Exploiters have too much power

How do you know this? The clients have to report what they do to the server in some way so it knows to reward them. Lords of Nomrial could have its RemoteEvents/Functions set up poorly and the exploiter could just be changing the code to ServerGiveMeLevelPls(1000000) and the server listens because it came from a RemoteEvent/Function and the developer never anticipated it being fired by an exploiter.

Ok, yeah that clears it up quite a bit. It sounds like another issue someone reported a while back saying that exploiters were changing their stats in FE games and implying that it was ROBLOX’s fault - it seems like it’s just the way certain games/programmers handle stat changes.

If I were to make a guess, and this guess could be completely wrong and the issue could be totally unrelated to what I’m thinking of, I’d say that your remoteevents/remotefunctions telling the servers to update players’ stats fire whenever the stat is changed by the client or something of the same nature. That’d basically mean that the way it’s set up, stat changes from anywhere would cause the server to recognize and apply the change globally. I would look to see if your RemoteEvents/Functions are firing whenever Player.StatName.Changed fires.

my game has no problem at all, they can’t change anything.
i was only worried by the fact that they (could) edit server script.
which i have no proof of just yet.

1 Like

So there hasn’t actually been any exploiting in your game yet by this user, he just showed a screenshot of how he can see the local contents of the game?

yea. as i said, i protected everything.

1 Like

Okay, but then I don’t see what the problem is. It will not be impossible to hide the local contents of the game from exploiters, because the game has to run on their pc and therefore the content must be replicated to them. They don’t have “too much power” because they can only edit theoretically everything on their end, according to your description. It should be assumed that this is the case always when coding your game.

This gui looks like it’s a simple rbxm injection, meaning the only code it’s running is roblox lua. Maybe at a higher context, and maybe it can change the .Source property, but roblox lua can’t change the source of a server script from a client, even in non-FE, and certainly not when the server script isn’t even replicated to the client.

If he really is running code on the server then the only thing I can think of is that your game has some access point where the client can provide a string of text that gets run through a loadstring. If you didn’t make it then maybe you have an admin script that did.

The image is from 2016 as the chat references a recent exploit from the past 1-2 weeks.

Exploit reports are often misleading. If the reporting users didn’t write the exploit, there is a good chance they won’t describe it accurately.

Let me know if you get any information about modifying server scripts vs using a script to modify values on the server. The latter would include anything done to trick server scripts into doing something useful.

1 Like

I know that the image is from 2016 - I was just saying that it’s a script that creates an explorer GUI that’s been around since at least 2012 with a few modifications.

ILL HAVE U KNOW MY GUI EXPLORER IN 2012 WAS SLICK

old gui explorer.png

the bidding starts at 10 robux

8 Likes

Unless Roblox had something to moderate exploiters like in lots of games, there will always be exploiters. I wish Roblox could do a blacklister so it checks if things like popular exploiter programs or cheat engine is up and running in the background, if it is it does not allow them to join games or servers. I know Valve does this for their anti-cheat (though, VAC does it very poorly… but it does ban you if you have things like cheat engine open)

ROBLOX already has a check to see if Cheat Engine is open. It is easy to bypass, yes. If ROBLOX would start banning every person who would get detected by a check we would have no players on ROBLOX soon.

4 Likes

I have found a FE bypass exploit on youtube that could be useful in patching it.

1 Like

@kni, can you send me a PM with the link?

That screenshot shows someone messing with localscripts. So I don’t buy the claim that people are able to view, and then edit server scripts.

If you make a remoteevent / remote function that does something like “BuyItem”, and the client sends the price, this is very easy to exploit.

event:FireServer("BuyItem", item, -10000000)

In that example your code is probably giving a user money. Variants of this example are commonly seen in many forms throughout various games.

  • Some games give you EXP when you swing a sword. Spam that event and you just made a trainer.
  • If your game's health regen is done by requesting changes via the client, exploitable.
  • If your game deals damage by the client requesting a target and damage... do server side sanity checks! And a server sided cooldown!

You need to write your game assuming everybody has your localscript in front of them and can send any request they want. If you do this, it’s very easy to write your game in a way that can’t be exploited :slight_smile: Good luck finding the issue!

5 Likes
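The server-side checks described in the post above, as an added example that is not part of the original thread or any game's code. It is a Luau server Script; the RemoteEvent name `ShopEvent`, the `Coins` and `Exp` leaderstats, the price table and the cooldown values are all hypothetical.

```lua
-- Server Script (e.g. in ServerScriptService). Added example; every name below is hypothetical.
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local Players = game:GetService("Players")

local shopEvent = ReplicatedStorage:WaitForChild("ShopEvent") -- assumed RemoteEvent

-- Prices and rewards live only on the server; the client never supplies them.
local PRICES = { Sword = 100, Shield = 250 }
local SWING_COOLDOWN = 0.5 -- seconds between rewarded swings
local SWING_EXP = 5

local lastSwing = {} -- [Player] = os.clock() of the last accepted swing

local function getStat(player, name)
	local stats = player:FindFirstChild("leaderstats")
	local value = stats and stats:FindFirstChild(name)
	if value and value:IsA("IntValue") then
		return value
	end
	return nil
end

local handlers = {}

-- The client names the item only; the price is looked up server-side.
function handlers.BuyItem(player, itemName)
	if typeof(itemName) ~= "string" then return end
	local price = PRICES[itemName]
	local coins = getStat(player, "Coins")
	if not price or not coins or coins.Value < price then return end
	coins.Value -= price
	-- grant the item here, on the server
end

-- Spamming the event gains nothing: the server enforces its own cooldown.
function handlers.SwingSword(player)
	local now = os.clock()
	if now - (lastSwing[player] or -math.huge) < SWING_COOLDOWN then return end
	lastSwing[player] = now
	local exp = getStat(player, "Exp")
	if exp then exp.Value += SWING_EXP end
end

shopEvent.OnServerEvent:Connect(function(player, action, ...)
	-- Unknown or non-string actions are dropped instead of trusted.
	local handler = typeof(action) == "string" and handlers[action]
	if handler then handler(player, ...) end
end)

Players.PlayerRemoving:Connect(function(player)
	lastSwing[player] = nil
end)
```

With this handler, the `event:FireServer("BuyItem", item, -10000000)` call from the post has no effect on the price, because the extra argument is never read.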

There needs to be consequences for exploiters. I’m not saying ban them all if it detects something as little as cheat engine, but if they’re using programs to exploit and cheat then that should be a bannable offence. Same should go with botting, account theft is at an all time high with new exploits and stupid kids clicking links they shouldn’t be.

Exploiting, cheating, and account theft is already a bannable offence. Botting is fine if it’s not used maliciously (e.g. allow users to subscribe to updates for your games via PMs)

1 Like

How is botting allowed though? It’s using fake accounts to mass-spam bot people into joining groups, playing games, and even going to offsite links.

This is called phishing. Botting enables them to send out more links, but botting itself is not the root issue.

The root issue is spam – not botting. I can manually PM someone a message a minute without bots and still cause issues.

Both of those are already bannable offenses, but not botting because botting isn’t the issue.

This is up to the game developer to handle. Some bots may be good (e.g. I could make a white-hat bot to play through games for developers and find bugs), while others may not be wanted (ones that grind items for instance).

1 Like

Sure will. I haven’t tested it or anything, I just saw the video that had 3k views and quite a good approval rating.

1 Like