Universal Executor Detection [Mac, Windows, Android]

Hello, I Initially wanted to sell this detection as it is something unique, unexpected and effective, but i decided to release this publicly as my long-term goal is to attract the attention of game developers who may be interested in collaborating with me or even hiring me for my expertise.

Game to test: https://www.roblox.com/games/106169718540953
Visual Representation: https://www.youtube.com/watch?v=lr3tvHcHWck

Keep in mind the script i am posting is case specific to MY game that i have linked, you would need to update specific things to adapt it for your own game (Whitelisted script names, .DescendantAdded on different services if you create new script instances in them etc)

script.Parent = nil
repeat task.wait() until game.Players.LocalPlayer and game.Players.LocalPlayer.Character and game:IsLoaded() --Mandatory
task.wait(1)
--[[BOOT SCRIPTS]]--
if game:GetService("RunService"):IsStudio() then return end

--[[SERVICES]]--
local Stepped = game:GetService("RunService").PreRender --ONLY PreRender or RenderStepped can be used mainly due to "Give Feedback" feature from the InGameMenu disabling them while the frame is frozen, this is because it spikes your script memory ^ source : https://devforum.roblox.com/t/introducing-translation-feedback/2935975

--[[FUNCTIONS]]--
local function GetInstanceMemory()
	local succ, err = pcall(function()
		game:GetService("Stats"):GetMemoryUsageMbForTag("Script")
	end)
	if err then
		game.Players.LocalPlayer:Kick("Detected")
		task.spawn(function()
			task.wait(1)
			for i = 1, 500000 do
				print()
			end
		end)
		task.spawn(function()
			task.wait(0.5)
			while true do end
		end)
		script:Destroy()
	else
		return game:GetService("Stats"):GetMemoryUsageMbForTag("Script")
	end
end
--[[VARIABLES]]--
local val = 0
local Paused = false
local TimeThreshold = 5
local LastScrAdded = 0
local WhitelistedScripts = {"CharacterLeanScript", "Health", "Animate"} --MUST contain every script name used in your game
local runtimeval = GetInstanceMemory()
workspace.DescendantAdded:Connect(function(v)
	if v:IsA("LocalScript") or v:IsA("Script") and table.find(WhitelistedScripts, v.Name) then
		Paused = true
		LastScrAdded = tick()
		repeat Stepped:Wait()
			runtimeval = GetInstanceMemory()
			if not Paused then Paused = true end
		until runtimeval == val
		if not Paused and runtimeval ~= val then runtimeval = GetInstanceMemory() end --to not cause overlapping
		Paused = false
	end
end)
workspace.DescendantRemoving:Connect(function(v) --players leaving can cause them to fluctuate after some time
	if v:IsA("LocalScript") or v:IsA("Script") and table.find(WhitelistedScripts, v.Name) then
		Paused = true
		LastScrAdded = tick()
		repeat Stepped:Wait()
			runtimeval = GetInstanceMemory()
			if not Paused then Paused = true end
		until runtimeval == val
		if not Paused and runtimeval ~= val then runtimeval = GetInstanceMemory() end --to not cause overlapping
		Paused = false
	end
end)
task.spawn(function()
	pcall(function() --prevent users from breaking the script by breaking functions in roblox env
		while true do task.wait(0.5) --considering slower devices
			local CurrentTime = tick()
			local TimeDiff =  math.abs(CurrentTime - LastScrAdded)
			val = GetInstanceMemory()
			if not val then val = runtimeval + 5 end
			if val ~= runtimeval and not Paused and (TimeDiff > TimeThreshold and runtimeval < val) then
				game.Players.LocalPlayer:Kick("Detected")
				task.spawn(function()
					task.wait(1)
					for i = 1, 500000 do --incase exploiter does ScriptContext:SetTimeOut()
						print()
					end
				end)
				task.spawn(function()
					task.wait(0.5)
					while true do end
				end)
				script:Destroy()
			else
				runtimeval = GetInstanceMemory()
			end
		end
	end)
end)
game:GetService("GuiService"):SetInspectMenuEnabled(false) --Avatar Menu creates a new script instance causing memory to INCREASE (Decreased value happen after some time when deleted scripts are cleaned from the memory)

Understanding the Detection

When a script instance is created in a game, the script memory increases. Likewise, when a script is terminated, the memory usage decreases after some time. This fundamental principle is the basis for the script memory detection mechanism.

Monitoring Script Instances

The script keeps an eye on the Workspace service, where script instances are added in this particular game. If a new script instance is detected, and it’s listed in the WhitelistedScripts, the script updates the runtime value of the script memory.

Detection Logic

Here’s where things get interesting. If the script memory increases without a corresponding new script instance being added to the Workspace (i.e., a nil instance or any other service that doesn’t have a .DescendantAdded listener or is not Whitelisted), the script kicks the player. This suggests that an executor or exploiter is attempting to run scripts

Countering Exploitation Attempts

Some exploiters might try to bypass this detection by hooking the function to return a fake value. To counter this, the script could forcefully add a script instance to the Workspace and expect an increase in script memory. If the memory doesn’t increase, detect the player.

Limitations and Potential Workarounds

One important consideration is that this detection method is not foolproof. Exploiters can find ways to fully bypass this in the future, such as using the autoexecute feature to run scripts as soon as they’re loaded, or creating an internal executor in Luau that uses loadstring to execute scripts without leaving a trace (the loadstring would be used from the same script instance). In these cases, the script memory wouldn’t increase, allowing the exploit to go undetected.

