Exploiters have too much power

I don’t use admin scripts.
The person who sent me this image told me that he could edit them, yet I’m still waiting for a further response from the person.

So you’re believing that server scripts can be edited… because some random person told you they could?

1 Like

Not some random guy, a real-life friend of mine. He has been speaking to this person; I’ll try to get more info about the exploit, however.

Why wouldn’t he have the ServerScriptService on the GUI if he’s got all the other services?

The source code literally looks like an image smacked onto the old in-game explorer GUI from 2012 with some sort of photo editing software rather than actually being part of the exploit.

I have questions for @Nitefal:

  1. Are you 100% sure that the source of global scripts can be edited and this isn’t a hoax to scare you?
  2. Just confirming, you’re aware that the script he’s editing is in his Player rather than ServerScriptService, right?
  3. Are you sure PlayerScripts, parented to the Player in this screenshot, isn’t a LocalScript?
  4. If #3 is affirmative, does the code in the source window match the actual source code of the script?
  5. Has this exploit proven itself able to view and edit the source of your global script code in any other way?
  6. Why would they target just your game and Lords of Nomrial?

I know that nowadays, skids who buy their exploits off of v3rmillion talk out their asses with absolutely no idea what they’re saying, just trying to sound impressive. Things like “I HAVE LEVEL 7 SERVER SIDE BYPASS EXPLOIT CODE EXECUTION” are common jargon they like to throw around (even though it’s false and nonsensical).

Also, apologies if you’ve already answered any of the questions I’ve asked or they’re obvious. Just confirming.

7 Likes

Still gathering some information on the server-side editing.

  1. Not yet
  2. Yes
  3. It is a LocalScript
  4. Yes
  5. No
  6. Those are the 2 I know of

Edit:
This might clear up what I mean:
The Lords of Nomrial is also an FE game; the exploiter could still change anyone’s stats regardless of it being FE. Not through events, but by changing the source directly.

1 Like

How do you know this? The clients have to report what they do to the server in some way so it knows to reward them. Lords of Nomrial could have its RemoteEvents/Functions set up poorly and the exploiter could just be changing the code to ServerGiveMeLevelPls(1000000) and the server listens because it came from a RemoteEvent/Function and the developer never anticipated it being fired by an exploiter.

Ok, yeah that clears it up quite a bit. It sounds like another issue someone reported a while back saying that exploiters were changing their stats in FE games and implying that it was ROBLOX’s fault - it seems like it’s just the way certain games/programmers handle stat changes.

If I were to make a guess, and this guess could be completely wrong and the issue could be totally unrelated to what I’m thinking of, I’d say that your remoteevents/remotefunctions telling the servers to update players’ stats fire whenever the stat is changed by the client or something of the same nature. That’d basically mean that the way it’s set up, stat changes from anywhere would cause the server to recognize and apply the change globally. I would look to see if your RemoteEvents/Functions are firing whenever Player.StatName.Changed fires.
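
The setup described in the two posts above, as an added example that is not from any poster in this thread: a server Script with one RemoteEvent handler that trusts a client-supplied value, beside one that accepts only a quest id and takes the reward from server-owned data. The remote names, the quest table and the `leaderstats`/`Level` layout are assumptions.

```lua
-- Added example: server Script. Remote names, quest table and stat layout are hypothetical.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

local function makeRemote(name)
	local remote = Instance.new("RemoteEvent")
	remote.Name = name
	remote.Parent = ReplicatedStorage
	return remote
end

local QUEST_REWARDS = { tutorial = 1, firstBoss = 5 } -- constructed sample data, server-owned
local claimed = {} -- [userId] = { [questId] = true }, never replicated to clients

Players.PlayerAdded:Connect(function(player)
	local stats = Instance.new("Folder")
	stats.Name = "leaderstats"
	stats.Parent = player
	local level = Instance.new("IntValue")
	level.Name = "Level"
	level.Parent = stats
	claimed[player.UserId] = {}
end)
Players.PlayerRemoving:Connect(function(player)
	claimed[player.UserId] = nil
end)

-- VULNERABLE: the server applies whatever number the client sends.
makeRemote("SetLevel").OnServerEvent:Connect(function(player, newLevel)
	player.leaderstats.Level.Value = newLevel
end)

-- HARDENED: the client names a quest; type, reward and claim state are checked on the server.
makeRemote("ClaimQuest").OnServerEvent:Connect(function(player, questId)
	if type(questId) ~= "string" then return end
	local reward = QUEST_REWARDS[questId] -- nil for unknown ids
	local done = claimed[player.UserId]
	local stats = player:FindFirstChild("leaderstats")
	local level = stats and stats:FindFirstChild("Level")
	if not (reward and done and level) or done[questId] then return end
	-- A real game would also verify server-side quest progress here before paying out.
	done[questId] = true
	level.Value = level.Value + reward
end)
```

The `player` argument of `OnServerEvent` is supplied by the engine, so the hardened handler only ever changes the stats of the player who fired the event.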

My game has no problem at all, they can’t change anything.
I was only worried by the fact that they (could) edit server scripts,
which I have no proof of just yet.

1 Like

So there hasn’t actually been any exploiting in your game yet by this user, he just showed a screenshot of how he can see the local contents of the game?

Yeah. As I said, I protected everything.

1 Like

Okay, but then I don’t see what the problem is. It will not be impossible to hide the local contents of the game from exploiters, because the game has to run on their pc and therefore the content must be replicated to them. They don’t have “too much power” because they can only edit theoretically everything on their end, according to your description. It should be assumed that this is the case always when coding your game.

This gui looks like it’s a simple rbxm injection, meaning the only code it’s running is roblox lua. Maybe at a higher context, and maybe it can change the .Source property, but roblox lua can’t change the source of a server script from a client, even in non-FE, and certainly not when the server script isn’t even replicated to the client.

If he really is running code on the server then the only thing I can think of is that your game has some access point where the client can provide a string of text that gets run through a loadstring. If you didn’t make it then maybe you have an admin script that did.

The image is from 2016 as the chat references a recent exploit from the past 1-2 weeks.

Exploit reports are often misleading. If the reporting users didn’t write the exploit, there is a good chance they won’t describe it accurately.

Let me know if you get any information about modifying server scripts vs using a script to modify values on the server. The latter would include anything done to trick server scripts into doing something useful.

1 Like

I know that the image is from 2016 - I was just saying that it’s a script that creates an explorer GUI that’s been around since at least 2012 with a few modifications.

ILL HAVE U KNOW MY GUI EXPLORER IN 2012 WAS SLICK

old gui explorer.png

the bidding starts at 10 robux

8 Likes

Unless Roblox had something to moderate exploiters like in lots of games, there will always be exploiters. I wish Roblox could do a blacklister so it checks if things like popular exploiter programs or Cheat Engine are up and running in the background; if they are, it does not allow them to join games or servers. I know Valve does this for their anti-cheat (though VAC does it very poorly… but it does ban you if you have things like Cheat Engine open).

ROBLOX already has a check to see if Cheat Engine is open. It is easy to bypass, yes. If ROBLOX would start banning every person who would get detected by a check, we would have no players on ROBLOX soon.

4 Likes

I have found an FE bypass exploit on YouTube that could be useful in patching it.

1 Like

@kni, can you send me a PM with the link?