Exploiters can “listen” to the arguments being sent to the server and learn the key instantly, what they mean by not trusting the client is that for example:
Player has 1000 Gold, the player will fire the remote and the server will check if do they actually have 1000 Gold to purchase the item, if they do then you take the gold away and give them the item, if not then nothing will happen.
Exploiters could look into the LocalScript to get the key and even if you try to hide it or if you change the key every few seconds, it’s not possible to make your game secure that way. It’s because the key needs to pass the client either to send it to the server or to verify the key.
I could end this post here and ask another question on another post about how the exploiter is able to see anything on the client, but I will continue this post. So, how / why is the exploiter able to see anything on the client?
The client is their computer. Since the computer is physically in their possession, they can do literally anything with it. Anything can run on it and it can be modified to run anything undetected because they just have control over it.
Also, keys have been tried in many games before with various layers of complexity (rotating keys, random keys, mix of both, etc) and it has never once worked to stop people from reverse engineering them.
So, if the companies that made the computers stopped the exploiters from doing what they want on their computer like exploiting (which would be a waste of time for the company), game devs wouldn’t have to bother with making an anti-cheat?
Edit: As in the companies add limitations to what they can do on their computer.
You can lock down computers to some extent, but being in physical possession of the hardware means there will always be a way to modify it and get around it. Additionally, computers don’t come with built in “hacking functionality” or similar; the behavior that leads to it relies on usually genuinely useful functionality that is repurposed for this. That is to say you will ultimately be taking away freedoms from the end user the more you lock down the hardware, and a lot of people would probably not hop on board with that.
Unless you develop strictly for a cloud platform that only sends user input from a thin client, you will just have to write network facing code with the volatility of the client in mind at all times.
A computer whose only job is to send keystrokes to a server that runs the game, and the server sends back frames for the computer to display. What you pay in requiring a very fast connection and tons of input delay you gain back in easy cross platform integration and higher barrier of entry to cheat.
So how do proxy’s and the blockchain work bcs they run on a users computer how do they do it if they use keys at all
Edit: also I’m pretty sure there is a way to have a scrambler both on server and client side that is set up in a way that client cannot access it due to it being fired up first thing when player joins a game
Proxies are a different thing entirely, they just bounce internet traffic around to hide the source of where it came from or where it’s going and they mask who you are to people viewing the web traffic. That’s when they’re used for anonymity, that is. There are a lot of proxies that do a lot of cool things, such as enable work-from-home users to connect to their workplace’s LAN.
The blockchain works because it’s decentralized. It’s like server-side validation, but the server-side is a thousand other users. In order for actual cheating to occur, all of those thousand users would need to get together and agree to risk being sued or blacklisted for the benefit of a single random stranger. They could all, of course, agree to validate everything for every random stranger, but then every participant would start losing whatever value the system holds, and they’d be screwing themselves over.
Neither of those concepts relate especially strongly to Roblox hacking though.
That isn’t a thing, though some claim it is. Some people also think that if you delete a LocalScript in such a way that it keeps running, hackers can’t see it. That’s the same type of thing, and it’s not true. LocalScripts run on the client’s computer. If you delete the LocalScript or parent it to nil or whatever but it’s still running, then it’s still on the client’s computer. Anything that exists in any form on the client’s computer can be hacked.
This I agree with you is incorrect but as you said what if Roblox can implement a way for every user in a server to validate every other player and when they leave and join another server those players accounts communicate with the new servers accounts and give them the validation keys/data also I don’t understand why Roblox doesn’t have an ai instance tester where if the ai doesn’t see what the player did was possible then it’s flagged until ban etc but that’s for another topic also I believe that Roblox should stop trying to make anti cheats and just make a validator bcs there is always a back door
It needs to be mentioned that something like cryptocurrency isn’t instant validation. In fact, it can take multiple days just to validate one transaction. It’s not exactly feasible to do that every frame for every client. Additionally, cryptocurrency has very strict and deterministic rules which is not applicable to the vast majority of games.
Validation is also not as easy since all clients run asynchronously and with different pings and such, which is not an issue in a system like cryptocurrency where the order in which validations come in is not technically important.
Additionally, having keys or data on the clients doesn’t do anything. It would need to be relevant to the game state (like player position, speed, orientation, active action, etc), and be sent to the server for validation at reasonable intervals for it to decide on what the valid game state is globally. Some games in and out of Roblox already do this, usually in the form of the server calculating the player’s position at the same time as the player, and correcting it where necessary. This still has false positives and strange behavior around bad connections, as simple of a check as it is.
Lastly, AI is not yet at the point where you can train it on a specific game to search for specific cheaters in a reasonable amount of time on anything but a super computer.
