Exploiting Explained


#1

The Exploiting Issue

Note that this is not a rant/opinionated post.

So if you’re not aware of exploiting by this point, you’ve probably been living under a rock that the pioneers used to ride for miles. Roblox is often seen as an exploit-infested ground by most from the surface, although this isn’t the case. This post serves to address some of the raised concerns I’ve seen all over the forum, what kinds of exploits there are, what they do, and what Roblox has done to fix the issue (both publicly and internally).

I will be lightly touching on subjects such as the Lua interpreter, and what makes it possible for code injection to happen. For any further questions you can DM me here or on Discord @ reruwu#7149.

Common Concerns

Place Stealing

We hear this one a lot, “my place was stolen, help!”. I feel this is the most common issue, and it comes in many shapes and sizes; from someone yoinking and republishing your place to them openly threatening you of leaking it (which shouldn’t be an issue anyways, as only local things are present from the local exploits).

People amp up the whole place stealing thing like it’s some wizardry of reading geometry right out of memory(???). Often times, people just use loopholes or the Roblox api in fancy ways, and it’s mostly things you could do from a normal LocalScript (given elevated privileges, of course).

My view on it? It’ll happen if your game gets enough attention, but you shouldn’t have it discourage you. There’s nothing Roblox can do to fix this, and it’s an issue that plagues any game in general.

As a side note, anything in server-only containers such as ServerScriptService or ServerStorage that don’t get moved can NOT be stolen conventionally from the client, period. They are not replicated.

More info by EchoReaper: Place theft - Why ROBLOX places are already as secure as it's possible to get them

As it was pointed out, there is another form of place stealing, but it’s not exploit related. Usually it involves someone giving Team Create access to someone who then downloads the whole place, server side included.

It was also brought to my attention that places could also be stolen on the server (such as the breach that happened a while ago). This is a much rarer instance that is out of the developer’s control, and often involves a serious security hole. It’s not something to worry about, though, since these kinds of things don’t just happen and get spread.

Decompiling

Simply the act of taking Lua bytecode (the stuff that runs through the interpreter) and turning it back into psuedo-code. Also known as “script stealing”, this issue falls under the same umbrella as place stealing. It can’t exactly be patched, unless Roblox switches to a completely different way of Lua execution/compiling.

There are MANY misconceptions I’ve seen thrown around over time, so I will debunk them all here if I can, while also answering some other general questions.

  • Can server sided scripts be stolen?

    • No. There’s no wizardry to do this with a decompiler. It’s not because they’re encrypted differently or anything like that, but their bytecode is just never sent to the client, at all!
  • Does renaming my variables do anything?

    • Yes, and no. When you rename variables, you aren’t exactly making it much harder. The logic within your code is still there, and it’ll just take a bit more time than simply eyeballing. As a rule of thumb, if it’s going to make your debugging harder (such as renaming all variables to ‘iiIiiIiIllIi’ and such), you’re not scripting right.
  • Does removing whitespace/indentations/comments help?

    • Not at all. Comments and whitespace don’t get compiled, so you’re just making your life harder. Line numbers are present in the bytecode, but in the form of being attached to individual instructions, which serves absolutely no purpose to decompiling; still useless to remove.
  • What exactly IS debug data?

    • Debug data is present in Lua bytecode chunks, and it’s a way of bettering your debug experience when an error happens. This data consists of variable and upvalue names, chunk names, line numbers, and a couple other misc things. Basically, it’s the reason your errors show up as ScriptName:24: attempt to index upvalue 'Testing' (a nil value) and not as (roughly) attempt to index upvalue (a nil value). Yes, it can be used for decompiling, but a dedicated exploiter will figure out what your code does regardless of that.

Remote Exploiting

Ok. There’s not much to say about this one besides it being an issue because of either:

  • Bad client-server network model implementation, or…

  • Some really clever exploiting.

Basically, your network model should always assume that ANY input from the client has been tampered with.

Local Stuff

Finally, what is probably the thing that happens most. Noclip, aimbot, teleportation, ESP, helper guis, etc. What can you do about these? Not much. Spending time implementing local checks for things like noclip will get circumvented, and aimbot could really even be implemented externally, not to mention messing with “teleportation” could affect your players on lower end internet or hardware. So, what’s the way about it?

