Exploit prevention

Help and Feedback Scripting Support
,
#1

Why can exploiters access CoreGui, but developers can’t?

:dart: What do I want?

Roblox should allow read-only access to CoreGui (something like GetCoreGui() or FindFirstChild("CoreGui") ). This way, we could detect exploit menus like Dex, Infinity Yield, AimBots, and RemoteSpy. :man_detective:

:x: The problem

Exploiters can read, create, modify, and delete things in CoreGui, but developers can’t even search for them. :clown_face: This makes no sense! If it’s about “security,” then exploiters shouldn’t have access either! :triumph:

:mag: Code examples

If we had read-only access, we could easily identify suspicious menus in CoreGui :

-- Searching for a specific exploit menu
local exploitMenu = game.CoreGui:FindFirstChild("MenuExploit")
if exploitMenu then
    print("Exploit detected! Name: " .. exploitMenu.Name)
end

Or we could list all the GUI elements inside CoreGui and look for something unusual:

-- Listing all GUIs in CoreGui
for _, gui in pairs(game.CoreGui:GetChildren()) do
    print("Detected GUI: " .. gui.Name)
end

If a function like GetCoreGui() existed, detection would be even easier:

-- Example of a fictional function that could exist
local coreGui = GetCoreGui()
if coreGui then
    for _, gui in pairs(coreGui:GetChildren()) do
        print("Detected GUI: " .. gui.Name)
    end
end

This would GREATLY help in combating exploiters without affecting security! :rocket:

We wouldn’t even need direct access… Roblox itself could create a script that automatically checks for any out-of-place GUI inside CoreGui . :thinking:

12 Likes
#2

You can still show it: File > Studio Settings > Studio > Explorer > Show Core GUI in Explorer while Playing. You can also use it in Roblox studio plugins: CoreGui | Documentation - Roblox Creator Hub

#3

This only works in Studio, not in published games.

It does not allow scripts to automatically check anything—only a developer manually looking.

Exploiters can still access CoreGui via script, while developers cannot.

2 Likes
#4

That’s called a professional hacker

#5

to be honest the whole coregui thing is a joke

12 Likes
#6

It’s not about being a “professional hacker,” it’s about allowing developers to protect their games against exploits in a simple and efficient way.

1 Like
#7

This is true, much of the coregui is very poorly done.

#8

I didn’t mean that, I meant you’re all noobs

#9

I didn’t quite understand what you meant by ‘noobs.’ Could you explain your point of view better?

#11

They have access to their computer so they can modify what they want on their computer I think (which is why they’re able to modify their CoreGUI)

7 Likes
#13

:dart: Detecting Menus and Exploits

Most of the exploits I mentioned are menus like Dex or Infinity Yield, which are easy to detect if we have access to the CoreGui. Other types of exploits that manipulate remote events are a different matter—I’m specifically talking about the menus.

1 Like
#14

exploiters modifying CoreGUI on their own machine doesn’t have to matter since exploiters are stuck on their own pc they’re powerless

3 Likes
#15

Yes, it’s true that modifications to the CoreGui are limited to the exploiter’s client. However, many aimbot menus and other exploits, such as Dark Dex or Infinity Yield, are still created within the CoreGui…

1 Like
#16

server-side hit detection laughs at your client-side and keeps the game fair, end of story

3 Likes
#17

Players are still flying and ‘blocked’ is ignored for them…

3 Likes
#18

I think this should be put in Feature Requests.

And I also completely agree with this—CoreGUI should 100% be made a readonly Service.

My only problem with it is that I don’t think this will happen. It’s like you said:

If Roblox hasn’t implemented something like that that as part of the anticheat, why would they give US the power to do it?

It’s not like Roblox is letting them do it; they’re called exploiters for a reason.

Roblox definitely did NOT give exploiters any form of permissions; that would be ridiculous.

I think it would be better as a readonly Service, accessed like game:GetService("CoreGUI"). Of course, that’s just my personal opinion and it could also be done as a globally scoped function like your example.

No. Exploiters use CoreGUI as a way to show their own exploit UIs, just as they use other methods such as injecting code written with Dear ImGui.

Of course, making your own game secure is important too, but letting developers have more access to improve their anticheats is also important—especially because exploiters still run rampant, even after Roblox has made major improvements to the anticheat!

I do not mean to sound confrontational. If I did, please let me know, and I will edit this reply accordingly.

4 Likes
#19

Although server-side hit detection is important, modifications to CoreGui on the client side still have a significant impact, especially in competitive games. Tools like aimbots allow the exploiter to gain unfair advantages, such as auto-aim, which affects gameplay and compromises the experience of other players. Even with server security in place, these client-side modifications can unbalance the game and harm competitiveness, making the claim that they are irrelevant overly simplistic."

2 Likes
#20

Okay, but exploiters already use methods to ‘protect’ their Guis, making them invisible to scripts. If you were able to read all the children of CoreGui, it wouldn’t be there. Even if it was, an exploiter could just hook whatever you use and hide their Gui that way. You cannot win by using client sided anticheats, you’re only postponing the inevitable. If your lucky, you can block skids who can’t script on their own, but eventually the script they use will get fixed.

6 Likes
#21

Hey, this reads like ChatGPT. I am definitely in agreement with the point made, but try to convey your points in your own words rather than relying on ChatGPT if you did use it.

7 Likes
#22

you can see the " at the end also

4 Likes