Today we will be releasing a very powerful lua hook detection for anti cheats. This detection can be used to detect any sort of lua function hooks, including instance metamethods.
Exploits can be detected on inject from this if they have a lua init script that hooks the game metamethods on inject. Many competent exploits may be safe from the on-inject detection, but this can still
prevent people from creating their own lua hooks for __index. Now you can have a good client anti cheat that checks humanoid walkspeed.
The method itself has to do with how the Lua stack works. We’ve all heard or had to deal with so-called “stack overflow” errors; they usually happen when we try to run an unconditional recursive function - simply put, Luau cannot handle more things onto the stack, and therefore it errors to prevent further issues. Exploits have historically been susceptible to metamethod hook detection vectors that involve checking the call stack for irregularities in one way or another. This approach is no different - it abuses a very niche aspect of the Luau engine in order to detect __index hooking. All lua hooks are detected by this.
If you are planning on using this, make sure you paste it in the top function scope of your script and don’t modify anything but the punishment behavior in the placeholder as the technique is very sensitive to even the slightest of change!
We wish you an exploit-free New Year!
BTW, This method has existed since exploits introduced hookfunction and game metatable hooking. No idea why some other developer did not discover this first.
-- Made by Fate
local AntiHook = function(Func)
if (Func) then
local Check;
Check = function(int)
if int < 16379 then
Check(int + 1);
else
Func(workspace,"Name");
end
end
local a, b = pcall(Check, 1);
return not a and b:find('stack overflow')
else
return true
end
end
local LocalPlayer = game.Players.LocalPlayer
local Index;
while wait(.1) do
xpcall(function()
return game["AAAAAAA"]
end, function()
Index = debug.info(2, "f");
end)
if (AntiHook(Index)) then
LocalPlayer:Kick("Exploit");
break;
end
end
WAOW! This thread almost made me CRASH THE BRAND NEW WHIP I WAS DRIVING!!
Thanks for this insane release, all exploit metamethod lua hooks are BTFO’d. I will definitely be adding this to my up-and-coming anime game.
Wow, crazy release, right around the corner of my up-and-coming horror shooter FPS game, which imo is a pretty orginal concept.
EDIT: Original* A sunray reflected off my Rolex and hit my eye, so I mistyped.
I wouldn’t use this for any serious projects. Ignoring the fact that it’s a client side check that can just be disabled, it’s also very unreliable because it depends on specific and undocumented client behaviour. This is behaviour that can change at any moment (and has likely before), and you could kill your game overnight when it does and no players are able to join or are otherwise punished.
Absolutely never rely on undocumented observations. At least when something is in writing somewhere you can expect it to reasonably stay the same, but if it’s not, there’s no such guarantee.
this behavior relies on a constant lua limit, so unless that changes this detection i don’t see why it would false flag. but yes, it does exploit an undocumented client behavior.
While this is neat as a concept, no one should use this in practice- you’re relying on C closures to retain properties that aren’t explicitly defined anywhere and are subject to change with every new update. Developers who do use this might find their entire playerbase being kicked for exploiting because Roblox so much as re-organized some engine code.
I’d like to mention the maximum stack depth has never been changed since the introduction of scripting. It’s almost like you’re only worried about people using this because it detects your popular remote spy exploit!
You can put LocalScripts in nil and if you set its name too just “LocalScript” and not “AntiHook” exploiters won’t think much of it. While still possible to disable it they wouldn’t know it was there until they tried to hook something.
Edit: One of my friends dmed on Discord about this reply saying “legit the first thing I think is there scripts in the nil.” So I just wanted to say you could also hide it in the default Animate script inside the character.