Exploiting Explained

Hawaiian0ps · May 15, 2020, 5:40pm

Then what does the difference between regular LUA and LUAC? Could be more effective to prevent exploits or not?

unix_system · May 15, 2020, 5:45pm

There is no such thing as “LUAC” - I think you mean LuaU. You can read more about it on Arseny’s article titled Faster Lua VM Released.

In regards to security, it holds zero benefits against exploiters.

pvod · May 15, 2020, 7:04pm

It’s unfortunate that this cat and mouse game will never end. It’s practically impossible to terminate exploiting, especially when there’s multiple types of exploits. However I’m glad to see ROBLOX never fail to stop it.

Hawaiian0ps · May 17, 2020, 5:15am

Is it possible to store everything in Server Script Service and Server Storage to prevent the map being stolen. When I mean putting everything in Server Storage I am referring to loading from the Server storage itself.

Autterfly · May 17, 2020, 5:38am

No; you still need to send the map to the client so they can actually render and see it.

trqlling · May 17, 2020, 6:18am

You should not have a problem with admin hacks.that’s why this was not covered. If you have a problem with admin hacks then you have used a free model. Try to avoid this and great it yourself! If you need help them just watch a tutorial! Reply if you need a link or have questions about other ways of hacks. (There a some ways people can hack and CREAT admin. I will cover this if y’all want)

NOT my WRITTING

There are a number of things to consider, and a lot of great points in this thread.

Clients can be compromised.

You can make your non-compromised game clients work for you (but if they can decompile your anti-cheat, they can decompile that, too and get ideas for how to tweak them).

What I want you to consider is that this is your game, and you are responsible for the game mechanics and the game being fun. If players are abusing the game to get some benefit figure out how to work that into a game mechanic to keep the game balanced and fun. For example, the more successful your cheating player is, the more the game can make it harder in other ways to balance the game and keep it fun for the less successful players. Here are a few ideas:

You can’t run as fast or turn around as fast.

If you turn too fast, your gun stops working for some time (enforce this on the server).

Perhaps every other player sees a big icon where the current kill leader is - there is nowhere to hide.

Maybe you get your health reduced or damage dealt gets reduced. No one shot kills.

Your head grows every time the server thinks you’re cheating. Soon everyone can make headshots on you…

Respawn time increases.

Obviously your game mechanics might make this make no sense. These are just a few ideas to get you started. Some might be more fun than others.

That’s one strategy for mitigating cheats. There are obvious and some non-obvious ways to detect cheats and fix them server side, potentially not impacting game play for normal players. You’re in a 3D floating point world. If the player shoots precisely at the center of another player’s head, like spot on exact to several orders of magnitude – that it had to be a calculation less than some small epsilon away, and not possible to get that accurate from a mouse, consider it a cheat and take action. If the hacker can figure this out that you are doing this, they might add some noise. Maybe you add some random noise to every shot at the server and increase that noise as the likelihood of cheating goes up - the closer you aim to their center of their head, the more noise it generates on the server. Sometimes when you think you hit something in multiplayer games, they moved due to lag, so maybe this works out in their favor sometimes. Make this feel like that - a natural element of networked game play. For players that get too good, give them more latency - they can auto-aim, but their aim goes to where the player was 0.1-0.9 seconds ago (this requires server work, and maybe that incurs latency), so it only hits players that don’t move. FPS games are highly intolerant of latency, so a couple hundred milliseconds can be enough to destroy the race to the trigger button. It can also ruin the game experience just as much as people cheating can. Pay attention to what your players are telling you and play test your changes often.

You can incorporate client reporting approaches where players can tag others for bad game play, but I’d be remiss if I didn’t caution you that doing this also opens an avenue for abuse where a gang of players can make the game bad for others by reporting them. You can also incorporate some form of deputizing system where the players who have played the game longest (or have some other metric) are granted some admin controls that the game respects to make your game somewhat self policing. Again, avenues exist for abuse.

I’m not going to claim I have a magic bullet for solving this problem, and it’s a subtle art to re-balancing the game without making the cheaters more engaged than the other players. I feel like you must have good user engagement to have this problem. Maybe what you really need is a good strategy to group players together onto servers by skill level. If cheaters advance quicker, soon they will be playing with other cheaters at their own level. A quick Google search revealed that others on the dev forum have made some variety of this. Here’s one result I found .

The most important thing to remember is not to be defeated by the bad actors. There will always be bad actors, and they will eventually find and exploit and all holes in your game and our products. Where they meet with success, they will continue to explore. This problem is actually a pretty strong measure of success - you have made something of value. Whatever it is that you have done, keep doing it!

Exploiting Explained is a pretty good article on the topic. I’ll end with a variant of the same advice @Autterfly did: Listen to your players.

PS. It occurs to me that maybe if cheaters are hacking the client to enjoy your game, that in addition to server side protection, you could make a game pass for auto-aim that disables the server side protection and adds similar client-side functionality in a “legit” fashion. Then you can control the experience and game balance a little better. This can be a dangerous slippery slope / double edged sword, so tread carefully with this idea. You want to avoid angering your core player community, and this just might break your fan base. It’s worth repeating a 3rd time: Listen to your players!

metryy · May 19, 2020, 4:15am

LuaC refers to the Lua API in the C language; Roblox embeds their version of Lua through C which allows games to actually run Lua scripts and is exploited to achieve Lua script execution with external programs. LuaU, Roblox’s new lua VM, removes debug information and restructures their old bytecode format to make it harder for exploiters to actually exploit games.

