How Roblox Exploits Work (+ how to fix them)
Vložit
- čas přidán 26. 08. 2024
- 50% OFF COUPON WITH "DOUBLEBYTE" (ends in 3 days):
linktr.ee/Byte...
To try everything Brilliant has to offer-free-for a full 30 days, visit brilliant.org/...
You’ll also get 20% off an annual premium subscription!
discord: / discord
wondered how to make a main menu in roblox studio? or how to create a shop which has working GUI? ive made lots of 2024 roblox scripting tutorials about all the different bits of roblox to give you some up-to-date information about all of its properties and events.
my goal is to simply give some insight on how to use the various features and instances roblox studio, and show you some fun stuff you can do with them. thanks for checking out this roblox scripting tutorial :)
Get all of my knowledge in one package: linktr.ee/ByteBlox
money
I subbed to the newsletter for ite free to sub
Moni
ip grabber
ip grabber
Here is another way to think about it:
The server is your boss, you are an employee. Your boss will give you reports to fill out and send back. You can write faulty info in the reports, and a bad boss will take it at face value. A good boss will validate the information and correct it and/or fire (ban) you from the company (game)
“Idk, some stupid name system”
I couldn’t agree more.
My favorite color is "random hello Block inside my house blue style red absolutely no AAAAAAAAA red"
good description, 100% accurate to the video
read the entire thing in context
did you seriously just read the first sentence of the description
The description is not a description of the video but a description of the channel
@@Doggerblobber sarcasm bro
@@CouldBeAnyone Must admit you’re right that definitely is sarcasm (this reply isn’t sarcastic)
This is a pretty good explanation, also on the flying script, that's pretty hard to pull off, so usually exploits will just make it a invis seat the flies or your char stiffens up and flies, I forget what its called, but its like the just spawned in a dummy char to start making anims type pose.
not actually, im an exploit developer and flying scripts work like swimming in platformstanding or platformstanding and velocity
this is very wrong, most flying scripts enable platformstand and use bodygyros and bodyvelocities
@@TheCoolIllusion "only infinity yield's one"😂
not really, that the basic way to do flight, any other way could be seen as clunky and counter-intuitive, @@infernus8560
@@infernus8560 not rlly, if youre playing a game with a competent developer team they wouldve had that patched already
For those that want to get more technical, a client-server connection works by the client(you) sending an input to the server. You press W and send that to the server, the server moves you forward and then sends you back information on where you moved to on the client.
If you create a part on the server, the server will tell all the clients (all the players) that there's a part there, and the players will see it. With exploits, you delete that part or change any property, it will only show for you but the part will still be there on the server for other players to see.
This is why if you change things like money in multiplayer games even though you have 999999 you can't buy something. Because on your pc it's 999999 but on the server it's the actual normal number.
Creating wall hacks and other tools is the best way to hack cliently for this reason since only you can see changes, because you can just create billboard GUI's inside player bodies and only you will be able to see them. No one else, even the server, can see what is inside your game. Only you.
actually client not sending input it sending character position
@@SuperBro112Lol yeah, server trusts the client for the client characters position, otherwise it would have too much input delay for clients with low ping. This is why exploiters can teleport, and an anti tp needs to be implemented.
This is super incorrect. The way the client-server relationship works is through replication.
When you press W to move forward the client moves you forward then tells the server that you moved forwards so it can update it for all the other clients. The server doesn't move you, in fact almost everything is done on the client and replicated to the server.
The exception to this is minimal changes like brick colors, can collides, etc etc.
Also changing your money on the client could still work if the developer doesn't have some sort of client validation on the server-side. However most games have this which is why this generally doesn't work.
@@tannnxrAllow me to correct your correction, if you don't mind.
Pressing W to move on the client will send a query to the server to move the player forward, and the server validades if the movement is valid. The way movement on client looks smooth is through "Client-Side Prediction", where you do actions locally first before the actual action takes place in the server. This is why on high latencies you spot players moving slow, floating, or "moving back" for a slight second. Those are the attempts of the server correcting the position of the player. Consider looking into it? This is present in almost any game, unless there's measures against it. Some games simply keep the input playing until its said otherwise. Like in some fps, if you move forward and disconnect, you will keep moving forward because you lost connection and there's no confirmation from the client that you've stopped moving.
Yet another correction, I haven't developed in Roblox in a while but I'm pretty sure filtering enabled is on by default now so there's no getting around remote events. Changing something locally won't change the value on the server, and a verification should always be done server side to prevent exploits of course. That's basic network security every game should have except singleplayer games.
