This guide will explain how exploits work and how to prevent them.

I’ve been learning reverse engineering over the summer and have also honed my C skills. I tend to see a lot.
There was a lot of misinformation about exploits in the forums. Now that I know how they work, it felt right to clarify everything and assist developers in preventing them.

Let’s start by clarifying:
Yes, Roblox has been reversed. I wrote an exploit to play with their Lua to gain a better understanding of how it works. My exploit will not be released publicly and I won’t use it to cheat in real games. It was written for educational purposes.

Let’s start with the basics: What types of exploits exist?
Roblox has many exploits. Script executors are the most popular because they allow you to do virtually anything without any restrictions.
Exploiters can execute scripts in three main ways, but they are not essential to your ability to develop countermeasures.

Second, Roblox should do more to stop exploiters.
I have seen their security measures and know that they do everything they can to stop exploiters. This is the only reason why there are so many exploits
It is all because of the hardworking and smart people in this community that work together to get around Roblox’s restrictions, such as Louka. eternal. DefCon.

Roblox can’t do more to stop exploiters because they don’t have the resources. Or it might require UAC privileges that would be sketchy, which could lead people to believe Roblox is a virus.
As the developer, you are responsible for anti-exploit development. Your game is your best defense against exploits.

Before we move on, let’s clarify some points.
1. By injecting the exploit, it’s almost impossible to detect. Although Roblox can do this, it is not difficult to do.
Some exploits can be detected by injection. We’ll discuss these in detail.
2. Roblox actively works to prevent exploiters. Roblox actively tries to stop exploiters. There are updates every week to shuffle the important information you would need to get an attack working.
3. Roblox cannot simply check that an exploit’s window has been closed. Roblox can check for specific windows, but most exploits will randomize the window name.
4. Anti-exploit must be written around detection scripts and not exploits.
5. Filtering Enabled does not provide a single solution. This prevents exploiters from re-engineering anything.
6. It is almost impossible to stop script and asset theft. Don’t forget that anyone who sees the client’s use can be exploited.
7. Exploiters CANNOT see server script code. They can’t see it again, so they can put a lot of checks inside.

Section 2: Different types of exploits

Exploiters can cause havoc in your game in two main ways.
First: Client script executors. These are the most popular. These are the most common. Synapse X and Sentinel are some examples. Tempest and JJSploit, which are better than Synapse X, are others.
Second: server script executors. These are commonly abbreviated “SS”, which stands for server-side. These are rarer and usually occur due to developer stupidity. You’ll find pages of SS’es and “backdoors” in the catalog’s front page models.

Backdoors are created by a server script listening to the client and executing commands or full-on scripts. These are more dangerous because they don’t have filtering and can lock your game if you don’t stop them. We saw this with MeepCity, tubers93

Backdoors are often hidden in scripts, so make sure to check every script that a model is using if they’re using FMs.
Although exploiters may try to hide their backdoors with obfuscated codes, I’ve never seen anyone be smart about it. If you see obfuscated codes, or Ctrl+ F to search for “require”, it is easy to determine if the backdoor is open.

It is easy to prevent backdoors/SS’es. Make sure you are using clean models and that the plugins are actually from verified developers.
It is more difficult to prevent client exploits, but I’ll show you how to do it below.

Section 3 – How to create your anti-exploit

Roblox does most of the anti-script execution work, as I have stated before. Because you are the only one who understands your game’s inner workings and can therefore tell what a player should or shouldn’t do.

For your anti-exploit, you want to rely almost entirely on the server. Too many people simply paste an anti-RC7 code into their client. An exploiter could delete it and be out of the loop.
An exploiter can’t delete an anti-suicide server-side exploit if they don’t have a backdoor.

Start by error logging. This will be used to our advantage to identify a lot of scripts that are poorly written.
An event must be connected to log any error. The message and parameters it sends can be used to determine if the error is exploitable. Roblox’s replication limit means that we must use this code on the client. Make sure you hide it in large client scripts!

game:GetService("ScriptContext").Error:connect(function(message, stack, scriptFrom) game:GetService("ReplicatedStorage").ConsoleError:FireServer(message, scriptFrom:GetFullName()) end) 

Next, create a remote event called ConsoleError in ReplicatedStorage. This will log any errors that are made. You can send these errors to a server to prevent false-positive bans. They will then manually review the log to decide if they should or not be banned.
Because most exploits scripts will use get a full name as a parameter, the script from parameter uses script from.

Let’s now make more scripts where exploiters use errors!
This is a simple task, but it should be completed before you start writing any other game scripts.

We will randomly assign the DataModel children names that scripts use. It will take some effort to create your game’s scripts, but it is worth it. (i promise)

This script can be placed in either a client or server script. It doesn’t matter which one you choose. If you place it in a client script, make sure you delete it after it finishes running.

game:GetService("Lighting").Name = tostring(math.random()) game:GetService("Workspace").Name = tostring(math.random()) game:GetService("ReplicatedStorage").Name = tostring(math.random()) game:GetService("Players").Name = tostring(math.random()) game:GetService("ReplicatedFirst").Name = tostring(math.random()) 

This will randomize the names for commonly used exploit services. If your scripts don’t work correctly, it could break your entire game.
To fix this, you should use the game: GetService(“ServiceName”) instead of the game.ServiceName. It’s a good practice

You can now catch an exploiter executing a script that uses Game.ServiceName.

What if they did this:
game:GetService(“Players”).LocalPlayer.Character.Humanoid.WalkSpeed = 100

Wow! That’s awful. Because an exploiter might just delete anti-exploit client-sided, we shouldn’t be able to check the client’s walk speed.
A distance checker should be added to the server. We check the distance a player has traveled every interval. They may be using speed hacks if they move faster than they should in a given time.

game:GetService("Players").PlayerAdded:Connect(function(plr) spawn(function() -- open a new thread so we don't waste stuff on the playeradded connection repeat wait() until plr.Character -- Give the character some time to load wait(2) local normalWalkspeed = 16 -- This is your player's normal walkspeed, which Roblox defaults to 16. You can change the settings if you want to use something else. local lastPosition = plr.Character.HumanoidRootPart.Position while wait(4) do local newPosition = plr.Character.HumanoidRootPart.Position local distTravelled = (newPosition - lastPosition).magnitude -- See how far the player's walked. local distError = 2, -- Allow for some error in distance if the player does this -- Every 4 seconds we check, so the player should have AT MAX travelled 4 * 16 STUDS if ((distTravelled-distError) > 4* normalWalkspeed). Then -- Check if the error is greater than the distance they should have walked. warn(plr.Name.." is probably speed hacking, they travelled", (distTravelled - (4 * normalWalkspeed)),"studs more than they should've!") End end end (end)

This should be a good example of what you can do to stop exploits in your games.
Other examples include:
Did the remote give you an inordinate amount of money, or did it come from your pocket?
You should make sure your money remote only affects the person who fired it.
You can limit the number of times a player can give you an item/cup if you have an item giver.

This is my guide to exploits and how you can prevent them. I will update this thread with more examples and detailed descriptions later, but I hope that this can help you make Roblox more secure against exploiters.
You’ll likely have an advantage because script kids who copy and paste from V3rmillion are the ones who will exploit your game.

About the Author: Brandon Ward

You May Also Like