[PATCHED] Another Celery Inject Detection!

Hey, this is now patched. This should no longer be used in games as Celery patched this detection.

We all heard of the new Celery exploit, and the detection made by my good friend @Unlimited_Objects!

So I found another incredible detection, but this time it involves MessageBusService and Weak Tables!

Celery devs are unaware of weak tables and garbage collection, so we can use that to our advantage.

To detect it, we will abuse the fact that Celery doesn’t remove references after hooking functions in their Init Script! This means we can check if they reference that, and well, detect Celery.

```lua
while true do
    local MessageBusService = game:GetService("MessageBusService") --> Get MessageBusService
    local OurWeakTable = setmetatable({MessageBusService}, { __mode = "v" }) --> Checks if MessageBusService is referenced

    MessageBusService = nil --> Remove the reference, so normally, no scripts are referencing it

    task.wait(4.5) --> Wait for garbage collection! Very Important! (This can be done more efficiently but this is just a showcase, not a guide on how to make anti-exploits)

    if OurWeakTable[1] then --> If the value didn't get garbage collected, it means Celery is attached (Init Script ran)!
        warn("Detected!")
    end
end
```

Keep in mind that this is a very simple detection! I have approximately 4-5 Celery detections ATM, due to how gracefully they secure the exploit (and their Init Script).

:warning: For people saying “They can hook the setmetatable”, “They can hook the GetService”, or “They can hook the task.wait”, I’m not going to explain to you how to make an anti-exploit, this is meant to be added to an anti-exploit. Also hooking those functions (if not done correctly) would just crash/make the game unplayable (CoreGuis freezing for example) :warning:

Also, :warning: This isn’t the best way to do weak tables, but this is just a showcase of how it can be done! :warning:

Finally: This detection requires you to not reference MessageBusService anywhere in your game (If you have no idea whether you are referencing it or not, you probably don’t reference it)

12 Likes
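
The weak-table check from the post above, reduced to plain Lua so it runs outside Roblox (an added example, not the poster's code). `newService`, `makeProbe`, `check`, `thirdPartyState` and `gameCache` are hypothetical names, the service objects are constructed stand-ins, and `collectgarbage("collect")` stands in for waiting on the collector; the last case shows why the post requires that the game's own scripts never reference the probed service.

```lua
-- Added example in plain Lua (5.1+), not Roblox Luau. Service objects are
-- constructed stand-ins; collectgarbage("collect") replaces the post's
-- task.wait(4.5) because stock Lua can force a full collection.

-- Stand-in for the Lua-side object that a GetService call hands back.
local function newService(name)
    return { Name = name }
end

-- Builds the probe: a weak-valued table whose single slot holds the service.
-- A weak value does not keep its referent alive, so the slot becomes nil
-- once no strong reference to the object is left anywhere in the program.
local function makeProbe(holder, name)
    local service = newService(name)
    if holder then
        holder[name] = service  -- some other code keeps a strong reference
    end
    return setmetatable({ service }, { __mode = "v" })
end

-- True when the object survived a full collection, i.e. something other
-- than the probe still holds a strong reference to it.
local function stillReferenced(probe)
    collectgarbage("collect")
    collectgarbage("collect")
    return probe[1] ~= nil
end

-- One detection pass. The probe is built in its own function so that no
-- local in this frame still holds the object when the collector runs.
local function check(holder, name)
    local probe = makeProbe(holder, name)
    return stillReferenced(probe)
end

local thirdPartyState = {}  -- models a script that never drops its reference
local gameCache = {}        -- models the game's own code caching the service

print("nothing holds it:       ", check(nil, "MessageBusService"))
print("foreign script holds it:", check(thirdPartyState, "MessageBusService"))
print("own code holds it:      ", check(gameCache, "HttpService"))
```

The probe cannot tell who holds the reference, so a cached service in the game's own code is flagged exactly like a foreign one.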

this is very good :+1:
I will put this in my game to stop the bad exploiters.
good community resource!

3 Likes

Thanks, I appreciate it! Would be super cool if you made a guide to making an anticheat sometime or just some tips/tricks to help noobs like me🙏

3 Likes

Will think of that :thinking:

Though it would be basic detections, not advanced meta hooking detections or stuff

3 Likes

I mean… Celery is a pretty bad exploit, and not sure if many people use it unless they’re desperate script kiddies. And there is one “exploit” that bypassed it, and I think I remember seeing a v3rm post they made about the bypass.

Though, this is better than nothing, even though I don’t really play roblox. Keep up the good work.

2 Likes

try to make a detection for electron or fluxus which are microsoft store roblox hacks

Those are more mainstream exploits, if anything, they’ll patch it real quick.

1 Like

they've been up for quite a while and I don't think that they are able to patch it bc they will have to rewrite all of byfron I think or they might not be able to implement it bc of rules. also electron does have some issues, such as usually having to restart the app if you want to inject

can’t wait for this to be bypassed

2 Likes

UWP version of roblox doesn’t have byfron.

1 Like

Turns out: I already detect fluxus and electron when they feed bytecode into the roblox lua interpreter, though, as @WonderWorksXD said, they’ll patch it real quick

As proof, I have made this anticheat for a friend. You’ll get instantly detected for attaching, running a script, or hooking a game’s metamethod (__namecall is the most detected one)


When you don’t really know how anti-exploits work (and when you don’t read entire posts), you probably shouldn’t say that

It should be mentioned that no script running on the client should use MessageBusService or any other service being used for the weak ref detection (I’ve seen HttpService and InsertService used for an identical detection years ago), or else those scripts will be detected for holding a reference to the service. Also, hooking setmetatable, GetService, or task.wait is much more difficult than cloning the reference to MessageBusService (at least assuming Celery has cloneref). Also also, I would change Unlimited_Objects’ credit to say that he discovered the vulnerability in Celery instead of created the detection. It’s more accurate, since he didn’t actually invent weak reference detection (probably) or measurably expand upon it in the code, and it actually acknowledges the work he went through to reverse the exploit, which I believe to be much more commendable than implementing an already known detection. Thanks for publishing this.

You are right, no scripts on the client should use MessageBusService, but this is the entire point of the detection, as MessageBusService is NORMALLY NOT USED BY ANY GAMES, as its methods are for higher thread identities.

Yes, I am aware of cloneref, but AFAIK Celery doesn’t have it. The notice about hooking was made for devforum members that think that everything is easily hookable (without giving an example too!).

By creating, I mean discovering. Of course, I didn’t invent weak tables, his detection relied instead on getfenv, which deoptimizes some Luau optimizations as it makes an ENV “Unpure”. (Where did you find the term “Created” in my post? I can’t find it.)

One thing you may not have understood, though: I discovered this detection, not @Unlimited_Objects.
As said just above:

I didn’t invent weak tables, his detection relied instead on getfenv

This is the detection I DISCOVERED, and AFAIK Unlimited CREATED the getfenv detection

but I did lol. there’s no reason to attack the guy

It was a “RC7” revival thing but it’s fake and was a joke

Plus the Scriptware team managed to bypass it (SCREENSHOT NOT FROM ME! IT’S FROM THEIR COMMUNICATION SERVER)

I think they already know this, they are just waiting until they release to reverse engineer ScriptWare, and maybe fix the problems, expect a lot of bans after the patch gets released, but who knows, this is just my theory, we don’t know what will actually happen when it gets released, but I doubt the byfron team will just ignore it, and not try to patch it.

1 Like

Yeah, that was kinda funny, the only “Exploit” that works, is an AIMBOT/ESP exploit, which is probably getting patched on the next release, apparently, Byfron doesn’t crash the client, because the cheat uses a feature, that they didn’t intentionally block, because of legitimate software relying on it.

1 Like

Would that feature be the overlays?

Forgive me for misreading your thread and assuming that you were crediting this detection to Unlimited_Objects. I think if you reread it you will see that it is an easy mistake to make. Also, I did not find the word “created” in your post, and I shouldn’t be expected to because I’m not quoting you. Explaining to you my misunderstanding should hopefully clear up what I meant when I said that in the first place, though. I have nothing to say about Unlimited_Objects’ detection, because I have not seen it. I will, however, stand by my original point that it should be mentioned that no script should keep a reference to the Instance used for weak reference detection. Obviously MessageBusService is useless to script identity 2, but like I said, you can do the same detection with HttpService or InsertService, or even a Part in Workspace. If someone were to edit this script and make their own detections out of it, they should know about that detail. That’s why I mentioned it in the first place. That remark wasn’t for you, it was for the person who scrolled down to try to figure out what’s going on.