Hey, let me correct your correction of their correction. Mostly because I fear a new Roblox developer reading this and misunderstanding how this works.
First, Roblox doesn't use Client-Side Prediction at all, according to some staff posts on devforum roblox exclusively interpolates positions and humanoids based on data already received.
Second, yes, FilteringEnabled is on by default, actually you can't even disable it anymore, it prevents any clientside changes from affecting the server, has been like that for a few years.
But here's the catch, neither of those are true if you have Network Ownership of a part! Your client actually simulates any parts that it has ownership of and sends it to the server, this not only includes your character (the reason your inputs aren't sent to the server) but also unanchored parts around you, with extra leniency for taking Ownership of Humanoids.
The server never actually calculates physics and humanoid states for anything a player has Network Ownership of, so it doesn't have any idea if the data you sent to it is correct and just accepts it as truth, replicating any changes you make to those properties. Then the new changes get sent to all players, and if it's a position the interpolation code on the client kicks in.
What I'm guessing you're thinking of when you mention Client-Side Predictions on Roblox is how it handles Humanoids, your client does indeed simulate Humanoids that it has ownership of, and when switching Network Owners NPCs tend to lag behind or rollback, but that's simply because as an Humanoid changes Network Ownership your client needs to update the position from your own simulation to the new owner, and both from latency and physics in Roblox not being deterministic it's likely that there'll be a big difference between both clients. This means that in no point here is it possible for a Player's Character to suffer this as they'll never change Network Owners from their Player unless the server specifically sets it with BasePart:SetNetworkOwner. (or have some other forced Network Ownership change such as a weld between 2 characters, which is how Network Claim exploits work)
Btw, when I say position I'm not exclusively referring to the Position but instead properties like Velocity and CFrame, if you have Roblox's source code go dig around the addInterpolationSample function for a more technical approach to understand this concept... Or just reply with any related questions you have, I'm waayyy too obsessed with Roblox networking and have quite a bit of experience programming both anticheats and cheats (for pentesting of course).
Sorry for the big response, I got carried away. And feel free to correct any mistakes I made here! I'm sleepy and not in the mood for proofreading :P
Exploits are done on the client. Therefore you could say executors use local scripts. When anything is changed using the executor, only you will see. However. Some things like walkspeed can be replicated. If you set your walkspeed to 50 then you will run at that speed. For the server, you will run at that speed. But the walkspeed value will be default
Thank You for the Explanation!
understanding how they work is the best way to possibly fix the problem
yes
the most important part of exploiting would be Physics calculations
Most people ignore it and by default, it gives ownership of object's physics to the client when close enaugh, allowing you to do bunch of stuff, same for player model that client is operating
Im pretty sure that the client doersnt give properties of all of the objects to the server, im pretty sure the client just sends They're player position and send RemoteEvents, The client does not say that the part has CanCollide off ( unless the client has NetworkOwnership of the part ), it just says the Player Position. Exploits just run LocalScript's basically
Whenever you want to fix an exploit you just ask your self “What would another player expect to see if a player was cheating (which can’t be mistaken for something else)” then code the server to check for those behaviours.
As someone who wrote exploits for 1+ years i confirm this video fr
literally everything he said you can easily get around
i love this explanation on this topic, im hoping some newer developers learn something from this, you did a great job :)
Bro, u are probably one of my the most favorite you tubers, like ur videos 👍
Even tho I kind of know how hacks work, this gives me a cleaner idea to it. Cool video!
I have a question going through my mind rn. If the game is kind of copied, why wouldn’t it replace the part we are seeing green back to white? Is the server only replacing things only when modified in the server side? If so, couldn’t we just modify the object a little bit so it has no impact on the gale or performance but because it is modified often, it can’t be modified.
Whenever something is changed on the server, that change gets cloned to all clients. However when a change occurs on the client, it only affects that client
Could you explain the process of terrain generation through wave function collapse in Roblox? I've come across some videos on this topic, but they use other game engines which has left me feeling confused. I'm hoping you can help me better understand this concept. I recently watched one of your videos and found it to be very informative and excellent. I'd be happy to support your channel in any way I can.
