How did an exploiter change things in workspace that are visible to everyone?

If he loaded in an admin, it would only work on the client. There is a backdoor somewhere in your game.
My question here is: did Adonis add a backdoor?

Did you also check if there are unsecured remotes?

There are unsecured remotes, but none for changing the Skybox, so I’m very confused about why he would change the skybox and speed around when he could use an insecure remote and kill everyone. Isn’t finding a backdoor in Adonis more complicated than using an insecure remote?


There are such things as Filtering Enabled speed hacks and kill hacks; most of them work by teleporting the user to the target until they’re pushed off the map.

Also did you check if any remote can modify instances?

Hmm, I don’t think so, but I’ll check again. I’m mostly confused by how he managed to change the Skybox; there is not a single script or event that interacts with or uses it. Maybe instead of a skybox he actually put very large parts around the map, but I doubt that?

Could be possible, but again, your game is FE.
Check if all of your remotes are secured.

How popular is your game and how likely is it someone would target it? If it’s a small game with no ‘enemies’ the likeliness is this is due to a backdoor in one of your installed plugins, admins or otherwise loaded model.

Not to promote my own stuff or anything, but using my plugin Instance Scanner you can check for scripts in your entire game by selecting the workspace and then running a scan, click on ‘Script’ and it will show you all the scripts in the game.


It’s a group game; it only averages 15-30 players in the evening.

I checked and I found a RemoteEvent that sends a Part Instance that gets destroyed in the server script, but that wouldn’t explain the Skybox.

Like I said, he could’ve placed very large bricks around the map and put a decal on them. I advise you to do what SteadyOn said.

With this you could send anything to the server, including a Server Script that executes code. Does the instance get parented to anything once sent to the server? Does the server check that the instance is a part and how quickly is it destroyed?

My bad, it’s a RemoteFunction. This is what the server side does:

Why even pass the horse lmao


This is incorrect, see Fliptibell’s reply below.

Here the player could probably pass some kind of table, e.g.

local horse = {
    Destroy = function(self, ...)
        --// The client can now run whatever code they want on the server
    end,
}

Try and find a workaround where passing the horse to the server from the client is unnecessary because this is a gaping flaw.


Wouldn’t work. You can’t pass functions across the client/server boundary.

EDIT: It still is a huge security flaw though because you can pass object references and destroy basically anything in the game, from the server, replicating to all players (yikes!)


So he just used the RemoteFunction to alter the skybox by sending code through that changes it?


Ohhh, didn’t know that!

Let me rephrase a bit: is it possible to access the Skybox and alter it when no LocalScript uses any RemoteEvents/RemoteFunctions to access the Skybox?


It shouldn’t be without a backdoor.


Alright thanks to everyone for replying, I’ll just keep looking for a backdoor for now then!

I’d just like to say as the developer of Adonis, the script is open source if you’d like to scrutinize it, and no, I did not add a backdoor, and as far as I’m aware there is currently no way to abuse the script as a non-admin to accomplish what is being described. Based on what you’ve said, it sounds like he’s only doing things that involve replication, as opposed to executing code server-side, so maybe they found some bug with FE that allows them to do this?

Also Studio has had instance/name searching built in for a while now. There should be a little search bar thing at the top of the explorer window, right above workspace. Typing in the name or classname to search for (such as “Script”) will show you everything that has a matching name or classname.

Also functions cannot be passed over remote events, however as previously stated any objects passed to the event in place of “horse” will be destroyed. This means absolutely ANYTHING that the client sees that is a destroyable instance, which includes skyboxes, can be destroyed by abusing that remote.

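As an added illustration of the flaw Fliptibell and the Adonis developer describe above (this is not code from the thread, from the original game, or from Adonis), here is what a RemoteFunction that destroys whatever Instance the client sends looks like in Luau, next to a version that no longer lets the client choose the target. The remote name "DismountHorse", the "Horses" folder, and the "OwnerUserId" attribute are assumptions made for the example:

```lua
-- Added example, not from the thread: a RemoteFunction that trusts a client-supplied
-- Instance, beside a hardened handler. All names below are assumptions.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

local dismount = ReplicatedStorage:WaitForChild("DismountHorse") -- assumed RemoteFunction
local horsesFolder = workspace:WaitForChild("Horses")            -- assumed folder the server spawns horses into

-- VULNERABLE (the pattern described in the thread): the client picks the target.
-- Instance references survive the client/server boundary, so a client can invoke
--   dismount:InvokeServer(game.Lighting.Sky)
-- or pass another player's Character, and the server destroys it for everyone.
-- Functions do NOT survive the boundary, so a table with a fake Destroy method
-- cannot smuggle code; the real damage is the unrestricted Destroy.
local function vulnerableDismount(player, horse)
	horse:Destroy()
	return true
end

-- HARDENED: the client only asks to dismount; the server decides which horse is
-- "theirs" from its own record (an attribute set server-side when the horse spawned).
local function findOwnedHorse(player)
	for _, horse in ipairs(horsesFolder:GetChildren()) do
		if horse:IsA("Model") and horse:GetAttribute("OwnerUserId") == player.UserId then
			return horse
		end
	end
	return nil
end

local function hardenedDismount(player, clientArg)
	-- The argument is ignored on purpose: nothing the client sends chooses the target.
	-- If you must accept one, reject it unless typeof(clientArg) == "Instance",
	-- clientArg:IsDescendantOf(horsesFolder), and it equals findOwnedHorse(player).
	if clientArg ~= nil and typeof(clientArg) ~= "Instance" then
		warn(("%s sent a %s to DismountHorse"):format(player.Name, typeof(clientArg)))
		return false
	end

	local horse = findOwnedHorse(player)
	if horse == nil then
		return false -- nothing to dismount; never fall back to the client's suggestion
	end
	horse:Destroy()
	return true
end

dismount.OnServerInvoke = hardenedDismount
```

With the hardened handler the worst a hostile client can do is destroy its own horse, which it could achieve legitimately anyway; Lighting.Sky, other Characters, and map geometry are out of reach because the server never dereferences an Instance the client handed it.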