Anti Exploit Guidance

This isn’t help with a specific script, but instead asking if this is possible. (apologies if wrong channel)

As we all know, a LocalScript is the only option for detecting abnormal changes in walkspeed and other humanoid characteristics. During this detection window, it is very viable for an exploiter to delete this script.

To counter this, could you have a server script in ServerStorage/ServerScriptService (where the client cannot access) and keep injecting LocalScripts every math.random(X,Y) minutes to detect changes? The client would not be able to weave past this as they are unaware of when exactly this will take place.

To secure it even more, could you just cycle through each character descendant and hide it under another player script such as the chat module?

Is this possible? Why? Why not?

Thanks for reading.

4 Likes

Well this could possibly work, but the exploiters could just hook up the scripts or disable them.

It is overall better to stick with server-side scripts to prevent anti-exploits. You can prevent at least those speed hacks you mentioned, along with fly and other stuff.

Exploiters would most likely detect the hidden module later on, as exploiters can also use getnilinstances and instafind.

1 Like
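
The server-side approach recommended in the reply above, as an added example that is not part of the original thread: a Script in ServerScriptService that derives each character's horizontal speed from the positions the server sees and compares it with the server's own copy of Humanoid.WalkSpeed, which client-side edits do not change. The interval, tolerance and strike values are assumptions, and it assumes the game itself never teleports characters or moves them faster than WalkSpeed.

```lua
-- Added example (not from the thread): server-side horizontal speed check.
local Players = game:GetService("Players")

local CHECK_INTERVAL = 0.5 -- seconds between samples (assumed)
local TOLERANCE = 1.4      -- slack for latency and physics jitter (assumed)
local MAX_STRIKES = 3      -- consecutive violations before acting (assumed)

local function watch(player, character)
	local humanoid = character:WaitForChild("Humanoid")
	local root = character:WaitForChild("HumanoidRootPart")
	local lastPos, lastTime, strikes = root.Position, os.clock(), 0

	while character.Parent and humanoid.Health > 0 do
		task.wait(CHECK_INTERVAL)
		local now, pos = os.clock(), root.Position
		-- Drop the Y component so falling and jumping are not counted.
		local delta = (pos - lastPos) * Vector3.new(1, 0, 1)
		local speed = delta.Magnitude / (now - lastTime)
		-- The limit comes from the server's WalkSpeed, never from the client.
		local allowed = humanoid.WalkSpeed * TOLERANCE

		if speed > allowed then
			strikes += 1
			if strikes >= MAX_STRIKES then
				player:Kick("Movement validation failed")
				return
			end
			-- Move the character back to the last accepted position.
			root.CFrame = CFrame.new(lastPos)
		else
			strikes = 0
			lastPos = pos
		end
		lastTime = now
	end
end

Players.PlayerAdded:Connect(function(player)
	player.CharacterAdded:Connect(function(character)
		watch(player, character)
	end)
end)
```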

I believe you misunderstood. To counter exploiters efficiently, there in fact is no hidden module.
Some scripts are vital for certain exploits (for example, I don’t think you can teleport without a tool for most exploits), so inserting a LocalScript in a random descendant in backpack (including the tools), performing a quick check and self-destructing will flag up an exploiter without them even realising what’s happened.

1 Like

To make it even more confusing and/or untouchable, randomise the name every time it’s injected. Surely that’s extremely difficult to maneuver against?

1 Like

Well yeah but “trying to sneak it in”, exploiters can edit anything on the client or disable them.

1 Like

Exactly. That’s why a clone is sent from ServerScriptService every few minutes. They won’t be able to loop through every descendant fast enough to find it (let alone the scrambled name) before the LocalScript will pick it up.

1 Like

Eh well for short term exploits, this method is quite useless. I am not entirely sure but pretty sure an exploiter can whitelist and blacklist scripts, even new ones being added (client-sided), so they could just whitelist what they need and block everything else where your function doesn't go to use anymore.

Even if you tried a detection with AncestryChanged to see if the LocalScripts were deleted/disabled, the exploiter can just hook up that.

1 Like

Ah, true. Thank you for helping me tackle all possible angles of exploitation. This will greatly help me to develop a strong anti-exploit.

2 Likes

The topic for this is, I think, Tutorial or something like that. Wait, no, something about comm sources.

1 Like

My pleasure, if you have any further questions, you can reach out to me in devforum dms or Discord Tiitus#3617. Make sure to mark the solution, if you think I said it well.

2 Likes

Just saying, but you could have the script instead send a packet to the server, and if the server doesn’t receive the packet, it would know that the script had been deleted.

1 Like

Ah. Thank you for that suggestion.

1 Like

Although I just noticed they COULD technically fake the signal, but if you use a complex algorithm based on many different things happening both INSIDE and OUTSIDE of the game AND make it connected to the anti-cheats (so basically, if you remove the anti-cheat, you would have to remove it), then that would work, as they would otherwise have to literally read through your code and rewrite the entire thing (while not including the anti-cheat).

2 Likes

An exploiter can just hook to return the correct value you want without needing to find your script.

Make ws always return 16 if a local script tries to log it.

2 Likes

Oh, fair enough.

1 Like

Yes, which is why I said you would want to 1. make it complex, 2. incorporate it INTO the anti-exploit script.
This way, it would be too annoying to make hacked clients and therefore would have less (not none, that's basically impossible) people hacking.
It's like if an apple was just sitting by the side, someone could take it, but if I put a pot over it, people COULD still take it, but since it would be 1. more annoying and 2. more risky, there is less chance for them to do so.

2 Likes

One very surefire way is to inject the local script onto the client, run it, and then delete it. Use a random name. Inside the script, have a very complex mathematical function that takes in several factors, and some random data from the server, and sends a number back to the server which performs the same calculation. If the numbers don’t match, or the server doesn’t get a response, then nail the player. Since the number is different each time, the exploiter cannot just send any number back, they have to send the right number back to defeat it.

There is something else that can be done, but Roblox themselves will have to code it into the system. The server knows what all the scripts are in a game. What Roblox could do is take a hash (like SHA-256) of each script, combine that with the properties of each script, combine them all into a single hash value, and send that to the server. Do it periodically. If the server does not get a response, boot the player. If the number doesn’t match what the server has, boot the player. This cannot be done at the Lua script level though. The server only needs to calculate this number once. The client must do it each time. One interesting thing though is they could make it a function and send a random number to the client. Then the client would have to apply this number to the final hash in some crazy and complicated mathematical way and send it to the server, which is similar to a one-time password. That would stop a lot of exploits in their tracks. Even injected scripts would be detected, depending on the scope of the search.

To defeat this, an exploiter would have to hack the client software itself, which is not easy to do. Only a true hacker would have the skills to pull this off.

3 Likes
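
The challenge-and-response check described in the post above, written from the server's side as an added example that is not code from the thread or from Roblox: a fresh nonce per challenge, an expected answer that is accepted once, and a deadline for the reply. The remote name `IntegrityChallenge`, the timings and the `mix` function (a stand-in for the post's "complex mathematical function") are all assumptions.

```lua
-- Added example, not from the thread. Script in ServerScriptService.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

local remote = Instance.new("RemoteEvent")
remote.Name = "IntegrityChallenge" -- hypothetical name
remote.Parent = ReplicatedStorage

local MIN_WAIT, MAX_WAIT, DEADLINE = 60, 180, 10 -- seconds (assumed values)
local rng = Random.new()
local pending = {} -- [player] = { expected = number }

-- Stand-in for the post's "complex mathematical function" (assumption).
-- The injected LocalScript must compute the same value and reply with
-- remote:FireServer(result) when it receives the nonce.
local function mix(nonce, userId)
	local x = bit32.bxor(nonce, userId)
	x = bit32.bxor(x, bit32.lshift(x, 13))
	x = bit32.bxor(x, bit32.rshift(x, 17))
	return bit32.bxor(x, bit32.lshift(x, 5))
end

local function challenge(player)
	local nonce = rng:NextInteger(1, 2^31 - 1) -- new value every time
	local entry = { expected = mix(nonce, player.UserId) }
	pending[player] = entry
	remote:FireClient(player, nonce)
	task.delay(DEADLINE, function()
		if pending[player] == entry then -- still unanswered at the deadline
			pending[player] = nil
			player:Kick("Integrity check timed out")
		end
	end)
end

remote.OnServerEvent:Connect(function(player, answer)
	local entry = pending[player]
	pending[player] = nil -- each nonce is accepted once
	if not entry or type(answer) ~= "number" or answer ~= entry.expected then
		player:Kick("Integrity check failed")
	end
end)

Players.PlayerAdded:Connect(function(player)
	while player.Parent do
		task.wait(rng:NextInteger(MIN_WAIT, MAX_WAIT))
		if player.Parent then challenge(player) end
	end
end)
Players.PlayerRemoving:Connect(function(player) pending[player] = nil end)
```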

Yes, but hacked clients are literally made BY true hackers; the people who use them most likely have no coding knowledge, and are probably an 8-year-old who just searched “roblox hacks” on Google.
The people who MAKE the clients would still be able to return the correct hash value simply by having the client delete the scripts AFTER obtaining the hash code.

1 Like

Again, client security is never safe and the exploiter can just hook all the scripts and whitelist them / blacklist them so that new scripts won't even necessarily work.

1 Like

I agree, it’s a cat and mouse game. The exploiter is the lord of their computer and has final say as to what runs on it and what doesn’t. The best that we can do is to mitigate the risk as much as possible. One thing is that Roblox can add something like PunkBuster to their client. I remember when I played World of Warcraft, they used something called Warden. It was a server based anti-cheat. What it would do, on command from the server, was send contents of memory locations, running processes, system information, and other things to the server. The server would analyze the information and make a decision on whether to ban the user or not.

Now it’s evolved to where statistical analysis is being used, so data collected over time. This is what I’m doing to combat aimbots/ESP/DEX, as well as other things.