ROBLOX Forum » Game Creation and Development » Scripters

Re: Countering exploiters

Merely is not online. Merely
Joined: 07 Dec 2010
Total Posts: 17266
23 Jun 2013 12:45 PM
There are always going to be ways to exploit inside game servers on Roblox. With that being said, how do we counter them?

I have spent a lot of time working on methods to counter exploiters. I wrote a ban script that uses data persistence to keep track of permanently banned users. I wrote a crash script that forces the player to actually disconnect from the server, instead of just removing the player object. I wrote a description parser that automatically updates the ban list from the description of the game every 15 seconds. I appointed moderators in my game to ban exploiters. I created a regen script that regenerates the entire server on my request. I even found a way to kick RobloxLocked players.

But the exploiters still keep coming.

I think we need to brainstorm ways of crowdsourcing the moderation of in-game exploiters to harness the power of users. In other words, we need a solid vote-to-kick system that uses data persistence to track likely exploiters, and let users decide if they want to regenerate the server, in case it becomes exploited. I see this as the most viable method to reduce the effects of exploiting on our places.

Server-side scripts give us the edge, since exploiters can't tamper with them after we've parented them to nil.

Anyways, any thoughts? I'm going to release my 'auto-updating banlist from game description' script in hopes that you guys find it useful. When you have a game with multiple servers, it is the best way to counter exploiters quickly if you aren't in the same server with them.
Report Abuse
evillee is not online. evillee
Joined: 23 Jan 2010
Total Posts: 217
23 Jun 2013 12:48 PM
Hmm
Report Abuse
evillee is not online. evillee
Joined: 23 Jan 2010
Total Posts: 217
23 Jun 2013 12:49 PM
So what is the purpose of the auto updating ban list?
Report Abuse
su8 is not online. su8
Joined: 06 Mar 2009
Total Posts: 6334
23 Jun 2013 12:50 PM
why is this protected?

http://wiki.roblox.com/index.php/CloseConnection_(Method)
Report Abuse
Merely is not online. Merely
Joined: 07 Dec 2010
Total Posts: 17266
23 Jun 2013 12:50 PM
If multiple servers exist, it can be difficult to get into the server so you can use a chat command to use data persistence to ban the player. And updating the game itself won't affect existing servers, so the exploiter can run rampant for hours until you shut down.
Report Abuse
evillee is not online. evillee
Joined: 23 Jan 2010
Total Posts: 217
23 Jun 2013 12:51 PM
I really have no idea how to stop exploiters now. All I have is an Anti Place Steal, and even that is still not 100% able to stop them. Exploiting has become much more complex now.
Report Abuse
evillee is not online. evillee
Joined: 23 Jan 2010
Total Posts: 217
23 Jun 2013 12:51 PM
Oh, I see what you mean there, Merely.
Report Abuse
NecroBumpist is not online. NecroBumpist
Joined: 12 Sep 2010
Total Posts: 4198
23 Jun 2013 12:53 PM
ROBLOX needs to implement official APIs for server management.
There should be functions to handle everything you just described such as kicking and banning players as well as having bans affect all of the running servers.
Report Abuse
evillee is not online. evillee
Joined: 23 Jan 2010
Total Posts: 217
23 Jun 2013 12:54 PM
Is there a possibility to implement some sort of function that could close the ROBLOX client whenever Cheat Engine or any other system used for exploiting is used? I am not sure if it just can be done or not, I honestly do not know the limits of what ROBLOX can do.
Report Abuse
bohdan77 is not online. bohdan77
Joined: 10 Aug 2008
Total Posts: 7944
23 Jun 2013 12:59 PM
How do you kick RobloxLocked Players?
Report Abuse
Flame6264 is not online. Flame6264
Joined: 06 Mar 2012
Total Posts: 3379
23 Jun 2013 01:04 PM
I'm currently making a GUI that moderators can have, in which you can select which player in the game to perma ban. And I'm also working on a GUI vote-to-kick system.
Report Abuse
evillee is not online. evillee
Joined: 23 Jan 2010
Total Posts: 217
23 Jun 2013 01:04 PM
I only have one last question.
Is it a possibility to conduct an IP Ban with a script? That would stop exploiters completely from exploiting your game, unless they are at a different address.
Report Abuse
ThePC8110 is not online. ThePC8110
Joined: 04 Jun 2011
Total Posts: 486
23 Jun 2013 01:04 PM
Make serverside scripts level 1 access so that they can instantly unrobloxlock players and destroy them. Also, since most exploiters inject into corescripts, it's client side so they can't change a serverside script's source?
Report Abuse
Exploitivity is not online. Exploitivity
Joined: 29 May 2013
Total Posts: 191
23 Jun 2013 01:05 PM
I have an exploit script which all the recent exploiters have been using, I might report it to ROBLOX admins.
Report Abuse
Flame6264 is not online. Flame6264
Joined: 06 Mar 2012
Total Posts: 3379
23 Jun 2013 01:05 PM
I don't think that there is any possible method to do that, well, at least not that I know of.
Report Abuse
bohdan77 is not online. bohdan77
Joined: 10 Aug 2008
Total Posts: 7944
23 Jun 2013 01:05 PM
@evillee
You can't IP ban. It was possible back then. But not now.
Report Abuse
Radioaktiivinen is not online. Radioaktiivinen
Joined: 25 Apr 2009
Total Posts: 18629
23 Jun 2013 01:09 PM
I assume you have already prevented stealing places by not storing them as xml on the client...

Couple of ideas:
-Add "Replicate" checkbox to objects. Objects with it checked are not replicated to clients (including children of the object). Can be ignored for parts and visible stuff in workspace if it causes problems. But for things like ____Value objects, Body_____ objects and so on it can be useful. Will also reduce lag to some extent (especially if storing immense amounts of stringvalues for some h4xy scripting experiment)

-Add report functionality that takes a snapshot of the place (parts, scripts, player objects, objects in players...) to be examined by an admin, along with the chat log. It can be used to compare the place with the place file and see if it's full of h4x. After there is indication that h4x actually happened of course.

-Add report functionality that instantly summons an admin (not visible to players), who will start as viewing the reported player. Some useful guis to quickly view chat logs, object hierarchy explorer and so on. The admin can then follow the situation for a short time. (this needs a better way to prevent false reporting though) I'd imagine if you had a few admins constantly viewing multiple reported offenders at the same time, it would be enough to reduce h4xing. Possibly as a separate report option for things that can't be seen from let's say the chat log.
Report Abuse
Radioaktiivinen is not online. Radioaktiivinen
Joined: 25 Apr 2009
Total Posts: 18629
23 Jun 2013 01:10 PM
You could add a built in report counter thing that counts the amount of times a player has been reported by the players.

If he is a known offender the amount of reporters needed will be a lot smaller.

If enough people report the admin could be summoned.
Report Abuse
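
The report counter described in the post above, combined with the vote-to-kick idea from the opening post, as an added example that is not part of the thread or any poster's script. It is plain Lua with no Roblox API calls; the thresholds, the `ReportTally` name and the `strikes` table (standing in for persisted data) are assumptions.

```lua
-- Added example, plain Lua 5.1; no Roblox API is called.
-- Assumption: `strikes` would be loaded from and saved to persistent storage.
local BASE_THRESHOLD = 5  -- assumed: distinct reporters needed for a first-time target
local MIN_THRESHOLD  = 2  -- assumed floor: one player alone can never trigger action

local ReportTally = {}
ReportTally.__index = ReportTally

function ReportTally.new(strikes)
    return setmetatable({
        strikes = strikes or {},  -- targetId -> prior confirmed offences
        reporters = {},           -- targetId -> set of reporterIds already counted
        counts = {},              -- targetId -> number of distinct reporters
    }, ReportTally)
end

-- Known offenders need fewer reporters, but never fewer than MIN_THRESHOLD.
function ReportTally:threshold(targetId)
    local prior = self.strikes[targetId] or 0
    return math.max(MIN_THRESHOLD, BASE_THRESHOLD - prior)
end

-- Returns "ignored", "counted" or "escalate" (summon a moderator / start a vote).
function ReportTally:report(reporterId, targetId)
    if reporterId == targetId then return "ignored" end
    local seen = self.reporters[targetId]
    if not seen then
        seen = {}
        self.reporters[targetId] = seen
        self.counts[targetId] = 0
    end
    if seen[reporterId] then return "ignored" end  -- repeat reports do not stack
    seen[reporterId] = true
    self.counts[targetId] = self.counts[targetId] + 1
    if self.counts[targetId] >= self:threshold(targetId) then
        return "escalate"
    end
    return "counted"
end

-- Constructed sample: player 42 has 3 confirmed strikes, player 7 has none.
local tally = ReportTally.new({ [42] = 3 })
print(tally:report(1, 42))  -- first distinct reporter
print(tally:report(1, 42))  -- same reporter again
print(tally:report(2, 42))  -- second distinct reporter, lowered threshold applies
print(tally:report(1, 7))   -- clean player still needs BASE_THRESHOLD reporters
```

Counting distinct reporters rather than raw reports is what keeps a single player from escalating a target by reporting repeatedly.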
Legend26 is not online. Legend26
Joined: 08 Sep 2008
Total Posts: 10586
23 Jun 2013 01:11 PM
Except regenerating the entire server is kinda.. not possible when the place is large. As always, a vote to kick system could easily be abused or not even be used at all because the users either don't understand what's happening or are having fun with the exploiter (just depends on the person).

What I've done is created a script that forces archivable to false for everything and if it's changed, remove everything and destroy the server. As you might think, though, it's pretty temperamental at times.

Necro's idea is good. We need solid support from roblox to do well combating exploiters. The replication API (scalability is NOT a reason for leaving this locked, wth?), a better, official way to ban/kick players and actually close the connections, etc.
Report Abuse
Merely is not online. Merely
Joined: 07 Dec 2010
Total Posts: 17266
23 Jun 2013 01:51 PM
The issue with the replication filter is that it slows down the place significantly because the server has to filter everything the client tells it. Talk to Sorcus if you want the details.
Report Abuse
booing is not online. booing
Joined: 04 May 2009
Total Posts: 6594
23 Jun 2013 01:54 PM
Merely,
Can you still use Debris to remove RobloxLocked items? If you can't, then you guys should enable it and make it so that Debris can't add services and FindFirstChild can't recurse through RobloxLocked objects.
Report Abuse
1waffle1 is not online. 1waffle1
Joined: 16 Oct 2007
Total Posts: 16381
23 Jun 2013 01:54 PM
Sorcus doesn't do "details."
Report Abuse
booing is not online. booing
Joined: 04 May 2009
Total Posts: 6594
23 Jun 2013 01:57 PM
waffle is an ESFP
Report Abuse
1waffle1 is not online. 1waffle1
Joined: 16 Oct 2007
Total Posts: 16381
23 Jun 2013 01:59 PM
booing is a NOOB
Report Abuse
jacob2233 is not online. jacob2233
Joined: 23 Aug 2007
Total Posts: 723
23 Jun 2013 02:01 PM
I'll be quite honest, there is no for-sure method to stop exploiters. If one is found, you should probably alert the whole game-dev world, as they only use methods of detecting exploiters as early as possible, not stopping them.

A method I'd recommend is creating a behavior log of the server, detecting everything that is created and destroyed, just trying to find out how the server is supposed to behave normally. When an exploiter enters, the place is going to behave differently, doing things considered unusual. Though in concept it sounds simple, it is much more difficult to actually design an automated method to do that.

But, still have to be quite honest, as long as exploiters know how to use DLL injections, there will not be a way to stop them. A friend and I created a libstubhook library for iOS to inject new code into iOS apps, one app of interest being Minecraft pocket. We'd write up a quick C script that includes the library, compile it into a dylib, and play the game with the new code we wrote. It even works while on servers, since the methods we hooked or stubbed usually sent the data to the packets or got data from packet handler, because modifying the actual packet methods themselves wouldn't work.

A person who created a server program for the game said he added anti-cheat (I assume using data persistence as well), which works at stopping binary mods (modifying the game's raw binary to do what you want), but it did not stop our coded hacks. But the method for hacking iOS apps is not similar to exploiting ROBLOX or its servers, so I'm not too sure if the same could be said for exploitations.

Last, as for banning, I don't think permanent bans are that effective. A person could use a simple proxy (which has some holes) or even worse, a Tor proxy (which is untraceable even by governments) to get around it. As a last resort, instead of banning, make a compromise with them, them exchanging how they exploit for a lesser punishment, so you'd be aware of what exactly they're doing and expand around the hole they take advantage of.

To be honest, if I knew how ROBLOX's server communicates with clients, it'd be easier to create a picture of different holes, but since I never bothered I don't really know.

For example, if the client can send scripts to the server, that'd be a hole, since the server should be the only thing handling scripts. If a new instance of an object was created on the client and is sent to the server, that'd also be a hole. The server should be in charge of everything, from new instances created to even the smallest aspects. The only thing the server is partly in charge of is player input, simple moving, joining, leaving, and so on. The only thing the client should be in charge of is animations, handling player input and texturing.

In the case of people stealing places from others, it is because on the client side the place is stored in the RAM, making it vulnerable to anyone with access to where in the RAM it's at. A way to sort-of prevent that is adding an encrypted flag as a hidden instance in the workspace (like a string value, but hidden) which holds the place identifier, so when they copy the world they copy this hidden instance. When the thief plays the stolen world while connected to the internet, have the client check the encrypted flag, find the original owner, and check if the place is copy-locked or not. If the place is copylocked, have an automatic report be sent to a ROBLOX staff to investigate the matter.

Anyway, sorry for the long reply, with half of it being random rambling... If ROBLOX were an iOS app, I could point out exactly what to do, but since it's not, I "pretended" it is and tried to offer a solution.
Report Abuse
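
The behavior log suggested in the post above, as an added example that is not part of the thread or any poster's script: learn how many objects of each class are normally created and destroyed per time window, then flag windows that deviate. It is plain Lua with no Roblox API calls; the event records, the `SLACK` factor and the function names are assumptions, and the sample data is constructed.

```lua
-- Added example, plain Lua 5.1. Assumption: the event records would come from
-- the server's own logging of objects being added and removed.
local SLACK = 2  -- assumed: tolerate up to 2x the busiest known-good window

-- Count events per "action:className" key within one time window.
local function countWindow(events)
    local counts = {}
    for _, e in ipairs(events) do
        local key = e.action .. ":" .. e.class
        counts[key] = (counts[key] or 0) + 1
    end
    return counts
end

-- Learn, per key, the highest count seen across known-good windows.
local function learnBaseline(windows)
    local maxSeen = {}
    for _, events in ipairs(windows) do
        for key, n in pairs(countWindow(events)) do
            if n > (maxSeen[key] or 0) then maxSeen[key] = n end
        end
    end
    return maxSeen
end

-- Return a sorted list of findings for one live window.
local function findAnomalies(baseline, events)
    local findings = {}
    for key, n in pairs(countWindow(events)) do
        local limit = baseline[key]
        if not limit then
            findings[#findings + 1] = key .. " never seen in baseline (" .. n .. ")"
        elseif n > limit * SLACK then
            findings[#findings + 1] = key .. " count " .. n .. " exceeds limit " .. limit * SLACK
        end
    end
    table.sort(findings)
    return findings
end

-- Constructed sample: two known-good windows, then one suspicious live window.
local good = {
    { {action="created", class="Part"}, {action="created", class="Part"}, {action="destroyed", class="Part"} },
    { {action="created", class="Part"}, {action="created", class="Tool"} },
}
local live = {}
for i = 1, 9 do live[i] = {action="destroyed", class="Part"} end  -- mass deletion
live[#live + 1] = {action="created", class="Script"}              -- class absent from baseline

for _, line in ipairs(findAnomalies(learnBaseline(good), live)) do print(line) end
```

A baseline built this way only reflects the windows it was trained on, so legitimate events such as a map regeneration need to be included in the known-good set or they will be flagged.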