As you can see, if the gui is removed or the client script is disabled/removed, it will result in “nil” which will be detected as a bypass attempt.
The exploiter cannot fool the server script that uses InvokeClient to get the info.
And even if the exploiter were to remove the gui, it wouldn’t matter since the official kick gui by roblox can be deleted in under 2 seconds due to it having no checks at all.
That looks easy to bypass. An exploiter can just hook into that RemoteFunction and send their own response without it ever reaching the localscript.
Well if that would be the case, what would be the point of doing it?
I mean, the Kick UI is just for looks, it doesn’t manage the Kick System.
The point of doing what? I’m not sure what you’re referring to.
The point of an exploiter doing it would be so that they can continue to play without being kicked. The point of this custom kick system is, well, I’m not sure.
Well, in the Module, there is a character loop check, if the exploiter somehow reset his character (Which is probably not possible without using LoadCharacter() which only works ServerSided), it will kick him due to the server finding his character inside the workspace.
If he is able to bypass the client script, he will prob be able to change his camera position, but that wouldn’t cause any harm.
Note, it currently doesn’t kick the players on other’s screen, I am currently fixing that.
Couldn’t I just move the UI into say, SSS or a different area where I don’t see the UI? Roblox’s kick system is much safer, and your kick system only makes the UI look better, not the functionality better.
I know that, I never said that people should use mine, I was just releasing it for those who wanted a better looking one, and also, even if you move the UI, it won’t change the fact that everything in the player’s client has been deleted completely.
Bug Fix: When someone other than yourself gets kicked from the game using the module, they will no longer be in the playerlist, this was a bug before and has now been fixed.
I don’t exactly see a purpose of this? This system shouldn’t be used where you actually need a player to be kicked - due to the fact that any exploiter worth their salt will be able to get around this with no sweat.
That is ridiculously easy to bypass.
The exploiter doesn’t need that specific local script to respond to your invokes. They can use any script they want to respond, and send whatever parameters they want in the return. An exploiter could just use their own scripts to simply reply to the checks. Even if they delete the blur effect or whatever, they can just say that they didn’t. This is such an unreliable method to kick people and I don’t think anyone here sees this as a reason to use it over the normal :Kick() functionality.
Highly would not recommend this. There are many problems with it, such as the weird way it is structured and the use of :InvokeClient() when it should be using a remote event, not a remote function, but the worst of it all is the unfixable security flaws.
Because of the use of :InvokeClient() (the usage of it that actually makes sense), this is super easy to break via an exploit. Some simple code as such would completely bypass all anti-exploit measures:
```lua
local Players = game:GetService("Players")
-- PlayerGui belongs to the local player, not to the Players service.
local PlayerGui = Players.LocalPlayer:WaitForChild("PlayerGui")
local Threads = {} --So the threads don't get garbage collected. Not sure if this matters.

PlayerGui.ChildAdded:Connect(function(child)
	if child.Name == "KickClient" and child:IsA("LocalScript") then
		-- Stop the module's client script before it runs.
		child.Disabled = true
		local checkClient = child:WaitForChild("CheckClient")
		-- Answer the server's InvokeClient with a handler that never returns.
		checkClient.OnClientInvoke = function()
			table.insert(Threads, coroutine.running())
			coroutine.yield()
		end
	elseif child.Name == "KickGui" and child:IsA("ScreenGui") then
		-- Hide the custom kick screen.
		child.Enabled = false
	end
end)
```
This is why you should NEVER use :InvokeClient(). Even if the client’s response doesn’t matter that much, they could still make it yield forever, causing a potential memory leak.
Yes, this is fixable, but even if you do fix it, it will always be possible to bypass. Really the only way around this would be to check all events on the server to make sure that the player sending the request wasn’t kicked, but this is more trouble than it’s worth, as you would have to modify not only your own code but also would have to fork a bunch of other default roblox code that uses remote events/functions.
Even then, “kicked” players will still appear in the player list, settings menu, and take up server slots. It just isn’t worth it for a bit of a fancier ui.
Nice! But you should not use it to kick exploiters as they could bypass it easily.
Or just disable interactions with the kicked player (server sided).
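The server-side approach raised in the two posts above (checking on the server that the sender was not kicked, and disabling interactions for a kicked player), as an added example that is not part of the thread or the Custom Kick module. `KickGate` and its functions are hypothetical names for a ModuleScript required by server scripts, and it only covers the handlers you wrap with it.

```lua
-- Added example (server-side ModuleScript). All names here are hypothetical.
local Players = game:GetService("Players")

local KickGate = {}
local kicked = {} -- [Player] = true once the player has been marked as kicked

-- Mark the player as kicked on the server. The client is never asked to confirm anything.
function KickGate.mark(player, reason, graceSeconds)
	kicked[player] = true
	task.delay(graceSeconds or 0, function()
		-- Only kick if the player is still connected.
		if player.Parent == Players then
			player:Kick(reason) -- the engine kick actually disconnects the player
		end
	end)
end

function KickGate.isKicked(player)
	return kicked[player] == true
end

-- Wrap a RemoteEvent handler so requests from kicked players are dropped.
function KickGate.guardEvent(remoteEvent, handler)
	return remoteEvent.OnServerEvent:Connect(function(player, ...)
		if kicked[player] then
			return
		end
		handler(player, ...)
	end)
end

-- Same for a RemoteFunction: kicked players get nil back.
function KickGate.guardFunction(remoteFunction, handler)
	remoteFunction.OnServerInvoke = function(player, ...)
		if kicked[player] then
			return nil
		end
		return handler(player, ...)
	end
end

-- Drop the entry when the player leaves so the table does not hold stale references.
Players.PlayerRemoving:Connect(function(player)
	kicked[player] = nil
end)

return KickGate
```

Remotes owned by default Roblox scripts are not wrapped by this, which is the limitation the post above points out.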
I agree, I’m gonna make the server kick the player using roblox’s default kick after 10 seconds of being kicked from the custom kick to prevent bypassing.
Update: Players who get kicked using the Custom Kick will be kicked 10 seconds later using roblox’s default kick (If they are still in game).
In those 10 seconds an exploiter can still mess up the game.
I would not recommend using this system at all.
As other users have mentioned, this script is insecure and shouldn’t be used in games.
Although you have added a method to circumvent players from causing harm, this will still give players time to do harm.
I recommend, at least until Roblox adds an ability to customize the kick UI, to just use the default kick method.
If you’re interested in having your own kick UI, you could teleport players to a different place in the universe which will display a kick UI with no way of them affecting other players.
A few things the separate place should have:
- No parts, models or anything except for a spawn point
- `CharacterAutoLoads` should be turned off
- Place needs to contain no client-sided scripts, at least any that can be exploited.
Admin Module/System
If you’re looking for an admin module, you’re in luck. (this is a bit of an advertisement)
I’ve developed one called Minimal which is quite easy to set up and use.
I’ll be working on a security update for it shortly to improve its security.
More information can be found in the post.
Minimal - Easy to use admin module [OUTDATED]
Thanks!
this doesn’t make much sense lol
if an exploiter can mess up the game in 10 seconds, what’s stopping them from doing it during the first 10 seconds (when they’ve just joined and haven’t been kicked yet)?..
also, to anyone concerned about the security flaws, just add a `while true do end` after the GUI tweening is done, they’ll still see the GUI but won’t be able to do anything and will crash soon.
You’re right about the fact that an exploiter wouldn’t use his last 10 seconds of being in the server after getting kicked to “mess up” the game.
First of all, he needs to make a bypass script for the Custom Kick before getting kicked, otherwise, the exploiter wouldn’t have enough time to make one in 10 seconds, and if he doesn’t make a bypass, all of his game data, including replicatedstorage, “All of the players other than him on his client” and Workspace will be cleared from his client which would make it impossible for him to interact with the game.
Yes, the “while true do” would work, but it shouldn’t be used that way on normal players who get kicked for example: spamming or things like that.
Why the advertisement tho, how is it related to the topic, I have already made a basic admin that works with the Custom Kick, there’s no need of any others that isn’t making use of the Custom Kick Module if we’re talking on the Custom Kick thread.