Insights on exploit prevention

Oh lol. Never seen a noclip that does that.

How do they even work - the ones that don’t use bodymovers.

Some change the HumanoidState to StrafingNoPhysics or just make all the parts in workspace non-cancollide (something like that)

(post withdrawn by author, will be automatically deleted in 24 hours unless flagged)

Some change your humanoid state to StrafingNoPhysics, other ones set all your body parts CanCollide to false in a RenderStepped loop, and some just change the CanCollide of every part you touch to false.

So when I have a local script running an infinite loop does that mean that script can’t be modified? I have a custom camera script with :BindToRenderStep(). The script basicly never stop executing does this mean that all the hacker can do is change variables? Because if so why don’t we just put a while loop at the end of each script so the hacker can’t modify it?

No, it can’t. Their machine = their terms. Anything on their client can be modified and manipulated.

ModuleScripts return something, they do not run code. The code is ran on the code that required it, meaning they can be disabled if you disable the code that runs it.

The limits are still practically non-existent. A competent exploiter can manipulate practically anything on their client.

All data of a Lua proto can be modified at runtime. Code is not an exception.

To strengthen what you are saying, let me add some examples.

I have installed a SSL certificate on my machine which allows me to perform a MitM attack on any program performing network requests on my machine over SSL/TLS/HTTPS (like Roblox). I can see and write simple scripts (with the tools I use, in Lua) to replace any values I want. This means that if the client tries to tell the server in any way that I’m misbehaving, I can just edit it transparently without my machine or the server knowing what I did. I can also send any messages I want, duplicate them, or even block them for a time or indefinitely. The server will never know if a local anti-cheat detects anything.

Since Lua is a VM language, editing its memory is easier than a normal compiled program like the engine. The interpreter has a defined (open source, mind you), predictable, and consistent behavior. This makes editing its memory easy. Editing the variables in a script is easy. Since editing variables in a script is easy, controlling its logic is also easy. You see where I’m going with this? I can make any script see anything I want it to see. Since I don’t want to see the bad things I’m doing, I’ll just make it see that I’m not doing anything bad. All client anti-exploits have just been defeated by a single method that is easy to slightly change for every use case.

If I really wanted to mess with things, I’d make it easier by running Roblox on Linux using Wine (Wine Is Not an Emulator, the implementation of windows libraries in linux) and use Linux’s extra freedom to really screw around. All OS functionality can be relatively easily edited to do whatever I want; report on whatever memory or arguments I want it too, and lots more.

I’ve repeatedly told you, and am telling you again along with the two other respectable people above me, client side anti exploits are easily avoided and are only suitable for a quick and dirty emergency patch while a more robust method of prevention is developed.

• They are limited in practice, but in theory they have the power to stop threads (and I do recall that at some point an executor has been able to do this and advertised it as a high-end feature)

• The exploiters code can be executed before the source is even executed on the client.

• And finally, no - it cannot be avoided! It doesn’t matter if you invented Lua or just started yesterday, you cannot prevent your code from being stopped or modified on the client because they control the client. They can modify your environment’s variables. Example: to counter your first argument about destroying the script, the can just rebind the :Destroy() function to just return true?

You’ve just described things that can annoy an exploiter into giving up more easily - I am not talking about practice though. You stated that it can 100% be prevented - and it cannot. You cannot do anything except obfuscate and irritate the malicious user. Nothing that has been described will stop someone who is being getting sums of money to create exploits for a front-page game.

This argument always goes back and forth, so I’m going to state here - I’m not entirely against client-side checks. I am just very cautious about reccomending them, especially where it is at the expense of proper serverside checks.

It’s far harder to execute effective client-side security than it is to focus effort on server-side security, so reccomending beginners to learn all of these advanced concepts about script environment hooking and causing complicated decompilers to error will just mean that the answer is less effective, and in my opinion, they haven’t actually learnt how to properly secure their game.

Yes, a hijacker can very easily change any of those variables. Or they could stop the loop from executing by changing the value of :BindToRenderStep(). It’s not effective.

Please don’t do that.

It’s not theory though. Client data manipulation is very real, not theoretical, and many people can do it.

Yes, requiring a module simply returns the variable that it’s told to in the ModuleScript. No code is ran inside the module, and is ran as if it was, for example, a function of the script that required it.

There is a distinction. Dynamic data can easily be manipulated (this includes protos, scripts, instances, etc) and this is by design and must be possible. Static data (readonly data and Roblox binary source) on the other hand, while it can be modified, there is a super complex check in place for it that no one ever really bothers with because you don’t need to get around it to get an exploit working.

