Anti Exploit Help

Hey, I’ve recently been attacked by a number of exploiters and I found out their main source.
Basically, they are spamming remote events to change their leaderstats. Is there any solution to this?

miscdiv:addButton({
  title = "Unlock all advancements",
  default = "(It saves your current population) unlocks all units (except gamepass)",
  callback = function()
    local population = game.Players.LocalPlayer.leaderstats.Population.Value
    curremote:FireServer("Population",-(population))

    curremote:FireServer("Population",100) -- 100
    wait(0.1)
    curremote:FireServer("Population",400) -- 500
    wait(0.1)
    curremote:FireServer("Population",4500) -- 5000
    wait(0.1)
    curremote:FireServer("Population",5000) -- 10K
    wait(0.1)
    curremote:FireServer("Population",15000) -- 25K
    wait(0.1)
    curremote:FireServer("Population",25000) -- 50K
    wait(0.1)
    curremote:FireServer("Population",50000) -- 100K
    wait(0.1)
    curremote:FireServer("Population",400000) -- 500K
    wait(0.1)
    curremote:FireServer("Population",500000) -- 1M
    wait(0.1)
    curremote:FireServer("Population",9000000) -- 10M
    wait(0.1)
    curremote:FireServer("Population",-10000000) -- 0
    curremote:FireServer("Population",population)
  end
})

This is one of the main pieces of code they are using.

1 Like

The issue is that you didn’t protect your game properly, allowing exploiters to fire a remote event that gives stats.

A solution would be to remove this remote event, and properly handle the actions.

1 Like

Yeah, you can remove this remote event and properly handle the actions. Also, you can find an anti-exploit on Roblox to prevent exploiters from exploiting.

Ok it’s necessary that you know this: every LocalScript can be exploited.

To not allow the exploiters to exploit, you shouldn’t use LocalScripts for important actions, only normal Scripts.

1 Like

I used anti-exploits before and they worked

Remote events aren’t really exploitable. It is mostly client events that exploiters attack.

They are firing the remote event over and over to get money. In this case, he has to remove the remote event or make it secure.

1 Like

Maybe use some sort of variable in the FireServer call and then you can confirm the variable later on the server side. Sort of like a password.

Just make a table with the people who are eligible to give money, easy as that.

Sample code:

local Admins = {"caviarbro","yourusername","ROBLOX"}
local RemoteEvent = game:GetService("ReplicatedStorage").RemoteEvent

RemoteEvent.OnServerEvent:Connect(function(player, Currency, Amount)
    if table.find(Admins, player.Name) then
        -- Currency is the name of the leaderstat the client asked for (e.g. "Population")
        local stat = player.leaderstats:FindFirstChild(Currency)
        if stat then
            stat.Value += Amount
        end
    else
        -- punishment for a player who falsely fired the server (optional, you can delete it)
        local humanoid = player.Character and player.Character:FindFirstChild("Humanoid")
        if humanoid then
            humanoid:TakeDamage(100)
        end
    end
end)

Also, this is sample code; I would suggest you use UserIds instead.

1 Like

This is what’s known as “security through obscurity” and it’s not effective at all.

OP shouldn’t use a remote event for this at all, things like changing stats should not be left up to the client to decide.

1 Like

What if exploiters fire the server as a fake player name?

Tell me, how are you able to do that? This information is filled in automatically and you aren’t inserting your name when you are firing the server.

1 Like

Don’t let the client tell the server “I can”, make them ask, “Can I?”.

Your problem (which many have pointed out) is that you’re telling the server how much the player has when the server should be the one figuring that out.

Instead of firing the remote with the value, get rid of the value and try something like this on the server:

local remotename = game:GetService("ReplicatedStorage"):WaitForChild("RemoteEvent") -- your remote
local arandomnumberifthatswhatyouwant = 1 -- the amount is chosen here, on the server

remotename.OnServerEvent:Connect(function(player)
    -- read the stat object itself so the change is written back, not just a local copy
    local population = player.leaderstats.Population
    population.Value += arandomnumberifthatswhatyouwant
end)

(I did this in the morning and I’m tired, plz lemme know if somethings incorrect)
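As an added example (not code from the thread or from the OP’s game), here is the insecure handler that the exploit script at the top of the thread abuses, placed next to the “ask, don’t tell” version described in the post above. The remote name “HarvestRemote”, the reward amount and the cooldown are assumed values; the game’s real remote and action names are not on the page.

```lua
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

-- INSECURE: the client names both the stat and the delta, so a call like
-- FireServer("Population", 9000000) is honoured exactly as sent.
local function insecureHandler(player, statName, amount)
	local stat = player.leaderstats:FindFirstChild(statName)
	if stat then
		stat.Value += amount
	end
end

-- HARDENED: the client only says "I'd like to harvest". The server decides
-- whether that is allowed right now and how much it is worth.
local HARVEST_AMOUNT = 5    -- assumed: server-owned reward per harvest
local HARVEST_COOLDOWN = 10 -- assumed: seconds a player must wait between harvests
local lastHarvest = {}      -- UserId -> os.clock() of the last accepted harvest

local function hardenedHandler(player, ...)
	-- Any extra arguments from the client are ignored; it has no say in the amount.
	local leaderstats = player:FindFirstChild("leaderstats")
	local population = leaderstats and leaderstats:FindFirstChild("Population")
	if not population then
		return
	end
	local now = os.clock()
	local last = lastHarvest[player.UserId]
	if last and now - last < HARVEST_COOLDOWN then
		return -- fired too soon: rapid re-firing is simply dropped
	end
	lastHarvest[player.UserId] = now
	population.Value += HARVEST_AMOUNT
end

Players.PlayerRemoving:Connect(function(player)
	lastHarvest[player.UserId] = nil -- do not keep entries for players who left
end)

local harvestRemote = ReplicatedStorage:WaitForChild("HarvestRemote") -- assumed name
harvestRemote.OnServerEvent:Connect(hardenedHandler)
```

Only the hardened handler is connected; the insecure one is kept purely for contrast. The per-player cooldown is what turns the spam loop in the OP’s post into a no-op, because the server, not the client, owns both the amount and the timing.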

The whole problem of the OP is that anybody can fire the RemoteEvent; the code that I provided is the only solution for that problem.

1 Like

At some point in the script, you fired the server. When you do you could put another variable for the server to call. Let’s say if the variable is “12p3123047129384710293857029384798127340918723” then run the server code.

Okay, and tell me, how is this efficient? Somebody can leak it to the public and everybody will be able to continue doing malicious things, plus it will be hard to remember if you don’t have it copied 24/7.

1 Like

No. Exploiters can see all of your remote traffic; putting a hard baked in key is extremely easy to defeat and is not a security measure at all. It is a security illusion.

The only solution to @ScriptingInRoblox’s problem is to re-engineer their entire game’s networking code from scratch, following the principles set out in the Roblox Client-Server Model Developer Hub page. This lays out the principle of zero-trust that you must follow when engineering a secure game.

This is out of the scope of what the OP can be helped with via this category; they should put in a request for help in #collaboration:recruitment to contract someone (for a fair price) to do this for them.

4 Likes

So with security our approach must be security by design. In this case there are 2 major things to consider.

  • The client can modify ANY data on the client at any time and there is NO way to prevent this.

  • The client can fire ANY remote at any time as many times as they want and there is NO way to prevent this.

So first of all, forget client-side anti-cheats and security through obscurity. These don’t work at all; they are a waste of time, and the time you would spend on those could be spent on actual security measures.

But you might be thinking, “if I can’t prevent remote firing and I can’t use local anti-cheats, then how am I supposed to secure my game?” Well, don’t worry, there is a way.

The only thing we can do is validate the data on the server. The client should never tell the server to do something; the client should ask. For example, an “AddMoney” event is insecure. So is “GiveItem”. They should be replaced with a “BuyItem” event, and the server should validate the data.

You must always validate all of your remotes.

2 Likes
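As an added example (not from the thread or any project it mentions), this is a “BuyItem” remote handled the way the post above describes: the client may only name an item, and the server looks up the price, checks the player’s funds, rejects duplicates and rate-limits requests. The item catalogue, the “Coins” leaderstat, the “Inventory” folder and the RemoteFunction name “BuyItem” are all constructed for illustration.

```lua
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

-- Server-owned catalogue (constructed): the client can name an item, never set its price.
local CATALOGUE = {
	Farm = { price = 100 },
	Barracks = { price = 500 },
	Castle = { price = 5000 },
}

local MAX_REQUESTS_PER_SECOND = 5 -- assumed limit
local requestLog = {}             -- UserId -> { count = n, windowStart = os.clock() }

-- Fixed-window rate limit so a client spamming the remote is dropped cheaply.
local function withinRateLimit(player)
	local now = os.clock()
	local entry = requestLog[player.UserId]
	if not entry or now - entry.windowStart >= 1 then
		requestLog[player.UserId] = { count = 1, windowStart = now }
		return true
	end
	entry.count += 1
	return entry.count <= MAX_REQUESTS_PER_SECOND
end

-- Returns true on success, or false plus a reason. Every client argument is
-- untrusted: it is type-checked, looked up in server data and bounds-checked.
local function tryBuy(player, itemName)
	if not withinRateLimit(player) then
		return false, "rate limited"
	end
	if typeof(itemName) ~= "string" then
		return false, "bad argument"
	end
	local item = CATALOGUE[itemName]
	if not item then
		return false, "unknown item"
	end
	local leaderstats = player:FindFirstChild("leaderstats")
	local coins = leaderstats and leaderstats:FindFirstChild("Coins")
	local inventory = player:FindFirstChild("Inventory")
	if not coins or not inventory then
		return false, "player not ready"
	end
	if coins.Value < item.price then
		return false, "cannot afford"
	end
	if inventory:FindFirstChild(itemName) then
		return false, "already owned"
	end
	-- All checks passed: the server applies both sides of the trade itself.
	coins.Value -= item.price
	local owned = Instance.new("BoolValue")
	owned.Name = itemName
	owned.Value = true
	owned.Parent = inventory
	return true
end

-- A RemoteFunction is used so the client gets an answer to "Can I?".
local buyItem = ReplicatedStorage:WaitForChild("BuyItem") -- assumed RemoteFunction name
buyItem.OnServerInvoke = function(player, itemName)
	local ok, reason = tryBuy(player, itemName)
	if not ok then
		-- Server-side log of rejected requests; repeated hits here are a useful signal.
		warn(("BuyItem rejected for %s (%d): %s"):format(player.Name, player.UserId, reason))
	end
	return ok, reason
end

Players.PlayerRemoving:Connect(function(player)
	requestLog[player.UserId] = nil
end)
```

Nothing the client sends is ever written into a stat directly: the only client-controlled value is the item name, and it is used solely as a lookup key into data the server owns. The rejection log is worth keeping, since a player who trips the rate limit or asks for unknown items repeatedly is exactly the kind of traffic the OP was trying to spot.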