Join the game and open dev console. Go to the scripts tab and look for anything you don’t think you created.
Also, if you have HTTP service enabled, look at the network tab. If you see “weird” network activity like HTTP requests to domains like discord, builderman.xyz, etc. that you are not making then your game probably has a backdoor in it.
You might be able to find these malicious models by pressing ctrl + alt + f in studio and searching for getfenv or require. You’re likely to unuse getfenv and lots of malicious models use it to obscure what they’re doing.
Why don’t people make exploits for their own game and sell them lol. It’d be the ultimate pro gamer move.
Then when you feel like it, “patch out” the exploits and come up with “new ones”.
Either being caused by an insecure remote or a serverside backdoor. (would probably be the latter)
Backdoors are caused by infected free models or plugins.
(Don’t freak out, removal is as easy as 1, 2, 3!)
Go through your plugins, and see if one is not created by a trusted source.
(With the BTRoblox extension, you can easily view source code of plugins)
If there is an infected one, it will probably look something like
It looks intimidating, but it’s really just hiding the script through a bunch of strange encryption.
Key things to look for are: getfenv, require, string.reverse
If you find a plugin that has this, simply remove it.
If there is not a plugin that has that, look for the same stuff by going through scripts in your explorer.
(A common technique to hide the malicious code is to spam whitespace and hide it to the far right of the script, so make sure you are checking there as well!)
Edit: It’s also very possible that your version of HD admin is not the official one and contains a backdoor in itself. (thanks for Dusk_ie for pointing this out)
Edit 2: If it’s not caused by the admin itself, make sure to go through the steps I showed above.
Actually when using sha or any hash algorithm you cannot derive it. It isnt a pure function that is what makes it so special, there isnt really a equation other than the exact value you gave it
Not sure why it hasn’t already been suggested but it’s possible your version of HD admin is not the official one and contains a backdoor. Make sure you get the official version of HD admin. Alternatively, try using a different suite (I prefer Adonis personally).
If these exploits are indeed still occurring after you’ve removed the admin then there is likely a backdoor script elsewhere in the game.
You have a server sided backdoor in your game. HD admin among other vulnerable admin systems can grant permissions from the server. I believe this is done via the _G.HDAdminMain ‘PlayerData’ module.
“encrypting data on the client” is more than misleading, you’re just obfuscating things, clients have access to all replicated data
tldr;
if possible, don’t use third party scripts, delete all scripts that you don’t know the origin of, put server-side scripts in server script service, the scripts are invisible to clients there
But then how does the client know the key? Unless you’re using this purely for a password thing (i.e. client sends password and server checks) in which case hashing is useless.
I have seen this many times before in games.
Due to this I have got fired in a game.
Sadly there is no fix to this. Unless you make a script where if the script detects there is a cheat/exploit they get IP banned so their IP is banned so they can’t join on alternate accounts.
You could also try removing HD Admin and use different admin, or make your own admin.
I hope I could help. I will see you soon
