Harden anti-exploit tamper detection against function interception #2105

Open
realmaitreal wants to merge 3 commits into Epix-Incorporated:master from realmaitreal:master

@realmaitreal


Changes to MainModule/Client/Core/Anti.luau

Rationale

The existing tamper detection loop relied on calling debug.info(Detected, ...) to
verify that Detected had not been modified. This approach can be neutralised by
intercepting debug.info at the environment level, causing the tamper loop to stall
indefinitely. Additionally, while true do end was used as a response to detected
tampering, which Roblox kills via script timeout — rendering enforcement ineffective.

Changes

  • Capture debug.info as a local (rawDebugInfo) before setfenv alters the
    environment, preserving a direct reference to the original C function independent
    of later environment-level changes.
  • Capture Kill's debug metadata (source, line, name) at module load time for
    later integrity comparison.
  • Replace all tamper-sensitive debug.info calls in checkStack, isMethamethodValid,
    and the xpcall error handlers with rawDebugInfo.
  • Add a private behavioral heartbeat counter (_heartbeatSeq) incremented by the real
    Detected body when called with action "_". The tamper loop checks this counter
    to verify Detected is executing its actual implementation, rather than relying solely
    on debug.info introspection of Detected (which can be intercepted).
  • Add an integrity check for Kill by comparing its current debug.info metadata
    against the snapshot taken at load time.
  • Replace all while true do end enforcement responses with the proper
    Detected(...) + pcall(Disconnect, ...) + pcall(Kill, ...) + pcall(Kick, Player, ...)
    chain already used elsewhere in the file. while true do end is killed by Roblox's
    script timeout and provides no actual enforcement.

@realmaitreal realmaitreal marked this pull request as draft May 3, 2026 19:38
@realmaitreal

Author

I'm currently working on more tamper detection.

@realmaitreal realmaitreal marked this pull request as ready for review May 3, 2026 20:48
@realmaitreal

Author

Added a load-time debug metadata snapshot of Detected and Kill, checked each tamper loop iteration via a pre-setfenv reference to debug.info. Since hookfunction mutates function objects in-place and changes their debug metadata, any hook is caught without calling Detected, defeating bypasses that pass the heartbeat sentinel through to the original.
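
The load-time metadata snapshot and the heartbeat check described in the PR description and in the comment above, as an added example that is not code from this pull request or from the project. Detected, Kill, rawDebugInfo and the heartbeat counter take their names from the PR text; the function bodies and the helpers snapshot, unchanged and integrityCheck are hypothetical.

```luau
-- Added example, not the project's code. Detected, Kill, rawDebugInfo and the
-- heartbeat counter follow the PR text; every function body is a placeholder.
local rawDebugInfo = debug.info -- taken before any setfenv call in the module

local heartbeatSeq = 0 -- private upvalue, advanced only by the real Detected body

local function Kill(reason: string)
	-- placeholder for the real enforcement routine
end

local function Detected(action: string, info: string): boolean
	if action == "_" then
		heartbeatSeq += 1
		return true
	end
	-- placeholder: log the detection and run the enforcement chain
	return true
end

-- Source, defining line and name of a function, read through the saved reference.
local function snapshot(fn)
	local source, line, name = rawDebugInfo(fn, "sln")
	return { source = source, line = line, name = name }
end

local function unchanged(fn, snap): boolean
	local ok, source, line, name = pcall(rawDebugInfo, fn, "sln")
	return ok and source == snap.source and line == snap.line and name == snap.name
end

-- Load-time baselines, compared on every tamper-loop iteration.
local detectedSnap, killSnap = snapshot(Detected), snapshot(Kill)

-- Returns true, or false plus the reason the loop should pass to enforcement.
local function integrityCheck(): (boolean, string?)
	if not unchanged(Detected, detectedSnap) then
		return false, "Detected debug metadata changed"
	end
	if not unchanged(Kill, killSnap) then
		return false, "Kill debug metadata changed"
	end
	local before = heartbeatSeq
	local ok = pcall(Detected, "_", "_")
	if not ok or heartbeatSeq ~= before + 1 then
		return false, "Detected heartbeat did not advance"
	end
	return true, nil
end
print(integrityCheck())
```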

@GalacticInspired

Member

@Expertcoderz @coasterteam
