Great guide! However, I would like to point out that Synapse Xen was discontinued and Luraph was decompiled by bork, so I mainly recommend Ironbrew!
I’m not sure of the entire process of deobfuscating code from Ironbrew. A friend of mine who had Synapse X couldn’t even get the source code from it.
Ironbrew is a great obfuscator, in pretty much all aspects.
Continuing the discussion from The guide for Obfuscation:
People often think Obfuscated scripts are malicious. Say for example you are making a Hotel System, to sell to the public, but you don’t want your scripts stolen. Have your config in a Module Script, and then require a module. In that module, all of your obfuscated stuff exists.
If you don’t use a require module, and the scripts are like under the config, it is going to look very shady.
In that case use a real solution like adding an open-source license. With licensing you can guarantee nobody will touch it.
I understand obfuscating a bit of the frontend to make it a little harder for exploiters but obfuscating entire script systems to sell is obsolete imo.
Sell services, not goods.
Obscurity is not integrity, confidentiality, anonymity, or authenticity. It’s designed to hinder the performance and ability of decompilers. It’s not a defense approach, it’s a translation.
- Say you obfuscate the code which takes in unsanitized input, that doesn’t prevent the user from exploiting SQL injection or cross-site scripting attacks.
- Say you obfuscate some code using strcpy(), that shouldn’t prevent buffer overflows and control hijacking.
- If it actually does prevent the above situations, the original code logic has been changed, which is not great for obfuscation.
If you’re going to implement a defense, it should aim to prevent specific attack vectors. Obfuscation aims to prevent decompiling, and shouldn’t be used to claim a game is secure from script executors. For security and the works, here’s this awesome topic.
As a programmer, I don’t see obfuscation as a good practice for development.
@xJxck_yy But cool topic, thanks for posting. Obfuscation seems to be quite popular on Roblox and despite the controversy on its use, it is interesting to discuss and talk about. I think a good addition to this would be a more in depth guide to how obfuscation works and achieves its goal.
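The point made in the post above, that obfuscation translates code without removing its flaws, shown as an added example that is not part of the original thread. The XOR string encoding, the renamed function `l1`, and the sample table are all constructed for illustration and do not reproduce any obfuscator named here.

```python
import sqlite3

def make_db():
    """Constructed sample data: a two-row in-memory table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "a-secret"), ("bob", "b-secret")])
    return db

def lookup_plain(db, name):
    # Vulnerable on purpose: user input is concatenated into the SQL text.
    query = "SELECT secret FROM users WHERE name = '" + name + "'"
    return sorted(row[0] for row in db.execute(query))

# --- Toy "obfuscation" of lookup_plain (hypothetical scheme) ---
# Identifiers are renamed and string constants are XOR-encoded, then decoded
# at run time. A real tool would ship only the encoded bytes; they are built
# here from the plaintext to keep the example short.
_K = 0x5A
def _x(data):
    return bytes(b ^ _K for b in data)
_C = [_x(s.encode()) for s in ("SELECT secret FROM users WHERE name = '", "'")]

def l1(a, b):
    # Same logic, same flaw: the translation preserved the concatenation.
    return sorted(c[0] for c in a.execute(_x(_C[0]).decode() + b + _x(_C[1]).decode()))

def lookup_fixed(db, name):
    # Actual defense: a bound parameter, so input is never parsed as SQL.
    rows = db.execute("SELECT secret FROM users WHERE name = ?", (name,))
    return sorted(row[0] for row in rows)

# Constructed input: the textbook always-true condition.
INJECTION = "x' OR '1'='1"

def compare(db, name):
    return {"plain": lookup_plain(db, name),
            "obfuscated": l1(db, name),
            "fixed": lookup_fixed(db, name)}

if __name__ == "__main__":
    db = make_db()
    print(compare(db, "alice"))
    print(compare(db, INJECTION))
```

For the injected input, the plain and obfuscated lookups return every row while the parameterized one returns none: only the change in logic removed the flaw.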
Obfuscation is a very useful thing I’ve found in Roblox. Many people think it’s malicious as the principal uses of it are hiding backdoors.
I’ve seen many users say that it would be harder to debug. My solution would be to keep the script hidden and disabled in a folder in ServerStorage, that way you can disable the obfuscated code and then enable the non-obfuscated code and fix it.
This doesn’t make your script exploit-proof, people can still use it but their source code is hard to crack.
Iron Brew is the best obfuscator.
Thanks for this tutorial, I’m thinking of selling a few modules that let you set up datasystems and datastore easily.
My question is can people just copy the obfuscation code and pass it on? From what I understand the obfuscation just makes the code harder to read.
Does your system use licensing? With this, I mean does it connect to a form of database, such as MySQL.
Not yet, it’s not completed. I’m just confused on how obfuscation works.
You’re right. Obfuscation is just accomplishing the task that makes code hard to read for a user and a decompiler. If you’re giving out obfuscated code, it might be tricky for your consumers to read the code but they can redistribute the obfuscated code just the same.
I advise against obfuscation in any development practice, but especially with marketing. If you plan on selling an obfuscated product, you’re going to lose value in the following ways.
- You’ll be selling the code functionality, but not code logic. In development, functionality and what the program should be accomplishing is going to change; only selling functionality will prevent consumer developers from adapting the script to fit future needs. This shifts all updates and maintenance of the script to you, where this now becomes a service.
- Developers cannot determine how the code works. This creates a trust system, trusting that you have no malicious code in the product and that you’ve employed secure, correct, and efficient methods in your script.
I apologize if this sounds at all negative, but that’s not the goal of this. I hope this can clear up some things, feel free to ask any questions. I do agree with some points of this thread and disagree with other ones. Let me know what you think about this.
It’s not security, it’s just a way to hide your potentially malicious code from script kiddies who have no idea what they’re doing. You can’t rely on it for all your security as most exploits can hook your functions. Although as @Amiaa16 has said, it’s not a bad thing to do with your already secure scripts as it may stop people who don’t know what they’re doing.
There’s a lot I should say about this. First is the status of these obfuscators:
- Synapse Xen is discontinued as far as we’re aware of.
- Luraph is easily crackable now.
- Ironbrew 2 is discontinued, but V3 is in the works.
I don’t recommend all of these obfuscators as @T_eethyz has said.
Then the deobfuscation:
All obfuscators can be cracked depending on the person or company dealing with it / the complexity of the actual obfuscator. Like Luraph has been fully cracked by one guy but ALL obfuscators CAN be constant dumped, so I still don’t think you should ever use obfuscation to hide your variables as their values are all loaded and can be printed out. Even more advanced users can edit your variables without even deobfuscating your code. Let’s say you fully deobfuscate an obfuscator, you should be left with the script that has 0 debug information (no comments or variable names) but it is still readable just not as easy to read as before. So again, obfuscation should not be relied on as all of your code’s “security”.
@xJxck_yy I totally get where you’re going at though and thanks for posting! I had fun typing out this response because I’m not doing a ton of things.
I hope this could have helped someone, and if you still have any questions don’t hesitate to reply to this or PM me.
heads up, ironbrew is open-source.
cough, well not really it got leaked so defcon decided to release it.
I would seriously agree with you, if it weren’t for one thing that really stands as one of the only exceptions to this that I can think of.
Here:
Check out this Roblox game:
https://www.roblox.com/games/527730528/Magic-Training
After playing it for a bit, you see how fluid and responsive everything is. The problem is that it’s all (I’m positive of this) client-based in terms of handling if someone gets hit by a spell or something.
It’s extremely vulnerable to exploits because of it. However, securing remotes and ensuring people can’t remotely kill others in game, say, would serve as a detriment to the responsiveness and fluidity which makes the game enjoyable. Other secure, sort of similar magic games which use wands like these sacrifice the speed which I can tell for many, matters, because it’s nice to not experience constant delays which if it involves sending spells at others and timing it right, is important. In this case, it makes not much sense to sacrifice speed to me.
That’s just an example, (likely the only case I can think of) where being secure isn’t beneficial to the gameplay involved.
Otherwise, I 110% agree with you.
Synapse Xen is discontinued;
Ironbrew is discontinued with the source code currently available;
Quite sure that Luraph also has been cracked.
WallySecure is also a good obfuscator and so is clvbrew (invite only I believe) but I’ve been banned from WallySecure for rules that aren’t clearly existent, so I don’t suggest using their server for anything other than obfuscation. OK, the owner cleared up confusion about it.
I’d prefer you use WallySecure because it’s the best obfuscator out there in my opinion. It is extremely customizable and depending on the security you want you can choose the options. clvbrew is not as secure as Wally, but since it’s barely accessible nobody has made any tools to even constant dump it. clvbrew’s constant enc works like a charm, so you can use both.
All in all, do not obfuscate scripts unless you are selling them. And especially, try to avoid obfuscating local scripts.
CLVBrew and Aztupbrew are both being actively updated rn, and they are forks of Ironbrew. I’d highly recommend you do not use Aztupbrew because it does not provide any better protection than Ironbrew, and it’s easy to constant dump it. CLVBrew encrypts your strings; Wally will encrypt your strings if you select the option or use the macros. Same goes with Luraph, if you use the macro “LPH_ENCSTR” your string will be encrypted. I’ve constant dumped Luraph, AztupBrew and WallySecure. WallySecure’s and Luraph’s string encryption indeed does work, while AztupBrew’s does not.
I ran some tests again, Wally ran the script I specified before in less than 0.1 seconds.
Luraph is currently free, and so is Wally. Both are publicly available.
There honestly isn’t any point of obfuscation. It’s still possible for people to steal your work.
Or you know, offer services rather than goods.
Or look into a real alternative like licensing if you need to sell goods for some odd reason.
In the Ro-av community, tech groups add whitelists to their products and obfuscate their scripts. Obfuscation is not wrong but uhm, I wouldn’t recommend doing it for purposes listed on this thread.
Hey, creator of WallySecure here coming to tell you WallySecure (compared to clv) isn’t slow anymore and there is a way to fix that: WS_FAST_EXECTION (a new macro) can actually improve performance to match clvbrew:
As you can see, the new macro provides speed that is almost equivalent to clvbrew. Basically, you should be wrapping your whole script in this macro as it is what will bring the best performance. Keep in mind that VM obfuscation will still have a large impact on performance no matter what:
(unobfuscated file)