[ The Full Guide to Exploiting - Written by Discgolftaco231 ]

The Full Guide to Exploiting.

Written by Discgolftaco231

This is 1 of 5 guides that will come out on Wednesday of every week.


Before we get started, I just want to confirm that this is not a “How to exploit” guide. I repeat, this is NOT a guide about how to exploit.


First of All, What is Exploiting?

Exploiting is when a person decides to be stupid and make everyone’s day bad. Tbh, I do not think I’m that off about that :wink:

Exploiting can usually be classified into two categories. Game Exploiting and Account Exploiting. There is also Website Exploiting, but we do not need to get into that.

Game Exploiting is when a player enters the game, activates their gamer hax, and decides to break the game and cause chaos in it. No one really likes them, but somehow, they still end up doing it, even though they know in the back of their head: I am making people sad.

Game Exploiters usually like to exploit because they think that exploiting makes them cool or something like that. Maybe it is to impress a girl or boy idk lol. Whatever it is, they do it because they feel power when they know they have control over other people. It makes them feel overly good about themselves, and this does affect them in their future.

Account Exploiting is when someone is able to break into an account and affect it negatively. For example, last night at approx. 9:48 pm, my account was broken into and its password was changed. Thankfully, I got an email from Roblox when it happened and I was able to change my password, turn 2FA on, and log all of my devices out of my account before any harm was done. This morning, I woke up to an email with a 2FA verification code that was sent at 2 am. So obviously someone tried to get in my account again, but failed… miserably.

The reason exploiters would exploit into an account would be to cause personal mental (and maybe physical) harm to the account owner. The invader might use up all the Robux on your account, or if you had Premium, continue to bill things from the credit card the account was attached to. All in all, you do not want your account to be exploited.


How Could I Prevent Exploiting?

Very good question. Although there is not a 100% Guarantee you would be able to ever stop exploiters, there are a few ways to at least slow them down to a stop.

If you are a game developer, I recommend making an Anti-Cheat system. What an Anti-Cheat system does is it detects certain player behavior and determines if the player might be cheating or exploiting. Here is a free to use Anti-Cheat made by @UnknownParabellum.

Exploiting in games can also be caused by a backdoor in your game. Backdoors usually come from Free Models and can allow certain users to exploit your game without needing to do too much work. Backdoor scripts are usually named:

  • Loader

  • Anti-Lag

  • Anchor

  • Weld

  • Handler

And so on.

There are many plugins you can use to detect backdoors; just make sure they are the official plugin by the official owner. You do not want to get a fake anti-backdoor plugin.

Exploiting into accounts is a little bit easier to prevent. First of all, if you think you are a targeted user (devs, youtubers, other popular people, etc.), you need to create a strong password. After you create your strong password, you need to turn on Account Pin. What this does is it makes you input a 4 number pin every time you edit your account settings. Lastly, you need to turn on 2 Factor Authentication. This makes it so when you log into your account for the first time on another device, it will ask you to input a 6 number pin that is sent to the email you have attached to your account. Btw, make sure you have an attached email and phone number. They will become extremely helpful if your account is compromised.

If you have already been exploited into, you only have minutes to save your account. Here is what you need to do, in order:

  • Change your password. This could be found in the Account Info tab of your account settings. If it does not allow you to change it, Log Out and click Forgot Username/Password and then follow the on-screen instructions.

  • Turn on 2 Factor Authentication. This can be found in the Security tab of your account settings.

  • Click Log out of all sessions at the bottom of the Security tab in your account settings.

You should be done now. The exploiter is now logged out of your account and cannot log back in because you changed your password. Good Job!


Everything Else you Should Know.

Exploits are always changing. There is never a fool-proof way to prevent exploiting, and there never will be. It is just how the online world works!

I personally know an exploiter and I do not like what he does. He even exploits in my own game. Many times, my Anti-Exploit gets him; but sometimes it does not. Once, he even got auto-banned by my system for 24 hours because he was automatically added to a watch-list I implemented.

Even though you know an exploiter personally, you should still report them. If you do not report them, you are most likely going to get banned for concealing an exploiter. The person I was talking about earlier is my friend, but I still reported him.

As for Game Exploiting, here are a few tips if you are making your own Anti-Cheat:

  • Detect if any instances are added into the Workspace at a certain rate. This could mean that an exploiter is inserting many parts at once to crash the server.

  • Detect player changes on the Server. Any Anti-Cheat on the Client can easily be bypassed.

  • Secure your Remotes. Make sure your Remote Events and Functions are secured on the Server. If they are not, exploiters can spam them; and crash your game.


Many Thanks to you!

I would just like to end this off by saying thank you for taking your time out of your day to read this. This took me over an hour to set up, and your participation really will make my day. Stay safe out there! :smile:


Resources and contributions:
Written and created by Discgolftaco231, 2020. Re-share permitted. Plain copy is not permitted.
Special thanks to @UnknownParabellum for showcasing his Anti-Cheat Framework.


More guides coming soon!..

18 Likes

Thank You So Much For This!
I will be using these methods for my games.

1 Like

This is very big brain. I have a question though. What options do I have to check if people are exploiting in my game? Do I just have to play the game myself and see if anyone is exploiting? Or is there something else I can do to see if anyone is exploiting.

1 Like

well, there are many ways to do this. Here are the most simple ways:

  • Set up a Discord Bot API. There are many tutorials on this around the DevForum and Google.

  • Set up a Google Analytics page and configure it to allow users to “report” exploiters to Mods. The report would go to the Google Analytics page (or you can do that with the Discord Bot)

Both of these topics have many tutorials on how to set them up. The DevHub even has its own dedicated page for Google Analytics setup. Here: https://developer.roblox.com/en-us/articles/Using-Google-Analytics#:~:text=%20Using%20Google%20Analytics%20in%20Roblox%20%201,detailed%20usage%20of%20Google%20Analytics%20(please...%20More%20

1 Like

Thank you! I’m glad that there are ways to catch the exploiters that I don’t see in game. Exploiting is just a really scummy thing to do and I don’t want that in my games.

1 Like

Yeah. Exploiting is just one of those things that just exist. It is scummy, but it is just life.

Have a good day!

1 Like

Game Exploiting is when a player enters the game, activates their gamer hax, and decides to break the game and cause chaos in it.

this just isn’t true. most of the exploiters who know what they’re doing try to conceal it and carefully test things that they are sure won’t get them in trouble. for example, they do certain actions, check which remotes are fired, and try to replicate that themselves. a lot of the time, you won’t know that someone is exploiting (like when they’re stealing your game’s assets)

Game Exploiters usually like to exploit because they think that exploiting makes them cool or something like that. Maybe it is to impress a girl or boy idk lol. Whatever it is, they do it because they feel power when they know they have control over other people. It makes them feel overly good about themselves, and this does affect them in their future.

there are a number of reasons people exploit. usually it’s simply because it’s fun. however, they’re still people and it’s inappropriate to lump them all into a category like this (what you mentioned usually isn’t the case anyways).

No one really likes them, but somehow, they still end up doing it, even though they know in the back of their head: I am making people sad.

they literally don’t “know [this] in the back of their head.” if someone doesn’t like them, they can just switch servers for all they care. they don’t expect people to stick when they’re messing around, but people still do stay.

it’s not the exploiter’s fault for assuming the players can just leave, just like it’s not your fault for assuming all exploiters are bad.

Detect if any instances are added to the CoreGui when the game is running. This could infer that there is an exploiting panel on someone’s screen.

normal scripts don’t have this ability, the CoreGui is locked. also, most exploit guis nowadays use a drawing library which allows them to create UI without needing any roblox UI objects.

Detect player changes on the server. Any Anti-Cheat on the Client can easily be bypassed.

some changes aren’t detectable on the server. there’s nothing wrong with having an anticheat on the client, but you just have to make sure that you’re never relying on it for anything. the server is still the only thing you can trust.

a lot of exploiters don’t know what they’re doing. you’ll stop those exploiters with a client-sided anticheat. the exploiters who do know what they’re doing will easily bypass it like you said. you spend an hour making one, and stop a decent portion of the exploiters in your game. there’s no reason not to make a client-sided anticheat unless you’re really short on time.

Secure your Remotes. Make sure your Remote Events and Functions are secured on the Server. If they are not, exploiters can spam them; and crash your game.

it is true that you should secure your remotes, but this is not the reason. remotes have their own separate throttling thing and spamming them won’t do much (apart from crashing the exploiter). here are some other reasons why you should secure your remotes:

  1. so the exploiter can’t take advantage of them. ex. giving themselves cash.
  2. so the exploiter can’t cause errors on the server by giving them values that are unexpected.

there are more reasons too. as you said, it’s important to secure them.

1 Like
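One way to secure a remote against the two problems listed in the reply above (a client granting itself cash, and unexpected argument values causing server errors), shown as an added example that is not part of the original thread. The `BuyItem` RemoteEvent, the `PRICES` table and the `leaderstats`/`Cash` layout are assumptions made for illustration:

```lua
-- Server Script (e.g. in ServerScriptService). Added example; BuyItem, PRICES
-- and the leaderstats/Cash layout are hypothetical names, not from the thread.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

local buyItem = ReplicatedStorage:WaitForChild("BuyItem") -- assumed RemoteEvent

-- Prices live on the server only; the client never sends an amount.
local PRICES = { Sword = 100, Shield = 250 } -- constructed sample data
local MIN_INTERVAL = 0.5 -- seconds between accepted requests per player
local lastRequest = {}   -- [Player] = os.clock() of the last accepted request
local owned = {}         -- [Player] = { [itemName] = true }, server-side only

-- Returns the price when the argument is a known item name, otherwise nil.
local function validateItem(itemName)
	if typeof(itemName) ~= "string" then
		return nil -- numbers, tables, Instances and nil are all rejected
	end
	return PRICES[itemName]
end

buyItem.OnServerEvent:Connect(function(player, itemName)
	-- Per-player rate limit so a single client cannot flood this handler.
	local now = os.clock()
	if lastRequest[player] and now - lastRequest[player] < MIN_INTERVAL then
		return
	end
	lastRequest[player] = now

	local price = validateItem(itemName)
	if not price then
		return -- unexpected value: drop it instead of erroring on the server
	end

	-- Cash is read from server-owned state, never from a client argument.
	local stats = player:FindFirstChild("leaderstats")
	local cash = stats and stats:FindFirstChild("Cash")
	owned[player] = owned[player] or {}
	if not cash or cash.Value < price or owned[player][itemName] then
		return
	end
	cash.Value -= price
	owned[player][itemName] = true
end)

Players.PlayerRemoving:Connect(function(player)
	lastRequest[player] = nil -- do not keep state for departed players
	owned[player] = nil
end)
```

The client only ever names an item; the amount, the balance and the ownership record all stay on the server.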

Alright. Thanks for letting me know! I will edit the post when I am able to so it fits this criteria. Have a good day! :grin:

1 Like

Can be heavily spammed, (the reports).

1 Like

(adding on to what you said)

yes, you should never have a remote for something that is server-only, like datastore or httpservice. instead, keep it all on the server without letting the client touch it. otherwise, it can become a large security issue

1 Like

Yes, I understand that. I guess I forgot to tell him/her. However next time, you might want to reply to @TeaCem’s post instead of telling me.

:grin:

besides these ones which are great, I believe there is a script that makes it so players get kicked if their account hasn’t reached a certain age. if you end up permbanning someone I’d suggest to set the period to around 2 weeks so you don’t have to worry about exploiters in alts.

1 Like

as an ex-exploiter (weird name), this is really accurate, and it scares me. Anyways, beyond that fact, Exploits are an iffy thing, I personally used them when given perms so I can go behind the scenes, or test the dev’s code, It is a good business, but tons of people look down on it, and I know why. The lovely toxic “script kiddies” who only know how to rob their mother of $20 and buy illegal well-known injector here and copy scripts from V3rm or something similar.
In my opinion, Exploits are both helpful, and really bad, as in my case, I used for private tests with game devs, and then there is the bad with script kiddies with their wallhacks, aimbot, etc.
My best advice for stopping these, and this may not work, is to require game assets using the require function when it is needed/unneeded. And just because I used it does not mean that you need to do it too, I repeat DO NOT USE EXPLOITS, lost a few of my best accounts. Then again, against the tos anyways.
Later
Werty :upside_down_face:

3 Likes

Ever since I have gotten into scripting, I have always wanted to make something to keep exploiters away. I promise you I was never an exploiter tho hehe

When I have the chance to, I will add this for the guide. Thanks for letting me know :+1:

1 Like

This harms genuine users more than it harms exploiters. There are plenty of account dumps available that let exploiters (or literally anybody) steal accounts that are years old. A few weeks will just stop little Timmy from checking out the cool game his brother showed him that got him playing Roblox.

4 Likes

Very good point. Although it really depends on the game. I’m sure Little Timmy won’t be playing an FPS that is only available on PC. However, I could see this being a problem for other games.

I will add your opinion as well when I get the chance.

Uh no, if your game has good security you would never need to do this. Plus it prevents new players from coming to your game, will they come back if you kick them? The only games which need to do this are roleplay games because of trollers spamming their games.

Also it’s super easy to get accounts more than a month old, the reason I know this is me and my cousin bought a lot of accounts for cheap from an account dump.

So basically don’t do this since it’s terrible for experience, can be bypassed, and is just a bandage fix if you have trash security.

3 Likes

Why did you put in detecting coregui objects, with the other two points that aren’t bad?
you should never bother trying to detect exploits client-side, exploits can literally hide your GUI detections with syn.secure_call(TheirGui) (or whatever it can be)

The CoreGui is the most common place for an overlay of some sort. It is possible to detect a CoreGui change from the server.