Any way to prevent memory spoofing?

Hey! I have been making a game similar to rubet where you can create/bet coinflips.

The way my game decides is it allows players to join 10 percent more or less of the creator’s value in items, and it adds it all up, and chooses a random number. Seen here:

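	local function determineWinner(creatorValue, joinerValue)
		-- Convert once so the comparison below is number-to-number
		creatorValue = tonumber(creatorValue)
		joinerValue = tonumber(joinerValue)
		local totalValue = creatorValue + joinerValue
		-- math.random(n) returns an integer in 1..n
		local randomValue = math.random(totalValue)
		if randomValue <= creatorValue then
			winnere = "creator" -- global, kept as in the original post
			return "creator"
		else
			winnere = "joiner"
			return "joiner"
		end
	end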

But I have exploiters joining the game and rigging coinflips, and I just now got hold of the script:

	while true do
	function x_calculate(seed) -- calculates the x seed
	    local func = math.pi; -- math.pi, who doesn't love pi!!!
	    local y = {"Robux","Tix"}; -- robux or ticks, cannot decide... 🤔
	    local seed = seed(y); -- SEEEEEEEEEEEEEEEEEEEEEEEEEEED
	    local clientseed = 91283781259 -- Client seed (Dehashed by NNhack 3.3)
	    local guess = (func / 1 * 2 / 0.23 / tick()) - 20 + (clientseed * 2) -- game memory guess function bruteforce
	    return [y[guess]] -- injects into game memory leak letting you win every flip on join
	  end
	  local x = {};
	  local xz = getgc(true); -- gets the gc (group chat, gift card, grand Cp, can be anything)
	  for i, v in xz do -- for iv in zxzxzxz doooo
	  if(xz.dump("Robux") or xz.dump("Tix")) then -- dump robux or ticks,,, cannot decide
	  local x_out = x_calculate(game.ServerScriptService:Initialize(xz.dump("InitializedRBXClientSeed"))) -- Hood Shit.
	  hookfunction(game.ServerScriptService.Initialize, function(self,outcome) -- i love barry alen fastest man alive.
	  outcome = x_out;
	  return (self,outcome) -- spider man
	  end
	  end
	  end
	end

And according to everyone I asked, this script spoofs memory. How am I able to patch this and prevent this from rigging coinflips?

4 Likes

As a general rule, you can’t. Do the mission critical stuff on the server and assume that all clients are compromised.

2 Likes

Basically, do the animation of the coinflip on the client, but decide what side the coin actually lands on on the server. This way, if a client is compromised and tries to change the outcome of the coinflip, it will look different for them, but since you decided the outcome on the server, it won’t matter.
In short, don’t trust any important information with the client, and always assume that the client is compromised, like @nicemike40 said.

5 Likes

All decisions of the winner are on the server.

I have multiple checks to verify the player has the correct info and all the decisions are on the server.

Then how is the client exploiting it?

1 Like

Exactly! I have no idea! They are rigging my coinflips.

You are using math.random to work out the winner, right?

I’m pretty sure I figured it out, but I need to know if you are using math.random to work out the winner of the coinflip (I’m pretty sure you are).

1 Like

Yup.

local randomValue = math.random(totalValue)

Basically, since you are using math.random to determine who wins the coinflip, it is exploitable. The reason for this is that math.random uses a seed (a really long number) and puts it through multiple calculations to make it ‘random’. This is called a pseudorandom number, and it isn’t truly random. The exploiters have figured out the seed, and can predict what the random number is going to be.

1 Like

Solved. Thank you to everyone that helped.

It would be great if you posted how you patched this for future people with the same issue!

I realized it was a fake script a few hours after, while reviewing it. It has undefined functions and attempts to access server resources. I just added a few more server-side checks for my remotes.
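
The advice in this thread (decide the outcome on the server and treat every remote argument as untrusted), as an added example that is not part of the original thread or the poster's game code. It is plain Lua/Luau so it runs outside Roblox; `inventoryValue`, `openFlips` and `handleJoin` are hypothetical names, players are represented by strings, and the stake is assumed to be a single number checked against a server-held inventory value.

```lua
-- Added example, plain Lua/Luau. All names and data here are hypothetical.
-- Server-held state (constructed sample data); clients never write to it.
local inventoryValue = { alice = 1000, bob = 1050, mallory = 200 }
local openFlips = { [1] = { creator = "alice", stake = 1000 } }

local function determineWinner(creatorValue, joinerValue)
	local roll = math.random(creatorValue + joinerValue)
	return roll <= creatorValue and "creator" or "joiner"
end

-- Body of a remote handler. In Roblox the engine supplies `player`;
-- flipId and claimedStake come from the client and are untrusted.
local function handleJoin(player, flipId, claimedStake)
	if type(flipId) ~= "number" or type(claimedStake) ~= "number" then
		return false, "bad argument types"
	end
	-- `% 1 ~= 0` also rejects NaN and infinity, not just fractions
	if claimedStake <= 0 or claimedStake % 1 ~= 0 then
		return false, "stake must be a positive integer"
	end
	local flip = openFlips[flipId]
	if not flip then
		return false, "no such open flip"
	end
	if flip.creator == player then
		return false, "cannot join own flip"
	end
	-- Compare against what the server knows the player owns
	if claimedStake > (inventoryValue[player] or 0) then
		return false, "stake exceeds inventory"
	end
	if claimedStake < flip.stake * 0.9 or claimedStake > flip.stake * 1.1 then
		return false, "stake outside the 10 percent window"
	end
	openFlips[flipId] = nil -- close first so the flip cannot be joined twice
	return true, determineWinner(flip.stake, claimedStake)
end

print(handleJoin("mallory", 1, 1000)) -- claims more than the server-side inventory
print(handleJoin("bob", 1, "1050"))   -- wrong type
print(handleJoin("bob", 1, 0 / 0))    -- NaN
print(handleJoin("bob", 1, 1050))     -- valid join, resolved on the server
print(handleJoin("bob", 1, 1050))     -- replay of the same request
```

In a Roblox game this logic would sit inside the server script's `OnServerEvent` connection, where the first argument is the `Player` object supplied by the engine.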
