That’s true, so that’s just something impossible to patch.
Along with other things like ESP, which don’t even use Lua at all.
It’s just something you have to live with.
1 Like
The only thing you can do to prevent no recoil is making it so the server handles where bullets shoot towards due to recoil, so even if an exploiter removed client-side recoil which is just visuals, it wouldn’t prevent the server from handling recoil normally.
Funny thing is with my custom character replication, and player culling methods, most universal ESPs are really broken and buggy on my game. Which was a really neat side effect because my whole goal was performance alone.
Basically player body parts that aren’t actually visible on your screen, are moved to underneath the map. This prevents you from rendering them, without changing their transparency or instancing any kind of modifiers of any kind. Fun thing is ESPs still see the body parts, but of course they aren’t where the player is.
1 Like
Wait what? That would absolutely DESTROY hit detection, especially since it’s not like the client just shoots and lets go of their mouse. Recoil control is integral to being actually good at the game.
The plain and simple thing is, while the client is so vulnerable to code injection, the exploiters will just get smarter and smarter, like they did when FE was first introduced, and since it was fully implemented.
The hard part, is fixing the client’s issues with code being easily injectable, but apart from that, theoretically the only way is to ride the tides, and make our scripts more intelligent when the exploiting community get around the last version.
True, the only problem is I feel like most developers are being completely abandoned on this front. I feel like the official stance is “Well you should code your game to be less vulnerable”. But in this particular case in order to code out the vulnerabilities, I had to completely ruin some of my own code. I had to get rid of these nice, clean, easy to read and easy to use functions and variables to prevent exploiters from calling and modifying them. One thing roblox does have is official guides on “clean-code” and how to code properly, but clearly those same methods make your code more exploitable.
I feel like roblox used to be a good place to learn how to develop games, and a real land of opportunity. But now following roblox’s official guides is only a good way to make a game that gets completely destroyed by cheaters and hackers on the first day. I feel like if I were to make a game using only information from roblox’s wiki, it could never possibly hold a significant amount of players.
From where I sit it doesn’t really seem like roblox is even trying to do anything about this problem anyways, I’ve estimated 1 out of every 200 users are using some form of injector. Within the past few days I’ve had 30 confirmed exploiters join my discord server, who knows how many exploiters played but didn’t join. I can’t even get them banned because most of them have 40+ accounts, and from what I’ve heard all the exploit software has anti-hardware-id ban methods too.
I also feel like developers have a better ability to detect exploiters than even roblox itself in a lot of cases. I specifically made a feature request to allow serverscripts to file reports (probably with a huge debounce to prevent developers from abusing it). I’ve actually heard of developers who are able to make IP bans for their specific games (many of them have been banned because it’s against ToS), but if developers can IP ban, why can’t Roblox?
3 Likes
I can see why it frustrates you, but the amount of legal reasoning behind developers not even being able to autodetect geographic location, account birth dates, and even IPs is far greater than you would imagine, these being a few;
The EU GDPR laws
The California privacy laws
International human rights laws (primarily around not disclosing any protected characteristics, ie; gender, race etc)
All of the international child protection laws, such as COPPA in the US, etc.
There is probably more, but even YouTube has been hit by issues from COPPA, so you can imagine what Roblox has to do to stop any possible issues.
It’s interesting you mention that, because to some degree, roblox already violates those. You can at least see server IP/location just by opening the log of every roblox session you start, granted I don’t read the logs often at all, and I’m only assuming the other information is in there was well.
Plus the fact that roblox developers can set that up on their games implies that roblox as a software has the ability to get that information anyways. It’s against ToS, but not impossible, because developers can access it too, so it stands to reason the privacy laws have little sway over roblox as an engine.
1 Like
If you mean the logs in the Roblox folder on the users OS, that isn’t sent to anyone automatically, that is usually only sent to Roblox via support, or upon request from support, etc.
Roblox are actually allowed to access IPs as part of the fact the internet pretty much needs them to view a website, but collecting them in a database for anything other than security or policy enforcement (such as banning an IP, etc) is against the law of many of the above listed.
I think the reason off-site ads were removed for non member players in the first place was due to the targeting aspect, which is why YouTube had the issue with the FTC about COPPA, so Roblox probably did that to “futureproof” any advertising / data selling issues, even to prevent any investigations.
Hmmm, that’s very interesting and I’ll definitely look into it more. I almost feel like there has to be some sort of workaround or licensing aspect to some of those laws because IP banning is not a new thing, many corporations and platforms still do it. Also I’m not sure how hardware ID banning fits into those laws, but the fact that exploiting software specifically has bypasses for it implies roblox definitely does that.
Either way I’d still like to see developers be able to report users through server scripts, as long as it’s a highly limited async, it shouldn’t be too abuse able, and it’d definitely help catch alot of people. Since developers specifically know if flying is possible or not in their own game, and can easily detect a fly hack, or other things like that.
(But of course my post was never approved, I assume they just think it’s a dumb idea)
1 Like
They do a lot of things behind the scenes to stop hackers, but having anti hack scripts does help. It is a shame that it’s impossible to check the name and location of a script when it fires a remote event.
1 Like
Just don’t add local before your variables and I’m sure they won’t be able to edit it. I have an exploit aswell.
1 Like
I would LOVE a type of system that could detect which script called an event, module, or function. That would make fighting injectors stupidly easy, and would help a TON in debugging as well. Not sure how it would work, but I’m going to go make that a feature request.
yeah but normal variables are pretty inefficient.
Yeah but I’m just telling him a possible fix that could help him.
1 Like
How bad is it to use normal variables actually? It can’t cause that much lag can it?
I was under the impression it was actually the opposite, especially since the specific functions they changed there were written as
function Ammo(args)
--code
end
No “local” at all.
The client has total control over what runs on their machine. It’s their computer. You might be able to protect against getsenv, but the exploiter could literally just delete your script. There’s no point trying to have client-sided security as anything more than an additional precaution on top of whatever the server’s doing. Your time would be better spent trying to secure remotes and do other server sided sanity checks to make sure what the client’s doing makes sense.
4 Likes
I mean I think you could just add a check if it’s something stupidly high then you could kick them or something, not sure.
Again it doesn’t matter how much protection you add on the client, it’ll always be bypassed some day.
1 Like
Well that’s why I wrap all anti-exploit methods in with the core engine script. If they delete the script, they basically delete the whole game and it becomes unplayable.
and yes I know they can make their own copy and run that, but injecting 7000 modified lines (which also relies on things the original script already changed when it initialized) is far from practical.