Exploiting Explained

This won’t actually do anything; ModuleScript instances are still held in nil when they are destroyed, not to mention that one could probably hook a function from within your module or script without actually having the module or script, and then from there “extract” the environment. Abstract and confusing local “protection” is just an all around bad idea.

41 Likes

Nice job. You explained this in very mature manner, gave detail, and something to support the topic. We need people like you these days. Keep up the GREAT work! :+1:

15 Likes

What is bullet drop and proper spread?

10 Likes

Bullet drop is how the bullet falls in an arch as it travels.

image

And spread is when you hold down the trigger and the bullets spread around instead of hitting the same spot.

image

17 Likes

I truly believe there could be ways of fixing the loopholes, most modern games already are out of the exploiting era, roblox should indeed hire a lot of white-hats, for the sake of everyone, clothing copying fixing, loopholes used by exploiting, and etcetera.

12 Likes

Before I knew about remote exploiting, my server had 0 checks because I thought the remote events/functions magically checked for exploits/tampered information.

17 Likes

The wierd functions should of been explained in more depth, I already know how most work and I really haven’t tried to learn them, they can be pretty powerful and it shouldn’t be a one paragraph explanation.

7 Likes

This sadly isn’t true. Games that appear this way are either not popular enough to attract this audience, don’t contain a mechanic someone would desire to exploit for their own benefit, or simply hasn’t been exploited/hacked yet.

16 Likes

Then, battleye does a great job, if not perfect, try and study it out. I’ve never seen any hackers on Arma II or Arma III in my life span.

5 Likes

A quick internet search usually shows otherwise; maybe you haven’t encountered them ingame but there’s certainly people doing it if the game is popular enough.

13 Likes

I’ve been a part of a few Arma communities with 200+ players, and friends with the developers. To casual players that play with a few friends on small servers, it may seem like battleeye does a very good job at preventing hackers. However, on these popular servers, hacking is still prevalent and custom hacking detection is still a must-need even with battleye.

11 Likes

Man, you’re amazing, you did a great job publishing about this. you have a good and correct information!

6 Likes

Great work! As most comments say, people jump to blame ROBLOX straight away but never think about the actual player.

13 Likes

I’m pretty sure Fortnite uses battleye and it’s perfect. In over a year of playing the game I can only recall encountering ONE blatant cheater.

Of course there are still people making hacks for it and videos on YouTube, but the hacks get detected so fast that’s it’s literally pointless using them.

13 Likes

Well, according to my friends who work in that field, Fortnite actually uses 2 anticheats, and it just chooses 1 to use at startup, so technically you’d have to bypass 2. I know there are Fortnite cheats, though. The harder the cheat is to make, often times the more private. Again, there’s no game that’s really immune to it unless you’re playing Tetris and literally everything is server sided.

13 Likes

I’ve actually played Arma III multiple times and I still do, Arma 3 contains 2 anti cheats, 1 at the startup and then the server admin, so you’d be bypassing 2, however it depends on what you use, I personally believe ROBLOX should focus more on trying to make it harder to exploit, like basically a way to stop an injection, I don’t know how but it’s what I think.

8 Likes

I don’t think you should hold such a belief because it is in contradiction of a couple of things (as others have stated on this thread):

  1. At the end of the day, client-side security is never truly secure
  2. To achieve a properly secure system, the developers must apply protection measures on the server
  3. Preventing the code injections you’re referring to is client-side security
  4. Client-side “security” gives end users and developers a false sense of security, potentially leading to neglect with regard to server protections

Also, Roblox have always been improving the security on both ends. They just haven’t brought it up publicly because that would be counterproductive: hackers (exploiters, if you will) would merely gain more information from it.

The reason why you may not have noticed a change despite these improvements is because many of them are client-sided, and so they are ineffective. There’s also the fact that Roblox has rapidly increased in popularity leading to it becoming an important target for hackers.

11 Likes

I think a built-in Anti-Cheat on the Roblox servers would be a way to completely stop exploits. Games that use PunkBuster or BattleEye have virtually no cheaters, and if they do, they’re banned shortly after being detected.

The argument that “client-sided security is never secure” is null in this instance. A lot of games will outright block your access if you don’t have PunkBuster or BattleEye installed. I’m not sure why Roblox couldn’t do the same. They could also do the Server-Sided approach.

I think it could come down to licensing issues, or maybe they want to make everything themselves. But Exploiting has gotten a lot worse recently, and developers can’t be expected to do everything when they have blocked access to 90% of the services that exploiters typically inject their code or UI into. A lot of these exploits typically inject their UI into the CoreGui, which unsurprisingly enough, doesn’t allow read access. Devs having read access to the first child throughout the CoreGui would solve a lot of problems relating to exploits.

11 Likes

Most of these anti cheats require kernelmode, often through the usage of a signed driver(?). Still, there are cheaters that get through and more private hacks circle around; if they’re smart they’ll cheat and not get banned. It’s not a null argument when it’s clear that no amount of obfuscation on the client side or checks will stop anyone. An example (not game related, but still) would be the pdf written on the old Skype client which detailed so much of their security and ways around it, despite it being insane things like rewriting itself as it ran.

Tl;dr Roblox games are too diverse to have an universal stop-all anti cheat, and the fact is Lua as it is right now is a very open attack vector by design.

16 Likes

I haven’t been living under a rock but what? People can just steal all our work? Now I am totally thinking of creative ways to hide my stuff… and also feeling a little unmotivated… smh

6 Likes