Here is a 5 minute video of what I exactly mean: czcams.com/video/MyMbbmWVCDw/video.htmlsi=Ay81n4cKTaT9ZfUj
2:35 wall hacks dont have any interaction with the server + they can put the wall hack stuff into the coreGui which no script has access too except plugins. what means there's no way to prevent wall hacks if an exploit puts them into the coreGui
U cant do that🤦♂️
CoreGui is for hiding gui or anything related with it
I've been a developer since 6 years and I know what I'm saying. I've worked with exploits and plugins before @@darkness0194
CoreGui is where roblox UI is located, normal scripts do not have access to it and see it as nil, since an executor is not considered a normal script and a third party one it does have access to changing stuff on the coreGui, plugins also have access to the coreGui so it doesn't get messy in the PlayerGui @@darkness0194
It's much easier to make anti-cheats because Byfron is doing most the work, but Byfron is also against normal players crashing their game
most exploits actually work by hijacking roblox’s lua vm. usually with execution methods like proto conversion and bytecode conversion, or maybe even with pre-compiling in a different lua vm, such as FiOne, and compile it to be compliant with roblox. that’s how they execute lua on the client.
i once made a full serverside anticheat bypass by destroying my localplayer on the client and then indexing it to the server localplayer because for some reason you were still able to access your localplayer on clientside which would then allow you for a whole serverside anticheat bypass because at one point roblox messed up their localplayer security lol
to make it simple for the people who dont understand, basically exploiting you will have an executor that sends local scripts through the game say i made a local script that made everyone jump it will only show for me.
might aswell explain as an exploiter.
I've been exploiting roblox since 2011, i won't explain anything goodluck :D
i know how exploiting works i even made my own exploit api and used Synapse X for a couple of years@@ТІР
@@ТІР Why are you acting like you exploiting for 12 years is an accomplishment?
@@VigourousSurvivor who said it was? i explained my profession.
@@ТІР not even a profession but ok
Scripts that only affect your client are called, “client-sided scripts.” Scripts that affect ALL players are called, “server-sided scripts.” I know this from experience because before roblox added the anti cheat I used to exploit.
Scripts that affect all players can still be client-sided scripts, no?
Server-sided scripts affect the experience itself while that can be editing the players, it generally doesn't do that unless you have a game similar to Murder Mystery 2
@@confidentletteryou're right
the client doesn't tell the server if the part is collidable, it only tells the server where the character is.
havent finished the video yet but you can really do anything against esp since any half decent exploiter will use Drawing
oooo thanks for explaining how client and server work
Never thought gigachad would teach me how to fix roblox exploits
this isn't how exploiting works but good enough 😆 the client doesn't ask shit from the server for things like wallhacks they just modify their own client they don't interact with the server at all otherwise exploiting would of been dead long long long ago.
Edit: Since this got hearted might aswell add into this with more funny information! at times the client might actually wanna interact with the server via sending packets ( events ) to actually exploit some vulnerabilities in roblox whether it's poor serialization or sanity checks! so hopefully you see this message in the sea of hearts
underrated
This not a valid member of workspace error has actually of occured for me when one of it’s vector3 values was too high
As an exploiter, thanks for telling me how anti-cheats works
Not a very good exploiter if you didn’t know about server and client before lmao
@@byteblox100 I didn't know about server and client when I started exploiting, but after several months later, I learned about the server and client
Some exploiters can access to servers, not every exploiters can access to servers
Server-Side or SS exploits exist
SS Exploits work by injecting a require function
Example: require("{Exploit name}"){symbol}("{username or userid}")
Or ("{username or userid}"){symbol}("{Exploit name}")
@@Vastralix i learned what server and client is the day i started
8:08 this exploit exist, you can do almost everything with your avatar and server will believe. also i know dex: dex is a exploit that adds client explorer using gui, dex can be runned by a Infinite Yield (like admin hd but hacks) or from a injecter (programm that runns hack into the game). also i know a hack that makes you giant hat that flings not anchored objects. also i remember: using dex you can resize something and in brookhaven theres was event to collect eggs and with hacks you can resize them to a size of a map to collect all eggs easy
I am as exploiter, you're right, there's alot of exploits going around for years
@@Chillz_AZY Same bro
now teach us about ss exploit to show all those newbie why you shouldnt put random free model in their game
exploiting is dead on roblox anyways, synapse became a security company working for roblox
yeah and its not like android exploit exist at all 😂
@@LgdFanta bro are you sure about that lmfao
@@LgdFanta my android from ww2 is NOT playing roblox..
