Essentially, I’m making an application center, and I’m sending an authentication code generated by the server to the client, using a RemoteEvent, when the player joins. Is it possible for an exploiter to view the application center local script and just see the variable? Or can they only see the original version of the script?
(Bonus question:) Are they able to set up a function connected to the remote event fast enough to intercept the authentication code information?
Hackers can see / read local scripts, and if they are very advanced hackers, they can try to see the variable.
Advanced exploits such as Synapse X, etc., allow exploiters to inject local scripts into the game, so they can set up a certain function to intercept the authentication code.
By the way, can I know why you are sending an authentication code to the client?
I want the client to receive an authentication code, so when they complete the application the client sends the code to the server, and the server authenticates that it’s not a user injecting code and firing the event themselves. And it currently works. But is this not a good method though?
Code for context:
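```lua
local RepStor = game:GetService("ReplicatedStorage")
local Alph = string.split("abcdefghijklmnopqrstuvwxyz", "")
local AuthCode = ""

game.Players.PlayerAdded:Connect(function(plr)
	-- Start from an empty code so it does not keep growing with every join
	AuthCode = ""
	for i = 1, 100 do
		-- Pick a digit or a letter for each of the 100 characters
		local Choose = math.random(1, 2)
		if Choose == 1 then
			local NewNumber = tostring(math.random(1, 9))
			AuthCode = AuthCode .. NewNumber
		elseif Choose == 2 then
			local NewLetter = Alph[math.random(1, #Alph)]
			AuthCode = AuthCode .. NewLetter
		end
	end
	-- Send the generated code to the client that just joined
	RepStor.ReceiveCode:FireClient(plr, AuthCode)
end)
```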
Make sure you give them a limited number of tries, so that they can’t guess thousands of times.
Yeah, it’s one person per server, and they’re kicked for each try (pass or fail). I’m also in the process of finishing the datastore to save the time they took the quiz and whether they have passed or failed it.
I’m pretty sure that multiple LocalScripts can be triggered by one RemoteEvent, so an external script could catch that code and the exploiter can do whatever they want with it.
I can’t think of a way to make sure the player actually does the application, though.
Well, it collects all the answers into a table, and then sends them to the server for grading, where the server has its answer key in a ModuleScript (as a child of the script).
I think adding the process of Authentication Code would be unnecessary. I say this for several reasons:
- An event can trigger several local scripts and exploiters can easily inject a local script.
- You cannot track on the server what the client is doing. Due to FE, client changes do not replicate to the server except in some rare cases (Network Ownership for parts).
- The last reason is that the client can steal the Auth Code anyhow and fire the server with random answers, so the auth code system will be useless here.
So, you should just make sure to do these things to stop hackers:
- Check for remote spam.
- Add a cooldown, so if a player fails to pass a test, add a cooldown of a long time.
Doing that should be fine.
Mk, since the player can only do one application each join, I added a single bool value to change when an answer is sent. And if a second answer is sent, they’re automatically kicked from the game. Thanks for the advice, I’ll cut it out of the script.
Adding onto it, make sure there is no way for an exploiter to get the correct answers with their exploits. (Don’t store them in LocalScripts for example)
Then there should be no problem.
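What the replies above recommend, as an added server-side example that is not code from any poster in the thread: grade on the server, accept one validated submission per player, and keep the answer key in a server-only ModuleScript. The names `SubmitApplication`, `AnswerKey` and `PASS_RATIO`, and the placement of the Script in ServerScriptService, are assumptions.

```lua
-- Added example (server Script, assumed to live in ServerScriptService). Assumed names:
-- RemoteEvent "SubmitApplication" and child ModuleScript "AnswerKey" returning an array of strings.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

local SubmitApplication = ReplicatedStorage:WaitForChild("SubmitApplication")
local AnswerKey = require(script.AnswerKey) -- server-side only, clients cannot read it
local PASS_RATIO = 0.8 -- constructed threshold for this example
local submitted = {} -- [Player] = true once a submission has been received

-- Accept only an array of short strings with exactly one entry per question.
local function isValidSubmission(answers)
	if typeof(answers) ~= "table" then return false end
	local count = 0
	for key, value in pairs(answers) do
		if typeof(key) ~= "number" or key % 1 ~= 0 or key < 1 or key > #AnswerKey then return false end
		if typeof(value) ~= "string" or #value > 200 then return false end
		count += 1
	end
	return count == #AnswerKey
end

local function grade(answers)
	local correct = 0
	for i, expected in ipairs(AnswerKey) do
		if string.lower(answers[i]) == string.lower(expected) then correct += 1 end
	end
	return correct / #AnswerKey >= PASS_RATIO
end

SubmitApplication.OnServerEvent:Connect(function(player, answers)
	-- `player` is filled in by the engine, so the sender's identity cannot be forged.
	if submitted[player] then
		player:Kick("Only one submission is allowed per session.")
		return
	end
	submitted[player] = true -- set before grading so a burst of events cannot race
	if not isValidSubmission(answers) then
		player:Kick("Malformed application.")
		return
	end
	local passed = grade(answers)
	-- Persist `passed` and os.time() here (DataStore) to enforce the retry cooldown.
	player:Kick(passed and "Application passed." or "Application failed.")
end)

Players.PlayerRemoving:Connect(function(player)
	submitted[player] = nil
end)
```

Everything the client sends is treated as untrusted input here, so an injected script that fires the event directly gains nothing over filling in the form.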