the art of a roblox script
this information was me being actively involved in trying these in 2019-2021? i don't remember. i didn't factcheck any of this and this was just from memory and select rumors and speculation.
also i did not exploit! i used these with admin commands.
and i'm not talking about the actual roblox script instances. i'm talking about exploit scripts.
and i'm not talking about any ordinary exploit script. i'm talking about the cool ones. the ones with movesets. the awesome ones.
the cop, mafia skeleton, kritzkrieg taunt, kitchen gun, holy hand grenade, neko (the horror), karma, the ones with big weapons, monster man, taller monster man, all of that stuff.
3-4 years ago, i actively used some of these (with admin commands), and i had a blast.
how it was made
roblox used to not have a client-server boundary! they were linked together. this was bad. you never trust the client. any change a client made to the game affected the entire server. roblox's prison life was a good example of this. people changed skyboxes, among other things.
roblox also had no anti-tamper (anti-cheat would not suit well for roblox's model)!! the only thing guarding between them and exploiters was changing a certain value every wednesday that would basically take minutes to overcome.
this made things incredibly easy to tamper, and this was when many of the aforementioned exploit scripts were created.
some developers made executors where you can run powerful code. script developers made their exploit scripts in one file instead of multiple (important), so exploiters could copy, paste, and run them and have a lot of power over the game.
FilteringEnabled
...and then roblox pulled the plug. around 2019, they introduced FilteringEnabled (and Experimental Mode), creating a client-server boundary. you actually had to network now. instead of automatically bridging the gap, roblox developers had to use new instances: LocalScripts, RemoteEvents, RemoteFunctions, etc.
aside from a few exceptions, clients could not change the server. many scripts, roblox and exploits, broke.
since many exploits relied on the lack of a client-server boundary. they broke.
this update also broke a bunch of gear, roblox items with scripts and stuff that you could play around with (i.e., mouse target position).
furthermore, games were broken! i heard that black magic, a roblox fighting game experience, was significantly impacted by this.
right now, the most damaging thing you could do was become a black hole or spin very fast to fling other people like a beyblade or something.
MainModule
...but exploiters have to get clever...
backdoors!
the roblox library (now called the creator marketplace) features free models and plugins that everybody in roblox studio, the program where you can create games experiences, can use.
also, roblox did not tell you if a model contained scripts or if a plugin wanted to inject scripts.
models, at least, were confined to where you put them (aside from skies). HOWEVER, plugins had a lot more privilege. they could put their scripts in hidden places where you could not find normally unless you enabled some settings.
these scripts were typically obfuscated; they were difficult to decrypt. most of these obfuscated scripts usually end in one place though,
MainModule.
another unrelated free model or plugin (henceforth, called asset because i'm getting tired) would be uploaded to the library. the top-level instance in these assets would be a ModuleScript called MainModule.
ModuleScript?
currently, roblox has three types of scripts:
- Script
- LocalScript
- ModuleScript
Scripts typically go by server scripts; they can change the game, but they cannot access certain client-related things like mouse position. these are autorun and cannot be imported.
LocalScripts typically go by client scripts; they cannot change the game except for certain things like physics sometimes, but they cannot access certain instances and cannot run certain methods. these are autorun and cannot be imported.
Imagine that pre-FilteringEnabled combined Scripts and LocalScripts.
ModuleScripts are more what you are probably used to. they only run once and are run only when they are imported (using require). like i just said, these are the ones you import, kind of like what you usually do in most other programming languages.
if an asset has a top-level ModuleScript named MainModule, they will be imported. this is bad. if you code, it's like if you import a package and when you run it (not install it), it imports another package. it's a spooky surprise.
MainModules will usually contain code like this:
local module = {}
function module.load(username)
-- release the payload!!!
-- ...
end
return module
and an exploiter with an adequate backdoor can basically run:
require(assetid).load("player_username")
it's that easy! it actually affected a whole lot of games, popular or not, and it can still affect developers today. a friend of a friend with a semi-popular and active game got hit with this a few years back.
also, note that i said top-level instance. you can add instances under the ModuleScript, called children, and they will also be imported, like models and meshes.
y'know how i said that Scripts, LocalScripts, and RemoteEvents are basically required for networking now? yea. what i just said beforehand basically overcomes this obstacle.
A LocalScript is parented to the target player's character, which will call RemoteEvents imported with the ModuleScript, which will be handled by a server Script.
yippee!!
building
gonna go back to the old way for a little bit.
y'know how executors could only run a single script? for any other models, you had to do that manually (or use InsertService.LoadAsset, which is pre-2016, but i never saw any scripts i looked at do that but it's probably there).
i remember specifically seeing one of the big weapon scripts create and weld Parts for a big sword. and that sword was REAL detailed. it was admirable, but you can probably create a snippet that will do that for you. cool nonetheless.
today, you can just ship models with the MainModule, but... eh.
animating
on roblox, you can upload animations. these animations only work if they are uploaded by roblox or uploaded by the game's owner (user or group). consequently, exploiters cannot upload their own animations and reference them.
aside from using roblox animations or the game's owner's animations in a wildly different context, they can use Weld instances.
Welds take a higher priority than Motor6Ds, the instances that can be animated. Welds are pretty much just Motor6Ds but not typically used for animation, usually just for connecting two (unanchored) instances.
people can use Welds to animate without the restrictions that roblox applies.
trolling guis
a collection of exploit scripts and MainModules. it's like using a gui instead of a terminal; it has better user experience, and this is probably where you'll find most exploit scripts and modules, and this is what i enjoyed the most. you can browse and try out certain things, and it was interesting going through them.
some of these trolling guis are available in the library in models and plugins as MainModules.
hammering the nail
post-FilteringEnabled, roblox added a few extra safeguards.