Side note: “Data manipulation” for dynamic data is often as easy as *(type*)data = value;.

Server side security is the way to go. While good client side security can and will prevent most exploiters, there will always be someone in the exploiting community competent enough to break your security, and even worse, profit off of it.

Improve your server side security first, and client security next. Do not even consider renaming locals or minifying scripts as obfuscation, as that will not get in the way of determined exploiters who want to defeat your security.

I’m not sure what you mean by no scripts or map info are sent over the network. You can see script source in the .rbxl file along with part and other information easily. It is made even easier by the fact that Roblox released their special compression formation and tools to extract place information are available. If your talking about script variables and run time internals then I’d agree with you, but I never mentioned that in my post. You can also see part movements over the wire, although I’ve never done this.

A HTTPS proxy can. As I said, I’ve installed a local certificate and I have gone that far. I actually wrote a paper deconstructing Roblox internal API calls for my advanced protocol analysis class. I used Wireshark and a HTTPS proxy I will leave unnamed. For that project I ran Windows in a VM on my Debian Linux machine so that I could host Roblox in a Host-Only network and guarantee that I catch ALL traffic.

That wouldn’t be Roblox’s protocol, it would be HTTPS or lower down the OSI model TLS. Once you strip that away with the HTTPS proxy as I mentioned, it is prone to replay attacks.

I’m sorry, at this point I don’t trust you.

An annoyance, nothing more.

While I admit that getting a complete picture of the control flow may be more difficult, changing variables to hide activities is much easier. This controls the logic flow, effectively making the anti-cheat innocuous.

Right, the point of using Wine is to ease some of the security features present in Windows. In Linux you can easily load Kernel modules and become the true god of your machine. I haven’t done it myself (but being a Linux user I’ve looked into it) but it is present inside the WineHQ database.

All it takes is one person to decide they want to profit from their knowledge, then the script kiddies swarm down.

Everything from the instruction opcodes being shuffled to their encoded register/values being encrypted is possible. This reply isn’t exactly valid and just dismisses the point. “Editing” the “memory of the Lua VM” is actually editing the memory of the Lua states being used by the VM, so I can’t exactly tell what you were trying to say with your original post either.

Ah, shoot, let me clear it up then:

From my viewpoint Lua’s memory and the VM’s memory are the same thing. Since the VM alters its memory in the same way for every script, it is easier to manipulate Lua’s memory than the memory of a normal compiled executable.

Sniffing Roblox’s HTTP traffic won’t give you scripts or map info. They’re sent over Roblox’s gameserver protocol. You’re going to have to look somewhere else if you want to even consider getting anything useful from Roblox’s HTTP requests.

Fiddler is an HTTP proxy with abilities to sniff HTTPS traffic. As stated earlier Roblox literally does nothing useful in terms of the actual game over HTTP, everything is done over the protocol Roblox uses for their gameserver. I highly doubt you’ve “deconstructed Roblox’s internal API calls” since you’re still telling everyone how you sniffed their HTTPS requests and got very useful data.

Roblox doesn’t use HTTPS to communicate with it’s gameservers and as far as I know they NEVER have, so your statement is invalid.

You can’t be trusted either considering you’re spreading invalid knowledge.

Still prevents what you’re saying is possible.

Why would you just change random variables for no reason?

I’m pretty sure you’ve never tried running Roblox on wine. It simply WON’T work. You can also load kernel drivers in Windows too, no difference.

Spreading misinformation won’t help it you guys either.

Also, like said earlier, Roblox has added a ton of security to it’s Lua implementation. It’s far from predictable.

IIRC it is actually RakNet which provides replay attack mitigation. I don’t really know why you’re talking about using a HTTPS proxy; the Roblox game client only makes use of HTTPS to fetch assets (images, audios, etc.)

If you want to learn more about the Roblox protocol, I recommend taking a look at roblox-dissector by @gskw

When a user joins a game, they don’t receive a .rbxl file. The server replicates instances over the network and scripts (rather, Lua bytecode chunks) are sent in a serialized, enciphered form.

I’ll admit, when I deconstructed the HTTPS traffic it was Roblox Studio’s traffic instead of the Roblox Player. I assumed that the Roblox player must do something similar, which many of you are telling me it doesn’t. I’d have to look further into the Roblox Player communication before I comment any further. My mistake.

(I didn’t want to risk encountering other player’s information or exploit on a live server)