Wanted to come back to this again to say that a Roblox-provided environment doesn’t need to actually give access to sensitive services; rather, what would work just as well is a simulated response, enough for such a tool to then build a profile of what an exploit is doing, i.e. what events it’s trying to fire, what remote addresses it’s trying to access, etc.
Feel free to send over any obfuscated scripts that you’re having trouble with.
It’s not really about detection anymore, the people still using the modern junk are well beyond the point where being ‘detected’ deters them. People still exploiting won’t care about detection unless their accounts get terminated. Why care when you can exploit for 7 months and only get slapped with a couple 1-day bans every now and then? The moderation is toothless.
As long as it can achieve injection/execution, people will pay for it.
I think the most bizarre part about the introduction of Hyperion is how infrequent the preventative measures it’s supposed to enact are. Why add an anti-tamper company to your portfolio if you’re going to remove folks who tamper with the game twice a year, and for a single day at a time at first blush, at that?
Just a head scratching decision that makes developing a competitive game experience on Roblox that much less desirable. Roblox’s bureaucracy when it comes to punishing cheaters has struggled to catch up for the past decade and a half, and the gap doesn’t seem to stop widening.
Between the lack of action on Hyperion detections and the seemingly half-baked Ban API (that can be bypassed simply by switching accounts, no VPN necessary!) - the response here has been lukewarm at best.
I’ve been on the platform since 2007 - and the lack of progress on this forefront has been disappointing.
Would be nice if, as a developer, you had the option to either directly be told when a player is detected in your game and take your own action, or set a bar for how Roblox should be when banning players from your experience specifically. If Roblox doesn’t want to potentially give indicators about what Hyperion is up to, allow developers to essentially request that Roblox themselves ban players permanently from your game, e.g. if you have a high protection level.
Correct me if I’m wrong, but this is in regards to just detecting an exploit that took place but not having the tools to determine how the exploit worked?
You said that players are automatically completing certain game-wide actions; what do you mean by this? Are they teleporting their character, or abusing a remote event to trigger events? If you know what things in your game could allow the player to accomplish their goal, surely you will know what they are doing, right? I’m probably missing something.
Yes, as I said in the post, I was able to figure the weaknesses out pretty quickly in this case without needing to see the code. However, my concern is that a few years ago the level of obfuscation was low enough that you could usually reverse engineer / de-obfuscate these scripts, but now it’s pretty much impossible. The thing is, the script is still Roblox Lua, but it’s Roblox preventing use of the privileged services the exploits use that prevents a developer from being able to run it in Studio and therefore figure out what it’s doing.
While yes, ideally every developer should know enough about their games to be able to fight an exploit without knowing what it’s doing, an exploit that is complex in nature and takes advantage of a less obvious vulnerability is basically impossible to reverse engineer and patch with certainty.
I’m assuming you probably already did this, but something I’ve done is to search for the script somewhere on the internet. Chances are, if someone is using it in your game, they themselves have to find the code somewhere as a deobfuscated script and stick it in their injector, which I assume is what is doing the obfuscation.
No, the scripts as released are commonly obfuscated from source these days, so there isn’t a deobfuscated version out there.
Did times change? How do script kiddies get their cheats now?
From what happened in my case, a YouTuber whose entire thing is releasing scripts to sell a piece of exploit software created an exploit for my game (which, to be honest, I’m quite flattered by). The target audience for that kind of thing unfortunately doesn’t seem to have much interest in knowing what either the software or the script is doing, so the creator obfuscates them. It’s very different from the more collaborative nature of exploit forums I’ve seen things released on in the past, and concerning really, as the whole thing makes it very easy for kids to get their hands on exploits without really understanding that they are very likely going to get banned for it.
Exploiting forums are, as of now, completely dead in usefulness. They provide nothing more than a place for people to cry about exit scams, say “Oh the days synapse was here…” and point the finger at each other; it’s quite fun, in fact. That aside, I got around to what I promised and I’m doing RbxStu V2, and it addresses many issues the previous version has, but I think I went a little off on a tangent.
In actuality, most people who are after profiting on exploiting will obfuscate their scripts to prevent people from redistributing them, normally placing a key system or whatever, but in reality it’s not worth it, since too few people are exploiting right now, and the few who are, are getting weeded out, if not by Roblox, then by other people in the community who are or were exploiters or exploit developers. And yes, I know plenty who get their hands on exploits and don’t even know what they’re doing. I have seen people run full-fledged RATs on exploits because of how wildly bad they’re written. It just now came out that a new exit scam was made, “Kruncus”, the owner being an old API sploit of Solara. Truly makes you think how people can believe someone so carelessly as to drop 30 dollars into something…
I think there can be alternatives to this, can there not? Why not give developers a special type of command line that allows access to these core services as a client would? This command line would be run in a test-run version of the game that would be separated and wouldn’t save any changes.
The main things that I think developers would really benefit from are:
Tracking events fired from threads and identifying such threads.
Tracking functions triggered from threads using specific services.
Changes in properties done by threads.
Not only would this allow me to break down what exploiters are doing, but it would save me loads of time in not deobfuscating scripts.
I don’t have the best understanding of the internal workings of Roblox, but this doesn’t seem unrealistic to me. Anywho, hoping for the best outcome here, really.
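As an added illustration (not code from any poster in this thread, and not a Roblox feature), here is a minimal sketch of the "simulated response" idea and the tracing wishlist above: a stand-in `game` object that answers every lookup with another recorder and logs method calls and property writes instead of performing them. It is plain Lua with no Roblox APIs; `makeProxy`, `sampleScript` and every service, remote and URL name in it are constructed for the example, and it does not attribute activity to threads.

```lua
-- Added example: a recording stand-in for `game`. Nothing here is a real Roblox service.
local log = {}

local function fmt(v)
  if type(v) == "string" then return string.format("%q", v) end
  return tostring(v)
end

local function makeProxy(path)
  local children = {}
  return setmetatable({}, {
    -- Any read returns another recorder, so long access chains keep resolving.
    __index = function(_, key)
      if not children[key] then
        children[key] = makeProxy(path .. "." .. tostring(key))
      end
      return children[key]
    end,
    -- Property writes are logged and never stored, so repeated writes are all seen.
    __newindex = function(_, key, value)
      log[#log + 1] = "SET  " .. path .. "." .. tostring(key) .. " = " .. fmt(value)
    end,
    -- obj:Method(...) arrives here as recorder(obj, ...); the receiver is dropped.
    -- (A dot-call like obj.Method(a, b) would therefore lose its first argument.)
    __call = function(_, _self, ...)
      local args = {}
      for i = 1, select("#", ...) do args[i] = fmt((select(i, ...))) end
      local call = path .. "(" .. table.concat(args, ", ") .. ")"
      log[#log + 1] = "CALL " .. call
      return makeProxy(call) -- simulated return value, itself traced
    end,
    __tostring = function() return "<" .. path .. ">" end,
  })
end

-- Constructed stand-in for a script under analysis; names are recorded, never resolved.
local function sampleScript(game)
  local rs = game:GetService("ReplicatedStorage")
  rs.Remotes.ClaimReward:FireServer("daily", 9999)
  game:GetService("Players").LocalPlayer.Character.Humanoid.WalkSpeed = 120
  game:GetService("HttpService"):GetAsync("https://example.invalid/config")
end

sampleScript(makeProxy("game"))
for i, line in ipairs(log) do print(i, line) end
```

The resulting log is the behavioural profile: which remotes were fired with which arguments, which properties were changed, and which addresses were requested, none of which requires reading the script's source.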