- script capabilities - roblox developers could assign the minimum privileges required for use in a script, like imports and instance access
- obfuscation - roblox does not like obfuscation and will be very suspicious of you if you have obfuscated assets public on the library
- script injection permission - a plugin needs an opt-in script injection to be able to add a script into the game; this is part of a larger plugin permissions effort
- scripts in a model - roblox tells you if a model contains scripts and how many there are
- require snitch - roblox outputs to console if a module imported/required a MainModule
- source available - MainModules cannot be private to import (not a new development)
loadstring, a function that can run Lua code in a string, is disabled by default (also not a new development)- Hyperion - an anti-tamper for Roblox by Byfron, which halted exploits on Windows in the first few weeks and months when it released; they are (hopefully) working on improving it
good for them.
conclusion
without backdoors, exploiters don't really do too much.
assuming they get past Hyperion, they really only can abuse insecure RemoteEvents and RemoteFunctions; the ones that aren't stringent in checking if a player can do certain things. other times, they can't even be very strict without false positives.
the complex scripts, pre-FilteringEnabled and MainModules, have a certain class to them. they're interesting. perhaps it's because they are unrestricted. maybe it's because they're dealing with certain limitations and restrictions that make them all the more endearing, like using Welds of actual animations.
or maybe it's because they're a product of an older time.
roblox did not use to have particleemitters (2015, apparently). many games and script developers had to create Parts or assign meshes and transform them manually. black magic, an old roblox game, and many older scripts did this. the lack of particleemitters and the use of meshes and parts instead was probably endearing, at least to me.
roblox also used to not restrict sound use. before their purge of the audio library, which privated all non-approved audio and could not make new ones public after some copyright moderation fiascos, the audio library was open and you could use anything that was on there. roblox's terrible moderation brought rise to full length music and awesome sound effects that anybody could upload and use. today, only music from roblox's partners and distrokid can be used, and sound effects can only be uploaded with id verification.
in conclusion? these scripts were cool and admirable... just not the ones that are obviously weird and should not be presented to kids (neko cough cough).
alright. byby.
extra
extra extra
EDIT: 2024-12-18, 2024-12-19
i don't know where else to put these without breaking the pace (what pace?), so here's some extra words.
first, weld animations.
i believe these are usually choppy. also, weld animations aren't mandatory. you could definitely use motor6ds instead! you can just transform motor6ds like welds; however, the issue is that they will still be influenced by the animation, so it gets these weird offsets (the kitchen gun script!). animations, the ones you upload, are comprised of KeyframeSequences that you can access, and you do not need to use roblox's solution (upload, load, and play) to use these. you can create your own implementation! however, this is probably a lot more work for a simple fe script.
fe script? it's short for filtering enabled script. it's the exploit scripts compatible with filtering enabled and are usually placed in MainModules. i described them in their own section.
furthermore, fe scripts really only get in through backdoors. otherwise, they really can only manipulate physics in their control (players can temporarily handle physics objects when they're close to them) and exploit insecure remotes and other things i forgo.
also, the player character is under the physics ownership of the player. this means that an exploiter (and any player i guess) basically has control over the physics of their character. they can fly and spin really rapidly (which can fling on touch).
this also has negative effects for some genres on roblox, especially fighting games. since a player's physics is handled by the client, this causes some latency between what the client sees and what the server (and other clients) sees. i mean, you can get used to it, it's just weird.
roblox also just... doesn't really have good tools for server-authoritative movement (roblox currently uses client-authoritative). it was worse before i guess.
we have UnreliableRemoteEvents (UDP) now instead of strictly RemoteEvents (TCP) (at least an year old).
UDP? TCP? reliability?
i don't network!!! :D !!!
UDP is unreliable; it's unordered and the data may not even get to the receiver. this is fast.
TCP is reliable; it's ordered and the data will most certainly get to the receiver. this is slower than UDP.
in this case, UDP is good because we really don't care about older inputs and stuff. we just need the new ones to work with. also, this is helpful for something as fast-paced as a movement controller. a roblox developer has a nice article explaining more about this.
the problem (or something to note) with UnreliableRemoteEvents is that the data is capped at 900 bytes.
also, something i completely forgot (lol), RemoteEvents are not TCP. they are UDP but with reliability on top. so... kind of TCP???
roblox also has shapecasts now (at least an year old). roblox used to only have raycasts. you can use these for custom collisions, like for character controllers! the problem is that these don't have margins, so shapecasts close to walls will just... miss. you can phase through walls.
shapecasts?
raycasts but shapes.
community members have created their own solutions, the most prominent being chickynoid. however, chickynoid is suffering from the aforementioned problems and the lack of documentation.
however, roblox recently announced plans for server authority in the upcoming year, possibly complete with rollback. this is interesting.
Server Authority (Beta) - We are building native support for Server Authority. If a Creator enables this feature, the server will become the single source of truth for game actions, logic, and data; this should reduce cheating and improve fairness. Due to the additional latency incurred from a server authoritative solution we are also working on techniques like speculation and rollback to keep games feeling super responsive for your players. This feature is early in development, and we’ll be running tests through 2025. (2025) (source)
script fighters also exist. it's basically a fighting game but using those fe scripts. it's a little fun and you can try some out, but some scripts are more powerful than others of course.
games that just allow you to run code are called script builders. these run luau code in a sandbox.
also, good video if you have not watched it (it's about black magic :3).
anyway, that's all. byby.
■■