Can exploiters get local variables?

RomDino · July 22, 2019, 3:47am

So basically I have this local script:

local numb = 13819 + 1948914

Let’s assume the exploiter does not know how to do math, but is able to look at the script, is it possible for them to get the calculated numb variable?

Pooglies · July 22, 2019, 3:48am

If somebody is exploiting, I could only assume they wouldn’t check every script depending on how many there are.

Shinjaa · July 22, 2019, 3:49am

Anything available to the client will be able to be controlled by the client or stolen, there’s no fix to this. And yes, they can read that value through memory I believe, in theoretical ideology it would make sense since the Lua code in that script you gave is compiled whenever the client joins a game, therefor the Memory Address’s Value of that Datatype will be changed corresponding to the value with the operation (+) you have in your variable. Every Datatype Bool, Int, etc I believe they each have a memory address, which can be read / written to in a language like C++

RomDino · July 22, 2019, 3:50am

I meant the calculated numb value is saved in the local script, but yet when they look at the script it still shows: local numb = 13819 + 1948914
Can they use :getreg() to get the already calculated numb value?

Pooglies · July 22, 2019, 4:01am

I have a question of my own, will stealing games go so far as to be able to steal server sided scripts aswell?

t0tally_cool · July 22, 2019, 4:19am

Unless you have a backdoor, they should not be able to get access to a server script.

Autterfly · July 22, 2019, 9:20am

This is not exactly correct or in the ballpark, but the full explanation is also lengthy.
In short, the memory address isn’t static or related to the compiled bytecode; it’s almost completely impossible to predict.

Minor and unrelated but Lua optimizes this addition into a single number when it compiles, so decompiling would just yield the result.

But yes, local values can be inspected during runtime so long as they are in the scope of some function that is still around.

Shinjaa · July 22, 2019, 11:44am

Thanks for correcting me, I was pretty unsure on whether or not that might’ve been true with the Explanation on Memory Addresses However I was 100% sure about the Client explanation.

H_mzah · July 22, 2019, 12:57pm

I’m going to assume you’re not going to be storing references to addition of numbers very much in variables, so as a word of caution make sure you do not store any keys/codes, and other similar data in LocalScripts if you can help it. It’s very easy for some exploiters to view your LocalScripts, and as a result they’ll be able to access that data and use it in-game. Ensure you have proper server-side sanity checks for anything involving “authorization” for the client.