[Anti-Cheat] What's the location of a LocalScript which's "script:GetFullName()" equals to its "script.Name"?

Lately I’ve been spending time making anti-cheats, and one of my goals which started today is to figure out where injectors inject their LocalScripts. A friend helped me out with his exploit injector, as for obvious reasons, I do not own any exploits.

The main question is: What is the full, specific location of a LocalScript which’s “script:GetFullName()” equals to its “script.Name”.

The testing LocalScript my friend injected used for testing:

script.Name = "Test Script"
print("This is a test local script, and it was inserted in the following location: "..script:GetFullName())

A screenshot of what his client logs printed in the Developer Console:

1 Like

Just a note, exploiters have full control over their client, so this probably isn’t worth making. They can just delete your anti-injector script, and you can’t make it a server sided check because its only local.

The best way to prevent exploiting is to do lots of sanity checks on the server. There’s no way you can prevent people from doing stuff locally, its literally on their computer.


To answer your question, the parent of your script is probably nil which is why it only prints script.Name

Synapse X has this funny function called getnilinstances()


I already have taken measures so exploiters cannot delete nor disable specific LocalScripts, I’ve talked about this on a previous post.

1 Like

Exploiters can pause the script’s execution entirely without changing it’s Disabled property or deleting it.


Could you by any chance tell me how they do this, if it is true as of currently?

1 Like

EDIT: I was wrong in how localscripts worked, see Dandcx’s post for details

I’m pretty sure this would be easy to get around by simply editing the localscript or stopping it from running altogether. Script.Source changes can’t be read by anything but plugins and studio’s command bar, so your thread (itself a hacky solution that might end up patched in the future) will have no way of knowing if the script itself has been tampered with - only if its disabled or deleted.

Does the hash of a script change if Script.Source is changed?

1 Like

It’s undetectable but they can basically stop the script from running any code at all without disabling or deleting it which stops it from doing literally anything, using a remote event to detect it by having it send a request every random amount of time or so wouldn’t work since they can call the remote event constantly effectively bypassing the check.

What they can do is go to the LocalScript and literally halt the execution of the script fully which stops it without disabling or deleting it. (I can’t tell you, I just know that it’s possible.)

1 Like

Exploits actually don’t create local scripts, they create a hacky version that isn’t listed within roblox’s main memory. At least thats how I know Krnl works.

Script.Source doesn’t replicate. LocalScript code is replicated with bytecode sent to the player’s pc. This is why exploiters use decompilers to turn the bytecode back into a readable lua.

GetFullName returns the script’s path minus ‘game’. So if a script is in nil it will just return its name. Else if its in ReplicatedStorage it would return ‘ReplicatedStorage.TestScript’

Also when posting about client sided anti cheats,
just don’t
Synapse, Krnl, dark dex and many other exploits will just read the public post and make a bypass in mostly a day.

1 Like

Yeah I know, I’m taking the risk either ways. That aside, is an exploiter actually able to change the LocalScript.Source of a LocalScript?

LocalScript.Source doesn’t exist on the client

So theoretically it is not possible to stop the Lua Code from running with exploits, other than deleting or disabling the LocalScript, is it?


Every post about anti cheats always evasize the fact that the player is in complete control of the client. Maybe you can catch a few skids who don’t know what they’re doing but unless you’re really experienced with exploits. Client-sided anti cheats are useless


They can hook functions to something out or disconnect something, say like Player.PlayerAdded (only can disconnect client only)

So basically they can turn off any events, such as Instance.DescendantAdded or Instance.DescendantRemoved?


The client is literally on the player’s pc, they can change anything about the game on their screens

1 Like

I’m pretty sure that relies on client memory spikes if I’m pretty sure.

Its the only known client sided method that is actively used but it produces a lot of false positives and doesn’t work 100%

1 Like

Is there any possible way to access Instances which’s parent are set to nil from Studio LocalScrips?

You’re on about injection detection which is possible using checks for client memory spikes like @dandcx said but I’m on about the fact that exploiters can halt the script’s execution entirely without disabling or deleting it.