CoreGui Instance Detection

A couple of years ago, Roblox exploiters used to insert instances inside of PlayerGui - which was easily detectable by utilizing the ChildAdded event. Times have since changed and exploiters began to insert their instances inside of the CoreGui service.

Exploiters have more access to the client than game developers do, and unfortunately you’re unable to utilize the ChildAdded event for CoreGui instance detection like you were with PlayerGui.

This script is made to work around that, detecting any instance parented to the CoreGui service.
Source code: GitHub - 0x2502/anti-coregui: Prevents exploiters from inserting instances inside of the CoreGui service.

7 Likes

And then you realize, exploiters can just prevent the local player from being kicked. So you decide to just crash them instead! Then you realize that exploiters can just protect their guis (if they are using Synapse). Oh good! Then we can get other exploiters that use Hydrogen, Krnl, and the other ones that are not synapse.

Then you realize:

script:Destroy()
2 Likes

Synapse and Script-Ware (for Windows) are no longer functional. They have both been inactive since Hyperion’s release, with no updates or news about their potential return. The recent integration of Hyperion into the UWP app has also made KRNL and other exploits that relied on the UWP client patched, unless they can find a way to bypass Hyperion. Some exploits still use an older version of the UWP app, but it is likely to become unstable and stop working as time goes on.

This is a great resource to stop new or intermediate exploiters who have no clue how gui protection works. It may not catch EVERY exploiter, but it’ll surely catch a few!

7 Likes

There are many ways to get around this, such as using cloneref ( exists in most exploit environments ). Even if a measure isn’t great, it’s still good to have something standing in the way of exploiters - it may stop more of them than you think.

3 Likes

This type of detection has been around for years, just not widely known by developers but this is a solid method of detecting CoreGui exploits. if you know what you’re doing its not that hard to bypass on its own, so I threw together a different version with a few basic sanity checks, feel free to use its not anything that advance but should help.

task.spawn(function()
	while task.wait(1) do
		local Name = math.random()
		local Trap = {Name}
		local Bait = setmetatable(Trap, {__mode = "v"})

		if Bait[1] ~= Name or Trap[1] ~= Name or getmetatable(Trap).__mode ~= "v" then
			print("wow great hook")
		end
	end
end)

task.spawn(function()
	while true do
		local HoneyPot = setmetatable({game:GetService("CoreGui"), {}, newproxy(true), newproxy()}, {
			__mode = "v"
		})

		while HoneyPot[2] and HoneyPot[3] and HoneyPot[4] do
			task.wait()
		end
		
		if HoneyPot[1] then
			print("wow coregui exploit")
		end
	end
end)
9 Likes

I don’t know if you realize, but exploiters can modify pretty much anything local, or anything client sided. This would be super cool if they couldn’t, but they can. By being able to modify anything local, they can do so many things to counter this, like:

  1. just prevent the local script from running by disabling it or deleting it
  2. changing the local script to remove the part that either kicks or crashes them (yes, they can change the code in local scripts)
  3. im pretty sure they can also prevent the script from even spawning in the first place? not 100% sure on this one but i’d imagine they could
1 Like

Even Bitdancer said that there’s no way to eliminate client exploits, but rather make it harder to exploit (and thats literally Byfron’s goal)
No client anticheat is perfect and will get bypassed one way or another. It’s rather a protection later against “script kids”, since I highly doubt they’ll get technical enough to make a bypass.

5 Likes

Well you dont just use the script in a raw state, you include it in a local script that has to prove its presence by communicating with a server side script all while obfuscating it so its annoying to crack the key thats being sent to the server so you cant just create a script and act like its the anti exploit still existing

“CoreGui instance detection”
detects coregui reference

Classic “they can just delete the script” from the average DevForumian

Another “They can just delete the script”, I’m losing hope on this forum

(post deleted by author)