Here’s a funny detection method to detect and punish exploiters that use executors such as Arceus X, Wave and etc. This currently works to detect all mobile executors, and most people moved into mobile exploiting due to Hyperion being added on Windows!
-- average corescript function name:
local function OnPerformanceStatisticsShouldBeVisibleStateChangedEventTriggeredReactionFunctionalityHandlerMethodProcedureModuleSystemComponentSoftwareArchitectureDesignImplementationMaintenanceMonitoringAnalysisOptimizationPerformanceEnhancementTrackingVisualizationNotificationUserInterfaceInterfaceElementControlPropertyConfigurationModificationUpdateManagementAutomationIntegrationCustomizationExtensionDevelopmentCoaborationTestingValidationVerificationDebuggingDocumentationDeploymentScalingMigrationSecurityComplianceAccessibilityLocalizationIntertionalizationErrorHandlingExceptionHandlingLoggingReportingAnalyticsDataCollectionProcessingStorageRetrievalPresentationUserFeedbackIterationRefinementDocumentationReviewApprovalRelease()
return warn("Your executor is ULTRA DTC ⚠⚠⚠") -- you can replace this with anything, i recommend crashing the client because this is a client sided detection and they can hook functions like Player.Kick, to crash the client simply replace this with "while true do end"
end
local Success, Error = pcall(function()
game:GetService("MarketplaceService"):PromptGamePassPurchase()
end)
if Success then
-- solara
OnPerformanceStatisticsShouldBeVisibleStateChangedEventTriggeredReactionFunctionalityHandlerMethodProcedureModuleSystemComponentSoftwareArchitectureDesignImplementationMaintenanceMonitoringAnalysisOptimizationPerformanceEnhancementTrackingVisualizationNotificationUserInterfaceInterfaceElementControlPropertyConfigurationModificationUpdateManagementAutomationIntegrationCustomizationExtensionDevelopmentCoaborationTestingValidationVerificationDebuggingDocumentationDeploymentScalingMigrationSecurityComplianceAccessibilityLocalizationIntertionalizationErrorHandlingExceptionHandlingLoggingReportingAnalyticsDataCollectionProcessingStorageRetrievalPresentationUserFeedbackIterationRefinementDocumentationReviewApprovalRelease()
else
if Error ~= "Argument 2 missing or nil" or Error ~= "Argument 1 missing or nil" then
-- mobile executors and wave
OnPerformanceStatisticsShouldBeVisibleStateChangedEventTriggeredReactionFunctionalityHandlerMethodProcedureModuleSystemComponentSoftwareArchitectureDesignImplementationMaintenanceMonitoringAnalysisOptimizationPerformanceEnhancementTrackingVisualizationNotificationUserInterfaceInterfaceElementControlPropertyConfigurationModificationUpdateManagementAutomationIntegrationCustomizationExtensionDevelopmentCoaborationTestingValidationVerificationDebuggingDocumentationDeploymentScalingMigrationSecurityComplianceAccessibilityLocalizationIntertionalizationErrorHandlingExceptionHandlingLoggingReportingAnalyticsDataCollectionProcessingStorageRetrievalPresentationUserFeedbackIterationRefinementDocumentationReviewApprovalRelease()
end
end
This detection works due to the fact that executors block some functions for security purposes in their executor, they’re not a fan of malicious scripts being executed in the executor and getting their users robux drained. Some executors have started to modify the Roblox Lua environment (which includes your LocalScripts that runs in your game) to block malicious functions from being called. This opened up a gateway for us developers to detect their executors. And since all executors that exist in mobile, and the Wave executor all have the same developers (Tiahh and Rexi) all of these executors can be detected with the same method.
You can use this by simply creating a LocalScript and pasting the code in. This will detect them before the UI of their executor even loads.
Classic metamethod hook errors and being unable to discern if a function is safe or unsafe or in which thread it runs.
Exploit devs are suffering right now, I had issues like this when doing RbxStu V2, Adonis could probably detect them as well I believe, took around an hour to fully fix it, but by the time I did, I had made RbxStu slightly more vulnerable, depressingly.