i liked the part where you told how to fix roblox exploits
It’s just to have a secure server lol
@@byteblox100 well how do you have a secure server then? You mean to secure the remote events? That doesn't cover all exploits, and I doubt it even covers most
@@TheFinnish1 basically just check important stuff on the server before actually committing any changes the client wants to make (for example, if the client sends a remoteevent to give a player cash, then the amount of cash should de determined on the server and not the client)
Me who exploits on roblox watching this video: interesting
Thanks 🙏
You explain really well
Taking a shot everyone he says right
Can yall quit saying Exploiters are dead they are NOT DEAD Byfron is not on mobile and synapse X doesn't ban exploiters and also exploiting is just some game stuff and hacking is just messing with accounts websites and etc. So quit thinking they are dead they exist with mobile and btw most exploits just troll or annoy not do massive damage
Since what the server does gets replicated to the client couldnt you make a script on the server which is repeating and is disabling and re-enabling collison on walls to prevent noclip cheats?
You could but that would kill optimization. I believe people have made plugins which detect when a player enters a part, and if the player isn’t supposed to be inside of that part then the server will teleport them away from the part
@@byteblox100 well to make it perform better just wait 1-2 seconds before enabling collision
@@2dquixbut doesn’t it take less than 1 second to walk through normal walls…?
I used to exploit, but then I realised its stupid so instead I'd rather make games now
Aren’t all exploits gone now? Synapse got hired and all exploit injectors don’t work atm and they lost motivation to make more bc it’ll be like 10x harder now with byfron
So what’s the point of worrying now?
not really like some exploit app is constantly finding new ways to exploit but they get patched like 1 day later so people can exploit but just not always
@@Brycki404 theirs emulation, a cheat engine method, and multiple people who have already found a bypass like cheat buddy
@@givemeahotkiss thing is, now that there’s an active patching team like there never was before, exploits will be coming and going a lot more frequently and people will become sick of buying them just for them to be patched in the following week, it’s still a big slash to the exploiting communities. So you can be a lot more careless now if you require performance over security
is there a fix to prevent exploiters from removing parts that have a touched event in them? like they would still be able to remove it but even if they touch it the touched event would still fire
Exploiters cannot remove something server side, so even if they destroy a part locally, you can still use Touched on the server and its able to detect the player who destroyed the part on their end
for anyone reading this comment after almost a full month:
don't follow byteblox's advice here! this is not how roblox works!
the touched event is fully clientsided no matter if it runs on the client or the server. while exploiters can't remove the part itself and can't change it for other players they still completely control how their own client interacts with touchinterests
if you're writing secure critical code you shouldn't rely on physics at all, roblox physics are messy and you'll get a headache debugging it, but if you do need to do it at least use an actually secure function like the bounding box functions instead of .touched!
Pov fe vs fd:
is the color picker you have a plugin?
No, I always had it
@@byteblox100i see. For me its different and ive seen a few people with this one so i asked
Synapse X users be like:
Does a local script only change the client?
Yes
also exploits can change the code inside them so dont put important stuff there
hopefully they working bypass on anti-cheat
i guess your explication was too complex to just explain how someone can exploit and what is the server and what is the client
and also you did a bit bad explaination, not everytime client will just use the server to exploit, and client wont just send properties of something ( unless it has networkship )
BRO THEY ALREADY FIXED IT WITH BYFRON AND HYPERION LOL
Nope
but there are not too much exploits work lol@@Gomi_gs
Android.
@@SuperBootsTheDog or pc at this point. Wave and krampus have shown it is possible
@@Gomi_gs yeah but androids definitely easier
nooo don't Gigachads pls in avatar I'm gonna heart attack
I Ty
W d t how would t h m y nose
I haven't watched this yet, but why are you making this? Exploiters are gone for good now and their exploits are most likely malware. Either way this seems like a good guide, might watch it soon to prevent exploiters if they are still here.
Exploiters are gone because most big games have very good security now. But if you’re developing a small game it’s still very helpful to develop a habit of just checking everything on the server
no way you said "gone for good" no game has exploiters "gone for good" 😂
@@givemeahotkiss mad exploiter
name a game that has completely patched cheating
now explain serverside exploits :)
i love how you explained this, but exploits are dead right now lol. useless video at the moment, no offense
It’s more a video about server vs client with a spicy title lmao
yeah but like with all games cheat developers will find a bypass
I still see exploiters lol. The anti-cheat is only for PC if I can recall correctly.
mobile exploiters go crazyyyy lmaooo
informational video nonetheless!