Is there a way to detect a print on Client side? For example if a client prints “Injecting Synapse” or something is there a way for me to detect it with a Local Script?
I don’t know if you can detect prints, not sure
No, I don’t believe you can. But why not have a third party bool value? You could change it right before/after the print. Then you can detect when it changes in the second localscript using .Changed.
Yes, by using LogService.MessageOut, but this is extremely unreliable.
Exploiters don’t need to print anything to the console, and in fact some scripts don’t because they know they might get detected, or they could even use a custom print function. Synapse has a console built into it, and there is a function for writing to that console instead.
Yes. That’s why I used it as an example. I’m basically trying to detect exploits since I was told the easiest way was to “detect prints”.
You can use LogService as incapaz has said:
If a script errors inside an exploit, the script name is usually a randomly generated string of numbers and letters that you can detect with a regex expression, but I wouldn’t rely on this for any great deal of security.
You’re a lot better off detecting other things such as what the exploit does rather than attempting to detect the injection of an exploit. Now, there are some methods you can do, but I’m not really going to share those as they’re unreliable due to how Roblox’s Luau is changing the behaviour of the Lua VM, and I also don’t want those methods being shared in general.
So, it’s best you just detect exploits such as checking physics (walkspeed, noclipping, etc) and make sure that the client isn’t sending things to your RemoteEvents that you’re not expecting.
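An added example (not part of the original post) of the server-side RemoteEvent checks recommended above: every argument after the player is treated as untrusted and validated on the server. The remote name BuyItem, the PRICES table and the coins store are hypothetical.

```lua
-- Server Script in ServerScriptService. Added example: the "BuyItem" remote,
-- PRICES and the coins table are hypothetical names, not from the thread.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

local buyItem = Instance.new("RemoteEvent")
buyItem.Name = "BuyItem"
buyItem.Parent = ReplicatedStorage

local PRICES = { Sword = 100, Shield = 250 } -- server-owned allow-list
local MIN_INTERVAL = 0.5 -- seconds between requests per player
local lastRequest = {} -- [Player] = os.clock() of the previous request
local coins = {} -- [Player] = balance, kept only on the server

-- Returns true, or false plus a reason. Everything after `player` is
-- client-controlled and is treated as untrusted input.
local function validate(player, itemName, quantity, extra)
	local now = os.clock()
	local previous = lastRequest[player]
	lastRequest[player] = now
	if previous and now - previous < MIN_INTERVAL then return false, "rate limit exceeded" end
	if extra ~= nil then return false, "unexpected extra argument" end
	if typeof(itemName) ~= "string" or PRICES[itemName] == nil then return false, "unknown item" end
	-- The modulo test also rejects NaN and +/-inf, whose remainder is NaN.
	if typeof(quantity) ~= "number" or quantity % 1 ~= 0 then return false, "quantity is not an integer" end
	if quantity < 1 or quantity > 10 then return false, "quantity out of range" end
	return true
end

buyItem.OnServerEvent:Connect(function(player, itemName, quantity, extra)
	local ok, reason = validate(player, itemName, quantity, extra)
	if not ok then
		warn(("Rejected BuyItem from %s (%d): %s"):format(player.Name, player.UserId, reason))
		return
	end
	local cost = PRICES[itemName] * quantity -- the price never comes from the client
	if (coins[player] or 0) >= cost then
		coins[player] -= cost
	end
end)

Players.PlayerAdded:Connect(function(player)
	coins[player] = 500 -- constructed starting balance for the example
end)
Players.PlayerRemoving:Connect(function(player)
	lastRequest[player], coins[player] = nil, nil
end)
```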
The primary problem in my place is not basic character replication. It is people having complete control over servers using admin commands, destroying parts of map, inserting objects, banning my admins, etc.
People keep saying “backdoors” yet I have used Ctrl + Shift + F and spent hours checking every single script and possible vulnerability and there is not a single backdoor in the place. Not a single “require” for outside models either.
Interesting, as the only way someone would have server-side access is through a vulnerability in your code or otherwise exposed backdoor into your game, often contained within free models.
I’d suggest that you check, as you’ve mentioned already, for scripts using require() or getfenv() as well as scripts that use HttpService. It could very well be possible that someone is executing code within your game using HttpService and a custom Lua VM.
Make sure to also check third-party services you’re using, as those could be the cause for it. Not to say the third-party service itself is at fault, as they may not have the intention to be malicious but more so that said third-party service may have a vulnerability that is being abused - which would usually be stuff such as admin systems, etc. that have not been properly audited.
Edit: Also worth noting; check for code that’s obfuscated. That code itself could contain the require() or anything that’s loading the malicious code as obfuscated code runs on a rudimentary Lua VM - so you can’t simply just Ctrl + Shift + F to look for those things.
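An added example (not part of the original post) of the audit described above, meant for the Studio command bar: it walks every script in the place and flags the require(), getfenv and HttpService references mentioned in the post, plus two obfuscation heuristics that a Ctrl + Shift + F search would miss. The rule list and thresholds are assumptions to tune, and a hit is only a prompt for manual review.

```lua
-- Run from the Roblox Studio command bar; reading .Source needs plugin-level
-- permissions. Rules and thresholds below are assumptions, not a standard.
local MAX_LINE_LENGTH = 1000 -- very long single lines are typical of packed code

local RULES = {
	{ pattern = "require%s*%(?%s*%d+", why = "require() by numeric asset ID" },
	{ pattern = "getfenv", why = "getfenv reference" },
	{ pattern = "HttpService", why = "HttpService reference" },
	-- Four decimal escapes in a row (\104\116\116\112...) hide strings from text search.
	{ pattern = "\\%d+\\%d+\\%d+\\%d+", why = "run of decimal string escapes" },
}

-- Returns a list of human-readable reasons why `source` deserves a manual look.
local function scanSource(source)
	local findings = {}
	for _, rule in ipairs(RULES) do
		if string.find(source, rule.pattern) then
			table.insert(findings, rule.why)
		end
	end
	for line in string.gmatch(source, "[^\n]+") do
		if #line > MAX_LINE_LENGTH then
			table.insert(findings, "line longer than " .. MAX_LINE_LENGTH .. " characters")
			break
		end
	end
	return findings
end

local flagged = 0
for _, inst in ipairs(game:GetDescendants()) do
	-- pcall: some instances are not readable from every security context.
	local ok, source = pcall(function()
		return inst:IsA("LuaSourceContainer") and inst.Source or nil
	end)
	if ok and source then
		local findings = scanSource(source)
		if #findings > 0 then
			flagged += 1
			print(inst:GetFullName() .. ": " .. table.concat(findings, "; "))
		end
	end
end
print(("Audit finished: %d script(s) flagged for review"):format(flagged))
```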
Things I’ve tried so far:
Looking through every single script - skimming and looking for hidden code
Ctrl + Shift + F to check every require() and audit every single one
Ctrl + Shift + F to check getfenv, no results
Ctrl + Shift + F to check HttpService, no results
Made sure HTTPService was disabled
Made sure Filtering was enabled even though it has to be since the game is public.
Double checked my Adonis model and audited to make sure it was correct one
Checked all my Adonis logs to ensure it was not a moderator or admin causing the problems.
Don’t need to worry about FilteringEnabled; it’s forced for all games on the platform.
This strikes my attention; is there a reason you can’t use your own system or an alternative that does not use any external dependencies? You could use something such as https://github.com/evaera/Cmdr.
We are releasing Version 2 of our game soon and in that I custom coded my own admin panel that also has a second layer of security - an auto-generated password only my admins have access to that changes weekly. The second layer of security is to help in case exploiters can ever trick it into thinking they’re an admin. It’ll also tell us who is logging in and it logs all commands to Discord.
However Adonis is pretty known as a trustworthy admin system. I’ve never had problems with it specifically.
I think implementing your own admin system is the way forward here.
Also, I do not intend to discredit Adonis, as you’re certainly right, it’s a pretty known admin system. My concern with it is more the use of external dependencies, which may not be audited. Similar exploits have happened in the past, even with Roblox’s own created assets such as a sword giver model by the Roblox account.
The exploit allowed users to insert this asset via InsertService and load private assets from the game owners inventory in order to steal closed-source ModuleScripts. This is one of the reasons that InsertService is so heavily restricted.
It’s always good to be mindful of these exploits when it comes to security and try to limit the chances for vulnerabilities, and if there are any, you’re in full control to address them.
Alright, I will keep that in mind.