On The Exploit Side Of Things

Hey! I’ve seen many threads or topics about exploits and things like them. I’ve seen many false and true things so far, so I’m here to help you know what’s true and what’s false. Feel free to ask questions in the comments too!


What is an exploit?
An exploit is a software tool designed to take advantage of a flaw in a computer system, typically for malicious purposes such as installing malware.
Many people call exploiting hacking while some choose to call it exploiting. Hacking is exploiting, but exploiting isn’t hacking. Hacking is where you use these flaws and reverse engineering to illegally access someone else’s data/account.


How Exploits Work.

Exploits have many names. Some call them ‘Executors’ while some call them ‘Exploits’. Even though it has many names, it is still the same thing. An executor/exploit is a program that is either free or paid that injects a Dynamic Link Library, or DLL for short, into the game process. It allows the player to make changes to the client or even find a way to change the server.
Executors have many different levels depending on the strength. If an executor costs more it most likely has more strength and is able to output more scripts.


Scripts.

As mentioned, these exploits run on strength. The more strength the executor has, the more ability it has to run more powerful scripts. The reason it is able to run more powerful scripts is that the higher the level, the less local the script is.
The scripts to use with your executor are easy to find and easy to make. It doesn’t take much Lua knowledge to make them.


Remote Events.

One of the most common and simple ways they exploit is using remote events.
Let’s say you own a clicking game. To register the click they have done, you would most likely use a remote event to alert the server that they have clicked. All they need to do is run a script that logs the remote events, most commonly SimpleSpy. After they click, it will know where this remote event is and how to fire it. All they would have to do is copy the code and run it. After they have confirmed that it counts as the click, they would most likely put it in a while true do loop so they have a very fast autoclicker that’s undetected by Roblox.


Module Scripts.

Module scripts are another one of the many ways people exploit. Let’s say there’s a gamepass that has to check if you bought it so it will open a GUI if you click the button. Most likely you will store this in a module script. If this uses “HasPassOtherwisePrompt”, then they can edit this to make it a new function that always returns true. Another example is if you store a module script that has the gun’s magazine size in it, then they can change it to whatever they’d like.


Backdoors

Backdoors are one of the many highly discussed things in the dev forum as it is easy to fall for one. Backdoors can be found in free models and plugins. Backdoors let the user and anyone they want access basically a clone of the dev console. There are many UIs that are free and paid to access these backdoors. Whenever someone gets access to this backdoor, they can run require scripts that give them a UI or script they choose.


How to Find Them?

Backdoors are starting to become more and more common these days. One way to find free model backdoors is by pressing CTRL + LSHIFT + F. This allows you to search for anything in all the scripts. After pressing that key combo, search for ‘getfenv()’ and ‘require()’. Most backdoors use this to get their backdoor in your game.


What about Plugin Backdoors?

Virus plugins or plugin backdoors are plugins that have a backdoor purposely put in them. Usually if you notice there is a backdoor in your game and you can’t delete it, then it’s most likely a plugin causing it. Follow this video: Roblox how to detect plugin viruses - YouTube. If you have a plugin with a virus, it will show how to remove it and locate it.


Many Ways To Prevent Exploiters

Sadly, there are many games that have no anticheat as the creator doesn’t know how to make one, so here are some ways you can prevent exploiters.

  1. Fake Backdoors/Exploits

To take necessary protection you can create a remote event that’s disguised to be a backdoor/exploit. Make there be a script for when this remote event fires to ban the player. They won’t be back on that account.

  2. Anti Teleport

Many exploits have their fun by teleporting to players or to different places. You don’t want an exploiter tping to the end of your obby, so you need something to prevent them from teleporting. Here’s a good tutorial on how to make one: ANTI EXPLOIT: ANTI TELEPORT | Roblox Scripting Tutorial - YouTube


Mistakes

There are some mistakes that you can’t afford to make, such as creating an admin UI while there’s a backdoor. The exploiter can simply execute a command through the backdoor to open the admin UI. Another mistake is not protecting your remote events. Here’s a good video on securing remote events: How to secure Remote Events | Roblox Studio - YouTube


Please feel free to comment any questions or feedback about this, thanks!

-proxy

8 Likes

I have no idea what you are referring to when you talk about ‘strength’ of a script. How can a script or exploit have strength?

The part about Module scripts and editing things like HasPassOtherwisePrompt.
You don’t do checks like that on the client. It doesn’t matter if it’s a module or a script as long as the check is made on the server and not the client.

The warning should not be about using module script but about doing important checks on the client.

1 Like

What I mean by strength is how local the exploit is. Some exploits such as level 1’s can’t run a simple script while some that are level 7 or 8. It’s basically how local the script is. There’s really not a way to explain this strength mechanism well, sorry.

1 Like

This goes in #resources:community-tutorials

Oh, Sorry, didn’t really realize how much this is a tutorial until now, thanks for mentioning.

Of course there is a way, you just need to know what you’re talking about.
A script can’t be “more local” or “less local”, this is incorrect.

The level of the executor is basically a script identity, however, the term “level” is often misused or misunderstood so there are many wrong definitions.

You can read more about Roblox script security here: Security context | Roblox Wiki | Fandom

1 Like

Another option for in-game security is the Network Ownership.

Edit: One of the clients closest to an unanchored part can gain network ownership of that part, meaning they can update all of its physics-related properties (for example, its size and position) for all the other connected players in game.

More info on Network Ownership here: Network Ownership | Roblox Creator Documentation

There is, it is literally the context level of the script. Some functions have higher required context levels than others and some may require lower context levels.

This isn’t protection, protection is preventing them from being able to interfere with your code by securing your RemoteEvents and RemoteFunctions, simply don’t have a money remote, don’t pass values from Client to Server that you want to be updated, handle the updates on the server instead and don’t trust the client for things like that.
Example: Player wants to purchase something, have a remote that sends the name of the item they want to purchase, the server then has to check if they have enough money to cover the price of the item and then grant them it, I’ve seen many cases where games get destroyed due to having remotes that simply pass the item name and price to the server.

Yeah except every tool you’d use for hacking can be considered an exploit by this standard.

Unauthorized is different from illegally. If we go by Google and Kaspersky standards, hacking is the same as exploiting, as both involve unauthorized access to data (and reverse engineering in most cases).

Most of this information, while not totally incorrect, is misleading. Module script changes on the client (made by exploiters) don’t pass to the server, meaning they can’t just make a function to pretend you own a gamepass if you properly check it on the server. What you’re talking about is something most FPS games resort to in order to easily handle weapons for laggy players, which is having part of the code on the client and lax security. In this case easier doesn’t mean secure and leaves gaps for things like changing the firerate, changing which part it hit, etc. Many games such as Arsenal, Counter Blox, BIG Paintball suffer from vulnerabilities like these.

Addendum that they can be put by someone you add on Team Create. Be cautious with the people you give access to your game.

Yes. Change server, here is a very famous example of an exploit changing the server!!!

4 Likes
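The purchase flow described in the reply above, as an added example that is not part of the original thread: the client sends only an item name, and the server looks up the price and checks the balance itself. `PRICES`, `wallets`, `handlePurchase` and `PurchaseRemote` are hypothetical names, and the requests at the bottom are constructed.

```lua
-- Added example: server-side purchase check. All names here are hypothetical.
-- The price table lives on the server; the client only ever sends an item name.
local PRICES = { Sword = 100, Shield = 250 }

-- Constructed stand-in for per-player server data (a real game uses its own store).
local wallets = {}

local function getWallet(player)
    wallets[player] = wallets[player] or { coins = 0, owned = {} }
    return wallets[player]
end

-- Returns ok, reason. Extra arguments from the client (such as a price) are ignored.
local function handlePurchase(player, itemName)
    if type(itemName) ~= "string" then
        return false, "bad argument type"
    end
    local price = PRICES[itemName]
    if price == nil then
        return false, "unknown item"
    end
    local wallet = getWallet(player)
    if wallet.owned[itemName] then
        return false, "already owned"
    end
    if wallet.coins < price then
        return false, "not enough coins"
    end
    wallet.coins = wallet.coins - price
    wallet.owned[itemName] = true
    return true, "granted"
end

-- In Roblox the wiring would be (PurchaseRemote is a hypothetical RemoteEvent):
--   PurchaseRemote.OnServerEvent:Connect(handlePurchase)

-- Constructed requests; runs in plain Lua or Luau.
getWallet("Alice").coins = 120
local requests = {
    { "Sword", 0 },       -- client also sends a price of 0; it is never read
    { "Shield" },         -- costs more than the remaining balance
    { "Sword" },          -- repeat of an item already granted
    { { price = 0 } },    -- wrong argument type
    { "Crown" },          -- not in the server's price table
}
for _, req in ipairs(requests) do
    print(handlePurchase("Alice", req[1], req[2]))
end
assert(getWallet("Alice").coins == 20)
```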

Untrue, they cannot update all of its properties, they can change physics interactions with it. Network ownership is for physics calculations being handled by a specific client, not part being handled by client.

2 Likes

Oops. I didn’t realize I wrote ‘all of its properties’. Thanks for picking up on that, I will edit the reply.

Not gonna lie, this entire post seems like it was made by someone without knowledge of how exploits work and how to prevent them. It completely ignores the best principle: Never trust the client. Always run checks on the server and make sure sanity checks are always in play with Client to Server interactions.
Can’t wait to change the server from the client! This isn’t a year before 2017, FE is required for every game now.
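A server-side sanity check for the clicking-game remote from the opening post, as an added example that is not part of the original thread: the server counts clicks per player in one-second windows and drops anything above a ceiling. `MAX_CLICKS_PER_SECOND`, `onClick` and `ClickRemote` are hypothetical names, the ceiling of 15 is an assumed value, and the traffic is constructed.

```lua
-- Added example: server-side rate limit for a click remote. Names are hypothetical.
local MAX_CLICKS_PER_SECOND = 15   -- assumed ceiling for a human player; tune per game

local state = {}   -- per player: window start time, clicks in window, accepted total

-- `now` is a time in seconds; a Roblox server would pass os.clock().
-- Returns true if the click is counted, false if it is dropped.
local function onClick(player, now)
    local s = state[player]
    if s == nil then
        s = { windowStart = now, inWindow = 0, total = 0 }
        state[player] = s
    end
    if now - s.windowStart >= 1 then
        -- A full second has passed: start a fresh window.
        s.windowStart = now
        s.inWindow = 0
    end
    s.inWindow = s.inWindow + 1
    if s.inWindow > MAX_CLICKS_PER_SECOND then
        return false   -- over the ceiling: ignore (a game could also log or flag this)
    end
    s.total = s.total + 1
    return true
end

-- In Roblox the wiring would be (ClickRemote is a hypothetical RemoteEvent):
--   ClickRemote.OnServerEvent:Connect(function(player) onClick(player, os.clock()) end)

-- Constructed traffic: `fires` remote calls spread evenly over `seconds`.
local function simulate(player, fires, seconds)
    for i = 0, fires - 1 do
        onClick(player, i * seconds / fires)
    end
    return state[player].total
end

local looped = simulate("Looper", 1000, 2)   -- a script firing the remote in a loop
local human = simulate("Human", 10, 2)       -- a person clicking
print("looped client credited:", looped)
print("human client credited:", human)
assert(looped == 2 * MAX_CLICKS_PER_SECOND)
assert(human == 10)
```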