Can a hacker turn on a function inside a script?

If I make a function inside a script that says

function aa()
print(“turned on function”)
end

Can a hacker turn on the function?

7 Likes

Hackers/Exploiters can’t modify your scripts or call functions physically unless there is some vulnerability, Client-Sided scripts are more exploitable, but Server-Scripts are fine as long as there is no Remote contact between scripts that can allow backdoor entrances in your game.

7 Likes

They cannot directly run it from the script.
However, if it’s a local script, they can replicate the function and copy it over to their own script and run it from there.

Another way they can do this is actually by replacing the script with their modified version using Instance.new("LocalScript", TargetScript.Parent).Source = MyEditedCodeOrYourCodeEdited TargetScript:Destroy()

this will remove the script youre running and replace it with a modified version of it or one with completely different code.

6 Likes

If your code is ever replicated to the client, yes, they will be able to call/modify anything inside of a script.

I’m not sure why the above comments think otherwise, iirc exploiters have modified luau environments that allow them to dump the stack of scripts, and this would therefore expose the function.


And, please don’t put any sort of security into a Client script, it’s not worth the battle when you’re the one running code on the client, just stick to the Server :smile:

1 Like

u cant get source u gotta decompile the byte code

1 Like

Script.Source is viewable from the client and it returns a string.

Exploiters could only see client and module scripts (with dex or any other explorer tool) or if they could get the hand of the Source property.

they could also use hookfunction(broken link) on their exploits(krnl,syn x, scriptware etc) to hook the function and replace it with their own version.

tldr: exploiters can run the contents of local scripts or hook a function in a local script

Warning. Exploiting leads to unreversible consequences and reputation.

2 Likes

If that function is in a local script, I believe there’s a commonly used primitive function in many script executors either called getfenv or getsenv which gets the environment of all global variables within the local script.

In this case your example function:

function aa()
    print(“turned on function”)
end

will be shown within the returned table when a hacker executes the script. From there, they can call that function from their exploit which I assume you’re referring to as “turned on function”. There’s a simple way for exploiters to not have access to running local script functions like that during run time. Simply add local in front of the function name and it wont show up in the getfenv or gensenv (whichever one) function call.

Ex:

local function aa()
    print(“turned on function”)
end

An exploiter can replicate the function, but not directly turn it on. They can create an identical version of it in their own script but cannot activate the same exact function

If it’s on the Client side then yes. The client can modify anything they have access too (or AT LEAST most of the stuff they have access to)

Like @Kurookku said, an exploiter could use getfenv to get the environment of the script with the function. But they could alternatively use hookfunction if their exploiting program has it.

I’m not very sure if making the function local will make it not show up in the environment. But I’m guessing it probably wont

The Source property is plugin security. It can only be accessed in plugins and the studio command bar.

Of course, if the source code was sent to the client, an exploiter could access it in some way regardless of not being able to use LocalScript.Source. However, I think I’ve seen it mentioned somewhere that source code isn’t sent to the client. Sending source code to the client would be pointless as it can’t be accessed by LocalScripts which means it would be useless

They cannot.
Unless it’s a remote event or something like that.

Depends on if it’s a local script or not. All local scripts should fire to server scripts passing information needed to do whatever. The server script then preforms said task. Simple things that will have no impact on the game can be done in a local script also. It’s a pain but it’s the only way to stop exploit possibilities.

Hackers have full “access” to local scripts.
Once you get good at firing remotes this becomes pretty easy.

Lowkey “MyEditedCodeOrYourCodeEdited” sounds like a sick username

Hi,

Developer of the :scream: Rain :scream: executor here. To answer your question, yes.

Since you declared a global function, exploiters could use the getsenv() which returns a table of the script environment to get the function.

getsenv().aa()

They could also use getgc() to get garbage collected items, which should include your function.

for _, func in pairs(getgc()) do
  if typeof(func) == "function" then
    if debug.getinfo(func).name == "aa" then
      func()
    end
  end
end

The source property is not used in the client. The source code of the script is compiled to bytecode, doing changes to the source property now does nothing.

No.

There is no point in hooking the function when the OP asked for if it would be possible to call the function.

getgc() :wink:

Executors usually have the thread identity 8, 7 or 3, which has access to everything, including PluginSecurity properties. But source is useless in the client.

3 Likes