I haven’t tested it for quite, I believe 75% or so and up? I’m not sure truly, the debug library needs fixing, but I’m planning a complete rewrite in V3 of it, hopefully the last version, probably not keeping most of UNC, as in just a whole new RbxStu specific environment targeted towards debugging and development
Exploit security is really annoying to deal with, Synapse and Script-Ware deserved more praise back in the day, because right now is either of the two for exploiters:
Be safe & Detected
Be unsafe & Undetected
(Also I already kinda thought of a way to fix this issue, but I’m not sure if it could work truly, I’d have to check later, and imma not yap it here to avoid it being used lmao)
UNC for executors is like best before dates on food. It means nothing, was invented by someone to boost the reputation of their product (which to my knowledge in the case of UNC wasn’t even best of its kind at the time), and to this day has zero actual impact on if the product is good or not. Who cares that some random paste can’t run some niche function that nobody uses?
That is where you fall flat and wrong, all functions in UNC fulfill a purpose, if you cannot use them or do not know how to, perhaps that is where your r
hate comes from, that aside no one has iterated on the environment because no one has gotten big enough, and the current scene for exploiting is maintaining compatibility with previous scripts, because as it currently stands, all the good exploiters are long gone, the only good ones that remain are working on big projects, or have turned to mixing rodev and other things.
UNC isn’t a waste of time, it’s just for compatibilities sake, I could grab and make my own standard, but as I am a studio executor no one would support it, for example. Moreover, a lot of the functions inside of UNC fit the bill for debugging in a client environment or for setting up testing scripts on clients, the most niche one can get in UNC is the cache library, (excluding cloneref…) and that is it, all the other ones fulfill a real purpose.
Hell yeah. I am currently working on a similar project, but written in pure Luau. Me and my friend are attempting to create an executor for Roblox Studio written in Luau for fun and I’d say we got far, as we reached 82% actually working UNC support. Right now, we are trying to improve the security of the executor and blocking functions that can be utilized for malicious purposes. This has been a real pain to deal with, as we are just using Instance wrappers/proxies to simulate an actual Instance and then from there we attempt to prevent malicious functions from being called. But almost every single day, I find a way to bypass my own security.
About our 82% UNC, we have massive limitations, such as our hookmetamethod, getrawmetatable, setrawmetatable, and etc only works within our executor’s environment, and does not actually do changes to the actual metamethods of Instances, but rather just a simulation of it achieved by making Instance proxies/wrappers with newproxy.
Here’s a video showcase of the executor, I’m posting this here because why not:
(This video was taken a while back, when we still had 77% UNC.)
Being in pure luau is limiting truly, never tried doing it in full Luau because some things are plain and simply impossible without elevating to higher identities, whilst people hate in Solara, quiving has put his time in to trying to make it as safe as possible in pure Luau, and that is something is a feat of its own.
Good luck on ur project, looks g from what I can see, I gotta put myself to work on V3, hopefully last time I work in an executor myself
Damn. He wrote Solara in pure Luau? Didn’t know that, that’s pretty cool. Does he have support for gethiddenproperty? If not, maybe he could use this for a 1% UNC boost. I’m telling you this because I’m pretty sure you have contact with quiving. This method can get hidden properties and non scriptable properties.
gethiddenproperty = function(object: Instance, property: string): (any, boolean)
local Success1, Check1 = pcall(function()
return object[property]
end)
if Success1 then
return Check1, false -- property is not hidden
else
local Success2, Check2 = pcall(function()
return game:GetService("UGCValidationService"):GetPropertyValue(object, property)
end)
if Success2 then
return Check2, true -- property is hidden
else
error("Property " .. property .. " does not exist in instance " .. tostring(object) .. ".") -- property does not exist
end
end
end
It is currently completely impossible to implement sethiddenproperty and setscriptable in pure Luau, but it may be possible if Roblox implements a SetPropertyValue function at some point in the future.
No since you will never access exploit environment unless theres a huge vulnerability. It only helps script users to run scripts made for UNC without worrying about executor incompatibility.
