How Do I Protect Against GetSenv?

They can run their own code and fire their own events. They can read that core engine script and rewrite it without security checks. It’s their machine — they can do whatever they want. It only takes one dedicated exploiter to completely break your game.

4 Likes

I have a genius idea to prevent scripts getting deleted.

Put the LocalScript in ReplicatedStorage and put a script on the server that makes sure it doesn’t get deleted. If it does, kick the client.

1 Like

If it gets deleted, it’s only gone locally. Those changes will not replicate.

7 Likes

In a service called ReplicatedStorage…

Yeah, that’s not how ReplicatedStorage works. First of all, code doesn’t run there, but more importantly the replicated part just means it replicates from server to client (unlike ServerStorage).

4 Likes

Did you try getting your ammo on the server? This can protect from exploiters. I recommend using ModuleScripts with the stats and requiring them in server scripts.

I mean if you delete localscripts in replicatedstorage it would work. You can also copy and paste tools from there to your backpack and it also replicates.

They can just change the modulescript and then the server gets what they changed lol.

The client and server have their own copies of ModuleScripts when they’re required. There’s no way for the client to tamper with server-sided data other than abusing poorly-secured remotes.

@MrGuyROBLOX. Using global variables is about as slow as indexing a table, for every time you use it. The difference should be negligible.

6 Likes

Any ideas to make games hack proof? I’m already out of ideas, learning how replicated storage works.

Depends a lot on the specific hack, but nothing is unhackable; it’s a constant battle between patching and hacking. The bright side is, in my case, I’m getting paid to stop them, and they get nothing out of it.

I’m a bit late to the party and just skimmed through the thread, but I just wanted to clarify some things.
@CDDevelopment, you haven’t fixed the issue. Inlining just means that exploiters will use a different method for infinite ammo and such. Exploits have the ability to change constants in your code altogether, for example. It doesn’t matter if your script is 7000 lines long or you have the entire core codebase in it.

Your key system is also mostly useless, and it’d be better to scrap it if it becomes an issue to deal with in your development.

Your idea about a way to tell which script fired an event also wouldn’t work. The client also has authority over this and can spoof it. There’s no way for the server to tell anything coming from the client is legit.

I’d also like to point out that your last point is a bit weird; lots of exploiters sell their scripts so yeah they’re also getting something out of it.

It doesn’t make a difference almost at all really. If you use global variables however, you deal with scoping issues all over the place and it gets super messy. Prefer local variables always.

6 Likes

Well I think it’s a little unfair to call something useless if you’ve never actually seen it. My key system has some clever tricks that in the very least will drastically slow down even a very experienced exploiter.

Also, if you don’t protect your events with some kind of key system (at least in an FPS game), how can you possibly protect against exploiters firing your events?

Sure there would be sanity checks, but one of the biggest things you have to pass to the server is which direction the client shot in, so if an exploiter had free rein over my events, they could just keep telling the server they’re shooting in the direction of other players and they can go afk and farm kills.

A key system, even a crappy one, is far from useless, and better than nothing at all.

1 Like

What are key systems? How does your one work? I want to use it in my game.

For obvious reasons, both as protection from exploiters AND other greedy developers, I’m not going to reveal how my system works.

However, a basic key system is just an extra argument you pass through your remote events that the server can look at to determine if a remoteevent fire is valid.

Noclipping and changing walkspeed is still possible with a key system because those don’t require remote events right?

The key can simply just be found by looking at the network data being sent to the server. It also increases the amount of data being sent to the server.
It’s probably best to just code remotes in a way that assumes anyone firing it is exploiting.

4 Likes

So how do I tell if someone is not firing them illegally?

You don’t need to. Just check on the server if they can do something like for example:
A client wants to buy a sword, the client should go to the server and tell them what they want to buy. Then the server checks the sword’s price and how much money the client has, and if so, give the sword and tell the client it was successful.
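
The sword purchase described above, sketched as a server Script. This is an added example, not code from anyone in the thread. The `BuyItem` remote, the `Tools` folder in ServerStorage, the price table, the starting balance and the cooldown are all assumptions made for illustration.

```lua
-- Server Script (e.g. in ServerScriptService). Added example; all names are assumptions.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local ServerStorage = game:GetService("ServerStorage")

-- Prices and balances live only on the server; the client never sends either.
local PRICES = { Sword = 100, Shield = 250 } -- constructed sample catalogue
local COOLDOWN = 0.5 -- seconds between purchase attempts per player
local balances = {} -- [Player] = coins
local lastRequest = {} -- [Player] = os.clock() of the last attempt

local buyItem = Instance.new("RemoteFunction")
buyItem.Name = "BuyItem"
buyItem.Parent = ReplicatedStorage

Players.PlayerAdded:Connect(function(player)
	balances[player] = 150 -- constructed starting balance
end)
Players.PlayerRemoving:Connect(function(player)
	balances[player] = nil
	lastRequest[player] = nil
end)

buyItem.OnServerInvoke = function(player, itemName)
	-- Treat every argument as hostile: the client controls its type and value.
	if typeof(itemName) ~= "string" then return false, "bad request" end
	local price = PRICES[itemName]
	if not price then return false, "unknown item" end

	-- Throttle so a script spamming the remote cannot flood the server.
	local now = os.clock()
	if lastRequest[player] and now - lastRequest[player] < COOLDOWN then
		return false, "too fast"
	end
	lastRequest[player] = now

	local balance = balances[player]
	if not balance or balance < price then return false, "not enough money" end

	local tools = ServerStorage:FindFirstChild("Tools")
	local template = tools and tools:FindFirstChild(itemName)
	local backpack = player:FindFirstChildOfClass("Backpack")
	if not template or not backpack then return false, "unavailable" end

	-- Only now does state change, and only state the server owns.
	balances[player] = balance - price
	template:Clone().Parent = backpack
	return true, "purchased"
end
```

The client sends only an item name. An exploiter who fires the remote directly gets exactly what a legitimate client would get, so there is nothing to gain from bypassing the LocalScript.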

Lexi, that’s why you need complex keys, different for every player, and they should be unique and ever changing. So a key is neither predictable nor copy-able, and can only be used once. I was simply giving the basic rundown of how a key system works.

1 Like