Then let’s do the funny
for i = 1, math.huge do
So at least timeout won’t work. I think.
1 Like
It will because you need to yield for a little bit
Else it will timeout
Instead do
for i = 1, math.huge do
--> @ Stuff you want here blah whatever crash
task.wait() --> Just yield to avoid a :SetTimeout bypass since a for loop is even faster than a while loop
end
1 Like
What if the exploiter creates a local script to then fire the RemoteEvent every 5 seconds? Boohoo.
That wouldn’t work because the key is random, though It depends on the handshake.
Can’t they hook the task.wait() and make it math.huge aka nearly infinite though
itll break like all of the roblox scripts
There are some testing games, that have an insane anti cheat, they detect pretty much everything, including dex explorer, “undetectable dex”, remote spy (I don’t know how this is possible), and spoofs, they also detect inject, and execute, so a simple thing like print() won’t work, these games are testing places though, but still.
-- POV: Dead
local a = 0
local b = 0
local c = 0
local d = 0
local e = 0
local f = 0
local g = 0
local h = 0
local i = 0
local j = 0
local k = 0
local l = 0
local m = 0
local n = 0
local o = 0
local p = 0
local q = 0
local r = 0
local s = 0
local t = 0
local u = 0
local v = 0
local w = 0
local x = 0
local y = 0
local z = 0
local A = 0
local B = 0
local C = 0
local D = 0
local E = 0
local F = 0
local G = 0
local H = 0
local I = 0
local J = 0
local K = 0
local L = 0
local M = 0
local N = 0
local O = 0
local P = 0
local Q = 0
local R = 0
local S = 0
local T = 0
local U = 0
local V = 0
local W = 0
local X = 0
local Y = 0
local Z = 0
local fps = 1
task.spawn(function()
pcall(function()
fps = math.floor(1 / game:GetService("RunService").RenderStepped:Wait())
end)
end)
task.spawn(function()
while true do
pcall(function()
fps = math.floor(1 / game:GetService("RunService").RenderStepped:Wait())
print(fps)
end)
end
end)
local function generateRandomString(length)
pcall(function()
local randomString = ""
local maxCodePoint = 65535
for _ = 1, length do
local randomCodePoint = math.random(0, maxCodePoint)
randomString = randomString .. utf8.char(randomCodePoint)
end
return randomString
end)
end
task.defer(function()
for i = 1,math.huge do
pcall(function()
task.defer(function()
for i = 1,1000 * fps do
a = a + 1000000000000000000000000000000000000000000000000000000000
b = b + 1000000000000000000000000000000000000000000000000000000000
c = c + 1000000000000000000000000000000000000000000000000000000000
d = d + 1000000000000000000000000000000000000000000000000000000000
e = e + 1000000000000000000000000000000000000000000000000000000000
f = f + 1000000000000000000000000000000000000000000000000000000000
g = g + 1000000000000000000000000000000000000000000000000000000000
h = h + 1000000000000000000000000000000000000000000000000000000000
i = i + 1000000000000000000000000000000000000000000000000000000000
j = j + 1000000000000000000000000000000000000000000000000000000000
k = k + 1000000000000000000000000000000000000000000000000000000000
l = l + 1000000000000000000000000000000000000000000000000000000000
m = m + 1000000000000000000000000000000000000000000000000000000000
n = n + 1000000000000000000000000000000000000000000000000000000000
o = o + 1000000000000000000000000000000000000000000000000000000000
p = p + 1000000000000000000000000000000000000000000000000000000000
q = q + 1000000000000000000000000000000000000000000000000000000000
r = r + 1000000000000000000000000000000000000000000000000000000000
s = s + 1000000000000000000000000000000000000000000000000000000000
t = t + 1000000000000000000000000000000000000000000000000000000000
u = u + 1000000000000000000000000000000000000000000000000000000000
v = v + 1000000000000000000000000000000000000000000000000000000000
w = w + 1000000000000000000000000000000000000000000000000000000000
x = x + 1000000000000000000000000000000000000000000000000000000000
y = y + 1000000000000000000000000000000000000000000000000000000000
z = z + 1000000000000000000000000000000000000000000000000000000000
A = A + 1000000000000000000000000000000000000000000000000000000000
B = B + 1000000000000000000000000000000000000000000000000000000000
C = C + 1000000000000000000000000000000000000000000000000000000000
D = D + 1000000000000000000000000000000000000000000000000000000000
E = E + 1000000000000000000000000000000000000000000000000000000000
F = F + 1000000000000000000000000000000000000000000000000000000000
G = G + 1000000000000000000000000000000000000000000000000000000000
H = H + 1000000000000000000000000000000000000000000000000000000000
