If you've played Roblox for a while, you've probably seen those bot messages that go along the lines of "Go to scamsitelinkgoeshere.org for free robux!" They can be really annoying. They also irritate me, so I decided to go create BotStop!
What is BotStop?
BotStop is a fully open-sourced Captcha-style system with the following features:
A minimalistic, simple UI accessible even to those with vision impairments
UI Sample
Simple, attribute-based customization
Plug-and-play installation
Fully open-sourced
Easy-to-read code, for those who want to fork this
Insert it into your game. You should end up with this:
Don’t worry about the fact that they’re named the same.
Put the BotStop folder in ReplicatedStorage, the BotStop script into ServerScriptService, and the BotStop ScreenGui into StarterGui.
That’s it! You’re ready to stop bots!
Configuration
If you select the BotStop script, you’ll see in the Properties window the Attributes for BotStop. They’re quite simple
CaptchaLength - How long the captchas generated will be
CaptchaLowercase - Will the captcha generated contain lowercase letters
CaptchaNumbers - Will the captcha generated contain numbers
CaptchaUppercase - Will the captcha generated contain uppercase letters
MaxCaptchaFailures - How many failures are allowed before it kicks you
DataStoreCaptchaCompletion - Will the captcha’s results be sent to DataStores
Q&A
Will the captchas be as impossible as the Roblox website captchas?
Nope! It’s impossible to fail provided that the submitted code is the same.
Can I edit this?
Yep! This is fully open-sourced! If you make an edited version, you’re free not to credit me. Just credit me if you use a stock build.
I have a quick question - bots usually join the game, then leave within 5-20 seconds. Why not just disable chat for the first 20 seconds a player joins? That seems a lot easier, and less annoying for every time a player joins. Think about a new player loading in for the first time - the second they get in, they will be faced with an annoying question. That isn’t a very good first impression.
I’m not trying to put your work down, I think it was very cool what you did. I’m just wondering, what is the point of a captcha, in comparison to other, easier methods?
Couldn’t the bot or whomever just inject a local script to enable the chat? It would bypass the captcha entirely. To be fair I’m not sure if there are bots out there capable of injecting scripts with an automated script injector.
game:GetService("RunService").Heartbeat:Connect(function()
game.StarterGui:SetCoreGuiEnabled(Enum.CoreGuiType.All, true);
end
Nonetheless, this is a neat concept and reading the previous replies I hope this gets improved.
Most of the code is in a central script called BotStop which goes in ServerScriptService. If you want to edit the client-side, it’s in the BotStop GUI.
Bots do some crazy bypasses and some of the things they do is not fire the .PlayerAdded event. (not 100% sure, but I’ve heard they do not add the Player object at all and don’t run LocalScripts as well)
You also do some bad practices, while it’s not my place to judge, things such as connecting events inside other ones can easily be cincumverted by using a table.
Thanks for the heads up! This was intended to minimize the appearance of the chat messages that try to get you to go to such-and-such website. For those, I’m pretty sure they require a player object. I’m not sure though, because I don’t make bots.
The clients that bots use are the literal bone for the Roblox Client to work; I’m obviously no bot developer or a reverse engineerer but with insights on how the client works I can guess they either:
Interface with the Roblox C++ code for sending messages;
Inject and execute code that uses a low-level Luau API to send the chat message (something way more low than firing the remote that sends messages);
Send a POST message with the message format to the actual game server;
Those are some things off the top of my head; this is just to say that there is actually no way to prevent bots that use those methods that the developer cannot prevent/interact with.
I forgot to mention, but when I said I’m not 100% sure I meant the fact that some bots might not do this, and this will work (looking at your scripts, the client disables the CoreGui and do not re-enable it until the server validates it, which is never since the .PlayerAdded event is not run!)
