Best ways to stop hackers firing remoteevents

I understand that but the this script that I really don’t really want it to be stolen is a LocalScript that can only be handled by the Client, It’s a chat script.

Other than that is non of my worries, You can’t Exploit my RemoteEvent nor RemoteFunction I always check on the server.

Don’t worry about people stealing your scripts. There’s nothing you can do to prevent it. If your server security is bulletproof (which it should be), there’s no harm in hackers seeing your scripts.

3 Likes

I know, It’s heart breaking when you do something really really cool but it’s a pain that your hard work can be stolen by such malicious people at any given time.

4 Likes

The stolen local scripts are pretty much useless to the exploiter if your game relies on server side scripts to function and reverse engineering the serverside scripts is just a waste of time for them as the original owner can just report them for the stolen assets.

4 Likes

It’s easy to do that. If you want to hide your script only set the parent nil, because with the localscript the exploiters can do a function like a require but for localscripts and fire functions of the localscript, its like use the localscript to fire a function who fires a remoteevent and bypass the anticheat.

Also you can change your RE name with httpservice instance guid function. It’s very easy but is hard to do in the games who the localscripts uses same remove events. You can add RemoteKeys, generate one on a module then the serverscript check the remotekey and add a check remote func who returns false or true, if you want to check some from the client in the server, for example the exploiter changed the a value to 1000 but if you fire the check remote func checking that value it will returns the server value who is 100, what you can prevent with this? Very much, you can prevent to fire remotes beacause it have a value of cash or the correct value in the client but not in the server.

1 Like

All these replies are great, just icing on the cake, if an exploiter fires a remote and the server sees that it’s illogical, you could create a webhook that gets the players username and userid.

That information could be used for a ban script, a “hall of exploiters” on your Discord server (if you have one) or any other punishment really.

2 Likes

I know this is old but one funny way i’ve seen people make it a lot harder for hackers to fire remote events is to make it named something that you can’t type easily

J̵̢͈̙͎̼̓̆̈́̑̀̐̋̍u̶̧̹̩̗̣̙̐̍͜͝ş̶͔̩̯͙̬͔͔̑̇́̌̄̏͂̓t̸̡̧͇̭̤͕̘̭͈̞̳̟́̌̔̌͑ͅ ̷̢̧͙͖͉͇͍̝̠͈͎͉̞͔͑͊́ͅḷ̸̢̲̜̣̝̻̩̾͌̚i̴̢̲̳̞͍͈̇͋̍̾̿͋͊͋̉̽́̊̂k̵͇͛͊̀̐ë̵͉͈̩̬̖́̽́͑̅̀̊̊͋͋̉̾͘ ̷̦̻̫͓͙̫̣̚͝ẗ̶̡̛͖̘͙̥̙̪̣͉́̿̆̔̓̆͊͆͛̚͘ͅh̵̡̛͉̙̠͙̠͑̔́͂͊̽͜ȋ̵̡̢̢̲̙̳̲̘̲̗̖͚͒̏͛̀s̶̨̼̮͈͉̪̤͕͓̲͎͋̈́̋́͗̐̈́̀̈́̑̈́͌̌̕

not only is it not on your keyboard, but it is not copy and pastable on the hacker’s side sometimes and it turns it into other random symbols. the only way to get it is through the parent:GetChildren() and loop through the children and find the remote event (Correct me if i’m wrong)

1 Like

It doesn’t look like you have read the replies of the topic. Exploiters are already able to see remote traffic so using a “password” for a remote is useless.

Never mind, I see you meant a name. Obfuscating remote names is still not a good idea anyways as you make it a pain for yourself as well.

And the really powerful exploits even have functions to copy things to your clipboard so it’s just a matter of them getting the name of the remote through that

1 Like

there is nothing wrong with client side obfuscation. (I would have to say obfuscation alone is pointless but its really just part of a bigger picture for security, in games outside of roblox atleast).

Have you made a game before? It is not as simple as this. You can’t expect to find all bugs, with obfuscation there is no useful call-stack.

(post withdrawn by author, will be automatically deleted in 1 hour unless flagged)

See:

Please read before replying!

But say later on your code causes a bug. The obfuscated code won’t provide anything useful.

You don’t need to obfuscate code, if your server checks are bulletproof then there is no harm in exploiters getting remotes.

well, duh you just edit your testing version and then push that instead, lol obviously you wouldn’t try to fix the obfuscated version that would be a hassle, and I don’t think you really understand how obfuscation works, because the code is literally the same just ciphered names, so errors/callstacks will be fine, btw.

you’ll see what line has an issue and you’ll see what value/function has an issue like normal.

No no, you are not understanding.

You can’t expect your code to instantly be immune to bugs and errors.

Say the obfuscated script causes an exception. You will get a stack trace but it will not be useful.

How do you know what part of it actually went wrong? i.e how do you “translate” it?

Yes…? A lot of people do that, but as incapaz stated, obfuscators also make it much harder to find out what broke exactly unless you have a built-in debugger in the script, not to mention that obfuscating lags your scripts by a lot.

1 Like

Wait. So you mean that even if a ServerScript is on workspace or ReplicatedStorage, the source inside it won’t be readable by the hacker’s client? Like if it was a blank script? If that’s true I wasted a lot of time spawning scripts inside serverscriptservice and binding a :Destroy() function to them when they arent needed anymore.

Yes. Server scripts do not ever replicate bytecode. I’m not sure about ModuleScripts required by the server, though. And honestly, if it’s a server script, it should probably be in ServerScriptService anyways.

Short answer, you can’t, don’t rely on the client for security. I’m not saying you can’t do stuff on the client, just make sure you have something preventing them from the server.

For example, a VIP room. You could remove the door from the client, and you can check if the players who are in the room are VIPs. If they aren’t, you teleport them out. Don’t rely on the client for sanitizing remote or anything.

General: Hackers:

I will be needing to check if a hacker messes with a Remote, which simply Deletes most Objects Client side, at the start of the game; for the easiest Fog of War makeable.

BUT, if I catch a Hacker (I HATE Hackers); not gonna Ban them, or let them know they were caught in any way… Going to change their Default Successful Hit percentage, stored on Server from .5 to .45; then few minutes later .41, etc… Let him to continue to spread the hack to All… They may never figure out why they lose every game. Good!

I am suggesting this to all Programmers… Do not let them know, PLEASE.

2 Likes