How would you be doing them a favor? The goal is to completely avoid a hook, you are doing a favor for yourself, not for the exploiters.
Your statement after I modify the environment of your local script to remove setmetatable
and debug
global methods:
Your statement after local debug = table.clone(debug)
and local setmetatable = setmetatable
and breaking the whole game because of good old getrenv().debug = nil
(it won’t work on the anticheat script though)
local debug = table.clone(debug)
– invalid argument #1 to ‘clone’ (table expected, got nil)
local setmetatable = setmetatable
– nil
getrenv().debug = nil
– attempt to call a nil value, did u mean getfenv()
?
If you wanna talk about something then make sure you actually know the subject you are talking about
Chief, if you’re trying to do this from a normal anti-cheat script, getrenv()
will be nil, it only exists on executors. The joke you tried to make makes no sense lmao.
And tell me how using getrenv()
crashes the client because I set one global table to nil?
You were mentionning an exploiter setting setmetatable
and debug
to nil. In this case they would require the exploit function getrenv
which returns the default environment of any running LocalScript or Scripts with Client RunContext. I wouldn’t see any game developers messing their anticheat up on purpose by doing debug = nil
at the stop of their script. I don’t how my “joke” (I don’t know how you got that from) doesn’t make sense? Can you elaborate? Why would an anticheat script do debug = nil
in the first place…
Also I obviously meant the table.clone call statement was to be in the first lines of the script, aswell as the localisation of setmetatable
You got me completely wrong lmao.
My joke was basically on you saying if there’s a way to bypass, then there’s a way to detect.
This statement is not true. A developer’s abilities are always limited due to the sandboxed environment they’re working with. My joke was that an exploiter can alter the environment of a script or a function however they wish to counter the methods of an anti-cheat. Developers are limited by the global methods that Roblox provides them with. While exploiters are free to do whatever they wish.
This is again, completely false. Multiple Remote Code Execution methods have and ARE STILL working within Roblox’s Even-More-Sandboxed version of Luau (opensource luau is not quite the same as roblox’s closed source luau, one key difference being collectgarbage
actually being usable with other arguments than “count”). There will ALWAYS, and I mean ALWAYS, be a bypass to whatever restriction(s) are put in place. This is however not a reason to implement basic security measures.
Uh… buddy. That’s still not a counterpoint. You said “completely false” but provided absolutely no proper way or proof of how a developer can still detect an exploit even after environment modifications.
Restrictions are there for a reason. Any security vulnerabilities you use against exploiters are against the ToS and can get your experience moderated along with your account. Bypassing restrictions are temporary anyway and have a huge chance of getting patched by Roblox Engineers themselves in a short time.
I’m not against implementing basic client-sided anti-cheats, go ahead. I’m just here to say that they’re pointless in the long run, if you’re using bypasses for the sandboxed environment, you have to find new ones over and over again(which is extremely hard considering Luau is open source and is maintained by a lot of engineers), not only that, exploiters can still counter these security measures easily with the environment modification method I mentioned.
It is as simple as it can be
if not debug then
warn("Andro detected!")
end
If we’re going to follow your logic:
debug = {}
Or even better:
Script.Enabled = false
Hyperion also implements checks, even though my simple tutorials and this advanced usermode antitamper are different in almost every aspect while still having the same goal in mind, exploits are barely usable! If you also look at my projects whose goal are to detect client tampering (eg FFlags), only 2 people bypassed it out of hundreds, which were my friends. By your logic, correct me if I am wrong, it also isn’t effective in the long run.
Exploits are barely usable? False. Some? Sure.
For Hyperion’s case, it’s pretty advanced for sure. And does it work? Yes.
But did it also get bypassed by CheatBuddy with CPU sandboxing? Also yes.
Among hundreds, of thousands of exploit developers, one managed to come up with a solution like that. And you know what? It works very well. It even works with other anti-tampering solutions that other companies have put in place. And now he’s planning to sell it to people who want to update their executors to use his technology.
The thing is my dude, if your software runs on my computer where I have the utmost control, it is mine. I can see everything if I want to, and know how to. I can decompile it, analyze it, and modify it however I wish. Roblox Client is on my computer and runs on my computer. It is mine. If I know how to, I can bypass whatever checks are in place and do whatever I want. And there’s nothing a developer can do about it. Why? Their code runs on my computer. I can see it. I can see the C++ engine source code on how these global methods and functions work. (Data Mining) I can modify them. I can change how they work to suit my needs. Your patches and detections can only work so far where I have the utmost control over everything.
There’s a reason why even Roblox Engineers themselves, some of the best security engineers in their fields, acknowledge this fact while developers like you are still in refusal.
Once again, I am not against client-sided anti-cheats. It is nice to block out some skids with some methods on the client, but all it takes is one person. And one person who knows how to bypass it. And then it’ll spread.
Okay
--// Put your stuff here
--// Detection
local getDictCount = function(dict)
local i = 0
for _ in next, dict do
i += 1
end
return i
end
local methods = {
"dumpheap", "getmemorycategory", "resetmemorycategory",
"setmemorycategory", "profilebegin", "loadmodule",
"profileend", "info", "dumprefs", "traceback"
}
local SanityCheckDebug = function()
local dType = type(debug)
if dType ~= typeof(debug) then
warn("Failed N1")
return false
end
if dType ~= "table" then
warn("Failed N2")
return false
end
if getDictCount(debug) ~= 10 then
warn("Failed N3")
return false
end
for _, method in next, methods do
local methodFunc = debug[method]
if not debug[method] then
warn("Failed N4,", method)
return false
end
if debug.info(methodFunc, "s") ~= "[C]" then
warn("Failed N5,", method)
return false
end
end
return true
end
print("Sanity Succeeded:", SanityCheckDebug())
That proves yet again your lack of knowledge concerning the subject, if I put this on top of my script it will still run
Sure. I can modify the debug library and what it returns to suit what this local script needs and my bypass will still continue to work. What are you trying to prove here?
Where am I in refusal?
When I said this, it also works the other way around. At then end of the day it is just a cat and mouse game, until new vulnerabilities get found, then get patched. At no point in time have I ever said this was false.
Okay give me an example and I will show you everything that can be detected in it
Also a smarter way of preventing that would be to literally just hook that Sanity function to make it return true since you have access to the source as you said earlier, a simple bytecode decompilation will surely reveal it, lol
See? Not that hard to find bypasses.
Depends on the anti-cheat I’m working with. As you mentioned, I can do a simple bytecode decompilation to reveal the source code and modify the debug.info() function to return whatever the script needs. In your case: “[C]”