Hello Roblox Developers, I have a few questions concerning the .TouchedEvent on Parts in the Roblox Workspace.
My First questions is, since hackers/exploiters can see Client-Sided Scripts, Are they able to alter Client Based interactions, For example, I have a Checkpoint. Which will fire a remote event, To update the Checkpoint value, when its touched. Heres a scripting example
local Checkpoint1Remote = game.ReplicatedStorage.Checkpoint1
local CheckpointPart = game.Workspace.CheckpointPart
CheckpointPart.Touched:Connect(function(hit)
if hit.Parent == 'Humanoid' then
Checkpoint1Remote:FireServer()
end)
My question is, Could a hacker/exploiter, Change the values of the RemoteEvent, to example, if Checkpoint1 is Touched, could they possibly Fire the Checkpoint RemoteEvent of Checkpoint3, Or fire Checkpoint3 Remote Event as a whole???
EXPLOIT ALTERED SCRIPT INTERACTION EXAMPLE
local Checkpoint1Remote = game.ReplicatedStorage.Checkpoint1
local Checkpoint3Remote = game.ReplicatedStorage.Checkpoint3
local CheckpointPart = game.Workspace.CheckpointPart
CheckpointPart.Touched:Connect(function(hit)
if hit.Parent == 'Humanoid' then
Checkpoint3Remote:FireServer()
end)
So my question is, How would i deal to overcome such exploitation, the game i currently have, involves alot of Client-Sided/Server-Sided Interactions with remoteEvents.
edit: im not sure if they can read the source code of local scripts though, i think it is being replicated as bytecode so they cannot read it
Exploiters cannot edit any of your local scripts but they can inject their own and thus connect their own connections to touched event to perform things they want such as firing remote event
the easiest way to deal with that is to pass some kind of password argument to remote event when firing from the client to the server where you will check whether that password is valid and it wasnt an exploiter
for example if password is invalid kick the player
They can read every script that is not in serverstorage or serverscriptservice, and they can also edit your scripts, im not sure how much they can edit, but just assume they can
Exploiter can read module scripts and local script (or they could) so basicly you need to check if player haracter is enought close to checkpoint after they fired event. (still they could just fly to checkpoints)
False. Roblox provides the client with the bytecode of your local scripts, not server scripts. Even if they are somewhere that would be replicated, exploiters cannot see their bytecode; all they know is that a server script exists there. However, exploiters can use decompilers to read your code (although it may be somewhat unintelligible). They cannot edit your scripts, but they can disable them and replace them with their own.
Exploiters will be able to fire any remotes visible to them with any parameters they want.
To stop them from exploiting your checkpoint remote, perform a Magnitude (Distance) check of the player’s character from the specified checkpoint:
(I know this isn’t a good solution because of its redundancy when considering the fact Exploiters have control over their character and can set their CFrames, rather I wanted to drive home the points of never trust the client and perform sanity checks.)
local magnitude = (checkpoint.Position - player.Character.HumanoidRootPart.Position).Magnitude
Then just check if they’re reasonably close enough to it:
if magnitude <= maxDistance then
--do stuff
end
The general rule of thumb is to never trust the Client and always perform sanity checks with anything involving remotes.
They can fire an event to make it works(DEXExplorer hack).But It’s kinda rare for it to happens since most of exploit doesn’t work for DEXExplorer Anymore,it can’t read script,fire event,change value anymore so basically.Its VERY rare for that to happens
checking the magnitude of the HumanoidRootPart can be exploited because the client has network ownership of there character so they are able to position there character anywhere they like
can exploiters fire remote events / functions = yes
can exploiters position there character anywhere they want to = yes
can exploiters fire touch events in a server script = yes
