Roblox Anticheats

Just make a script that can detect injection, because all executors inject code/scripts into your game, and if you can manage to detect that, you can probably block it.

That’s the whole point of this topic - @FancyDucc is looking for a way to do that. If you know how, please share it :smiley:

Here is an example of how you might want to do it.

-- Place this script in ServerScriptService

local checkInterval = 300 -- Time in seconds between each scan (e.g., 300 seconds = 5 minutes)
local suspiciousParentContainers = {
    game.Workspace,
    game.ServerScriptService,
    game.ServerStorage,
}

-- Criteria for suspecting a script (very basic example)
local function isScriptSuspicious(script)
    -- Check for common suspicious indicators, e.g., obfuscated code or suspicious names
    local suspiciousNames = {"hack", "exploit", "backdoor", "inject"}
    local nameLower = script.Name:lower()
    for _, suspiciousName in ipairs(suspiciousNames) do
        if nameLower:find(suspiciousName) then
            return true
        end
    end
    -- You can add more checks here, like checking the content of the script
    return false
end

-- Function to handle new descendants being added
local function handleNewScript(script)
    if isScriptSuspicious(script) then
        print("Suspicious script detected and removed: " .. script:GetFullName())
        script:Destroy() -- Removes the suspicious script
        -- Additional actions can be taken here, such as alerting admins
    end
end

-- Function to scan for suspicious scripts
local function scanForSuspiciousScripts()
    for _, container in ipairs(suspiciousParentContainers) do
        for _, desc in ipairs(container:GetDescendants()) do
            if desc:IsA("LuaSourceContainer") then
                handleNewScript(desc)
            end
        end
    end
    print("Completed a scan for suspicious scripts.")
end

-- Start the periodic scan
while true do
    scanForSuspiciousScripts()
    wait(checkInterval)
end

There’s just the problem that scripts added on the client don’t replicate.

OK, so I don't know how to make a script that knows if an exploiter injected any script into the game's code, but maybe obvious changes that are not supposed to be there can help detect exploiters. Here is an example script; yet again, if you want, you can change some stuff inside the script. This is the closest I can get.

-- Place this script in ServerScriptService

local Players = game:GetService("Players")

-- Assuming achievements are identified by these names
local expectedTimeToComplete = {
    ["Achievement1"] = 600,  -- 10 minutes in seconds
    ["Achievement2"] = 1200, -- 20 minutes in seconds
}

-- Start times are kept in a server-side table keyed by player
-- (custom fields cannot be assigned to a Player instance)
local achievementStartTime = {}

-- Function to handle starting an achievement
local function startAchievement(player, achievementName)
    if not achievementStartTime[player] then
        achievementStartTime[player] = {}
    end
    achievementStartTime[player][achievementName] = os.time()
    print(player.Name .. " has started " .. achievementName)
end

-- Function to handle completing an achievement
local function completeAchievement(player, achievementName)
    local achievementTimes = achievementStartTime[player]
    if not achievementTimes or not achievementTimes[achievementName] then
        print("Error: No start time recorded for " .. achievementName)
        return
    end

    local completionTime = os.time() - achievementTimes[achievementName]
    local expectedTime = expectedTimeToComplete[achievementName]

    if completionTime < expectedTime then
        print(player.Name .. " completed " .. achievementName .. " suspiciously fast.")
        -- Implement further actions such as alerting admins or logging for review
    else
        print(player.Name .. " has legitimately completed " .. achievementName)
    end

    -- Reset the timer for this achievement
    achievementTimes[achievementName] = nil
end

-- Drop the player's entry when they leave so the table does not grow forever
Players.PlayerRemoving:Connect(function(player)
    achievementStartTime[player] = nil
end)

-- Example usage (normally these would be triggered by game events or RemoteEvents)
Players.PlayerAdded:Connect(function(player)
    -- Simulating a player starting and completing an achievement
    wait(5) -- Simulate time delay
    startAchievement(player, "Achievement1")
    wait(300) -- Simulate player takes 5 minutes to complete (should trigger suspicion for Achievement1)
    completeAchievement(player, "Achievement1")
end)
1 Like

I don’t think there is any way to actually detect injection.

Very rarely do we ever see a “vulnerability” in an exploit which allows us to detect it.
ROBLOX tries their best to keep the anti-cheat up-to-date, but it's almost impossible to patch every method because every game is so different, so if they did make an in-game anticheat, innocent players might get banned a lot. (What I’m trying to say is the only way ROBLOX can have an anti-cheat is to block it straight from the injection process, which isn’t always the easiest.)

I’ve seen exploiters get relatively annoyed at games like this:

Because it has some sort of “Character Froze” or some sort of check for the actual ragdoll, and when you inject into any roblox game, it freezes your game for a second, except, this can easily be bypassed by using “auto-inject” or just injecting well in the loading screen, and it might kick laggy players.

Most executors nowadays just parent their scripts to unreachable places, like CoreScript packages, you can try detecting them but good luck with that. Plus they’re still prone to ScriptContext error signal.

I’m curious, could a hacker change code in a local script and it would take place right away?

If I had a movement local script and inside it I put speed to 20, could they change that to 100 and then the local script puts their movement speed to 100?

If that’s in fact NOT the case, I am curious, what if you made a crucial script for the game, like a movement script as I mentioned, and paired it with a cheeky client sided anticheat, so the anticheat is inside of the movement script, combined with the code.
(of course you would have a serversided anticheat too) but if they want to delete the client sided one, they would in theory have to delete the movement script, putting them at a disadvantage.

“It won't matter cause they could just change their movement speed after deleting it!”

Server sided anticheat as mentioned too.

Just for context, I did make a script that when deleted kicks the player, if a cheat developer tries to bypass the client anticheat like that I can still counter it

I’ve worked with pentesters to develop my anticheat for my game (Isle). My game has had 80M+ visits in its 5 years lifetime. I’ve analyzed dozens of bypass methods. I’m also doing security research outside of roblox. I will chip in a bit on anticheats.

You can’t.

(If you’re doing it for fun and to learn, then it’s a great learning experience, and there’s resources on devforum and roblox documentations implementing them. I’ve written about a method below using GetTotalMemoryUsageMb. Good learning experience, terrible in live games.)

Clientside Anticheats:

  • Client side anticheats will always be bypassed or will eventually fail. You are 1 developer. You have to somehow hold back dozens of smart exploiters (some of which are willing to spend every day to break apart your anti cheat). Without a 24/7 team, it’s a losing battle. The Roblox platform is always constantly updating too = more entry points + more broken scripts because of updates.

  • Exploiters have more resources than you. They can manipulate memory, mimic roblox services, override roblox properties, modify their humanoids. They can control everything on their computer, and everything on their roblox client. You can only control what’s inside of the client.

  • Because of these reasons, you can’t detect code injections or executions long-term.

A case study:

  • You write an anti cheat that checks for a memory spike for code injection detection. Suppose you check it with GetTotalMemoryUsageMb. If exploiters inject code the RAM will spike up and you can catch that.

    1. Exploiters can run the exploits before the game even loads and disable that script. Checker is now bypassed.
    2. Exploiters can also replace the API function with their own that always returns 50MB instead of the actual RAM reading. Checker is now bypassed.
  • The smart exploiters will find a bypass for your check, then sell the details to the dumb exploiters. Pretty soon all exploits will have the bypassing feature. You’ll catch 90% of exploiters on day 1, but on day 100, you’re going to be catching 10%.

  • Not to mention when you add more content to your game, your RAM naturally goes up. This means you could accidentally kick real players because their RAM is high.

Actually Dealing with Exploiters:

  • Don’t do a client side anticheat at all. Roblox is constantly pushing out updates and patches. Let the cheaters try and beat Roblox’s systems and worry about better things for your game.

    • You spend a lot of time working on the anticheat to catch the 1% when you should be making new game content for your 99%. Unless that 1% is ruining the experience of the 99% it’s a waste of time.
    • The # of cheaters are so rare that you’re more likely going to harm your normal playerbase with false positives if you’re inexperienced. False positives are when the anticheat punishes normal players unintentionally.
  • Everyone has mentioned here to do server checks. This is the best you can do on roblox. Check to see if incoming client data is valid or not. See Security Tactics and Cheat Mitigation | Documentation - Roblox Creator Hub.

    • In my own game, I passively track the player’s position. It’s a variation of movement validation except there’s no kicking involved. The player’s “server” position is what’s used to detect for interactions with the world. Picked up an item? Check the “server” validated position instead of HumanoidRootPart.Position, then give item, etc.
  • You can address the root cause instead of making an anti cheat. Understand that cheating is a social problem: people cheat to gain an advantage or get a reaction over others. You could address these problems by structuring your game a certain way where cheaters cannot reliably affect your players.

    • Give power to the non cheaters: give them tools to keep out cheaters in their games. (Private Servers, Votekicks, Blocking/Blacklisting, Reporting/Moderation System, etc).
    • Make cheating undesirable: make it as inconvenient to cheat as possible. (ban accounts with lots of items/time invested, do server checks, make a server side anti cheat, etc).
5 Likes
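The passive position tracking described in the post above, as an added example that is not the poster's code or their game's implementation. The RemoteEvent name `PickupRequest`, the `Items` folder in Workspace, and both constants are assumptions made for illustration.

```lua
-- Added example: server Script in ServerScriptService.
-- Assumed names: RemoteEvent "PickupRequest", folder Workspace.Items holding BasePart items.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local RunService = game:GetService("RunService")

local SPEED_TOLERANCE = 1.5 -- slack for latency and physics jitter (assumed value)
local PICKUP_RANGE = 10     -- studs (assumed value)
local itemsFolder = workspace:WaitForChild("Items")
local pickupRequest = ReplicatedStorage:WaitForChild("PickupRequest")
local validated = {}        -- [Player] = Vector3, the server's own view of the position

-- Each frame, move the validated position toward the replicated one, but never
-- faster horizontally than the server-side WalkSpeed allows. Nobody is kicked.
RunService.Heartbeat:Connect(function(dt)
    for _, player in ipairs(Players:GetPlayers()) do
        local character = player.Character
        local root = character and character:FindFirstChild("HumanoidRootPart")
        local humanoid = character and character:FindFirstChildOfClass("Humanoid")
        if root and humanoid then
            local last = validated[player] or root.Position
            local offset = root.Position - last
            local flat = Vector3.new(offset.X, 0, offset.Z)
            local maxStep = humanoid.WalkSpeed * SPEED_TOLERANCE * dt
            if flat.Magnitude > maxStep then
                flat = flat.Unit * maxStep -- implausible jump: follow at legal speed only
            end
            validated[player] = last + flat + Vector3.new(0, offset.Y, 0)
        else
            validated[player] = nil -- no character: re-seed from the next spawn position
        end
    end
end)

Players.PlayerRemoving:Connect(function(player)
    validated[player] = nil
end)

pickupRequest.OnServerEvent:Connect(function(player, item)
    local position = validated[player]
    -- The client chooses what it sends, so check type, class and location of the argument.
    if typeof(item) ~= "Instance" or item.Parent ~= itemsFolder or not item:IsA("BasePart") then
        return
    end
    if position and (item.Position - position).Magnitude <= PICKUP_RANGE then
        item:Destroy() -- grant the item here; out-of-range requests are silently ignored
    end
end)
```

A teleporting client sees its pickups fail because the validated position lags behind at walking speed. Legitimate server-initiated teleports would need to reset `validated[player]` to the destination.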

No clue why you reply to a topic / comment with such little knowledge about the subject.

There is no possible way you should call yourself some type of Anti Cheat specialist if the only thing you’ve brought up in this thread is unreliable detection methods and false information.

Checking for spikes in the memory with any sort of tag is usually a bad practice and very unreliable because of all potential false positives.

Detecting injections by executors has never been impossible.

Having no client sided anti cheat is worse than having one.

1 Like

If you could provide the details on your own implementation to a client sided anti cheat with evidence that it’s effective in a large game I will update what I said. Otherwise, I believe it’s not a practical use of time, especially for small studios.

Yes, this is why it’s mentioned in the case study/learning exercise and not me giving advice to use it in real games.

Again, if you can provide details on your own effective implementation for a large game it would be something interesting everyone could benefit from.

It’s very easy to make injector detectors, the problem is keeping it running long term while dozens of exploiters are trying to bypass it.

I won’t publicly give out detections for executors but I’ll gladly develop an entire anti cheat just to prove you wrong (no offense)

Tell me what to do and you shall receive (anti cheat)

1 Like

With all the NetflixCE forks popping up and some of them not even requiring a teleporter game, the exploiting community manages to grow, the thing is that the ones I’ve seen just use a script in CoreGui, is there any way to detect that?

1 Like