Can't access coregui

H3kken · March 10, 2020, 7:46pm

I’m making a game that I want protected against exploits. To do this, I came up with an anti-exploiters-gui script that would detect if something unexpected would be inserted into the core gui (via the client).
This is what I made:

local plr = game.Players.LocalPlayer
local AllowedNames = {}

game.CoreGui.ChildAdded:Connect(function(Obj)
	if (not AllowedNames[Obj.Name]) then
		plr:Kick("Do not cheat.")
	end
end)

I know there is nothing inside the AllowedNames table.
If I run this, the error

The current identity (2) cannot Class security check (lacking permission 1)

occurs. Can anyone come up with a solution?

ReturnedTrue · March 10, 2020, 7:50pm

You’re not meant to access the CoreGui, this is for internals only (permission 1).
The exploiter could just insert a UI into the PlayerGui or delete this LocalScript anywho.

starmaq · March 10, 2020, 7:58pm

Yeah as returned said, Roblox has some core scripts hidden in some places, these scripts are very important since they handle stuff like the menu and developer console and a lot of stuff, that devs aren’t supposed to mess with, which is why they don’t let you play with them, you can not :Destroy() them nor do anything with them, you cannot even reference them.

Since referencing them can lead to an error, this is happening because when .ChildAdded fires, the object that fired might be a core script, thus it errors.

So I guess what you can do instead is have a while loop or something to constanly check if #coregui:GetDescendants() has increased, but again, this isn’t really gonna be that exploiter proof since the local script can simply be removed.

H3kken · March 10, 2020, 8:09pm

Will running while loops break if the script they run in gets removed?

DatabaseReplace · March 10, 2020, 8:30pm

The core gui is not meant to be accessed by local scripts due to security reasons. If you want to check for non-roblox made core guis, I found this thread that may help:

Kiriot22 · March 10, 2020, 9:12pm

That won’t work. You cannot call any methods on CoreGui at all, due to the “class security check”.
And even if the lock wasn’t there, the idea would be terrible in an actual game, as the descendants of CoreGui increase all the time - new players added to the tablist/escape menu, dev console and messages in it, backpack, and so on.

At the end of the day, it’s pointless to even bother detecting exploiters’ guis, since in an ultimate scenario they can stop using roblox guis entirely and switch to the external ImGui lib.

viindicater · March 10, 2020, 9:35pm

Very true. Often times hackers don’t even use any guis/images, hack commands can be modulated in other ways like key press, chat, or if all else fails, hard-coding their hacks to do what they want directly. And with trial and error, hackers WILL determine which script(s) are trying to stop their hacks and simply disable or delete it/them.

wevetments · March 11, 2020, 5:20am

Your idea of detecting objects added into Roblox locked containers is a band-aid solution. The best and ultimate way to counter exploits is a proper Client to Server communication and sanity checks. Also as others have mentioned, your method is client-sided, while this is good for additional security, your priority is to make as much security checks server-sided or backed with server-sided checks.