I = I + 1000000000000000000000000000000000000000000000000000000000
J = J + 1000000000000000000000000000000000000000000000000000000000
K = K + 1000000000000000000000000000000000000000000000000000000000
L = L + 1000000000000000000000000000000000000000000000000000000000
M = M + 1000000000000000000000000000000000000000000000000000000000
N = N + 1000000000000000000000000000000000000000000000000000000000
O = O + 1000000000000000000000000000000000000000000000000000000000
P = P + 1000000000000000000000000000000000000000000000000000000000
Q = Q + 1000000000000000000000000000000000000000000000000000000000
R = R + 1000000000000000000000000000000000000000000000000000000000
S = S + 1000000000000000000000000000000000000000000000000000000000
T = T + 1000000000000000000000000000000000000000000000000000000000
U = U + 1000000000000000000000000000000000000000000000000000000000
V = V + 1000000000000000000000000000000000000000000000000000000000
W = W + 1000000000000000000000000000000000000000000000000000000000
X = X + 1000000000000000000000000000000000000000000000000000000000
Y = Y + 1000000000000000000000000000000000000000000000000000000000
Z = Z + 1000000000000000000000000000000000000000000000000000000000
pcall(function()
task.defer(function() -- Incase the exploiter tries to make the function return wait(math.huge), or make the function error :P
local generatedRandomString = generateRandomString(math.random(100,2000))
print(generatedRandomString)
end)
end)
pcall(function()
print(a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p, q, r, s, t, u, v, w, x, y, z,
A, B, C, D, E, F, G, H, I, J, K, L, M, N, O, P, Q, R, S, T, U, V, W, X, Y, Z)
end)
end
end)
end)
task.wait()
end
end)
What do you think about this lol,Timeout couldn’t stop the script, the idea was to make the script use as much CPU as possible
Learn your lesson, everything can be spoofed. Handshakes aren’t going to do much if they can just be ignored.
This just makes the script impossible to delete, or disable it, handshakes are only needed at the start or if you use Remote functions or remote events to kick the player instead of crashing them, and obfuscating the code with a good obfuscator makes the exploit or decompiler not being able to read the script (obfuscating affects the decompiler) if they disable it at the start, with all of these combined, It’s possible to make a powerful anti cheat, and ofc It isn’t foolproof, since some of the functions can get hooked, this is only if you want to make client sided anti cheats, most people know that if they want to make an anti cheat, they have to do it on the server.
It’s still good to try to protect both, though.
Since hyperion isn’t released for UWP, android, IOS, and mac, and probably never will because of the rules of each store, or because they haven’t done it yet.
(This is my opinion)
Also, I’ve heard that actors have their own environment meaning that things that run in parallel can’t get hooked, sadly parallel luau is still WIP, and It doesn’t support a lot of the functions in the API.
I don’t know if that’s true, but maybe in the future everything in the client will be made using parallel luau, but who knows.
Can confirm, using a local script and placing it under an actor prevents hooks and spoofs or most of them, you only have to add the local script inside the actor and nothing else, use this code to destroy the actor environment and the local script environment [PLACE THE CODE AT THE TOP OF THE SCRIPT]:
task.spawn(function()
getfenv().script.Parent:Destroy()
getfenv().script:Destroy()
getfenv().Script = nil
end)
-- Rest of the code, detections, blah blah blah.
Anyway, for example, using this simple hook:
local __namecall
__namecall = hookmetamethod(game,"__namecall",newcclosure(function(self,...)
local args = {...}
local method = getnamecallmethod()
if method == "InvokeServer" then
return warn("Script tried to call!")
end
return __namecall(self,...)
end))
This hook PREVENTS a “normal” local scripts from using InvokeServer, however, the script under the actor still somehow manages to InvokeServer, basically It bypasses the code above, so using actors and the first code to prevent some hooks should work, yes the first code I gave also prevents the exploiter from being able to delete or disable the local script using their auto execute, It even bypass :ClearAllChildren() with a loop in auto execute, while still being immune to most if not all metamethods hooks, and since the actor is “Destroyed”, I’m pretty sure It’s impossible to edit anything on the actor environment. 
