What exploit is this and how do I patch it?

So in my game people are reporting an exploit, I believe it’s an exploit using VR mode but I’m not sure. What’s the best way to patch this?


1 Like

I’m taking an educated guess here, but I have heard of people being able to use accessories such as their hat and hair to replicate stuff like this; perhaps this could be the reason? If so, I recommend writing a script to delete all accessories when a player joins.

1 Like

I believe it’s a VR exploit.

@colbert2677 made a post on it a while back, but there wasn’t any solution found.

There was a client sided solution which you could try, but don’t rely on it.

Here was a client sided solution. Put this in ReplicatedFirst, it’s the fastest way to have this executed.

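```lua
-- LocalScript in ReplicatedFirst
local VRService = game:GetService("VRService")
local UserInputService = game:GetService("UserInputService")
-- Kick() is a method of the Player object, not of the Players service
local player = game:GetService("Players").LocalPlayer

-- Kick right away if a VR device is already active
if UserInputService.VREnabled then
    player:Kick("VR support is not available for this game.")
end

-- Kick if VR tracking data starts arriving later
VRService.UserCFrameChanged:Connect(function()
    player:Kick("VR support is not available for this game.")
end)
```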

This isn’t a very good solution, but it’s the best one I found and can be used temporarily until a server sided solution is found.

If a server sided solution is found, let me know.

1 Like

But I don’t think you want all your players to be hatless

I fail to see how exploiters can manipulate their accessories to achieve an exploit such as this. Spewing nonsense might even make the OP actually take measures to do this, creating poor UX (given that the game allows people to use their own avatars) and make them write unnecessary code to mitigate an issue that is not even remotely related to a player’s accessories.

I would recommend looking into checking if a player is in VR mode as I did some digging and there is reasonable evidence in this article that the exploit is caused by VR players.

There is no solid way to determine if a player is in VR mode on the server, so the best way I can think of (can be bypassed by exploiters) is to fire a RemoteEvent determining if the player is in VR mode, and prevent them from playing (such as kicking or softlocking their game) until they disable their VR device/headset.
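One way to wire up the RemoteEvent check described above, as an added example that is not part of the original thread. The event name `VRStatusReport`, the timeout and the rule that a client which never reports gets kicked are assumptions of this sketch; a modified client can still report `false`.

```lua
-- Added example: Script in ServerScriptService (all names are hypothetical)
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

local REPORT_TIMEOUT = 30 -- seconds a client has to report (assumed value)
local KICK_MESSAGE = "VR support is not available for this game."

local vrReport = Instance.new("RemoteEvent")
vrReport.Name = "VRStatusReport"
vrReport.Parent = ReplicatedStorage

local reported = {} -- [Player] = true once a "not in VR" report arrived

vrReport.OnServerEvent:Connect(function(player, vrEnabled)
	-- Client input is untrusted: anything except a literal false is rejected.
	if vrEnabled ~= false then
		player:Kick(KICK_MESSAGE)
		return
	end
	reported[player] = true
end)

Players.PlayerAdded:Connect(function(player)
	-- A client that stays silent is treated like one that reported VR.
	task.delay(REPORT_TIMEOUT, function()
		if player:IsDescendantOf(Players) and not reported[player] then
			player:Kick("No VR status report received.")
		end
	end)
end)

Players.PlayerRemoving:Connect(function(player)
	reported[player] = nil
end)

--[[ Client half, LocalScript in ReplicatedFirst:
local UserInputService = game:GetService("UserInputService")
local event = game:GetService("ReplicatedStorage"):WaitForChild("VRStatusReport")
event:FireServer(UserInputService.VREnabled)
UserInputService:GetPropertyChangedSignal("VREnabled"):Connect(function()
	event:FireServer(UserInputService.VREnabled)
end)
]]
```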

I was an exploiter a while ago (I don’t exploit now) and this is probably Filterware/Homebrew/BXFE (all fe script hubs) and they use network ownership. How this script works is since your accessories are on your character you can delete their mesh and it would replicate. Then you parent your accessories to the workspace so they “drop”. Since they are unanchored you could set your simulation radius to math.huge (using sethiddenproperty() or setsimulationradius() [for synapse]) and then you can move the “blocks” anywhere you want and it will replicate.

For how to patch this, I would make a script in ServerScriptService and check every few seconds for accessories in the workspace. If there is an accessory, then delete it. This will stop hat exploits, but there is still another “fe” exploit that I know of, which is called “reanimation” (also known as a “vr exploit”). Basically you execute a permadeath script (so you don’t respawn) and then kill yourself so your whole body is unanchored. Then you can use motors/network ownership to move yourself/animate yourself any way you want. I don’t know any way of patching this right now; this is kind of Roblox’s issue.

7 Likes
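The periodic server-side sweep suggested in the post above, as an added example that is not part of the original thread. The interval, the helper names and the rule that an accessory inside any Model with a Humanoid counts as worn are assumptions of this sketch.

```lua
-- Added example: Script in ServerScriptService (names and interval are assumptions)
local SWEEP_INTERVAL = 3 -- seconds between sweeps (assumed value)

-- True while the accessory is still worn: some ancestor is a Model that
-- contains a Humanoid (a player character or an NPC rig).
local function isWorn(accessory)
	local model = accessory:FindFirstAncestorOfClass("Model")
	while model do
		if model:FindFirstChildOfClass("Humanoid") then
			return true
		end
		model = model:FindFirstAncestorOfClass("Model")
	end
	return false
end

-- Destroys every Accessory in workspace that is not worn; returns the count.
local function sweepLooseAccessories()
	local removed = 0
	for _, inst in ipairs(workspace:GetDescendants()) do
		if inst:IsA("Accessory") and not isWorn(inst) then
			inst:Destroy()
			removed += 1
		end
	end
	return removed
end

-- React at once when an accessory is parented directly under workspace.
-- Deferred so the instance is not destroyed while its parent is still being set.
workspace.ChildAdded:Connect(function(child)
	if child:IsA("Accessory") then
		task.defer(child.Destroy, child)
	end
end)

-- Sweep periodically for accessories parented deeper (folders, plain models).
while true do
	local removed = sweepLooseAccessories()
	if removed > 0 then
		warn(("Removed %d loose accessories from workspace"):format(removed))
	end
	task.wait(SWEEP_INTERVAL)
end
```

A game that deliberately places Accessory objects in workspace (display items, pickups) would need an allow-list before using a sweep like this.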

Do you have some kind of source code for this exploit that you can post here? I’d like to read through it to see how it works.

What exploit do you want source code for?

The VR exploit, I’d like to read through it and see how it uses accessories to replicate client sided changes.

This is roughly what the script is. I just wrote this based on what I remember.

Deleting mesh of accessories and dropping them:

```lua
for i,v in pairs(game:GetService("Players").LocalPlayer.Character:GetChildren()) do
	if v:IsA("Accessory") then
		v:WaitForChild("Handle"):GetChildren()[1]:Destroy()
		v.Parent = workspace
	end
end
```

I don’t know how the reanimation works but you could go on v3rmillion.net and search for “clovr vr script” or something and see if there is a source code for permadeath.

EDIT: Forgot to mention in my other post there is another fe script hub called “hat hub” like the person said below me, it got leaked

EDIT2: messed up my code it should work now

This is a paid script called hat hub. It got leaked recently, so expect to see this more. Try making the game check for a hat mesh, and when the mesh is removed, kick the player or load their character.

1 Like

Thank you very much for this information.
I’ve written this anti-exploit, do you think it can be bypassed?

```lua
-- Server Script in ServerScriptService --
local Players = game:GetService("Players")
local Debris = game:GetService("Debris")

Players.PlayerAdded:Connect(function(Plr)
	local Event
	Plr.CharacterAdded:Connect(function(Char)
		-- Drop the listener that belonged to the previous character
		if Event then
			Event:Disconnect()
		end
		Event = Char.DescendantRemoving:Connect(function(Obj)
			-- A mesh leaving a Handle, or an Accessory leaving the character
			if (Obj.Parent and Obj.Parent.Name == "Handle" and Obj:IsA("SpecialMesh")) or Obj:IsA("Accessory") then
				Debris:AddItem(Obj, 0)
				-- Force a respawn: kill the character, or reload it if it has no Humanoid
				local Hum = Char:FindFirstChildOfClass("Humanoid")
				if Hum then
					Hum.Health = 0
				else
					Plr:LoadCharacter()
				end
			end
		end)
	end)
end)
```

(I’ve tested it and it works)

1 Like

Simple patch for this: make it only R15, since this script only works for R6.

My game is fully R15, but they still managed to do it.

This works on r6 too since it’s using hats and not the players dead limbs

The best thing is to see which hats are required and, if they match in the character, remove them, since it requires some hats, like 10 or 9 hats depending on which thing. It won’t make a false detection, since no one is going to wear the same things unless the person wants to do something. For example, the hand requires:

https://www.roblox.com/catalog/4855525473/Nagamaki
https://www.roblox.com/catalog/8337370/Blockhead-Baseball-Cap
https://www.roblox.com/catalog/48474313/Red-Roblox-Cap
https://www.roblox.com/catalog/48474294/ROBLOX-Girl-Hair
https://www.roblox.com/catalog/451220849/Lavender-Updo
https://www.roblox.com/catalog/62724852/Chestnut-Bun
https://www.roblox.com/catalog/20372960/Bed-Hair
https://www.roblox.com/catalog/63690008/Pal-Hair
https://www.roblox.com/catalog/62234425/Brown-Hair
https://www.roblox.com/catalog/376524487/Blonde-Spiked-Hair

You need to check in the character whether these items are there and remove them.

This should work if it is on the server (looks like it is). For the reanimation thing where you use your dead limbs to animate yourself I think that you should be fine if your game is r15. It is still possible to do a reanimation script in r15 but much harder bc you have more limbs (sorry for late reply).

I actually know a bit about this. A lot of times exploiters will use workspace:UnjoinFromOutsiders to move the hats even when they are inside of their characters. The best way around this is:

```lua
workspace.DescendantRemoving:Connect(function(part)
	if part.Name == "AccessoryWeld" then
		workspace:UnjoinFromOutsiders({newproxy(true)})
	end
end)
```