generic image
Processing...
  • Games
  • Catalog
  • Develop
  • Robux
  • Search in Players
  • Search in Games
  • Search in Catalog
  • Search in Groups
  • Search in Library
  • Log In
  • Sign Up
  • Games
  • Catalog
  • Develop
  • Robux
   
ROBLOX Forum » Game Creation and Development » Scripters
Home Search
 

Re: Exploiting: The Final Solution

Previous Thread :: Next Thread 
Rerumu is not online. Rerumu
Joined: 11 Oct 2014
Total Posts: 950
08 Sep 2016 06:26 AM
After long hours of thinking I have come up with the final solution to RC7 and other level 7 exploits.

(Note: Game must be FilteringEnabled to work, duh.)

Step 1. Make a client script.
Step 2. Have said client script wait for a string value to be added to it and get its value, then proceed to nil itself.

(This Value will be your encryption key, have ALL remotes have their name encrypted using the Epix method with said key or similar, make sure all servers have a different key.)

Step 3. Mod the _G table, keep a separate table as its index with the real functions in it, and set the __metatable to some set of characters, must be constant in all clients.

Step 4.
A. If said set/string changes, kicked!
B. If any remotes are removed, kicked!

Step 5. Establish a framework using the _G in its index table, so when iterating over _G nothing will show up.

Step 6. Make sure the __index function, if it returns nil, TO KICK THE PLAYER. There is no reason for a script YOU made to have a wrong function name.

Step 7. Hook####y##r functions to the remotes so that you can access the remotes from any script.

Step 8. Have a validation function that requests the SERVER KEY from the server, this key should also vary from server! And if a wrong one is provided on calling a remote, kicked!

Step 9. Set up the validation as strict as you can, making sure only YOUR scripts can get the key, and nil said scripts right afterwards clientsided! I cannot stress this enough people, NIL YOUR CLIENT SCRIPTS.

Step 10. Once everything is set up, all other client scripts should make a variable of the key and nil themselves, and now they can do _G.LevelUp(key,player) as an example. But _G.LevlUpp(key,player) should KICK you for indexing something not in the index table.

This is by far the best method, if you're proficient with Lua that is. Otherwise, have fun!
Report Abuse
TimeTicks is not online. TimeTicks
Joined: 27 Apr 2011
Total Posts: 27115
08 Sep 2016 08:08 AM
Solution:

Filtering Enabled

Enjoy.


Report Abuse
nooneisback is not online. nooneisback
Joined: 28 Feb 2012
Total Posts: 1672
08 Sep 2016 08:33 AM
I agree with timeticks, so much hard wkrk when filtering does almost all of it for you. Remote events and functions can alsways be exploited, encrypted or not. All you need to do is spam the thing.
Report Abuse
ArmaVictorem is online. ArmaVictorem
Joined: 18 Mar 2015
Total Posts: 1332
08 Sep 2016 09:39 AM
yeah brute force is still an issue
Report Abuse
ClassicalGod is not online. ClassicalGod
Joined: 26 Sep 2008
Total Posts: 2842
08 Sep 2016 09:43 AM
if you're looking for anti-exploit try this:

game.Workspace.FilteringEnabled = true


always works for me :)
Report Abuse
dav1000999 is not online. dav1000999
Joined: 06 Apr 2012
Total Posts: 8
08 Sep 2016 09:59 AM
If the key is made of 500 or more characters, brute force will take forever to find it.
Report Abuse
Waytide is not online. Waytide
Joined: 06 Sep 2016
Total Posts: 154
08 Sep 2016 10:13 AM
This looks like security through obscurity to me.


Report Abuse
Protoduction is not online. Protoduction
Joined: 27 Jul 2012
Total Posts: 1054
08 Sep 2016 10:20 AM
You could probably get around the brute force firing events by making sure the time between events firing is greater than a certain constant

For brute force attacking encryption keys, think of it this way

An 8 character key would have 7.2 quadrillion possibilities, if you use all 96 numbers, letters and symbols which are on most keyboards.
With 8 characters, the key could be cracked with a weak processor in about 22,875 years

If you created a key with 20 characters, only using letters from the English/American alphabet, it would have 19.9 Octillion different possibilities and would be cracked by a weak processor in around 63 Quadrillion years

So in essence, create a key about 20 characters long, made up of random letters.


Report Abuse
Protoduction is not online. Protoduction
Joined: 27 Jul 2012
Total Posts: 1054
08 Sep 2016 10:20 AM
Note when I say 'weak processor', I mean consumer grade processors, for example Intel i3, i5, i7 or AMD equivalents


Report Abuse
TimeTicks is not online. TimeTicks
Joined: 27 Apr 2011
Total Posts: 27115
08 Sep 2016 10:33 AM
Okay this brute force attack is silly. If you know how to properly use RE's then there shouldn't be a problem.


