The guide for Obfuscation

Hello scripters and developers, welcome to my guide on Obfuscation.

Have you ever wanted to sell products to the public? However, are you fearful of someone taking your scripts and re-distributing them? Well, this is the guide to Obfuscation that you might just need!

What is Obfuscation?

Obfuscation is the process of creating code that is hard to read, makes no sense, and has a lot, and a lot of random stuff in it (this is a simple explanation). Whilst your code is still out there, you can choose to Obfuscate it if you wish. This will make it a lot harder for people to obtain your source code, therefore, it will be a lot harder for them to re-distribute your work.

What is the difference between Obfuscation and Closed Source Modules?

Closed Source Modules (Private Modules) are just what they say they are. Open Source is where your source code is clearly visible and can be copied. Closed Source is where it’s just closed off, and no one can obtain your source code. This was a feature Roblox supported, up until February 2019.

Obfuscation isn’t really closed source. It’s still out there (the code that is). The thing with Obfuscation is that it isn’t Closed Source, but it is making your code extremely hard to identify, depending on what Obfuscator you use.

Why should I even bother Obfuscating?

With Obfuscation, it can give you some sort of ease and relief, that you know it will be a LOT harder for people to obtain your source code. Say you want to sell a Product, that works with licensing. You sell a lot of licenses to the public, but suddenly, 10 people re-distribute it, as the source code is just there, nothing changed. When your code is Obfuscated, it is extremely hard to identify, and for newcomers, it’s impossible. Here is an example of some Obfuscated Code:

What obfuscators are out there?

There are multiple well known obfuscators for Lua, but I’ll just name a few.

Synapse Xen: Probably the most well known one, most likely because it’s associated with Synapse X, a common exploit. Synapse Xen focuses on Security, but can be slow. You also have to purchase the Exploit, Synapse X, to be able to use Synapse Xen.

Ironbrew: Another very well known Obfuscator is Ironbrew. Ironbrew has incredible Security, like Synapse, and its performance and speeds are very good as well. Generally, from what I have seen, most people consider Ironbrew as the best Obfuscator you can get your hands on.

Luraph: Probably considered the worst out of the 3, Luraph is another Lua Obfuscator. It isn’t remotely as secure as Ironbrew or Synapse Xen, and it isn’t as fast as Ironbrew either.

Verdict: I wouldn’t really say there is a “winner” that much, but the best Lua Obfuscators are definitely Ironbrew and Synapse Xen. They both have their goods and bads, but they are definitely the best.

However…

Remember, Obfuscation isn’t 100 percent security. Honestly, it isn’t even really Security, it’s just making your code hard to identify, so your stuff can’t be re-distributed nearly as easily.

The only official feature that ever offered pure security was Private Modules, but they are gone now. You could technically hold your code on an External Server, but that goes beyond the expertise of most, and it also costs for Hosting.

Hope this Guide for Obfuscation helped you out!

Thanks,
xJxck_yy

60 Likes

Do you have a link to any of these obfuscators?
Also, isn’t there a lua beautifier which makes obfuscated codes more neat and readable?

2 Likes

No, I don’t think obfuscating your code makes it harder for anyone to obtain.

They have the code regardless of if it’s obfuscated or not, and I don’t see how it makes it harder for them to re-distribute.


The only thing that obfuscation helps a little against, is modification of code. And even then, there are some people who are very determined to de-obfuscate scripts.
Also, I think the reason why private modules were removed was because backdoors were using it so that developers wouldn't see their code, and admin modules such as Kohl's Admin started hiding stuff inside of their code (the CHAIR! incident), and everyone started to lose trust for private modules.

Obfuscating your code just makes people lose their trust for your code, because the most common reason for obfuscation is to hide malicious code, therefore they think that your code is malicious.

10 Likes

Actually, I think obfuscation is only useful for people with malicious intentions for example obfuscating a backdoor or obfuscating an exploit script so it’s harder to patch. I don’t really mean to be offensive but I don’t think this thread is useful.

7 Likes

There are other reasons to obfuscate code. Other than the reasons stated above, it can be done to further secure local scripts in your game to make exploits more difficult to make.

@brokenVectors Obfuscating your code objectively makes your code’s actual source harder to obtain. Sure, you can get a general idea of what the script is doing but I highly doubt there are many people that are willing to go to that extent.

6 Likes

Obfuscation has nothing to do with exploiting, it’s just that malicious people find it important to hide their code so it’s harder to patch their exploits. Developers who are overly concerned about security often obfuscate their LocalScripts, even if it’s not really that much more secure.

9 Likes

Security through obfuscation is not security at all.

It’s a failing practice. It lures developers into thinking their codebases are secure instead of addressing the architecture of their game and properly designing said implementation. It’s a band aid that accomplishes nothing.

It shouldn’t matter that clients have access to client-side code when using a decompiler. You should be building a proper model that ensures every server-client is sensible, not simply obfuscating your current codebase.

If someone wants to read your obfuscated code, they can. For every algorithm used to obfuscate code there’s one to deobfuscate it. Professional companies of any reputability in terms of software reliability and security do the complete opposite of what you’re advocating, practicing security by design, otherwise known as open security.

Want to make a proprietary module? Properly license it like the rest of the world does and/or ditch it being proprietary at all and make a discrete set of open-source modules.

TL;DR: Just because your obfuscation methods prevent a script kiddie from understanding your code instantly, this doesn’t mean your codebase is secure in the slightest. This is a practice that, as mostly any cyber security or network penetration tester can tell you, is a terrible form of security theatre.

21 Likes

This. Also I Heard Someone Obfuscated Their Plugin Script To Hide A Backdoor. A Lot Of People Obfuscate To Try Hiding Away This So Thanks. Also Like Mentioned By @Posatta You Shouldn’t Mention An Exploiting Program Like Synapse X.

Every obfuscator can be deobfuscated in theory. As for the constant dumping, it comes from how vm obfuscators and obfuscators in general work. Your strings have to be stored in some way or another and reconstructed in the end, and if the obfuscated script can reconstruct them, nothing is preventing someone from emulating that (well, almost).

I would say this is an issue with the approach, not obfuscation. Obfuscating your localscripts and thinking you’re good to go is obviously wrong, however adding obfuscation on top of your already secure client-server model with proper sanity checks on the server isn’t a bad thing to do, and often may stop more than just script kiddies.

7 Likes
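The "proper sanity checks on the server" that several replies in this thread refer to, sketched as an added example (not code from any poster). It is a server Script; the RemoteEvent name `PurchaseItem`, the `PRICES` table and the in-memory coin balances are hypothetical. The client sends only an item id, so nothing an exploiter reads or edits in a LocalScript, obfuscated or not, changes the outcome.

```lua
-- Added example (not from the thread). Assumed/hypothetical names: RemoteEvent
-- "PurchaseItem" in ReplicatedStorage, PRICES, and the in-memory coin balances.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local purchaseEvent = ReplicatedStorage:WaitForChild("PurchaseItem")

local PRICES = { Sword = 100, Shield = 250 } -- server-side source of truth
local MIN_INTERVAL = 0.5                     -- seconds between requests per player
local coins = {}       -- [Player] = balance, held only on the server
local lastRequest = {} -- [Player] = os.clock() of the last request seen

Players.PlayerAdded:Connect(function(player)
	coins[player] = 300 -- constructed starting balance
end)

Players.PlayerRemoving:Connect(function(player)
	coins[player] = nil
	lastRequest[player] = nil
end)

-- Pure check on server state plus the single untrusted argument.
-- Returns true and the price, or false and a reason.
local function validatePurchase(balance, itemId)
	if type(itemId) ~= "string" then
		return false, "bad argument type"
	end
	local price = PRICES[itemId]
	if price == nil then
		return false, "unknown item"
	end
	if balance == nil or balance < price then
		return false, "insufficient coins"
	end
	return true, price
end

purchaseEvent.OnServerEvent:Connect(function(player, itemId)
	local now = os.clock()
	if lastRequest[player] and now - lastRequest[player] < MIN_INTERVAL then
		return -- rate limit: drop requests that arrive too quickly
	end
	lastRequest[player] = now
	local ok, result = validatePurchase(coins[player], itemId)
	if not ok then
		warn(("Rejected purchase from %s: %s"):format(player.Name, result))
		return
	end
	coins[player] -= result -- price comes from PRICES, never from the client
end)
```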

No. This actually is false. It was not pure and there were still ways to steal Private Modules.

5 Likes

You should never add obfuscation to your game with the mindset that it will improve security. Obfuscation will never make your script more secure; sometimes it might even indirectly do the opposite.
Also it makes it a nightmare to debug your scripts, and often the obfuscator’s custom Lua VM will have some bugs which could also break your code. Obfuscators will also make your script much more laggy.

You should only obfuscate your scripts if you are going to sell them, though a better solution would be to license them. Obfuscation might temporarily protect your intellectual property from being leaked but it will not add any security.

5 Likes

This guide is rather outdated, Xen does not exist anymore and Luraph has been publicly cracked.

5 Likes

I have to disagree with this. Obfuscating a script hides the real source, which, even if very very insignificantly, still does increase the security. Never lowers it. You cannot compare clean code to vm obfuscated one and call them the same.

This is only true if you rely on obfuscation as your main defense line, however using it as a small extra obstacle for exploiters is fine (as long as you know what you’re doing and, e.g., don’t obfuscate intensive stuff).

I actually know a few games which greatly benefit from obfuscating their most vital client stuff. Strucid anti cheat dev told me exploiters have a hard time bypassing his client-sided checks, because thanks to the obfuscation they don’t know how the checks work, and the malformed decompiler output doesn’t allow them to, e.g., dump constants.

Granted, which is why (as I mentioned before) you have to be reasonable with what you obfuscate.
Also not that it really matters but some obfuscators let you preserve line info for errors, which lets you debug them in the normal way.

I’ve only heard of 3 such bugs, 2 of which involved varargs. All have been patched and there haven’t been any new ones so far.

Sure they do lower the script’s efficiency, but not that greatly. Also again, they have to be used reasonably, like every other tool.

2 Likes

Obfuscation does not make any script more secure because the security vulnerabilities are still there. Sure it might make it harder for them to find them but it does not remove any of the vulnerabilities.

Obscurity does not remove the problem; it only tries to make it harder to get information about it.

There is no guarantee that obfuscation makes your script more secure.

Also attackers do not even have to solve the obfuscation as they can use tools like remote spy and use proxy variables in your code to analyse and interact with the script.

Obscurity as a form of security has been ditched multiple times by security researchers as there is no proof that it increases real security. It might make the vulnerabilities more obscure but it does not make the code itself any more secure or remove any of the vulnerabilities. Also client side checks are 100% insecure as clients can edit all data on their computers.

I never understood this mindset. What’s wrong with a little more security? Obfuscation makes it harder for exploiters to read your scripts. Is that not a good thing?

Nobody said that obfuscation will make your script bullet proof, it’s just extra security. Also, I disagree with the client side checks. Yes, they aren’t as great as server sided checks but that doesn’t mean they’re completely useless. Again, I don’t see what’s wrong with a little extra security…

2 Likes

It’s such a great obfuscator, people use it all the time on my games lol.
Are there any known ways to deobfuscate code from Ironbrew?

Great guide! However I would like to point out that Synapse Xen was discontinued and Luraph was decompiled by bork so I mainly recommend ironbrew!

I’m not sure of the entire process of deobfuscating code from Ironbrew. A friend of mine who had Synapse X couldn’t even get the source code from it.

Ironbrew is a great obfuscator, in pretty much all aspects.

Continuing the discussion from The guide for Obfuscation:

People often think Obfuscated scripts are malicious. Say for example you are making a Hotel System, to sell to the public, but you don’t want your scripts stolen. Have your config in a Module Script, and then require a module. In that module, all of your obfuscated stuff exists.

If you don’t use a require module, and the scripts are like under the config, it is going to look very shady.