Exploit
On ROBLOX, an exploit (also frequently called a 'hack') consists of using a bug, glitch or vulnerability in a game or in ROBLOX's software to manipulate the game in a way that wasn't intended by its designer. Exploiting is considered cheating and is not permitted on ROBLOX[1]. People who use exploits in an unfair or malicious manner are known as "exploiters".
Countless rumors have been produced and propagated on ROBLOX concerning exploits and exploiters. Many theories of questionable value have been proposed about the actions and identity of users such as Dignity and 1x1x1x1.
History
Throughout the history of ROBLOX, many exploits have been found, disseminated and abused by ROBLOX users. Most of these were later fixed by the ROBLOX developers.
There is no solution that completely eliminates exploits on ROBLOX, but many measures to reduce exploiting have been tried or are planned for the future.
Cheat Engine
Cheat Engine, a debugger for Microsoft Windows created by Eric Heijnen, was used for a long time to take advantage of various vulnerabilities in ROBLOX. Many exploits have used it, most of which were later fixed by the ROBLOX developers.
Its numerous features have given life to exploits such as "speed hacking", which consists of making the ROBLOX client run faster; memory editing, which consists of finding and editing values in memory to change game values; dynamic-link library (DLL) injection, which consists of injecting a DLL file into ROBLOX's software to manipulate its code; and many others.
Lua bytecode
The Lua virtual machine compiles code to Lua bytecode before interpreting it. This process is irreversible, and thus was frequently used for code obfuscation.
Lua bytecode, for implementation reasons, does not have the same structure as Lua and allows, by unconventional means, manipulation of the stack and other things that are not possible in plain Lua. It is possible, though difficult, to write Lua assembly code manually and to assemble it into Lua bytecode. Lua can load Lua code and Lua bytecode through use of the loadstring function.
It has been proposed on the Lua mailing list that direct stack manipulation could be used to access the environment of other functions during their execution and therefore to "steal" values from these functions (and even from C functions that Lua has access to), something which is not and should not be possible in pure Lua.
The ROBLOX user NecroBumpist implemented exactly this idea.[2] Using Lua bytecode, he created a function that allowed a script to 'steal' values from other functions, including C functions. That made it possible to steal values from the ROBLOX API, but it was not until many months later that someone found a way to use this Lua bug to modify the global environment and, in a game server, to make the core scripts and the join script execute any Lua code.
This resulted in the removal of the ability to load bytecode with the loadstring function.[3] Contrary to common belief, this exploit had nothing to do with the common DLL exploit of the same time period. Removing bytecode had no side effect other than making code obfuscation impossible without other means (obfuscation later became useless anyway because of a change in script source replication).
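The mitigation described above, refusing bytecode at the loader, can be sketched for stock Lua as follows. This is an added example, not ROBLOX's code or its actual patch; `safe_loadstring` is a hypothetical name and the two sample chunks are constructed for the demonstration.

```lua
-- Added example: reject precompiled (binary) chunks before they reach the loader.
-- Binary chunks begin with the signature "\27Lua"; the stock loader chooses
-- between the bytecode undumper and the source parser from the first byte alone,
-- so that byte is what gets tested here.
local ESC = 27

-- safe_loadstring is a hypothetical wrapper, not part of Lua or the ROBLOX API.
local function safe_loadstring(source, chunkname)
  if type(source) ~= "string" then
    return nil, "source must be a string"
  end
  if source:byte(1) == ESC then
    return nil, "binary chunks are not allowed"
  end
  if _VERSION == "Lua 5.1" then
    -- Lua 5.1 has no mode argument, so the check above is the only gate.
    return loadstring(source, chunkname)
  end
  -- Lua 5.2 and later: mode "t" makes the loader itself refuse bytecode too.
  return load(source, chunkname, "t")
end

-- Constructed sample input: the same function as source text and as bytecode.
local text_chunk = "return 1 + 1"
local binary_chunk = string.dump(function() return 1 + 1 end)

local f = assert(safe_loadstring(text_chunk, "=demo"))
assert(f() == 2)                        -- source text still loads and runs

local g, err = safe_loadstring(binary_chunk, "=demo")
assert(g == nil)                        -- bytecode is refused
print(err)
```

In an embedding that exposes a loader to untrusted scripts, the wrapper has to replace every entry point that accepts chunks, otherwise the unfiltered one remains reachable.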
References
- [1] ROBLOX Terms of Service, http://www.roblox.com/info/terms-of-service
- [2] Necro's Magical Bytecode Exploits, ROBLOX forums, http://www.roblox.com/Forum/ShowPost.aspx?PostID=57817090
- [3] John Shedletsky, Bye Bye Bytecode, ROBLOX Blog, http://blog.roblox.com/2012/08/bye-bye-bytecode