ZaexVaIor · May 19, 2020, 2:16pm

Best thing I’ve found about what we can do is possibly kick the player if there’s any new GUI added into the workspace with a specific name that each executor might have using FindFirstChild and other methods which I do not want to disclose as it could very well neutralise my anti-exploit, me and my fellow programmers were working on that and have accomplished in kicking players using Protosmasher and Synapse X from the game.
Of course for this method, you will need to actually own those exploits and test them and analyse their working methods to get this done, but I guess it’s worth spending 50 USD as it could very well determine the success of your game/group on a whole new scale by reducing the number of exploiters on a notable scale.
Despite ROBLOX doing their best in their ban waves and methods of spotting an exploiter, every developer has to personally make changes in their game and make sure all the remotes and scripts are protected in a way they can’t be tampered with. Most of the exploiting occur due to unprotected remotes and datastores in the game that are exploited to the exploiter’s needs.
Instead of looking and working for an anti exploit, try and create a safely protected game.
The anti exploit part comes after you have a proper air tight security in your game / places.
[ For those who don’t know what Protosmasher and Synapse X are, they are the most famous and effective paid exploits on the internet. ]

ViniDalvino · May 21, 2020, 3:53am

Yes they can. Most of the exploits come with a debug library which allow the exploiter to understand what script say.

NACKRR · May 21, 2020, 6:38am

Thank you so much my friend, this has helped a lot of people. Thanks for this great content

unix_system · May 21, 2020, 9:30am

Ah, I’m aware of LuaC - I just didn’t identify that’s what they meant with the capslock

From what the user was talking about (comparing Lua to “LUAC”) I suspect they were referring to Luau.

In regards to Luau, it doesn’t make it any harder for exploiters - they’ve had no real impact due to Luau except the removal of variable names from their decompilers.

Ryfiles · May 23, 2020, 12:22pm

Yes I agree, it is kinda fishy, not to lie.

Voxelinator · May 31, 2020, 7:52am

I must admit, I’ve been involved with backdoor removals quite recently, I’ve started to see a trend of backdoors which seem to look similar in appearance to Lua-C, which sometimes are loaded with an API for Lua-C alongside the backdoor payload itself.

Lua-C from what I understand, primarily looks like bytecode, meaning that it’s possible the backdoor I saw recently was either that, or some other form of obfuscation, although I have asked friends of mine and they’ve said the same I did, in that it isn’t obfuscation.

Hawaiian0ps · June 1, 2020, 1:37am

I just thought of this now but could a exploiter be able to bypass FE and be able to take the whole game or it will be not even possible?

VegetationBush · June 1, 2020, 8:03pm

Wow, I’ve read this thread before any posts have come here and after some long time I see like 50 thousand posts here.

I didn’t want to make a whole thread about this, but I thought about the whole concept of “Client Sided Checks”. Basically, you make a Local Script as an anti exploit so you can detect exploits from the client side. But, the thing was people can just delete that script, and kabam it’s gone. But, I’ve been thinking about this for a while: what if be set the Archivable property to false(it wouldn’t be false at first, but it sets the property to false in the actual script)? Wouldn’t that stop the script from getting deleted?

This is about what it would look like:

script.Archivable = false

-- Rest of anti-exploit script

An answer would be great!

Autterfly · June 1, 2020, 9:10pm

Nah. It only stops its instance from being cloned. Even then, the property can be set back to enabled. If it’s on the client it can simply be bypassed one way or another.

ZaexVaIor · June 18, 2020, 8:09pm

Yeah, exploiters can delete/edit and rename a script from a game but the changes are only local to the player.

ZaexVaIor · June 18, 2020, 8:12pm

It’s not about getting kicked for deleting scripts for the whole game, no exploiter can make any change to the server thanks to filtering enabled.
EVERY change is local to the player and if you want to kick a player messing with the scripts have a separate script checking for the presence of the scripts and kick when the value is false.

Crystalflxme · June 20, 2020, 2:21am

I probably don’t know what I’m talking about here, but I did a test of client sided anti exploits a little while ago and found success with having two scripts: one that was the anti exploit, and the other being a checking script. Both scripts contained code checking if the other was moved, renamed, deleted, etc. When I tried doing something like removing both in one command line the other script would kick me before the next line of execution could start (which was deleting the other script). Inside the script you could keep references to certain instances without using something like script.Parent just to be sure that the script would be unaffected if successfully moved somehow. And the only weakness I can think of is if the exploiter ran the deletion code before the scripts got references (that don’t use script.Parent) to each other. This, I’m assuming, would be hard as the code would be run in PlayerScripts.

How would you bypass this? Am I missing something?

Autterfly · June 20, 2020, 2:33am

You can bypass this by just stopping the scripts. Exploits can force both scripts to error at the same time, yield forever, or just completely stop. It’s a losing game.