Can exploiters modify a variable’s reference (as in memory address) in a specific line of bytecode at runtime without making any other changes?

You can write your topic however you want, but you need to answer these questions:

  1. What do you want to achieve? Keep it simple and clear!

Are exploiters able to change the reference to a variable to another variable without changing original variable? (don’t know if this is how to say it)

example code:

```lua
-- This is an example Lua code block
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local compareclientandservervars = ReplicatedStorage.RemoteEvent
local g = {money=1, power=21}

local exploiterclonevar = g

g = {money=999,power=999}

--original
compareclientandservervars:FireServer(g)

--modified by exploiter
compareclientandservervars:FireServer(exploiterclonevar) --are exploiters somehow able to
--replace g with exploiterclonevar like this so the server doesnt detect change?

--and keep g EQUAL to {money=999,power=999} ?

--serverside
local playerg = {money=1, power=21}

compareclientandservervars.OnServerEvent:Connect(function(p, g)
    if playerg ~= g then
        print("exploiters modified g kick him")
    end
end)
```

Absolutely. The code runs on the exploiter’s machine, so they can do anything they well please with it. The simplest way to avoid this problem is to not let the client say anything about money or power. If it’s meant to match the server’s copy, just use the server’s copy. FYI, you cannot compare table contents through relational operators. {1} == {1} will always be false, as the operator compares reference addresses, not contents

So does that mean that exploiters can modify a variable’s reference (as in memory address) in a specific line of bytecode at runtime without making any other changes? (changed name of post to this question because it’s more clear)

Correct. They can even fire the event with their own arguments outside of your script. They could change the script entirely, or override what Roblox Studio API member functions do

would the “firing the event with their own arguments outside of the script” override the original firing of the event/prevent original firing of the event to fire?


and also how exactly would they modify the variable’s reference in bytecode during runtime?

They use the injector’s API to hijack the script’s environment. From there, overriding upvalues and such is no different from reassigning them in code. Though Synapse X is now cooperating with Roblox, its API is not unique, and still public. You can get a general idea for the power exploiters have with these APIs:


It can if they choose to override FireServer for that RemoteEvent. They could also decompile the script and replace it with one where code was removed. Otherwise no, but the event will still be received on the server as if it was fired from any one of your scripts

and “overriding upvalues” means that replacing the reference to var “g” in my script with the reference to another variable does not affect the value of var “g” anywhere else within the script, right?

Overriding a variable is no different from reassigning its value in Roblox Studio. Doing this will change the meaning of your variable everywhere it’s referenced in your script, so no, to answer your question, “g” will be affected everywhere

ok, so that means the server will detect “g” being altered to something the exploiter changed it to if I fire “g” to the server, and this is a good way to detect g being changed to something we don’t want and kick exploiters, right?

The server cannot detect the change of g, but it can detect a change if the received arguments were not expected. As I said earlier, you cannot compare tables with relational operators, so your method of detecting this change will never work. If you’re comparing sent value to one the server already knows and trusts, then that value never needed to be sent in the first place


ikr, I’ll just cycle through the table in a loop making sure all items match, but tysm for your clarification and confirmation of my suspicion about exploiters not being able to change a variable’s reference in a specific line without changing the variable for everywhere else in the script.

Again, there is no need for you to verify anything. If you send a car to a dealership, and they ensure that the car is legit by finding the exact same car in their inventory, what was the point in sending that car? There is no need to send uncertain data to a server only for the server to verify its sanctity with the exact data it expects. Just use that existing data and send nothing

just to make sure the exploiter doesn’t change the var to something the server doesn’t expect, nothing else

You’re not getting it. The exploiter, and general client, should not have sent any data in the first place. That data already exists on the server, so source it from the server where it is trusted

Yeah but they can easily intercept the data and change it to what they want, so the server doesn’t know if the client’s data is actually valid

Please take a moment to really digest what I’m saying. Completely forget about sending ANY DATA to the server. This means there is absolutely nothing an exploiter can do to intercept and modify what the server sees. The server already has the data it needs, so the client DOES NOT need to send that data. Rely on the valid copy instead and forget sending and verifying the one sent by the client

But the data is important for stuff like movement speed and health, and exploiters can easily change that once the server sends the data to them. Therefore, the client sending the data is safer than receiving the data.

Why would you need to send the server the data it already has though? All the client should be doing is rendering the amount of money the player has or rendering the amount of health the player has while the server handles the actual data.

For example, a player buys a car or an item: all the client needs to do is tell the server “hey I wanna buy this item” and that’s it. The server can then get the price of that item, get how much money you have and do any checks it needs to, and if you can buy that car or item then the server can remove the cash required and add the item. Once the server’s done whatever it needed to with the transaction, it can tell the client how much cash they have so that the client can update its UI with the correct amount.
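
The purchase flow described in the last post, sketched as a server Script (an added example, not code from the thread). The remote names `BuyItem` and `CashChanged`, the price table and the starting balance are assumptions made for illustration; the client sends only an item id, and price and balance are read from the server's own copy.

```lua
-- Server Script (e.g. in ServerScriptService). Added example; all names are hypothetical.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

-- Hypothetical remotes: the client only ever sends an item id on BuyItem.
local buyItem = Instance.new("RemoteEvent")
buyItem.Name = "BuyItem"
buyItem.Parent = ReplicatedStorage

local cashChanged = Instance.new("RemoteEvent")
cashChanged.Name = "CashChanged"
cashChanged.Parent = ReplicatedStorage

-- Constructed sample data. Prices and balances live only on the server.
local PRICES = { Car = 500, Sword = 120 }
local STARTING_CASH = 600
local cash = {}   -- [Player] = number
local owned = {}  -- [Player] = { [itemId] = true }

Players.PlayerAdded:Connect(function(player)
	cash[player] = STARTING_CASH
	owned[player] = {}
	cashChanged:FireClient(player, cash[player])
end)

Players.PlayerRemoving:Connect(function(player)
	cash[player] = nil
	owned[player] = nil
end)

buyItem.OnServerEvent:Connect(function(player, itemId)
	-- Every argument after `player` is client-controlled: check the type first.
	if typeof(itemId) ~= "string" then return end
	local price = PRICES[itemId]
	local balance = cash[player]
	-- Unknown item, player state not loaded, or item already owned: ignore.
	if not price or not balance or owned[player][itemId] then return end
	if balance < price then return end

	cash[player] = balance - price
	owned[player][itemId] = true
	-- The client gets the new balance for display only; it is never read back.
	cashChanged:FireClient(player, cash[player])
end)
```

Whatever an injected script passes to `BuyItem`, the only value it influences is which entry of `PRICES` the server looks up; there is no money or power field for it to overwrite.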