Saveinstance Injection Detection (Exploit Detection)

Hi everyone. I present to you another detection for one of the most painful and powerful scripts, Saveinstance. No one enjoys having their hard work stolen after hours of dedication and commitment, and then being either skidded or having assets stolen.

So below I provide a simple detection for Saveinstance.

This also simply proves detecting cheats isn’t impossible. Many claim Saveinstance is undetectable; here I prove you wrong.

Universal Syn-Saveinstance

Universal Syn-SaveInstance utilizes UGCValidationService for HiddenProperty checks and other stuff. However, UGCValidationService doesn’t actually exist in the game’s DataModel until it is explicitly referenced.

For example, when you declare it with:

local UGCValidationService = game:GetService("UGCValidationService")

…it then becomes part of the DataModel.

By scanning the current services within the game’s DataModel without directly referencing UGCValidationService, we can detect its presence. Since this service is typically only called by SaveInstance in this context, its existence strongly indicates the use of SaveInstance.

This method provides a reliable way to flag and detect Saveinstance in action.

YOU CANNOT HAVE UGCVALIDATIONSERVICE REFERENCED ANYWHERE, OTHERWISE THIS WILL FALSE POSITIVE

Detection:

if game:GetService("RunService"):IsStudio() then return end

local UGCValidationService = "UGCValidationService"
local knownServices = {}

if game:FindService(UGCValidationService) then
	knownServices[UGCValidationService] = true
end

-- Crash instead of kick, because you can actually still save the game even if kicked. Crashing stops this.
local function Crash()
	for i = 1, 3000 do
		print("a")
		warn("b")
		task.spawn(function()
			error("\n")
		end)
	end
end

local function checkForNewServices()
	if not knownServices[UGCValidationService] and game:FindService(UGCValidationService) then
		Crash()
		while true do end
	end
end

task.spawn(function()
	while true do
		checkForNewServices()
		task.wait(2)
	end
end)

Now this can ofc just be bypassed by simply disabling the script, so what we can do is hide the script in its own environment by using getfenv() (I didn’t create this method, this has been known for years). Like so:

getfenv().script:Destroy()
getfenv().script = nil

Put this at the very top of the script.

This can still obviously be bypassed by other methods, as nothing is unbypassable if it’s on the client. Exploits have full control of the client, which means they can do whatever they want with it. In the future I’ll possibly release something that stops FindService hooks etc for everyone. But this should hopefully stop your average skid trying to steal your assets :+1:

Thanks for reading, and I hope this helps. This may possibly end up getting patched, but I’m not sure :man_shrugging:

If you have any questions, please let me know.


Oh yeah SaveInstance is also completely undetectable according to the UniversalSynSaveInstance Devs :rofl:


Clearly isn’t!

33 Likes
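An event-driven variant of the detection in the post above, added here as an example and not part of the original thread or the poster's code. It listens for the DataModel's ServiceAdded signal instead of only polling, and reports to the server rather than crashing the client; the RemoteEvent name `IntegrityReport` is a hypothetical placeholder that a server script would have to create.

```lua
-- Added example (not from the original post): LocalScript that reacts to the
-- DataModel's ServiceAdded signal, with the 2 s FindService poll as a fallback.
local RunService = game:GetService("RunService")
if RunService:IsStudio() then return end

-- Keep this a plain string; calling GetService() on it would create the service.
local WATCHED = "UGCValidationService"

-- Hypothetical RemoteEvent, created by a server script, used to log detections.
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local report = ReplicatedStorage:FindFirstChild("IntegrityReport")

-- Baseline: if the service already exists at startup, something legitimate
-- referenced it, so its presence is not a signal (avoids the false positive).
local presentAtStart = game:FindService(WATCHED) ~= nil

local flagged = false
local function flag(source)
	if flagged or presentAtStart then return end
	flagged = true
	if report and report:IsA("RemoteEvent") then
		-- The server decides what to do with the report (log, kick, ban).
		report:FireServer(WATCHED, source)
	end
end

-- Fires as soon as a service is instantiated in the DataModel.
game.ServiceAdded:Connect(function(service)
	local ok, className = pcall(function() return service.ClassName end)
	if ok and className == WATCHED then
		flag("ServiceAdded")
	end
end)

-- Fallback poll in case the signal connection has been disconnected.
task.spawn(function()
	while not flagged and not presentAtStart do
		if game:FindService(WATCHED) then
			flag("poll")
		end
		task.wait(2)
	end
end)
```

As the thread itself says, anything on the client can be hooked or disabled, so the server should treat a missing report as no information rather than as proof of a clean client.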

Please no one comment “client anti-cheats are bad” and so on :pray:

14 Likes

AmazingResources! That will help me a lot, thank you :heart:
I was trying to find a way to block the hackers and you really helped me, thank you again :relaxed:

4 Likes

Of course, anytime! Hopefully this helps protect your game. :smile:

3 Likes

:broken_heart::broken_heart::broken_heart::broken_heart:

namecall hook
check if findservice is used and return nil

2 Likes

Pretty much lol (or modify FindService to only return nil when it’s called with UGCValidationService), you can also set a timeout for the script to prevent crashing to still continue saving whatever you want.

1 Like

Somebody has to hate every time :broken_heart:. Ofc it can be bypassed, pretty much anything on the client can be bypassed. Especially with Roblox removing the extra null bytes from the game entirely.

You can definitely stop FindService hooks though. I might probably release something for this soon if I have time

2 Likes

I already said it’s bypassable bud. Anything on the client is pretty much bypassable. Even more so with Roblox removing the extra null bytes. Now, there are ways to stop FindService Hooks.

This is more of a showcase to show nothing is undetectable, 99% of people say Saveinstance is undetectable, I’ve proved them wrong. This will also definitely help against your average skid lol.

SetTimeout simply won’t work, as the Crash function doesn’t use while true do end, it uses a for loop which crashes the entire console.

2 Likes

“client anti-cheats are bad”
“client anti-cheats are bad”
“client anti-cheats are very bad”

3 Likes

Not really. An average skid may utilize cheap tricks and tactics and use Luau (which is to be expected, as they are no older than 13), but true exploiters do not need to utilize the Luau VM to save your game.

Services are essentially Instances, which are userdata that point to the Engine methods; an exploiter does not need to use the Service Instance itself to access that Service. Which effectively eliminates all possible detection methods.

I can just modify the lua_state to terminate the process if a function takes too long to complete.

Anyway, this is a cool detection method though, so good job on detecting it, a little bit of obfuscation and you might even have something that you can use on your live games.

1 Like

local old = clonefunction(game.FindService)

hookfunction(game.FindService, newcclosure(function(...)
	local self, service = ...
	if service == "UGCValidationService" then
		return nil
	end

	return old(...)
end))

something like that
typed it out on phone

1 Like

Yes of course. Anything on the client can be bypassed, there’s just ways to make it incredibly hard. Even byfron can and has been fully bypassed by the likes of AWP:

Truly appreciate the kind words at the bottom.

Yeah I mean there’s ways to stop FindService hooks, I’ll maybe release a method later if I have time:

1 Like

unless your exploit’s hookfunction is detected the hook i posted above is not detectable

2 Likes

Yup, you’re not wrong. Like I said before and in the first post, anything and everything is bypassable if it’s on the client.

1 Like

My apologies, I just re-read the script…

I don’t understand; what do you mean? Are you talking about Roblox?

2 Likes

lua_state is a reference to the running Lua thread in the C API for Lua. The same goes for Luau VM; utilizing the lua_state or directly modifying the VM code, you can control how Luau runs.

1 Like

I know what a lua state (defined as lua_State in both the Lua and Luau C APIs, and not lua_state) is. What I meant however is, how is that related to saveinstance…? It’s not like you can run C++ code from exploits?

1 Like

I think he’s trying to imply that serializing the data via Luau is not the only way games can be stolen and that it can be done so via external programs that simply read instance data and serialize it (which do already exist although need a bit of fixing)

3 Likes