables that the compiler thinks are not locals/upvalues. With “objects” I was referring to the fact that a global can be assigned any type of value.

I am specifying what the AST considers locals and what it considers globals.

I… Know that decompilers dont take minification into account. I literally stated that there isnt a way to prevent decompilation… Minification makes it impossible to read vast amounts of code and it’ll throw the exploiter who’s reading it off.

Not necessarily true… I’ve heard in the updated Dark Dex, what they would is if they detect a frequently used variable/service they rewrite it to that service. Although putting it into one line seems useful it isn’t because it’s like dex is rewriting the entire script into a more simpler way.