Wouldn’t work. You can’t pass functions across the client/server boundary.
EDIT: It still is a huge security flaw though because you can pass object references and destroy basically anything in the game, from the server, replicating to all players (yikes!)
I’d just like to say as the developer of Adonis, the script is open source if you’d like to scrutinize it, and no, I did not add a backdoor, and as far as I’m aware there is currently no way to abuse the script as a non-admin to accomplish what is being described. Based on what you’ve said, it sounds like he’s only doing things that involve replication, as opposed to executing code server-side, so maybe they found some bug with FE that allows them to do this?
Also Studio has had instance/name searching built in for a while now. There should be a little search bar thing at the top of the explorer window, right above workspace. Typing in the name or classname to search for (such as “Script”) will show you everything that has a matching name or classname.
Also functions cannot be passed over remote events, however as previously stated any objects passed to the event in place of “horse” will be destroyed. This means absolutely ANYTHING that the client sees that is a destroyable instance, which includes skyboxes, can be destroyed by abusing that remote.
Adonis has the ability to run server sided code from the client. I dont know if that is a factor but its a good reason why you do not use freemodel admin unless youre just lazy, testing things, or idk
It doesn’t sound like they are executing code server-side, and if they are they really aren’t utilizing it’s full potential, though at the same time if they are actually making things server-side they would need to be doing the actual creation server-side as the server won’t see anything the client passes to it through something like a remote event if it wasn’t replicated to the server beforehand (a client can’t fire a remote event with an object and tell the server to replicate it as the server would just see it as nil.) It’s fully possible someone figured out a new way to bypass FE, as has happened in the past.
While I’d be inclined to agree, they are obviously the target of some form of exploiting that appears to be specialized enough to do what’s being described consistently enough for it to be a problem for them. So regardless of how it’s done, it’s still happening, and it’s likely not something common. I’m also inclined to believe it’s not Adonis as if it was, building on your point, it would likely be happening in more games, enough for people to complain to me about it (as they usually do when I mess something up.)
I’d like to also say building on one of my previous replies after re-reading the initial post that if they are ONLY destroying and are NOT creating anything, then they are almost certainly abusing the previously discussed RemoteFunction and any other topics discussed here can be ignored as that’s undoubtedly what they’re using. If, however, they are creating objects as well then that’s a whole different more serious problem, so start by fixing the obvious issues with the RemoteFunction and see if that solves it.
For reference of what they’re probably doing:
--// I don't know where the RemoteFunction is located so I'm taking a guess
local func = game.ReplicatedStorage.Remotes.RemoveHorse
local function destroy(obj)
pcall(func.InvokeServer, func, nil, obj) --// Pcalling cuz pretty sure RemoteFunctions return their errors to the client and actually error where it was invoked and I'm not bothering to pass a humanoid so it will most certain error when it tries to set nonexistant humanoid's WalkSpeed
end
--// Now we can literally destroy everything
destroy(game.Lighting.Skybox)
for i,child in ipairs(workspace:GetChildren()) do
destroy(child)
end
The best way to fix this would be to either stop destroying what the client tells it to (obviously) or at least validate that what you’re about to destroy is actually a horse belonging to the player and not something else. For a little bit of guidance when going about this, it should be noted that assuming the RemoteFunction is the source of the problem (probably is) the client isn’t actually replicating anything to the server, so they can’t change the name of the object that the server sees and can’t add or remove things from it, so you could always just add something to horses that identify them as being horses (like a string value named “IsHorse” or something?) then just check for whatever it is you did to identify them before destroying the object passed, and if you don’t see whatever it is then just ignore it (or smite them for being rude) (this is probably the last edit, I just didn’t want to spam more replies or something)
I’d also advise removing Adonis from your game and only using the Developer Console (it’s actually really easy to use once you get used to it.) A lot of modern Admin Commands have backdoors that allow exploiters to wreak havoc on your game, despite the name being Anti-Exploit or Admin Suite.
On the topic of passing functions and such, I had no idea that you could do that much with RemoteEvents, and makes me a bit worried now since some of my game uses object values.
You can’t pass functions into RemoteEvents. They get removed. Try it. You can do it with normal function calls on the same computer and the same security identity. You can’t do it with RemoteEvents, RemoteFunctions, BindableEvents, or BindableFunctions. With all of those, data is serialized then deserialized. For Remotes it is because data has to be sent over the network. For bindables it is done in order to prevent stuff like this from allowing code execution on higher security identities. When serialized, some data types are removed (such as functions).
Read the whole thread before suggesting that Adonis is the issue. Not only is Adonis completely open source, but the creator of it addressed the concerns of it being the problem. Check open source scripts before insinuating they could have a back door. I’m sure anyone, yourself included, wouldn’t want to be accused of putting backdoors in their scripts.
I don’t use Admin commands at all anymore, so I wasn’t aware that Adonis was open source. There are a few loader-based Commands that seem to all function in the same way, and more or less have backdoors in their code. I’m not entirely sure how true this is now. It’s just everytime I see a script using a require module, it makes me very suspicious about how it functions, and also why I no longer use code that has to be required from the website.