Can Exploiters Read IDs

Quick question: can exploiters read IDs stored as variables in a LocalScript, like:

local HttpService = game:GetService("HttpService")
local id = HttpService:GenerateGUID(false)

And do exploiters change code in the original client script or do they copy the local script, apply their code, and then enable it for it to execute?

Nothing on the client is 100% safe. It might be very difficult to identify where the IDs are stored in the stack during runtime, but it’s not impossible. The Roblox client exists in memory on an exploiter’s computer and exploiters have full access to their computer’s memory. I’m not aware of whether there are existing tools that can find the memory that the Roblox client uses, but it’s theoretically possible (albeit probably not a huge concern if I’m being honest).

2 Likes

May I ask what (or why) you’re using HttpService:GenerateGUID() for in a LocalScript?

afaik, everything in a localscript can be read and overwritten using exploits

1 Like

I create an ID and the server fires a remote function to the client to see if the ID is still the same; if not, it kicks the player.

1 Like

if that’s supposed to be a security measure, it’s insanely vulnerable since the player/client can change the args of remote events

1 Like

I tried doing that, but since I don’t know how to get the ID myself, cloning the local script or toggling the enable property changes the ID, so the server would know the ID got changed.

The client check is like this:

RemoteFunction.OnClientInvoke = function()
	return id
end

the client can simply read the value from the first localscript and insert a new script and change the ‘id’ variable to be a string from the first script

local id = '4b21-421b-d1b5-sab2'

How do you read variables and is it hard to read them?

Don’t really know how to read the variables since I don’t touch exploits, but no, it’s not hard to read variables if it’s on a LocalScript.

Essentially all you have to do is read the client event, and once you can read it you create your own fake client event, and from there you can completely bypass this method of anti-cheat. So yeah, I’ve already seen someone bypass the server-to-client-to-server model that I made. I wouldn’t call it “easy”, but to an experienced exploiter it definitely falls into the “easy” category unless it has lots of solid encryption layers. I was told about 100 layers would be enough to completely stop an exploiter from using a bypass.

What do you mean read the client event?

Exploiters can read anything on the client

1 Like

They can read this and create their own version of it that can entirely bypass anything you are trying to do inside of the client event as well as sending fake information back to the server of their choice

This kind of won’t work.
The exploiter will intercept the remote event arguments and copy the id.
Then they can disable your local script and fire the remote event from their own script.

1 Like

Exactly what I was saying. I’m glad that people understand this

This is my server script:

local ReplicatedStorage = game:GetService("ReplicatedStorage")
local Remotes = ReplicatedStorage:WaitForChild("Remotes")
local AnticheatRemotes = Remotes:WaitForChild("AnticheatRemotes")

local playersData = {}

local function Check(player)
	local playerData = playersData[player]

	if playerData and playerData.Active then
		for i,v in ipairs(AnticheatRemotes:GetChildren()) do
			if v:IsA("RemoteFunction") then
				if not playerData.Ids[v] then
					local success, result = pcall(function()
						return v:InvokeClient(player)
					end)

					if success and result and playerData.Active then
						playerData.Ids[v] = result
					end
				else
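					-- InvokeClient yields until the client answers; pcall catches errors, not a client that never returns.
					local success, result = pcall(function()
						return v:InvokeClient(player)
					end)

					-- Parenthesized because `and` binds tighter than `or`; otherwise a failed invoke kicks even when Active is false.
					if (not success or result ~= playerData.Ids[v]) and playerData.Active then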
						player:Kick()
					end
				end
			end
		end
	end
end

game.Players.PlayerAdded:Connect(function(player)
	playersData[player] = {
		["Active"] = false,
		["Ids"] = {},
	}

	local playerData = playersData[player]

	player.CharacterAdded:Connect(function(character)
		playerData.Active = true
		Check(player)

		local humanoid = character:WaitForChild("Humanoid")

		humanoid.Died:Once(function()
			playerData.Active = false
			playerData.Ids = {}
		end)
	end)
end)

game.Players.PlayerRemoving:Connect(function(player)
	playersData[player] = nil
end)

while task.wait(2) do
	for _, player in ipairs(game.Players:GetPlayers()) do
		Check(player)
	end
end

Are you calling the GenerateGUID function on the client or the server?

Exploiters can modify the behaviour of scripts on the client and also make changes to variables. There are 2 ways an exploiter could bypass this:

  1. they could hook the GenerateGUID function
  2. they could get the generated GUID from the game scripts or the game itself and use it

Client anticheats are usually a waste of time and I would suggest focusing on server checks, because all it takes for an exploiter to bypass it is just decompiling the game and reading scripts.

2 Likes
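
A sketch of the server-side approach suggested above, added here as an example and not taken from any post in this thread: the server treats every remote argument as untrusted and decides only from state the client cannot read or overwrite. The `PurchaseItem` RemoteEvent, the `PRICES` table, the `coins` balance and the rate limit are assumptions made for illustration; `Remotes` is the folder used in the server script above.

```lua
-- Added example (not from the thread). Assumed names: the "PurchaseItem"
-- RemoteEvent, the PRICES table and the in-memory `coins` balance.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

local Remotes = ReplicatedStorage:WaitForChild("Remotes")
local PurchaseItem = Remotes:WaitForChild("PurchaseItem") -- hypothetical RemoteEvent

local PRICES = { Sword = 100, Shield = 75 } -- server-owned; never sent by the client
local MIN_INTERVAL = 0.5 -- seconds between accepted requests per player

local coins = {}       -- [player] = balance, held only on the server
local lastRequest = {} -- [player] = os.clock() of the last request

Players.PlayerAdded:Connect(function(player)
	coins[player] = 0
end)

Players.PlayerRemoving:Connect(function(player)
	coins[player] = nil
	lastRequest[player] = nil
end)

PurchaseItem.OnServerEvent:Connect(function(player, itemName)
	-- `player` is supplied by the engine; everything after it is client-controlled.
	if typeof(itemName) ~= "string" then
		return
	end

	local now = os.clock()
	if lastRequest[player] and now - lastRequest[player] < MIN_INTERVAL then
		return -- rate limit: drop the request instead of kicking, to avoid false flags
	end
	lastRequest[player] = now

	local price = PRICES[itemName] -- nil for any name the server does not sell
	local balance = coins[player]
	if not price or not balance or balance < price then
		return
	end

	coins[player] = balance - price
	-- Grant the item here, on the server, from server-owned assets.
end)
```

Nothing in this handler depends on a value the client reports about itself, so reading or rewriting a LocalScript does not change the outcome.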

When I used a fast loop like this it was notorious for causing false flagging. Really bad. If you are going to use a method like this, don’t fire it so often, and the kick shouldn’t be instant so it confuses the exploiters.

1 Like

But in order for them to make changes, they would have to clone the local script?

1 Like