Recently, there has been an increase in exploiters using a server crashing script. This script basically spams invalid animation IDs in which Roblox decides will have to be loaded BY the client even if it errors. There is no way to figure out who this is currently as far as I am aware.
Here is a screenshot of the output with this script:
Using the gui and entering 500 will drop everyone’s FPS to about 2/s
If anyone knows of a solution to this exploit, please respond so everyone may see how to fix this. It is a very major issue to a lot of developers and games.
Firstly, I think the best way to “solve” this exploit is to eliminate any alien code by finding the backdoor where it is sourced. There are many backdoor script locators such as this one.
I mean, if you mean this exploit specifically, you can do a
while wait() do and scan for Animation objects and delete them, with a whitelist of the animations that belong to you. But I recommend taking the information above.
Another thing you can do is you can set a RemoteEvent to fire all clients, detect for that one foreign gui, and delete it. But it can be intercepted by exploiters again as they have access to everything client sided.
I can’t scan for an animation that has failed to load. I’ve tried checking with whatever check animations function it was. But that only works on running animations.
And events can be easily deleted making them pretty useless.
It isn’t a backdoor. It’s a code which abuses the replication of animations, by loop loading invalid animations, causing the animation load error to pop up on every client (and possibly the server)
My idea on how to prevent that would be to check if a player loads too many invalid animations or does it too often (or both). Or check if the animation id is valid in the first place, and isn’t just some random numbers.
I’ve been trying to catch the error. But error catching is pcall which needs to be embedded IN the script being executed.
I believe the Humanoid has an event which fires upon loading an animation. Try that perhaps? I mean this event specifically: https://developer.roblox.com/api-reference/event/Humanoid/AnimationPlayed
I’m unsure whether it fires for animations that fail to load tho, and I cannot test that right now.
How do you want to detect a script executed by an exploit?
Except it’s not a backdoor. It’s considered an exploit when someone inserts it themselves while in-game.
Exploits execute localscripts on the client and the localscripts are not in the place file itself. And there are very few cases where you can detect them.
But these scripts are meant to be “invisible” from the developer. You cannot deny that.
I’m pretty sure there are no cases they can be detected. Unless the executor is a really bad one.
I mean you cannot detect scripts but rather certain behavior. There are however cases when it’s possible to detect the exploit as soon as it injects, but most of them is patched by the exploit creator as soon as someone figures it out.
I think you are confusing the recent backdoors case with script executors.
There are plugins which put a script in your place file in some hidden location. That script can be called a backdoor, as it is a serversided script inserted into your game without your knowledge, which’s purpose is to give certain people serversided access to your game.
On the other hand script executors can only run code on the client. As people say, since it’s your pc, you have full control over it. You cannot call that inserting a backdoor script into the game, as the script isn’t even seen by the server. It only exists on the pc of the player who created it with an exploit.
Yup. This is a localscript client-side exploit, it does not require a backdoor because loading an animation onto your own character, on your client, replicates to the server. Does it even have to be an invalid id? That may just have been easier. Should check if spam-loading valid animation Ids can still be a problem…
I understand this, but we really can’t do anything about it. That’s why I say “solve” in this case as some backdoors may be linked with exploits, and should be removed right away.
It’s not terribly useful to suggest a course of action for an unrelated type of exploit that he may not even have and that won’t fix the identified problem.
Also, this is very cleverly designed, as it uses Instances and renderstepped to their advantage. If only we can detect something in the 0.0166 seconds we have.
I haven’t looked into that but I think yes. My guess is that roblox caches loaded animations, and when you attempt to load a lot of invalid ones, it makes a request trying to find them each time (because of the random numbers).
My idea of a solution is to use the AnimationPlayed event, however Im unsure if it fires for invalid animation ids too.
It doesn’t fire on invalid animations if they don’t even start.
If AnimationPlayed isn’t working, this will probably have to be something roblox has to fix. The error code doesn’t even tell you who is doing it, just that it is happening.