RoCheck | Verifying a HTTP request is from a Roblox game

Notice

This package has been archived. It is outdated and follows bad patterns. For all future work, please refer to my new package Rodentify.


Hey people! I’m back on the grind with my very few community releases (I want to do more).

Spent the last hour or so rewriting my own module for checking if a request is from a Roblox game - but decided I may as well open source it as I know lots of people will find it useful!

What is it?

When your Roblox client joins a game, it asks the Roblox API for the IP address and port to send packets to. RoCheck basically does the same thing - it asks the Roblox API for the IP of a server. Using this information, we can compare it to the requester's IP address and we will know for sure that the request is from a Roblox game.

It is pretty much impossible to bypass. The only point of failure would be your bot cookie expiring or your method of getting the requester's IP. Keep in mind RoCheck does NOT compare IPs, it only retrieves the IP of the server. You must compare the IPs!

Use cases

There are various use cases for a module like this! For example, does your game have a private API? You can use this to be 100% sure a request is from that Roblox game. Let’s say a rogue developer leaks your API key; if you also use this method then you don’t have to worry about someone using that API key maliciously, because the API will only work if the request is from your game!

How do I use it?

You can install the module with NPM by using the following console command npm i rocheck. Then you can use the module like this:

const rocheck = require('rocheck')

// placeId: the game's place ID; jobId: the server's job ID (both known to the game)
// cookie: the bot account's Roblox session cookie, used to make the join request
rocheck(placeId, jobId, cookie).then(ip => {
    // ip is the game server's address; compare it to the requester's IP yourself
    console.log(ip)
}).catch(err => {
    console.log(err)
})

Drawbacks

Because we basically get a bot account to join a game, the game server must be accessible to the bot. This means the game must be 100% public and > 1 max players. That’s pretty much the only requirement, though!

You could get around the game having to be public by giving your bot account access to the game somehow.

Feedback

This is my first NPM module ever, so I’d really appreciate some constructive feedback! Everyone is welcome to fork and improve upon the module; it’s an MIT license so you can use it how you please :smiley:


RoCheck for Python

Kwok6140 has ported RoCheck to Python. If you’d like to use a version for Python then that’s what you’re gonna want! I haven’t tested it properly myself, so you should contact Kwok if you have any issues with it.

https://github.com/Kwok6140/RoCheck

44 Likes

Could there be varying join time for the bot & what happens if the game server is full?

1 Like

Yes, there could. It really depends what you’re hosting on but it’s usually pretty quick!

If the server is full then this method won’t work. It’s a pretty big drawback but still, a great method for verifying a request is from Roblox!

Edit: You could make the game send an initial request to your server as soon as it starts, and then make the server cache the server’s IP. That way it won’t matter if the server is full and will also be much faster!

3 Likes

Thank you for this, running a clan promotion system business with a public API for our clients and I only do basic header and Place Id checks because I haven't been able to figure out how to get the server IP yet.

4 Likes

From what I’m understanding (I couldn’t understand everything you’ve said), you’re implying that all Rōblox servers belong to the same IP address.

Since HTTPService disallows client-sided use, your IP address will be that of the server. The address of your server depends on the region its first player happens to be from; if I join an empty game in California, a new server will be established in the US West region. Fortunately, you could easily determine if a server is hosted by Rōblox using Whois APIs.

My suggestion is that you re-read the post and revise it for anything that may be unclear.

3 Likes

The system pretends to “join” the server - it sends the join request, which returns the IP to connect to. You can then compare the IP of the request to the IP of the server the join request returned, to confirm that the request is coming from a valid server.

A “whois API” wouldn’t work - but I know what you mean. The goal of the system is to ensure that a request came from a specific server/game, not from Roblox itself. There’d be no point in a system to ensure a request was from Roblox, because I could just make a game that sends the request and join the game.

4 Likes

@shayner32 is 100% right.

If you’d like to check out the stuff you receive about the game (there’s a lot more than just the server IP) then go to the source (index.js) and then on line 78 is where the game_data is parsed. Just console.log that and you’ll see how much there is!

3 Likes

I get it now! The way I was approaching this issue was from a point-of-view where the game’s source code gets leaked, but not the private API server.

3 Likes

Hope you get some good use out of it, I was debating whether or not to release this but decided to. Let me know how you get on with it!

2 Likes

This is a really cool module! The method I usually use for this is sending a request on server startup and caching the IP but this is still pretty awesome.

2 Likes

Thanks! You can still do that, but using this you know for sure that the IP is valid. You can then check any future requests off against the cached IP.

1 Like

Cool module, but I suggest phin over request-promise, since request-promise requires request, which uses bluebird and some other junk that node 10+ doesn’t need. Too bloated.

2 Likes

Yeah I did notice the number of dependencies. I’ll be sure to clear it up later on with a different HTTP library for sure.

1 Like

Seems like a cool module. However, there’s one semi-major drawback. That is you only get the IP of the server your client is sent to join. Since Roblox game servers have many IPs this isn’t very effective at blocking API requests on an IP basis as other servers will be blocked.

2 Likes

I’m confused what you mean. This isn’t for blocking and banning IPs, it’s for verifying a request is from Roblox.

1 Like

I mean that if you are verifying a request is from Roblox the server the bot account joins may have a different IP to the server that sent the request.

2 Likes

That will be in very rare cases and shouldn’t affect anything much at all. The likelihood that someone malicious is going to be in another game server with the same IP is very, very small.

2 Likes

This is essentially the problem that might occur:


(sorry the arrows don't show well in devforum dark mode)

1 Like

Why is game server 2 sending a request directly to “Get roblox server ip”?

1 Like

Game server 2’s IP is meant to represent the IP returned when rocheck sends a join request, as an example.

2 Likes