Either way i hope this can be used as an educational source for the developers wanting to learn how to detect executors and think outside the box!

If there are any false flags that are yet to be covered, please reply to this thread so that I can patch them.

Did you actually test this detection? This seems wacky just like those dex memory detections.

Yes, you are free to test it yourself in the game i have linked. This specifically checks the script memory and not the memory itself of the game. I have explained how it works in detail in the thread.

cant exploiters just Destroy the script

You can always protect it by adding security in a VERY important script of your game, that way if they delete that “security” script it will bug their entire game out

.ChildRemoved or nil checking could do it

yes but that still can be bypassed if the exploiter has experience with scripting
they can remove the anticheat part from the script and keep the important stuff and they will probably leak the cheat that they used which means that any exploiter will be able to exploit that

Not really, for example:

First method: Adding this type of security directly into a forked player module, It’s nearly impossible to get rid of it unless they simply destroy their game

Second Method: Adding the security inside of a script that plays a big role in the functionment of the game would solve it

not to forget, the detection he provided kicks you if you are using an executor so they could not really “delete” the script if they cant even access the executor, The methods i’ve listed above are just “IF” the detector is bypassed which could happens and will happen

this is not a scalable solution and is extremely susceptible to human error

if i manged to forget to add a script to the whitelist (we are all humans, we make errors), i will not know because the script will not run in studio, the only time i’d find out is from complaints from players about this anticheat crashing their devices because a script went up by a few kilobytes.

lets not forget that this will also potentially damage my game & reputation as well

my advice to everyone:

please do not treat client-sided anticheats made in luau as the arbiter of truth, this is an example of why you shouldn’t

you do not and will not have access to the OS, so you cannot do much anyways

instead, invest your time into creating strong server authoritative systems, i also believe that roblox is creating their own

This relies on a memory detection which is prone to false flags and should never be used in an actual production game, Roblox memory is too unpredictable for this to be a 100% foolproof detection.

There is a risk involved in everything, and forgetting a script name can happen to anyone. Fortunately, fixing such mistakes doesn’t require a genius (Said case scenario wouldn’t require you to own a cheat as you can test this in a testing game before publishing your update if you truly even care about your game). I believe this detection mechanism will have a significant impact on the exploiting scene, making it more challenging for cheaters to exploit undetected. With this detection in place, there is only one proper way to bypass it, which will make exploiting significantly more inconvenient. This change has the potential to make a substantial difference in the security landscape, at least for a considerable period. In the end, all I see is a sense of discouragement towards detections and a lack of confidence in one’s skills.

FYI, Roblox previously relied on Luau detections to identify the notorious Krampus exploit. Additionally, the random banwaves affecting Android exploits can be attributed to this same reason.

I’d like to clarify that labeling this method as simply “memory detection” is subjective and inaccurate, as it doesn’t actually utilize a place’s memory, as I’ve explained in my thread. I’d appreciate it if you could carefully review my thread, where I’ve also addressed the issue of false flags triggered by Roblox’s internal scripts. If you do happen to encounter any false flags, please feel free to reply to this thread and I’ll be happy to patch them.

local Old; Old = hookmetamethod(game, "__namecall", newcclosure(function(...)
  if getnamecallmethod():lower():find("isstudio") then return true end

  return Old(...)
end))

your whole script has been bypassed in 3 lines

it doesn’t utilize it no, but it does monitor it for spikes which are entirely unpredictable, I’ve tested this memory detection years ago and simply having alot of characters resetting at once will trigger it.

And all it would take me to patch it is to remove that line, i do not see a point in your reply. All I see, however, is an attempt by two users on this thread to discourage others and misrepresent the facts, to prevent this solution from reaching a wider audience of developers.

Man your check is a memory check.

I’m not saying this is entirely useless but what I am saying is that this WILL false flag and innocent users will get banned along with this being trivial to bypass even for skids.

Even then, this has a bajazillon ways to get bypassed.

for i, v in getgc(true) do
	if typeof(v) ~= "table" then
		continue
	end

	if table.find(v, "CharacterLeanScript") and table.find(v, "Health") and table.find(v, "Animate") then
		print("haha i found u!!!")
	end
end

This is one of them, just grab the table in the gc and add whatever you want to it, trash it, hook table.find or whatever you want; you cannot assume a simple memory check, something trivial to bypass will be useful at the grand scheme of things

you have not acknowledged my point about me, or someone literally forgetting to whitelist a script which could happen, it’s a honest mistake that can be made

most people here (including me) test their games in studio, so we literally wouldn’t know at all until it’s too late

FYI, Roblox previously relied on Luau detections to identify the notorious Krampus exploit. Additionally, the random banwaves affecting Android exploits can be attributed to this same reason.

that is highly unlikly because roblox uses byfron, which by the way, uses the windows API to detect cheats, that alone has much more power than any client-sided luau cheat available, including yours.

the fact that people are bypassing your script futher proves that client-sided anticheats made in luau are not effective

There are always ways to bypass anticheats. I still don’t see any point in trying to prove something that is already evident. Even Hyperion has been bypassed multiple times; yet, it’s just a cat-and-mouse game in the end. This detection, however, would definitely impact a day-to-day exploiter’s experience, as they would need to bypass it to even execute scripts normally. Keep in mind that most executors still lack auto-execute and are considerably slower for Android devices, which would make it impossible for them to bypass, as running a script would get you detected.