These problems aren’t really solvable. You can often diminish their impact with client checks, which will be bypassed, or proper server sanity checks, which are the better way to go (for movement related exploits). Ideally, nullifying the effect that using any of these cheats might have by having clever game mechanics which flow well but make using these not really useful is the way to go, rather than attacking the code that does it itself.

Trust me, if you’re trying to go out of your way to patch a pesky aimbot, you’ll soon come to realize that it can be done in any way from literally snapping the camera center to the target to even messing with the network code; just add bullet drop or proper spread!

Weird Functions

If you’ve ever encountered an exploit script, and see weird functions like getrawmetatable or getobjects, you might be inclined to think that Roblox is setting up your game to be exploited with these fancy hidden functions. The same can be said about the debug.* functions, but, alas, they’re not even implemented in Roblox. Often times, exploits implement custom functions using their own code to achieve things a normal Lua thread could not.

Exploit Terms/Types

Level Six/Seven

You usually hear this term tossed around a lot, and it usually has some misconceptions too. The 6 or 7 simply refers to the internal Roblox thread context the exploit is running on. 7 used to be the most with most permissions before it was dropped to 6, and the name simply stems from this. It’s not some hackerman way of classifying how much damage you can do with it; you could have a commands UI exploit with elevated context and still call it this.

Script Executors

Probably the most destructive kind of exploit. This exploit usually involves executing Lua code on the local user’s client at an elevated context. These have access to all the api your LocalScripts have, and more. There are realms of things you could do with this sort of ability, but to counteract them, I suggest you think the same way. Simply thing, “how much damage can I cause to my own game if I could run any LocalScript?”. The scripts run could be anywhere from nil to not attached to a script object at all.

Some technical stuff about why this happens now. Lua runs on an interpreter/vm (lvm.c in the source). Lua code can be executed by being injected via the api functions the normal code uses for running code. This is one of the ways this kind of execution is achieved, and it is present in most non-native languages. The simplest way of explaining it is signing code in the format that is compatible with the target platform (such as Roblox). The code is then injected using the real api, as if it had been queried by a real thread. If everything is set up right, you can roughly get the interpreter to run code that wasn’t actually generated by the real compiler.

Lua C Executors

These ones are simpler. Not much to say about them; it’s just creating a Lua thread and interacting with it using the official Lua C api (you can read up on it on the Lua site).

Command Exploits

Simple, mostly UIs with a few commands that run precompiled code to affect the game; again, not much to say.

What has Roblox done?

Just because Roblox doesn’t talk about every little new check, encryption, or obfuscation they add doesn’t mean they’re not there. It’s common belief that exploiting is some walk in the park because Roblox spends no time in this field, which is a bit of a toxic way of putting it without first seeing the facts. Roblox are actively working on security, as it has a huge impact on the platform. Before shouting “DO SOMETHING!!!” at the engineers, you should remember that there are things in place already for protecting the client.

The client is full of encryption and obfuscation, as one could conclude from a semi recent issue players were having where they were not able to join games because of an encryption key mismatch.

Other things, such as the public fact that FilteringEnabled is now enforced, means that the game developers will be fully tasked with properly implementing their games, outside of the few bugs that arise here and there with Roblox code.

In short, there are a lot of checks and things being done, but it’s been known that no matter how much you put into it, there’s always probably on the other side of a screen reverse engineering it.

Wrap Up

Exploiting is an issue that won’t go away anytime soon, especially the local kind. It’s best you simply design your game in a way to minimize their impact, while concentrating on using your time to provide features for your real players!

Oh, right, and listen to feedback.
This post may be updated at a later date if I there was important information I excluded.


How to prevent exploiters from changing the currency
Game Development Resources [MEGA THREAD]
Securing Game Scripts
Que tanto sabemos de un Anti-Cheat
Aporte/Debate - Seguridad servidor/cliente
Como evitar que un hacker envie datos falsos al servidor a traves de un RemoteEvent
#2

Very informative. Good work.


#3

You should explain how some games get leaked with server scripts and children from server-sided containers, because some people are going to be wondering it.

Just a heads up: the main reason is because developers give someone team create access and that person leaks the game.


#4

Brilliant post and very informative, loved reading it. Keep up the good work!


#5

Thanks SO MUCH for writing this out! People have been saying that FilteringEnabled being forced doesn’t make a security difference since the client can “still run code”, which is just wrong. I’ll be copy-pasting this to prove them wrong.


