Avoiding the Workspace to replicate from server to client

Noxielotl · January 12, 2019, 6:44pm

They can just delete the antihack local script.

Nightrains · January 12, 2019, 6:49pm

I’m sure that can be detected too.

davness · January 12, 2019, 6:51pm

And the detectors can be deleted too.

Noxielotl · January 12, 2019, 6:51pm

Not really. Any local script antihacks can be stopped.

Noxielotl · January 12, 2019, 6:52pm

Have you read my solution?

Nightrains · January 12, 2019, 6:55pm

I doubt it very much, I think everything should be Client-Side, making requests to the server all the time seems to me to be very inefficient and a waste of memory, you can make the Anti-Exploit to be in an important script that if deleted nothing in the game would work.

Noxielotl · January 12, 2019, 6:57pm

It’s not making requests all the time.

Also server is a vital part of a game.

Doing everything client side is an EXTREMELY bad practice which most old Roblox games (before FE) did which is why they were so prone to hackers.

OverHash · January 12, 2019, 7:06pm

A client can do anything. Pretend that an exploiter has access to a command line and all your scripts + maps you give it. This means they can do the following

See all descendants of services they have access to (Workspace, PlayerGui, etc)
Execute their own scripts
See any remote event/function requests you are sending and hijack them, essentially
See any remote event/function requests the Server fires

This can have a result of the following:

Delete other scripts (such as anti-exploit
Steal map models or GUI models
Change transparency of other parts
Change their local character’s properties

Vulkarin · January 12, 2019, 7:14pm

The server can put objects into PlayerGui

@AyeeAndrxw is right, your current design is not easy to keep secure. What sort of advantage would an exploiter have if they could see outside their range?

davness · January 12, 2019, 7:19pm

Let’s get back to the image of the OP:

If the exploiter has acess to the whole map, they can also see where the other players are, even if out of their range.
Since the players are stationary (they can’t move), it’s then very easy for the exploiter to send a barrage of projectiles in their direction (aka sniping) knowingly that in the early game there are no proper defences.

Vulkarin · January 12, 2019, 7:22pm

Couldn’t an exploiter already see the location of other players’ characters in workspace as AyeeAndrxw mentioned?

However, since they are stationary, you could do what @ITBV said and have the server reveal to the client more objects as their base increases. This wouldn’t have the cache issues that were addressed earlier since once it’s revealed it’s revealed forever.

davness · January 12, 2019, 7:30pm

The players are stationary, the projectiles evidently are not.

The goal is to the Workspace not to replicate from the server, if possible, if not, we’re discussing the alternatives.

If the client doesn’t get the other player’s location replicated from the server in the first place then they cannot see it.

Vulkarin · January 12, 2019, 7:44pm

As long as you don’t expect clients to lower their FOV then that part should be fine. You can easily have the server and client communicate to create localized parts. As long as the FOV isn’t changing super quickly there shouldn’t be much performance issues.

I would think the projectiles would just been handled by the server and replicated to everyone, that way players know who/what killed them and the server doesn’t have to work with any spoofed client information/parts.

Nightrains · January 13, 2019, 1:27am

If you put script.Parent = nil the script will still work, and it can’t be deleted.

davness · January 13, 2019, 1:49am

I think that the topic is being derailed to a discussion about exploiting.

It is a fact that there isn’t a foolproof method to stop exploiting only using client-sided methods. Refer to @AMD_chan’s Exploiting Explained for more information.

The problem here is:

I don’t want to let the client to see the server’s Workspace. Period. I would then handle Workspace replication my way.
If I let the client see the server’s workspace, I have no guarantee I can delete the unallowed parts from the client. This is a particular case where I can’t really implement sanity checks.
I still want the Workspace to dynamically calculate physics, so moving it to ServerStorage is not an option unless I like to waste time recoding the collision solver on a platform that is less efficient.

Captain_Teach · January 13, 2019, 1:54am

If you’re concerned about exploiters seeing more than they are supposed to, just kick() whenever an object that’s isn’t allowed being replicated onto the players client is found.

davness · January 13, 2019, 1:56am

That means that the server would literally kick everyone: The server replicates everything in the Workspace by default, so every client would see something they shouldn’t.

OverHash · January 13, 2019, 4:12am

That is false information. I don’t really want to derail away from this topic, but the code will still execute, and therefore can be edited (I believe it goes into the RAM, but don’t quote me).

There is no way to stop exploiters from viewing everything - besides not giving them it

What you are doing is making it harder to find the script, but if you really try, you can find the script one way or another.

Sidenote,

script = nil

Removes all references towards the script, and is probably better for what you sound like you want to do.

joesmaller_xyz · January 13, 2019, 5:14am

Personally, i’m not sure if exactly what you’re asking for is possible (without using some of the hacky methods stated above), as such it might be worth making a feature request instead.

Zenuvius · January 13, 2019, 6:15am

Why ServerStorage ?

Sure it helps with security, but having the replication being done via remotes etc could possibly lower overall game performance. Mind you, I’m no expert, personally I would put the game map in ReplicatedStorage and have a localscript handle the replication manually.

Does this pose a security risk ? Yes.
Can you patch them ? Yes.
Can your patch be exploited ? Yes.

On the topic of security, no matter what exploit you encounter, there’s always a way to patch it. Likewise, no matter what patch you write, there will always be a way to exploit it. This is the reality that you have to face security-wise. There’s no ultimate patch for anything.

OP wants to avoid direct server replication, this isn’t about security so why speak of it right ? However one could argue that efficiency and quality does come to mind on any programming topics.

Surely security matters, but before we get to that, let’s look at a couple pros and cons,

1) ServerStorage

More secure than clientsided method handlers [ PRO ]
Slower than clientsided method handlers [ CON ]

2) ReplicatedStorage

Replication can be done without having to go through possible latency delays [ PRO ]
Easily exploitable [ CON ]

This brings us back to the old debate of Security vs Gameplay, personally I would suggest handling them on the client side, because statistics. You have to consider this, with server handlers, you’re looking at a guaranteed gameplay-affected experience for all players in your game.

On the other hand, with client-handlers, you’re looking at the issue of Security and Exploiters, the possibility of ruined gameplay experience for some players.

Between this two, it’s better to pick the latter, statistic wise. In no way am I saying that security is mediocre and redundant. In fact, security is always something I think about first when I’m programming, but while doing so. One must never sacrifice general gameplay for improved security.

With every method there’s flaws to account for. And in your case, that’s the only suggestion I could think of really. In no way will this be the best solution, it is simply my humble opinion. Someone else may stumble upon this and suggest a method unknown to us, and in that event we shall learn and improve !