Exploiting Explained

I believe RoBeats does this by creating accuracy maps and other statistics of users when they complete a level. You can then compare those of cheaters to those of real skilled players. Generally, the difference is very obvious (to a human), as it’s hard for a machine to simulate organic mistakes and timings.

My suggestion would be some kind of manual moderation for leaderboards that get shown as you’ll have to deal with at most 100 to 1000 players or so. You can also leverage other methods such as flagging players as suspicious if their stats fluctuate too much or go from barely able to play to near perfect scores every level.

3 Likes
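The flagging heuristics suggested in the post above, sketched as an added example (not code from the thread, RoBeats or Roblox). It pre-filters leaderboard entries for manual review; the thresholds, field names and sample data are assumptions constructed for illustration.

```python
from statistics import pstdev

# Thresholds are illustrative assumptions, not values used by RoBeats or Roblox.
MIN_TIMING_SPREAD_MS = 5.0       # below this, hit timing looks machine-generated
JUMP_FROM, JUMP_TO = 0.60, 0.98  # "barely able to play" -> "near perfect"
MAX_ACCURACY_SPREAD = 0.20       # std-dev of accuracy across a player's runs

def review_flags(runs):
    """Return reasons why a player's runs should go to a human moderator.

    runs: chronological list of dicts with 'accuracy' (fraction of notes hit)
    and 'offsets' (signed hit-timing error per note, in milliseconds).
    """
    flags = []
    for i, run in enumerate(runs):
        # Organic play has scattered early/late hits; skip runs too short to judge.
        if len(run["offsets"]) >= 10 and pstdev(run["offsets"]) < MIN_TIMING_SPREAD_MS:
            flags.append(f"run {i}: timing spread too uniform")
    accs = [r["accuracy"] for r in runs]
    for i in range(1, len(accs)):
        if accs[i - 1] <= JUMP_FROM and accs[i] >= JUMP_TO:
            flags.append(f"run {i}: accuracy jumped from {accs[i - 1]:.2f} to {accs[i]:.2f}")
    if len(accs) >= 3 and pstdev(accs) > MAX_ACCURACY_SPREAD:
        flags.append("accuracy fluctuates too much across runs")
    return flags

def triage(leaderboard):
    """Map player name -> flags, keeping only players with at least one flag."""
    flagged = {}
    for player, runs in leaderboard.items():
        flags = review_flags(runs)
        if flags:
            flagged[player] = flags
    return flagged

# Constructed sample data (not real player statistics).
HUMAN = [-22, 14, 3, -9, 31, -17, 8, 25, -4, 12, -28, 6]
SCRIPTED = [1, 0, -1, 0, 1, 0, -1, 0, 1, 0, -1, 0]
SAMPLE = {
    "skilled_human": [{"accuracy": a, "offsets": HUMAN} for a in (0.93, 0.95, 0.96)],
    "macro_user": [{"accuracy": 0.40, "offsets": HUMAN},
                   {"accuracy": 1.00, "offsets": SCRIPTED},
                   {"accuracy": 1.00, "offsets": SCRIPTED}],
}

if __name__ == "__main__":
    for player, flags in triage(SAMPLE).items():
        print(player, flags)
```

The output is a review queue, not a verdict: a flagged player still goes to a human moderator, as the post suggests.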

Fun fact: DMCA report exists.

What’s the relevance? Doesn’t stop theft of assets or tech.

1 Like

You can take down copies of your game, so there shouldn’t be a need to actively prevent place downloading.

1 Like

That doesn’t help me because I don’t want people having my stuff period.

1 Like

Bytecode is executed by being fed into Roblox’s deserializer.

It has to be Luau compatible to run, contain the correct opcodes, lineinfo, etc.

You also missed two other methods, a CLVM (custom Lua virtual machine) and a Lua wrapper. Bytecode conversion is more known as bytecode compilation, as bytecode conversion isn’t possible how it was back before Roblox used measures to prevent it. People also just write compilers that use bytecode, and fully support Luau syntax.

There are also many checks, known as retcheck (“return check”), memcheck (“memory check”), and trustcheck, which is to do with HTTPS services, but there are more.

LBI = Lua bytecode interpreter.

A Lua wrapper is very reliant on Roblox’s base, alongside proto conversion - bytecode compilation / CLVM / LBI aren’t as much.

A CLVM is not easy work and requires a lot of work; this is what Synapse X is.

In short, a CLVM is essentially written exactly like Roblox, and can be customised a lot more. But it’s hardly touchable by Roblox and not easy to patch; but this is now easier considering Luau is open source.

Roblox Luau opcodes have different registers within them too, compared to normal Lua ones. They are placed in different orders, and some contain a little check, like OP_TAILCALL.

I’m pretty sure they shuffle / shuffled the enum too.

Every update they also change the address of many checks, etc.

I won’t go far in depth as I could potentially feed other users to create exploits.

I’m telling this information for educational purposes only.

1 Like

In short, Roblox do a lot behind the scenes in aid of preventing exploits; therefore, before we suggest they do nothing, hopefully this clears it up that they do.

These vary, can be a Tuesday, Wednesday or Thursday.

Every time this happens, exploits need to be updated.

Anticheats such as Vanguard or BattlEye are going far deeper in your computer than Roblox does.
For example, Vanguard has root access on the machine; this is far more effective.

Yet, even they can’t stop cheaters properly.

Vanguard uses a kernel-level driver, which is far more effective as when you run the game, so does the driver. I wouldn’t doubt it does a scan while the game is loading to see any external software running too.

For awareness, this happens because this is just when Roblox releases the weekly update - it’s only partially to do with anti exploit. When Roblox recompiles their binary (executable) it randomises the address space using an industry standard technology called ASLR.

Correct. I didn’t want to go in depth, but never mind. Nice one.

1 Like

As far as I know, FE is one of the best updates ROBLOX has made to stop exploiters. I’ve seen a ton of exploiters complain about it.

Happens a lot. Mostly the main reason ArtBlox (an amazing creator) privated his games. But the thing is it’s mostly done through gameInstance, which for some reason doesn’t save some stuff, which is good.

I would love if ROBLOX was a bit more transparent about their work with the anti-exploiter stuff. Yet I can understand it’s so people won’t bypass it. (They still will and do.)

1 Like

Something called save instance or something is used.

1 Like

SaveInstance() doesn’t save anything that the client doesn’t have access to (server storage and server-side scripts). I think full game places are saved either through backdoors (somehow) or by bad team members that grab the RBXL file from Studio and leak it.

2 Likes

Can exploiters access ModuleScript to read/write in it?!

Thanks for the very useful post.

If your LocalScripts can do it, so can exploiters.

Backdoors are server-sided. I don’t think server-sided scripts can access the client and download games on them.

Good point… I guess any “uncopylocked”/leaked versions of games that have all scripts and container contents included must’ve been stolen by bad team members through Studio’s “download a copy” menu item, then.

I’ve heard somewhere that exploiters can steal assets from private games, as well as all of the game’s save / version history. Is this true? If the game is private, then how in the world would they get access to it?

More details

For more context / information, some person contracted me to make some stuff in their game, and after I made it, I published it to save my work. They didn’t want me to publish it, but they never told me not to publish it until after they found out that I published it. I sent them a link to the game, so we could test it in the actual Roblox client, and they got mad because it was an old version of the game (because we hadn’t published the latest version yet) that was published to Roblox (because they found out it was published). They told me that everything private on Roblox has a ‘token’ (bear in mind that they were logged into their own account, and were looking at inspect element on the private place’s page). And they said that anybody can do this on any account: on this private place’s page, they could grab the token through inspect element, and then do some things with it (I don’t remember what), and they could somehow download all of the game’s content using something like Dex or Synapse.

I also had an NDA, and they said that publishing the game could violate the NDA.