What the tool-"dupe" exploit is and how to patch it

What is this exploit being used for?
As of the time of this post, exploiters are using this exploit to abuse Roblox’s traditional tools- allowing them to re-parent their own tools to the StarterPack, StarterCharacterScripts, and their own StarterGear. As of last night, they released to the public an exploit that allows them to manipulate their own tools and then re-parent them to another character, allowing them to do some wild hacks that make other people skydive, “fastbring”, and even crash the server by essentially re-parenting tools into the StarterPack/StarterCharacterScripts until the game slows and inevitably crashes.

What can I do about it?
There are two ways you can go about this:

  1. All of these exploits abuse traditional Roblox tools- so games that use custom tool systems are seemingly immune to this. If you do not already use a custom tool system for your game, this may seem like an extreme option. Thankfully, there’s another way.
  2. You can attempt to track these changes on the server- and because they replicate, the server actually can detect these exploits fairly easily. I have created a script that can detect and stop this exploit in its tracks. You can grab it here- I just recommend reading the comments inside the script before adding it to your game.

Sources:
When it first started occurring in my game, I didn’t believe it. I thought it was an admin screwing around or maybe an unsecured RemoteEvent. So to confirm my suspicions, I created a baseplate with only one thing: a tool giver. You can find the place I used as a control here, it is uncopylocked. Exploiters who were more than willing to show off showed me how it worked and allowed me to test on them.

You can find the exploit yourself on v3rmillion (along with examples of its use), just search “Free Roblox Script Graphene Admin | universal tool dupe | control and kill players” or use the thread id 1183947. I would post the link, but I’m not sure I’m allowed to post links to v3rm on here.

So how did you patch it?
Link to Model: Anti-Tool-Dupe - Roblox

Source Code:
```lua
local SCS = game:GetService('StarterPlayer'):WaitForChild('StarterCharacterScripts')
local SP = game:GetService('StarterPack')
local Players = game:GetService('Players')

local Bans = {}

local function EnsureDestroy(Child)
	pcall(function()
		repeat Child:Destroy() task.wait() until not Child.Parent -- This is really crude and probably could be better but it gets the job done
	end)
end

SCS.ChildAdded:Connect(function(Child)
	-- This will detect whenever anything NEW is added, if for whatever reason you actually insert stuff here
	-- later in the game you should add an if statement to check if its allowed
	EnsureDestroy(Child)
end)

SP.ChildAdded:Connect(function(Child)
	-- This will detect whenever anything NEW is added, if for whatever reason you actually insert stuff here
	-- you should add an if statement to check if its allowed
	EnsureDestroy(Child)
end)

local function CharacterHookup(Player, Character)
	Character.ChildRemoved:Connect(function(Child)
		if Child:IsA('Tool') and not Child.CanBeDropped then -- If the tool can be dropped, it's not protected by this patch :(
			-- You should also make sure that you don't parent the same tool from someone else into another players backpack
			-- (CLONE IT INSTEAD)
			-- FindFirstChildOfClass returns nil instead of erroring if the player has already left
			repeat task.wait() until not Child.Parent or Child.Parent == Player:FindFirstChildOfClass('Backpack') or Child.Parent:FindFirstChild('Humanoid')
			if not Child.Parent then
				EnsureDestroy(Child)
			else
				if Child.Parent:FindFirstChild('Humanoid') then
					local NewPlayer = Players:GetPlayerFromCharacter(Child.Parent)
					if NewPlayer ~= Player then
						EnsureDestroy(Child)
						Bans[Player.UserId] = true -- You can remove these lines if you don't want to ban them
						Player:Kick('Banned by Anti-Cheat') -- You can remove these lines if you don't want to ban them
					end
				end
			end
		end
	end)
end

Players.PlayerAdded:Connect(function(Player)
	if Bans[Player.UserId] then
		Player:Kick('Banned by Anti-Cheat')
		return -- Don't hook up events for a player who is being kicked
	end
	
	local SG = Player:WaitForChild('StarterGear')
	SG.ChildAdded:Connect(function(Child)
		-- This will detect whenever anything NEW is added, if for whatever reason you actually insert stuff here
		-- later in the game you should add an if statement to check if its allowed
		EnsureDestroy(Child)
	end)
	
	if Player.Character then
		CharacterHookup(Player, Player.Character)
	end
	
	Player.CharacterAdded:Connect(function(Character)
		CharacterHookup(Player, Character)
	end)
end)
```

In this script, I made it detect whenever a new child is added to StarterPack, StarterCharacterScripts, and your own StarterGear folder and delete anything that’s added to it. If for whatever reason you actually add stuff here in your game, just add a whitelist.

The above effectively stops people from duplicating tools to the server and prevents people from crashing your game. To patch the remaining exploits such as skydive and fastbring, I detected whenever a tool is removed from the character and listened for a new parent. If the new parent is not the backpack or the character of the person it originates from, it immediately destroys the tool and server-bans the player (You can easily modify this if you don’t want to ban people).

An important note: Because of the way this works, please disable tool dropping in your game as tool dropping will render the second part of the script useless. If you have to give a tool from one player to another, it is important to clone the tool (and destroy the original, if you want) and give it to the new player instead of re-parenting it- as this will trip the anti-cheat.

I hope this helps. :smiley: :+1:

30 Likes
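
One way to write the whitelist the post above suggests for games that do add things to StarterPack, StarterCharacterScripts or StarterGear at runtime. This is an added example, not part of the original post or the linked model; `allow`, `guard` and `guardPlayer` are hypothetical names, and it assumes whatever is in a container when `guard` runs is trusted.

```lua
-- Added example (not the thread's code): allowlist for the guarded containers.
local Players = game:GetService("Players")
local StarterPack = game:GetService("StarterPack")
local StarterCharacterScripts = game:GetService("StarterPlayer"):WaitForChild("StarterCharacterScripts")

local allowed = setmetatable({}, { __mode = "k" }) -- [Instance] = true

-- Server code calls this BEFORE parenting something new into a guarded container.
local function allow(instance)
	allowed[instance] = true
	return instance
end

local function guard(container)
	for _, child in container:GetChildren() do
		allowed[child] = true -- assumption: contents present at hook-up time are trusted
	end
	container.ChildAdded:Connect(function(child)
		if not allowed[child] then
			warn(("Unapproved %s added to %s"):format(child.ClassName, container:GetFullName()))
			task.defer(child.Destroy, child) -- deferred so we don't reparent inside the signal
		end
	end)
end

guard(StarterPack)
guard(StarterCharacterScripts)

local function guardPlayer(player)
	guard(player:WaitForChild("StarterGear"))
end
Players.PlayerAdded:Connect(guardPlayer)
for _, player in Players:GetPlayers() do task.spawn(guardPlayer, player) end
```

Server code that legitimately adds an item would write `allow(item).Parent = StarterPack`; anything that appears without that call is logged and destroyed.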

Raknet is a protocol and networking middleware lol. http://www.raknet.com/

These exploits are abusing vulnerabilities in Roblox’s packets (sent by raknet), which fun fact! Roblox tracks and if you abuse them you will get banned.

9 Likes

So, roblox will ban ME?

I think I won’t use this anymore, my game is still small

Roblox will ban the people abusing the exploit, not the people using this patch.

1 Like

ok, whew

Thanks for making this exploit, it seems like it’s the worst for hackers

EDIT: Anti-exploit (silly me)

*Anti-exploit

You’re welcome. I hate exploiters with a passion. Whenever I can share knowledge with the community on a concrete, one-size-fits-all solution, I feel it is my duty to do so.

2 Likes

Very interesting indeed, however can an exploiter find a way to bypass this?

Would you not need a whitelist if you are giving a player a tool through tool.Parent = character or would you need to do tool.Parent = plr plr.Humanoid:EquipTool(tool)?

This is roblox we’re talking about here :skull: let’s be honest this prob won’t even get patched for a long time and I HIGHLY doubt they would put in effort to ban users over this.

1 Like

You don’t need to whitelist if you’re giving a brand new tool to a character. This script detects if a tool someone else had is given to a new person.

That’s why I said if you have to do that, clone the tool and parent it and delete the old tool.

This is a good approach to patching the exploit and should do the job well.

I’ve taken a similar approach myself to patching it but with some minor differences.

Including the main stuff like watching StarterGear and characters and other dupe points, I am also tracking when new tools are added to a player’s backpack and then making sure those tools only are parented to the player’s character and/or back to their own backpack.

If the tool is parented elsewhere it is assumed to be a malicious reparent and destroyed, with the original tool owner dealt with by the server. The reason for this additional system is as it seems malicious actors are able to parent these tools to other places too.

This approach seems to work and we’ve had no instances of successful tool exploits occurring in our games since the installation of this.

Hopefully Roblox will patch this completely so we won’t need to do these checks ourselves, this was plaguing my games for a while now and I had no clue how they were doing it for the longest time.

2 Likes
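
A sketch of the backpack-tracking approach described in the reply above, added here as an example; it is not that poster's code or the original post's. `claim`, `watchPlayer` and `giveCopy` are hypothetical names, it assumes tool dropping is disabled and that legitimate hand-overs go through `giveCopy`, and it logs and destroys the tool without kicking anyone.

```lua
-- Added example (not the thread's code): each tool is tied to the first player
-- whose Backpack it appears in, and every later move is checked without yielding.
local Players = game:GetService("Players")

local ownerOf = setmetatable({}, { __mode = "k" }) -- [Tool] = owning Player

local function claim(player, tool)
	if not tool:IsA("Tool") or ownerOf[tool] then
		return -- not a tool, or already owned (the handler below judges the move)
	end
	ownerOf[tool] = player
	tool.AncestryChanged:Connect(function(child, parent)
		if child ~= tool then
			return -- an ancestor moved (respawn, leave); the tool itself did not
		end
		-- Decision is made inside the handler, with no wait() before it.
		local backpack = player:FindFirstChildOfClass("Backpack")
		if parent ~= nil and (parent == backpack or parent == player.Character) then
			return
		end
		if parent ~= nil then
			warn(("%s: tool %s moved to %s"):format(player.Name, tool.Name, parent:GetFullName()))
		end
		task.defer(tool.Destroy, tool) -- deferred so we don't reparent inside the signal
	end)
end

local function watchPlayer(player)
	local function watch(child)
		if child:IsA("Backpack") then
			child.ChildAdded:Connect(function(item) claim(player, item) end)
			for _, item in child:GetChildren() do claim(player, item) end
		end
	end
	player.ChildAdded:Connect(watch) -- also catches a Backpack created later
	for _, child in player:GetChildren() do watch(child) end
end

-- Legitimate transfer: the recipient gets a fresh clone, the original is destroyed.
local function giveCopy(tool, toPlayer)
	local copy = tool:Clone()
	tool:Destroy()
	copy.Parent = toPlayer:FindFirstChildOfClass("Backpack")
	return copy
end

Players.PlayerAdded:Connect(watchPlayer)
for _, player in Players:GetPlayers() do watchPlayer(player) end
```

Tools the server parents straight into a character are only claimed once they pass through that player's Backpack, so give new tools via the Backpack if they should be covered from the start.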

Tools are a completely silly mess. I came across this exact same exploit wherein exploiters could flood the starterpack with malicious tools and essentially cause the anticheat to explode. It’s completely laughable.

This is the least educated post I have ever seen since crosswoods was happening.

Wrong and wrong. It’s been around for ages, and it’s not an exploit. It’s literally part of Roblox’s networking systems and has been exploitable for years, it’s just nobody has actually been publicly doing anything with it until recently (and even then it’s still tightly under wraps due to how abusable it is for some things such as faking purchases in games)

Users could already (locally) do this for years with exploits. I haven’t looked too far into raknet abuse, however from what I know I don’t believe that this would be possible to replicate to the server in the way you’re describing it. (I may be wrong here, so please correct me with sources if you can as I would love to learn more)

Again, Raknet isn’t an exploit, and who is the “they” in this case?

The things you’re describing (skydive, fastbring, etc) were already possible with regular scripts, and I believe still are. None of those needed interaction with Raknet.

No idea what custom tool system means here considering all tools are custom by default (unless you’re talking about using free models or making your own scripts?) and not to mention those fling things and such all come down to how the tools are coded

I took your bait and got the model to see how bad it was considering how uneducated this thread was so far.

From what I can gather, this could be abused to falsely ban players by simply transferring the tool to their character, easily done by dropping the tool in a place where they can pick it up (as last I checked that can be modified client side, the server will still think it can’t be dropped meaning it can still ban whoever picks it up) or simply equipping it to them by other means.

Plus, as you already said, cloning the tool will defeat this apparent anticheat entirely.

I looked into it, this sure as hell isn’t using Raknet as there is currently only like one or two executors that actually let you interact with any Raknet features, and this is a standalone script that apparently works on anything. I’d be genuinely willing to put money down that this script you mentioned isn’t actually doing anything with Raknet to begin with. Heck, if the replies are true, parts of this script are old as time itself.


They don’t, and you won’t.

10 Likes

Yeah… You are focusing on one vulnerability which can be found by raknet exploit… Raknet is just a fancy word for networking and there are a lot of other vulnerabilities… It was for example possible to shutdown people’s clients in games by rnet.shutdown() (source: Trust me bro).

The exploit with skydiving is an absolutely separate exploit, which is not limited to skydiving.
It is an exploit which allows you to claim the target’s network ownership (means you can mostly do anything you want with the target).

There is feature to send packages and roblox logs those, so yes exploiters can get banned IF they send random packages.

Raknet is the middle-man api used to send/receive information to/from the roblox server. It’s what enables a roblox game to be multiplayer. They have billions of checks in place for what can be sent out, but every now and then, something slips through this filter. It happens all the time.

The script that re-parents tools is based on a bug that already exists, and can be achieved from a regular localscript in a game (I won’t publicly share this script because that would be bad). This has existed privately for a few years, and only lately was it leaked to the public

The exploit you must be referring to is “ScriptWare”. Unless you’re referring to a private exploit called “Celery”, which has an api in lua that provides full control over everything being sent to the server. This rarely offers more possibilities than using a regular script, but it’s not really “abusing” anything that isn’t already there. It really just allows you to use less lua code, to achieve the same thing. The script can be written to work with any exploit – it’s just easier to do it using Celery and its networking api.

We can conclude it’s nothing more than a bug in roblox’s filter, since it can be done without any exploits (just a localscript in a game). All we can do is report it to Roblox and wait for a patch to be made

This is neither new nor Raknet. Raknet is the API Roblox uses to handle packets/packet information.

There have been exploits regarding the Player’s Character and things parented under it for years. For instance, exploiters have and still can delete instances under their character model freely. This has, IIRC, been used to give a form of pseudo godmode when a script checks for missing limbs or such.

This tool exploit is more powerful, but it isn’t new. It’s only being used more now due to, as far as I can tell, three reasons:

A. More free and powerful scripts are utilizing it
B. It’s more universal than exploiting game-specific things like unsafe remotes.
C. I haven’t seen a single (although it may exist) Anti-Cheat on this forum protect against it. (I’ve seen multiple tool use patched, but not this)

Due to these reasons, it’s a particularly favorable exploit to capitalize on.

Although you are not entirely incorrect, you are being incredibly unfair.

This issue, although pervasive, hasn’t been tackled by many public Anti-Cheats, or even been discussed much in Anti-Cheat creation discussion.

So, even with its mistakes, this post does well in making developers who were previously unaware, or new, understand these capabilities. If the code is subpar, good developers will simply modify it to fix these issues. If said developers are not yet at that level, then they have other pressing issues to also worry about (movement hacks, unsafe remotes, etc).

You seem to forget that posts can be edited, and that the author can rectify their mistakes and improve their script. I don’t get why there’s so much venom in your rhetoric.

This clearly isn’t constructive criticism, as instead of simply informing someone of their mistakes and encouraging improvement, you are simply tearing down their statements and credibility. That isn’t helpful.

1 Like

I have updated the title of this post as well as the content in it since people have completely missed the point. This post was made to educate people of a new (by new, I mean recently released on v3rmillion where this wasn’t a huge deal before) exploit that I learned how to patch- and how to go about patching it themselves.

I also updated the model/source code due to some small issues with it.

I want people’s games to be protected against these bad actors. If you don’t want or don’t need this information, move on- there’s nothing here for you.

1 Like

Could you create this post as a bug/exploit report, instead of just as a resource, so it gets seen by Roblox staff?

I’m seeing vectors by which the code you provided could be used to maliciously ban other players if the exploit you describe in OP is actually possible. For example, if a player has a sanctioned tool in their StarterGear, then reparents it to another player’s StarterGear, you’re giving the exploiter the power to ban other players. Double check those yields—wait() statements will skip over one or more entire replication frame, so packets can trivially be sent by an exploiter to reparent their StarterPack to another player’s StarterPack, and ban the other player instead of themselves.

You should really report this exploit on the proper forum (#bug-reports:engine-bugs) if you believe it’s still working and reproducible. You can include the v3rm files in a private message to Roblox staff there.

4 Likes