#6

Cleared up my confusion.


#7

What is stopping a talented exploiter from figuring out how to fully steal a game? Roblox has patched it many times and they always seem to figure it out again, even if it takes longer the next time.


#8

Really useful! People jump to blame Roblox too quickly without looking into it themselves.


#9

If you mean objects and scripts, they pretty much can any time; if it’s server side scripts and objects I think this happens when Roblox accidentally either allows non authenticated players to access certain place files or when an exploiter manages to access the internal game servers. I guess when running a game on massive scale it’s hard to keep track of 100% of the copies that are running at one time, or make sure users can access their places without exploiters being able to.


#10

Adding onto this; places being fully stolen through unauthorized means that aren’t directly Roblox related (aka not Team Create and such) are more serious security flaws which aren’t really related to client exploiting at all, but more involved with network protocol vulnerabilities and such. These are often rare; much rarer than something like a script executor.


#11

Thanks for the very useful info.


#12

Wait can’t you just email ROBLOX to get your game not to be stolen anymore. I worded that terrible but I don’t know how to fix the wording :joy: Most of the games are named say, “Jailbreak Uncopylocked” Shouldn’t the uncopylock section be fixed. Also Uncopylock seems it serves no use except for stolen games. Team create can handle any deal that uncopylock does. It seemed like a super flawed feature.


#13

I’m honestly hoping that ROBLOX releases a code or a model directly installed in your inventory or on ROBLOX studio, named ‘Exploit protection enabled/disabled’ or something along those lines. It would honestly remove unwanted stress and emails to ROBLOX.


#14

It’s mostly about open source; I don’t see a problem with uncopylocked, as people can just save the place file and spread it even faster even without it.


#15

The (un)copylock feature serves quite a big purpose. Namely sharing code and demos with other the community. I learned FABRIK from the uncopylocked demo of it that’s linked on the wiki. They can also serve to preserve Roblox history by allowing creators to let others maintain a game long after the original creator has left the site.


#17

Thank you for clearing this up to everyone. Maybe if you ever have time try to add why anti exploits that check a player’s character is more accurately handled by the client but is safer handled by the server. Maybe just provide a link to network ownership or something.


#18

Here’s a basic(but not completely accurate since there is still a bit more) idea of thinking of what an exploiter can do: Whatever a LocalScript can do, an exploiter can do.


#19

And more, sadly. They can access areas and change certain values we don’t have the permission to.


#20

Great post, more people should know this stuff instead of simply yelling at Roblox.


#21

My way to go against exploiting is to have safety measures. I 1 localscript and only modules. here’s how it works:

this script below stores the modules in a table for each module we send the list with the modules and module information and use Init a function in my module that will store the info and after it has send to all the modules it will delete them. so whenever the client tries to hack they cant get the modules. only this peace of localscript.

local Modules = {
	MenuModule = require(script.Modules.MenuModule),
	ResultsModule = require(script.Modules.ResultsModule),
	RotationInspecterModule = require(script.Modules.RotationInspecterModule),
	TimerModule = require(script.Modules.TimerModule),
	SettingsModule = require(script.Modules.SettingsModule),
	CodesModule = require(script.Modules.CodesModule),
	ChestsModule = require(script.Modules.ChestModule),
	BadgesModule = require(script.Modules.BadgesModule),
	Notifications = require(script.Modules.Notifications),
	SoundModule = require(script.Modules.SoundModule),
	RatherModule = require(script.Modules.RatherModule),
	StarterPackModule = require(script.Modules.StarterPackModule),
}

local ModuleInforMation = {
	Modules = Modules,
	ScreenGui = script.Parent,
	Player = game.Players.LocalPlayer,
	T = game:GetService("TweenService"),
	BadgeService = game:GetService("BadgeService"),
	MarketplaceService = game:GetService("MarketplaceService"),
	MainScript = script,
	Assets = script.Assets,
}

for i,v in pairs(Modules) do
	spawn(function()
		v.Init(ModuleInforMation)
	end)
end

for i,v in pairs(script.Modules:GetChildren()) do
	v:Destroy()
end

Why an i doing this?
My guis handle allot from effects to transitions. people that would steal it could use this for their own.
And i dont want my hard work to get stolen or used without permission.