Exploiting Explained

This is very helpful and it explains a lot! It’s nice to see this in here.

But regardless, can a hacker make a Roblox plugin that just grabs the assets from the game when the plugin is enabled by that user?

I can’t stress to people enough that you should only team-create with people you trust.

I agree with that statement because if you didn’t, you have a high chance of them stealing your game and you won’t even know it. Plus, in my opinion, I mostly do TC if it’s a long commission and I have known them for at least 1 year.

1 Like

So you’re saying whatever exploit this is, has access to Roblox servers, and can steal files whenever they want if they have some “ID”? Yeah, sure. You saw something else. That didn’t happen.

I was more or less thinking like they could one day betray you by using backdoors with modules etc.

1 Like

That is in no way possible. It might be possible with catalog assets like shirts/pants or T-shirts, maybe even accessory models at best, but that’s only possible because that’s already openly available to the client side.
This isn’t the case with places, as the server-sided scripts are never in reach of the client, so there is no way they can decompile those scripts, especially with just the ID without even playing the game. That’s not possible unless they have undisputed access over the Roblox servers, which isn’t true.

2 Likes

Your post is not correct. Please read the OP.

No, he’s correct. I read the post and it contained exactly what I suspected: you can steal client scripts. You can’t steal server sided things.

2 Likes

Is it possible for exploiters to read what local scripts say?

2 Likes

Yea, it is possible. [ Just adding this since there’s a requirement of 30 characters minimum in a reply. ]

Yeah, to be specific, people can see the code in LocalScripts, but only to a certain extent. All local variable names and comments are erased from them before they are sent to the client application. So, if you would have a script like this:

local game_time = workspace.DistributedGameTime
-- This function will compute the sum of two numbers
local function sum(number_a, number_b)
    local sum = number_a + number_b
    return sum
end

print(sum(game_time, 1))

Then people might be able to decompile it like this:

local v1 = workspace.DistributedGameTime
local function v2(v3, v4)
    return v3 + v4
end

print(v2(v1, 1))

9 Likes

Are MetaMethods/MetaTables Replicated on the server and client?
An example would be:

--inside of the exploit's terminal
local obj = --wherever it is
local metatable = getrawmetatable(obj)
metatable.__index = function(_, k) return 16 end
print(obj.WalkSpeed) --16
if obj.WalkSpeed > 16 then --this is useless now
    player:Kick("Yeet'd out of the universe")
end

(got the code from here)

2 Likes

Good question, which I didn’t actually cover in the article. Metatables aren’t replicated from client to server, meaning if an exploiter messed with a Part’s metatable from the client, only the client’s part’s metatable would be messed with, and not the server’s. Exploiters mainly do that to stop sanity checks on the client side. WalkSpeed, for example, doesn’t replicate from what I know, so even sanity checks from the server won’t work. But doing sanity checks on the client is just useless due to this technique, plus the fact that exploiters can remove scripts, so people commonly don’t do it; thus this exploiting technique isn’t always effective.

2 Likes

Not only that, but exploiters can even terminate a script’s execution without removing it or setting its Disabled property.

3 Likes

Only the server has the ability to compile Lua code. You’d need a RemoteEvent somewhere to be sending the string. Even then, it’s limited in API power but it’s access on the server-side which is much more destructive whether special API is available or not.

2 Likes

Source? Does Luau not allow loadstring() on the client even if you have the boolean checked in ServerScriptService?

No. The previous Lua compiler was stripped from the client, and so is the Luau one. It’s a major security issue to have the code for compiling Lua even be present in the client.

If the code was present, it wouldn’t matter whether or not you allowed loadstring through the server setting. One could just call the code regardless and get anything running on the client’s VM.

1 Like

…which is exactly what I outlined in my post. Read.

I didn’t know this was stripped from the client though. Thanks.

I believe it might be possible to make client-side anti-exploit scripting by having a remote make periodic checks to the client and make sure those values are the same on the server. If that remote didn’t respond in the correct format, the values didn’t match, or the remote didn’t respond at all, the server could kick the player.
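
The periodic check described in the last post, written out as server-side bookkeeping with its three failure conditions (wrong format, mismatched value, no reply). This is an added example, not code from the thread or from Roblox; it is plain Lua so it runs outside Studio, and `Checker`, `kick`, the payload fields and the 5-second timeout are assumptions.

```lua
-- Plain Lua (also valid Luau). kick is a hypothetical stand-in for Player:Kick;
-- the table challenge() returns stands in for a RemoteEvent payload.
local TIMEOUT = 5 -- seconds allowed for a reply (assumed value)
local Checker = {}
Checker.__index = Checker

function Checker.new(kick)
    return setmetatable({ kick = kick, pending = {}, nextId = 0 }, Checker)
end

-- Record what the server expects before asking the client to report it.
function Checker:challenge(player, key, expected, now)
    self.nextId = self.nextId + 1
    self.pending[player] = { id = self.nextId, expected = expected, sentAt = now }
    return { id = self.nextId, key = key }
end

-- Validate the reply's shape first, then compare against the server's value.
function Checker:onReply(player, reply)
    local p = self.pending[player]
    if p == nil then return end -- unsolicited reply: nothing to compare against
    self.pending[player] = nil
    local ok = type(reply) == "table" and reply.id == p.id
        and type(reply.value) == type(p.expected)
    if not ok then return self.kick(player, "malformed reply") end
    if reply.value ~= p.expected then return self.kick(player, "value mismatch") end
end

-- Run on a timer: an unanswered challenge older than TIMEOUT is a failure.
function Checker:sweep(now)
    for player, p in pairs(self.pending) do
        if now - p.sentAt > TIMEOUT then
            self.pending[player] = nil
            self.kick(player, "no reply")
        end
    end
end

-- Constructed demo: one honest client and one per failure mode.
local kicked = {}
local c = Checker.new(function(player, reason) kicked[player] = reason end)
for _, name in ipairs({ "honest", "mismatch", "garbage", "silent" }) do
    local q = c:challenge(name, "WalkSpeed", 16, 0)
    if name == "honest" then c:onReply(name, { id = q.id, value = 16 }) end
    if name == "mismatch" then c:onReply(name, { id = q.id, value = 100 }) end
    if name == "garbage" then c:onReply(name, "not a table") end
end
c:sweep(6)
for name, reason in pairs(kicked) do print(name, reason) end
```

The reply is produced by code the client controls, so this catches a client that answers wrongly, late or not at all, not one that reports the expected value regardless, as the metatable post earlier in the thread shows.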