Report Abuse
filiptibell is not online. filiptibell
Joined: 10 Mar 2013
Total Posts: 2362
08 Sep 2016 11:08 AM
@Waytide is correct. None of this stuff really matters, because it's all on the client and possibly accessible by a hacker anyway. Making a private key of any kind doesn't matter if its stored on the client, the hacker can get it. Putting all your functions in a different environment, or setting your scripts to nil won't help, because the hacker could just run the malicious code somewhere else.

The correct way to go about this is just to assume every single thing the client does could be from a hacker or user with malicious intent. Don't leave any data on the client that it does not need, and most importantly don't let them tamper with it and have the change go through on the server. If they try to mess with your game, the change should only be visible to them. The server should be the one making any important changes.
Report Abuse
sonihi is not online. sonihi
Joined: 27 Jun 2009
Total Posts: 3655
08 Sep 2016 11:15 AM
What exactly is a level 7 exploit?
Report Abuse
iYzarky is not online. iYzarky
Joined: 01 Jun 2009
Total Posts: 1271
08 Sep 2016 11:27 AM
Not sure, but I think any exploit that has LUA Injection is considered a lvl 7.


I don't even care hummie
Report Abuse
sonihi is not online. sonihi
Joined: 27 Jun 2009
Total Posts: 3655
08 Sep 2016 11:27 AM
what. what does that even mean
Report Abuse
Waytide is not online. Waytide
Joined: 06 Sep 2016
Total Posts: 154
08 Sep 2016 12:14 PM
"Levels" refer to the script context levels.

A context 7 means backend server.


Report Abuse
Waytide is not online. Waytide
Joined: 06 Sep 2016
Total Posts: 154
08 Sep 2016 12:15 PM
The term "level" and "level 7" has been for half a decade thrown around by everyone when very few people actually understand what it means. They just think it means "powerful".


Report Abuse
Casualist is not online. Casualist
Joined: 26 Jun 2014
Total Posts: 4443
08 Sep 2016 12:22 PM
"Exploiting: The Final Solution"
Don't make anything, and then there is nothing to exploit.
Report Abuse
WoolHat is not online. WoolHat
Joined: 19 May 2013
Total Posts: 1873
08 Sep 2016 12:25 PM
"The Final Solution"

..i've got my eye on you....
Report Abuse
Waytide is not online. Waytide
Joined: 06 Sep 2016
Total Posts: 154
08 Sep 2016 12:30 PM
+1 for WoolHat


Report Abuse
sonihi is not online. sonihi
Joined: 27 Jun 2009
Total Posts: 3655
08 Sep 2016 12:40 PM
All exploiters get on the train!
Report Abuse
llaserx is not online. llaserx
Joined: 10 Dec 2011
Total Posts: 53069
08 Sep 2016 12:43 PM
While true do

gets rid of exploiting faster
Report Abuse
TimeTicks is not online. TimeTicks
Joined: 27 Apr 2011
Total Posts: 27115
08 Sep 2016 12:45 PM
Aryans would one day rule the world.


Report Abuse
sonihi is not online. sonihi
Joined: 27 Jun 2009
Total Posts: 3655
08 Sep 2016 01:16 PM
Wait so level 7 exploits run on the server, or what am I missing?
Report Abuse
TimeTicks is not online. TimeTicks
Joined: 27 Apr 2011
Total Posts: 27115
08 Sep 2016 01:21 PM
No. They don't


Report Abuse
Evolution_Theory is not online. Evolution_Theory
Joined: 03 Feb 2012
Total Posts: 1770
08 Sep 2016 01:33 PM
What if I created a value in server storage and used a script to change it to something very random then I would send it from the server to the client and made the parent of every local script nil, then made every remote function/event check if the key that was sent from local script to server script matches the one in server storage. Wouldn't this work? Local player can't access server storage and scripts that have no parent.


Report Abuse
Previous Thread :: Next Thread 
Page 1 of 1
 
 
ROBLOX Forum » Game Creation and Development » Scripters
   
 
   
  • About Us
  • Jobs
  • Blog
  • Parents
  • Help
  • Terms
  • Privacy

©2017 Roblox Corporation. Roblox, the Roblox logo, Robux, Bloxy, and Powering Imagination are among our registered and unregistered trademarks in the U.S. and other countries.



Progress
Starting Roblox...
Connecting to Players...
R R

Roblox is now loading. Get ready to play!

R R

You're moments away from getting into the game!

Click here for help

Check Remember my choice and click Launch Application in the dialog box above to join games faster in the future!

Gameplay sponsored by:
Loading 0% - Starting game...
Get more with Builders Club! Join Builders Club
Choose Your Avatar
I have an account
generic image