Code System - Protect Remote Events

I made a system to protect RemoteEvents by generating “codes”:

local random = Random.new()
local letters = {'a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z'}
-- Outstanding codes, one string per code in the form Event .. PlayerName .. Code
local PlayerSave = {}

local function getRandomLetter()
	return letters[random:NextInteger(1, #letters)]
end

-- Builds a random string of letters; with includeCapitals each letter is upper-cased with 50% chance
local function getRandomString(length, includeCapitals)
	length = length or 10
	local str = ''
	for _ = 1, length do
		local randomLetter = getRandomLetter()
		if includeCapitals and random:NextNumber() > .5 then
			randomLetter = string.upper(randomLetter)
		end
		str = str .. randomLetter
	end
	return str
end

local CodeSystem = {}

-- Creates a single-use code for this player and event and remembers it server-side
function CodeSystem.GenerateCode(plr, Event)
	local Code = getRandomString(15, true)
	table.insert(PlayerSave, Event .. plr.Name .. Code)
	return Code
end

-- Returns true exactly once for a code that was issued for this player and event, then forgets it
function CodeSystem.CheckCode(plr, Event, Code)
	local index = table.find(PlayerSave, Event .. plr.Name .. Code)
	if index then
		table.remove(PlayerSave, index)
		return true
	end
	return false
end

-- Looks up the code currently issued for this player and event (nil if none).
-- Plain substring search is used so event names containing pattern characters such as "." or "-" still match.
function CodeSystem.GetCode(plr, Event)
	for _, v in ipairs(PlayerSave) do
		if string.find(v, Event, 1, true) and string.find(v, plr.Name, 1, true) then
			local data1 = string.split(v, Event)
			local data2 = string.split(data1[2], plr.Name)
			return data2[2]
		end
	end
	return nil
end

return CodeSystem

I know that is not the best thing you can find, but I invested some time in making it and for some of you it can maybe be useful. If you got any questions feel free to comment or DM me on Discord Germandevs CEO#1111

5 Likes

It’s nice but how would the client use this? I’m confused. Also people can copy local script code (and modules I believe).

Couldn’t you just use GUID to generate a code?

4 Likes

Why use an overly complicated method and not just secure the remotes with sanity checks? Maybe your game won’t be exploited as much if you didn’t trust every client equally.

You can use :GenerateGUID() from HttpService to generate a code. It’s shorter than writing 50 lines of code.

1 Like

For anyone considering adding this, it does nothing. At most you’re protecting your game from the 1% that literally don’t know anything about Lua at all and use free, RAT-filled exploits.

I don’t think I even have to go in-depth as to how this is a bad idea and how it can be manipulated, but you should spend time creating sanity checks (example below) instead of adding this into your game.

Sanity check example:

-- This would be in the local script.
-- The client-side check only saves a round trip; an exploiter can skip it.
if game.Players.LocalPlayer.leaderstats.Coins.Value == 5 then
    game.ReplicatedStorage.BuySword:FireServer()
end

-- This would be in the server script that handles purchases.
-- The server re-checks its own copy of the player's coins and never trusts the client's claim.
game.ReplicatedStorage.BuySword.OnServerEvent:Connect(function(Player)
    if Player.leaderstats.Coins.Value == 5 then
        -- give sword
    end
end)

You’ll want to check on the client before firing events so you can save on networking resources, and then you’ll want to check on the server so you can be sure that they aren’t trying to exploit for a free sword.

I understand why people would add stuff like this, but virtually you’re protecting nothing. Once someone figures out how to get the key and use it when needed, and you don’t have sanity checks, it means they can do whatever they want.

You should only add a system like this at the end of your game after implementing a lot of sanity checks. To be fair, you won’t even need it by then.

4 Likes

I’ve just made it because I was kinda bored and I thought it could maybe be useful for some people.

In my game every RemoteEvent is secure and you even get auto-banned if you try to fire RemoteEvents you shouldn’t be able to, etc. I made this little system because I was kinda bored. I wasn’t really sure how useful it is, but I didn’t really need it, so I just thought I could publish it to the DevForum.

You know what they say: security through obscurity isn’t real security. Hold the assumption that data received from the client is tampered with and be sure to apply validation and/or sanitisation on what gets sent through a remote. The client will still need to know the code so they can deliver their content, so they can simply simulate a legitimate request but provide tampered data.

3 Likes
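As an added example (not code from the original post or any reply) of the server-side sanity checks the sword-purchase reply and the last reply argue for, here is a server Script for the BuySword remote that type-checks the one argument the client sends, rate-limits with server time and checks the server's own copy of the player's coins. The BuySword RemoteEvent, the leaderstats.Coins value and the price of 5 are taken from the earlier purchase example; the item name argument and the one-second rate limit are my own assumptions.

```lua
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local Players = game:GetService("Players")

-- Assumed setup (see the purchase example earlier in the thread): ReplicatedStorage.BuySword
-- is a RemoteEvent, every player gets leaderstats.Coins on join, and a sword costs 5 coins.
local BuySword = ReplicatedStorage:WaitForChild("BuySword")
local SWORD_PRICE = 5         -- the server decides the price; the client is never asked
local MIN_SECONDS_BETWEEN = 1 -- assumed rate limit so a looping exploit cannot spam the handler

local lastRequest = {}        -- [player] = os.clock() of the last accepted request

-- Every check uses server-held data only. The one value the client sends (the item
-- name) is treated as untrusted input: wrong type or unknown item -> reject.
local function validateRequest(player, itemName)
	if typeof(itemName) ~= "string" or itemName ~= "Sword" then
		return false, "bad argument"
	end
	local now = os.clock()
	if lastRequest[player] and now - lastRequest[player] < MIN_SECONDS_BETWEEN then
		return false, "too fast"
	end
	local stats = player:FindFirstChild("leaderstats")
	local coins = stats and stats:FindFirstChild("Coins")
	if not coins or coins.Value < SWORD_PRICE then
		return false, "cannot afford"
	end
	lastRequest[player] = now
	return true
end

BuySword.OnServerEvent:Connect(function(player, itemName)
	local ok, reason = validateRequest(player, itemName)
	if not ok then
		-- A legitimate client already checked locally, so rejections here are
		-- worth logging: repeated ones are a signal of a tampered client.
		warn(("BuySword rejected for %s: %s"):format(player.Name, tostring(reason)))
		return
	end
	player.leaderstats.Coins.Value -= SWORD_PRICE
	-- give sword here, e.g. clone a Tool from ServerStorage into player.Backpack
end)

Players.PlayerRemoving:Connect(function(player)
	lastRequest[player] = nil -- drop the entry so the table does not grow forever
end)
```

Note that a code or GUID handed to the client would add nothing here: every decision is already made from state the client cannot edit.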