Can Exploiters Rebuild And Replace The Original LocalScript With Their Own?

Hi, I’m trying to make a game with multiple characters where each character has different skills, and I’m trying to prevent exploiters from changing a value that identifies their character. My original plan was to create a master local script that makes sure that value is the same between the client and the server, and if the main local script does not detect the master script or the script is disabled, then it will kick the player from the server side. But I’m worried that they can just delete the main local script and then make their own and replace it. If anyone has another way of doing this, I’d like to try it.

They’re always going to be able to modify things when the server hands the script over, immediately swapping the two out, essentially injecting malicious client code.

2 Likes

Do you have any other method that could stop exploiters from changing the value?

I have another question: if, say, you use RenderStepped, will it still be running if the script is deleted?

When the player gets their LocalScript, the server will know which ability they should have. You can always safe-check anything that automatically replicates between client-server, because the server will always have the main authority.

If they switched abilities with an exploit, the server should see their replication as malicious, and notice the difference.

Sometimes this is very hard to do, but a good rule of thumb is to be very specific. If only one kind of player can spawn a projectile, the server should control the projectile physics. At this point, if they weren’t supposed to have projectiles, the server would and should have refused to own the physics of that projectile, making their attack useless.

1 Like
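The server-authority check described in the reply above, as an added example that is not part of the original thread: the character assignment and skill table live only on the server, and a skill request from the client is accepted only if it matches that server-side state. The RemoteEvent name `UseSkill`, the character and skill names, and the cooldown values are hypothetical.

```lua
-- Server Script (for example in ServerScriptService). Added example; all names are hypothetical.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

-- Skill table lives only on the server: character -> skill -> cooldown in seconds.
local SKILLS = {
	Archer = { FireArrow = 1.5 },
	Knight = { ShieldBash = 3.0 },
}

local assigned = {} -- [Player] = character name, chosen by the server
local lastUse = {}  -- [Player] = { [skillName] = os.clock() of last accepted use }

local useSkill = Instance.new("RemoteEvent")
useSkill.Name = "UseSkill"
useSkill.Parent = ReplicatedStorage

-- Decide whether a request is allowed, using server state only.
local function validate(player, skillName, now)
	if type(skillName) ~= "string" then return false, "bad argument" end
	local character = assigned[player]
	local cooldown = character and SKILLS[character][skillName]
	if not cooldown then return false, "skill not owned" end
	local last = lastUse[player][skillName]
	if last and now - last < cooldown then return false, "on cooldown" end
	lastUse[player][skillName] = now
	return true
end

Players.PlayerAdded:Connect(function(player)
	assigned[player] = "Archer" -- placeholder for the game's own selection logic
	lastUse[player] = {}
end)

Players.PlayerRemoving:Connect(function(player)
	assigned[player] = nil
	lastUse[player] = nil
end)

useSkill.OnServerEvent:Connect(function(player, skillName)
	local ok, reason = validate(player, skillName, os.clock())
	if not ok then
		warn(("%s: rejected %s (%s)"):format(player.Name, tostring(skillName), reason))
		return
	end
	-- The server spawns and owns the projectile or effect here.
end)
```

Because the client never sends its character, only the skill it wants to use, replacing or deleting the LocalScript changes nothing about what the server will accept.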

Idk about that one but the function would probably continue to run even if you deleted the script, unless you disconnected it with a dependency! I’m guessing here lol

The biggest problem about this is that some players might have a delay, and some of the characters have their own special movement. If I use this method, players will have a delay trying to activate their special movement.

You’re right on the money too, it’s a battle, a yin and yang, of security and accessibility!

1 Like

Then should I make the special movement locally?

Always select what it should be on the server. When a player needs to change their movement, you can do this locally, but make sure the server has some foolproof way of monitoring the players. The humanoid replicates automatically, you can check its WalkSpeed property to make sure it’s not spoofed.

But let’s say they decide to use fly exploits, the server won’t see anything wrong with the WalkSpeed property. This is where things get rough. They’re always looking for ways to trick the server. The server needs some way to detect they’re flying, so then you’d check the humanoid’s FloorMaterial property, and try to catch them in the air for a prolonged period of time, but also making sure they’re not just glitching or bouncing around without cheating. This sort of battle continues on and on, depending on the specific game, until you find the ultimate solution that exploiters have yet to exploit. But always be prepared for the next one!

Sadly there’s absolutely no way to prevent exploitation in the end, they can just delete all the anti exploiter scripts locally, disconnect internet for a short time, come back online, and already be done cheating.

Yes, you can see that crazy change on the server, but the server still had no idea what happened when they disconnected for that short time. It only knows what changed, and that’s the key.

Wow, thanks for the info. I had no idea trying to stop exploiters was so hard.

A tried and true method is to trust your players to team up. Work At A Pizza Place is an awesome example, because players can vote kick. If someone is cheating and bothering people, they’re more likely to get voted off.

Bot attacks exist, where fake users join the game and vote kick innocent players. This can be fought by giving them a sobriety test. This should be handled carefully as it isn’t practiced much, but you want children and adults to pass the “I’m not a bot” test in some way without getting confused or struggling. There’s a lot more to cover, I skimmed a couple things, but dang, I wish you the best!