He probably did not break DEX. But rather the LuaU decompiler of an exploit.
The method probably works by having Lua code which somehow messes up the conversion and/or decompilation. It is probably done by having too many variables in some way as many decompilers have a limit for it.
I don’t suggest you use anti-decompile methods though because an exploit creator can patch the method and they don’t even need to decompile the script for exploiting it.
Error logging is a great thing. But remember exploiters can easily patch ScriptContext error detection by just hooking to the error event and removing all events which are generated by exploits.
I don’t suggest you use anti-decompile methods though because an exploit creator can patch the method and they don’t even need to decompile the script for exploiting it.
I wouldn’t worry too much. Dex has not been updated in months and searching it on google provides you with an old version. Even if the script executor has a built-in script hub with Dex, they’ll need to update that too.
But the thing is. It is likely that the script breaks the decompiler of an exploits not Dex. High quality exploits will patch these methods if they become public.
Just adding onto this, scripts never implement their own decompilers. They are always provided by the exploit, and a lot of exploits tend to be made by highly competent people constantly updating them. Just follow best practices.
For this issue, it’s way easier to just check the X and Y coords, while letting raycasting handle the Y coord (flying, jump height, etc)… with that being said, you should not kick the player the first time it triggers.
check every players dX and dZ coordinates every second, if theyre above the max walkspeed (something like 25) ± a few studs/sec for lag, I flag them and if it happens again theyre kicked and logged
But I disable it only when there’s a server-wide command, like i’m teleporting everyone back to the lobby so ill fire a BindableEvent located in ServerStorage to let the anticheat script know to ignore the logs for a few seconds.
All this could be fixed if FireServer() Automatically Passes the Player AND the Script that fired it, The Server can then Check if the Script is nil or if it’s parent is also nil.
If it is , then it is possibly an exploit.
If Roblox does add this , then yes , it will break many games , but it would be a simple fix by putting a comma and an extra argument. This will also ensure that scripts that fire remotes must at least have a parent of some sort instead of having nothing or nil as a parent.
That can stop a lot of exploiters who like to fire things in their tracks!
Roblox has no way of doing this. Their code isn’t magically immune to exploiters changing it.
The only reason Player can’t be spoofed is because the server has an open connection to the client and can verify that it matches the real one. A script is completely stored in the client, and can not be verified.
In the simplest terms I can put it: it’s not possible at all.
It’s not about instances or Roblox event connections. I’m talking about the actual connection over the internet from the player’s computer and the server. Since the client has already verified who they are to the server (via security cookie), the server can verify that the player instance sent is the same as the one that was verified.
There is no such thing for other instances, as they exist entirely in the memory of the client.
game.CoreGui.DescendantAdded:connect(function(child)
if (child.IsProbablyBad()) then
flagPlayer()
end
end)
keep in mind tho that an exploiter could simply do this to get around it:
for i,Connection in pairs(getconnections(game.CoreGui.DescendantAdded)) do
if Connection.SomeCodeSignature == "x35\x41\xDE\xAD\xBE\xEF" then
Connection:Disconnect()
end
end
not possible. it would depricate older games with inactive devs and i don’t think adding a new remote instance to make this solution is very reliable, as an exploiter could just hook their remote firing events and fake their script instance.
your best bets are to just
not allow remotes to do anything that grants insane powers (such as GetAdmin:FireServer()
for sensitive remotes, such as stuff to do with shops and cash, be sure to write atleast basic encryption for them, and do server checks to make sure its nothing outrageous (like if someone buys something for negative cash, then their cash would actually increase, so check the cash that they’re spending)
In general roblox players more often use synapse. an exploit program. But the good news is that it is a local script. And exploiters can’t run scripts. but unfortunately there is a way:
The exploiters can fire RemoteEvents GetService (“ReplicatedStorage”): WaitForChild ( “remoteEvent”): FireServer () remoteEvent.OnServerEvent: connect (function (player) player.leaderstats.money.Value = player.leaderstats.money.Value = 10 but I use different methods.
Or make them miserable. Make them think that they’ve gotten away with it. Right when they think they’ve won, delete their progress and make them miserable poor souls. Take no mercy…
They don’t even need to do that, they can still do workspace, as it’s a forced function. Workspace will always refer to the workspace no matter the name you give it.