A complete guide ~ How exploits work & how to best prevent them

Blaroo · September 17, 2020, 10:40am

They can’t get your country anymore, roblox fixed it, They removed it from HiddenProperty, and OSPlatform as well.

FPSVision · September 18, 2020, 2:20am

Someone that I’m friends with made a script where the moment you hit inject/attach on synapse it kicks you. How is this possible?

sjr04 · September 18, 2020, 9:18am

Likely does something unreliable like checking spikes in memory using Stats service. This is extremely unreliable and the roblox client is extremely unpredictable with memory spikes. I’ve seen from the dev console it go from 300 to 400 before.

Exploit programs being injected should be the least of your concerns, your concern should be your remote security as well as anything you can detect server sided that gets done to the character, and small checks on the client if you can

FPSVision · September 19, 2020, 7:23am

Is there any other way aside from spikes?

formy2kids · September 20, 2020, 3:34pm

Don’t spend so much time and effort to detect an injection. You will most likely have many false-positives, and actual cheaters will be able to bypass any system like that. Just make cheating impossible. Make it impossible for players to teleport, speed hack, or noclip. This will discourage cheaters from cheating in your game, and will also minimize the effectiveness of cheats in your game by a lot. It’s the best we can do as developers to prevent cheaters from ruining our games.

FPSVision · September 21, 2020, 12:53am

Speed hacks and fly hacks really don’t benefit players in my game, what Im looking to prevent is people stealing my map, I already had a lot of ppl message me on discord talking about how they are going to enjoy leaking and using my map. DMCA claims are easy and I can easily take down copies but my concern is preventing it.

Autterfly · September 21, 2020, 1:00am

There is no preventing it. Such is the world of game development on any platform. Does the client have to load it? The client can do anything with it.

Detuction · October 7, 2020, 9:34am

Do exploits add new scripts some-where?
If so, then can’t you just delete it when its added?

Clear_View · October 10, 2020, 8:05pm

No, exploits work by directly executing their code on Roblox’s VM. This is what a normal script does but exploits will skip creating a reachable LocalScript instance

You might’ve been confused because there’s some “anti-exploit” scripts that kick a player if a new LocalScript is added to ReplicatedFirst.
This was because RC7 originally put their script variable’s instance into ReplicatedStorage, but no exploits do this any longer.

However, most exploit do create an actual LocalScript instance, but it’s parented to nil so it’s unreachable by other scripts.
Perhaps if you catch an error you can traceback the callstack and see what script errored, if it’s parented to nil and not an expected script, it’s probably an exploit script.

Clear_View · October 10, 2020, 8:07pm

Back to what I said in the thread,
anything that the player needs to run the game (e.g. see the parts, execute the scripts), can be stolen.

There’s no way to outright prevent map stealing because whatever the client can see is what they can take.
Your best bet would be to DMCA any copies of your work that you see.

sebaxRTT · October 17, 2020, 8:58pm

Anything that isn’t in ServerScriptService or in ServerStorage can be edited by an exploiter?

unix_system · October 25, 2020, 8:17pm

No, not since 2015 when Filtering Enabled was rolled out (if it was enabled), and now since around 2018 since it became mandatory for all games. Things in of ServerScriptService / ServerStorage can’t be seen, so it’s good to store things the client doesn’t need to see there (i.e. configs, assets and scripts) so they can’t reccie your infrastructure.

nana2050 · November 7, 2020, 10:55am

ROBLOX officially patched it. they cant get it anymore. They can’t get scripts to get your country/osPlatform. Now, for country, it will say, for example, “username is from nil”, and os: "username is from nil, OS: " roblox patched it.

mrmoonrbxm · November 7, 2020, 3:38pm

You should focus on server-sided security rather then client-sided as anything on the client can be bypassed by a exploit, mostly just a waste of time.

Iinksafe · November 7, 2020, 5:08pm

Agreed; proof:
I was in my game, like sending RemoteEvent connections, and I just discovered that only 2 connections can be send to the client and server.

The 3rd connection will be nil. (Correct me if I am wrong, thanks )

G8Max · November 12, 2020, 5:10am

I found this thread interesting, and tested these tips myself in studio. I found a better way to deal with walkspeed checks on the server side, here is my code that prevents the walkspeed check from returning an error, which would terminate the entire script when a player dies in game:

local prefix = "[ " .. script.Parent.Name .. " ]: "
print(prefix .. "Walkspeed Checks Running!")

local kickMessage = prefix .. "You have been kicked for travelling too fast!"

function getPosition(plr)
	local success, result = pcall(function()
		return plr.Character.HumanoidRootPart.Position
	end)
	
	if success == false or not(result == type(Vector3)) then
		wait(.1)
		getPosition(plr)
	else
		return result
	end
end

game:GetService("Players").PlayerAdded:Connect(function(plr)

	spawn(function()
		repeat wait() until plr.Character 
		wait(2)

		local normalWalkspeed = 16 

		local lastPosition = getPosition(plr)
		while wait(4) do
			local newPosition = getPosition(plr)

			local distTravelled = (newPosition - lastPosition).Magnitude

			local distError = 2

			if ((distTravelled - distError) > 4 * normalWalkspeed) then
				warn(plr.Name.." is travelling faster than possible! Player kicked.")
				plr:kick(kickMessage)
			end
		end
	end)
end)

Since the player’s HumanoidRootPart is destroyed when dying, the script returns an error and terminates meaning all players are free from the walkspeed check. I resolved this problem by replacing the HumanoidRootPart position variables with a function that uses a pcall() function to ensure it returns the value we want, and has control flow after it to recall getPosition() if it has failed getting the Position value it needs. Hope this helps

IceyTamim · November 16, 2020, 9:19am

i would use this and credit you if I wanna make a script that prevents exploiter from changing their walkspeed with exploit. also make sure that admins cant get kicked for changing their walkspeed with admin like HD admin or something. which isn’t exploiter at all.

PysephDEV · November 16, 2020, 2:02pm

There are quite a lot of flaws in here.

A player could get flung by an exploiter, leading to a kick.
You don’t even take into account for player ping - if someone has bad ping this could lead to false detections.
I would check every Stepped, because within 4 seconds an exploiter could teleport to a place, grab something and teleport back.
Sort-of tied in with point no.3: with smaller intervals between checks, you would get more accurate results.

Overall, IMO this thread is a meme. It relies a lot on client detections, and I barely see any talk about genuine server security, and other practice of how you should handle client-server communication properly. The tostring(math.random()) code-bit is a joke especially.

kazykublin · November 16, 2020, 3:43pm

Probably mentioned somewhere earlier in the thead but if a script is generally injected it’s parented to nil so you can catch that with ScriptContext if they error without affecting any of your other game scripts.

G8Max · November 16, 2020, 6:44pm

Yes, I am also including a teleporter in my game which is making me think of a way to have a value object in ServerScriptService that can have a child value including a player’s name in which is changed and set whenever a script wants that player to bypass this detection.