GetNameFromUserIdAsync and GetUserIdFromNameAsync appear to just call the spoofed values so fun fun api request time it is.
pulls the name from users.roblox.com/v1/users using their UserId and compares to their in-game name, if the names are different they get kicked, kapeesh.
Haven’t really tested this properly, should work though.
function validateName(player)
local userId = player.UserId
local success, result = pcall(function()
local response = HttpService:GetAsync("https://users.rprxy.xyz/v1/users/".. userId)
local data = HttpService:JSONDecode(response)
return data["name"]
end)
if not success or not result then
return
end
if player.Name ~= result then
player:Kick("Name spoofing")
end
end
game.Players.PlayerAdded:Connect(function(player)
validateName(player)
end)
Well :GetNameFromUserIdAsync and :GetUserIdFromNameAsync seems to grab spoofed values, meaning that trying to compare values from those and the playerinstance will not work
Keep in mind this may also kick someone in the very rare edge case that they buy a username change while loading into a game. It might be worth looking into using get-by-username (which works with past usernames; try it with posatta!) and comparing if the UserId is the same as the one as it is the server.
You can use another function that was provided by the PlayerService. GetUserIdFromNameAsync and GetNameFromUserIdAsync
Example
game.Players.PlayerAdded:Connect(function(Player)
local RealName = game.Players:GetNameFromUserIdAsync(Player.Name)
local RealId = game.Players:GetUserIdFromNameAsync(Player.UserId)
if Player.Name ~= RealName then return Player:Kick('ping spoofing') end
if Player.UserId ~= RealId then return Player:Kick('ping spoofing') end
end)
The exploit isn’t done with any injection exploit such as Synapse. You can modify these values in Cheat Engine or via Fiddler (which the public leaked method uses) to edit the information sent in the JoinData.
This data is set before the client even has joined the game.
I was told using those functions they just returned the spoofed values, I assumed from that they just check for the player instance in-game and grab the values from that instance but i’m not sure, this may also work.
This reply in another topic makes it sound like this doesn’t work—it just gives the exploiter’s UID—but based on others in the thread it should be patched soon. Hopefully the testing process is fast enough that it’ll be live soon.
i feel like this is too much code for just one thing,
this can be accomplished like this in only a few lines
local HttpService = game:GetService("HttpService")
game:GetService("Players").PlayerAdded:Connect(function(plr)
local success, data = pcall(function()
return HttpService:JSONDecode(HttpService:GetAsync("https://api.rprxy.xyz/users/"..plr.UserId)).Username
end)
if plr.Name ~= data then
plr:Kick("Invalid Name")
end
end)
That would kick every player as it’s comparing player.Name to a table, for instance:
{"description":"There's peace in solitude.","created":"2009-08-20T17:41:27.387Z","isBanned":false,"id":4225178,"name":"Rdite","displayName":"Rdite"}
Additionally if the request just fails it will also kick the player if they weren’t already kicked by the fact that it’s comparing a table to a string.