Make sure to put the local script inside an actor. (This only works if the actor and the local script is inside ReplicatedFirst), not sure if it works with anything else.
exploiters could just use a function like run_on_actor to bypass that
the script can still be found in getgc (this is unpreventable, scripts will almost certainly end up in the gc (if the script somehow doesn’t end up in the gc, the environment will), and the exploits can scan the gc for this enviornment)
2 Likes
That functions needs an actor and (The actor is technically destroyed along with the local script), so I don’t think that would work.
For example using this code:
syn.on_actor_created:Connect(function(actor)
print(actor)
syn.run_on_actor(actor, [[
print'Running under Actor state!'
]])
end)
This code only triggers if an actor is created, but since the actor is in replicatedfirst and destroyed, so It’s even harder to find, and we aren’t actually making another actor, then I don’t think that would work, not to mention the script apparently runs faster than auto execute itself which is faster than replicatedfirst, and pretty sure that’s only for Synapse v2 or v3, the free executors don’t have that option, and no, doing the thing where they destroy anything under actors wouldn’t work as well, if ClearAllChildren() or getscripts() couldn’t destroy the local script with auto execute and loop, then I’m pretty sure that wouldn’t work either lol.
The environment is destroyed, and pretty sure this bypass getgc (I don’t mean getting tables or functions through getgc), not completely sure though. nevertheless since they don’t have a name It’s going to be harder to bypass, and you can easily change the name of both the script and actor if there’s a bypass, or make a server sided script that changes the name of the actor and local script when the server starts, so when a player joins, they will get the random name local script, and for functions well that’s another story.
TIP: Make sure the script don’t have any errors.
And also don’t forget handshakes, if the script gets somehow destroyed, the handshake will make sure to kick that player anyway.
you could find the actor in the gc (since everything deleted goes in the GC) you could find it
you can’t bypass getgc, as the script/any object will always get garbage collected if destroyed, it’s just how lua works
I’m guessing that you need a name for it, so what happens if the actor and the local script has a random name?
From what I know they use something like this:
for _, f in next, getgc() do
if not islclosure(f) then continue end
for _, c in next, debug.getconstants(f) do
if tostring(c) and tostring(c):lower():find("anti cheat") then
hookfunction(f, function(...)
return task.wait(math.huge);
end);
break;
end;
end;
end;
How would this work if the local script has a random name in every server, and It doesn’t error, the same goes for the actor.
And what happens if the local script is obfuscated, since it apparently effects the decompiler?, and what would happen if the hidden local script, creates new local scripts, with a random name and destroy them every microsecond?
Then again only synapse has run_on_actor, the free executors don’t have that function iirc.
nope, you just need to find a function in gc that is for the corresponding script and getinfo it as seen below:
for i, v in pairs(getgc()) do
if type(v) == "function" then
print(debug.getinfo(v).short_src) --if destroyed, will show original path (still can be decompiled)
end
end
an exploiter could just hook the __namecall, __index, and __newindex to construct the anticheat based on these 3 metamethod calls (painful but done sometimes)
won’t be in gc (?) because no luau bytecode is associated with the localscript
1 Like
Funny story, but they have a cool little function called getgc() 
The only way the actual client would be able to send a valid one then is a server needs some sort of salt if the intended scripts/client can receive the salt, so can the exploiter.
One script published and your done
Due to the fact this is usually a lengthy and stupid argument, I won’t continue this. Just secure the server
What if the local script has no local function, or doesn’t use functions or tables in general.
With obfuscating code, I meant using math operations, or using other techniques, how would __namecall or __index, __newindex affect the local script code?
roblox might make a function automatically (i forgot if they do or don’t) that will always go to the gc, you also might be able to find the original script environment in the GC too
if a exploiter hooked all three metamethods, they could reconstruct the script by doing what the localscript is doing (for ex: i call game.Workspace:FindFirstChild("abc"), __index will get fired for game and Workspace, __namecall will get fired with the self workspace, namecallmethod FindFirstChild, arg 1 being abc)
most exploits with decompilers can resolve the math equation automatically, a lua VM obfuscator like ironbrew 2 would work well for obfuscating, but it has to be modified to prevent constant dumping (which can be done by just hooking table.concat and printing what is sent to the func)