How do you detect dark dex?

I know this game can detect anything abnormal people have told me its “Uncrackable” for security
https://www.roblox.com/games/3016661674/Rogue-Lineage

A Script can’t detect whether or not a LocalScript is running. It is literally impossible to stop a hacker from deleting a LocalScript and it is likewise impossible to detect.

Maybe you could have a script constantly clone a local script from a place of storage wait for it to check whatever it is checking for delete then repeat

It works! This is revolutionary!

That won’t necessarily work either. The bytecode is not copied, the LocalScript merely contains a reference to the bytecode which is stored on the client. It can be nulled out or altered by someone with the patience. Or they can just block those packets from being received. You have 0 control over the client whatsoever. But even if it did work, it would be ugly and not as efficient as you want in a multiplayer game. This is a video game, not a bank. Your primary focus is on playability and there needs to be a balance between security, performance, and your own personal sanity. Don’t give the client any power over sensitive data and patch whatever comes up, but don’t go out of your way to fix Roblox-based hacks that don’t yet pose a threat in your game.

This is also client-side validation, and as soon as someone who isn’t a skid realizes that a script is stopping them, they’ll either disable it or work around it.

That’s where ServerScriptService scripts come in.

The localscript will be disabled or deleted on client and that wont replicate to the server so the script in ServerScriptService will still think that the localscript is running. Unless of course you are relying on a remote function for constant updates from that localscript but that can also be easily detected and spoofed

I know, I already came to that conclusion after posting what I said.

thats why i suggested to constantly let the local script run whatever it needs destroy it server side and then clone it and put it back in a loop

so it will be there regardless and if the client destroys it the server will put it back

But then couldnt the exploiter also run code every frame that deletes any new localscripts added to playerscripts or wherever the serverscript is cloning them?

Edit: sorry read your reply wrong

it would be stored in serverscriptservice which i think the client cant see and even that im pretty sure like 1/10th of exploiters even know how to slightly script

Once one of those 1/10 exploiters create the script necessary to exploit this and release it on the internet, the rest of the 9/10 exploiters with no experience can just execute that code and be off

Also I wasnt talking about the cloned script in sss

Haha, yes i meant both scripts the cloner and the cloned would be there, And yes that is a problem but what you could do is have a huge table of random strings and name the localscript that would give them a harder time and im sure they would have to go through and make a table of all the possible names (the harder you make it to get around the less problems you will have)

Or they can just check if any localscript was added, regardless of the name. Since most of the localscripts essential to the game would have loaded by the time the exploiter is able to play the game and inject dex, any new localscript would most likely be the antidex (unless the game dev clones localscripts into the player later for whatever reason) we should also probably stop bumping this thread to the top now, it was fun discussing this with ya!

You can’t detect exploit scripts unless the exploit script is dumb. Most exploits I know of use a special CoreGui instance separate from the normal CoreGui that’s even more undetectable, to house their scripts’ GUIs. Don’t know how it works, but it’s definitely not something you can detect.

you basically can’t detect dark dex because they’re using syn.protect_gui.

also game.DescendantAdded won’t fire since they are using syn.protect_gui again. if roblox changes their own guis (like renaming) there might be false positives.

wdym it doesn’t pose a threat, it does

for example they can:

1. steal maps
2. if the player paid 20$ to use this script (breh) they can see local scripts and prob copy an entire gui (in case they making a game with a similar genre or similar style), maybe even like 90% of an entire game if it is insecure enough.
3. it can make doing local changes easier, as the skid that is using dex doesn’t have to find what they are trying to modify and what property they want to modify.
4. it gives exploiters more opportunities for script making.

that is true, but only for synapse users. Most people (which are probably kids) can’t afford it.

for other people who can’t pay 15-20 dollars, they use free exploits, which cannot use syn.protect_gui().

And none of these can be fixed. Maybe DEX can, but I don’t know much about it. Someone can just make an alternative if they actually care about hacking your game. When Roblox fixes a client-side hack, they fix the concept instead of just the one hack. They limit chat length, they remove the bytecode compiler, they remove the compatibilities that allowed studio DLLs to be executed inside of a running game, they implement a real client-server model, and whatever they did to fix the fiddler exploit. Only once or twice do I know of them specifically detecting cheat engine, but of course that was worked around immediately since it’s client side protection.
And no, DEX doesn’t really pose much of a threat to you and I. Neither of us have any running experiences that are large enough for someone to target. I simply don’t like seeing people get so caught up with their theoretical fixes for hacks that either don’t work or go too far and waste too much time or performance. It’s the same animal as premature optimization. You’re going much too far out of your way for an issue that doesn’t affect your game. Make a working game, then make the anti-hack system or optimizations tailored to it once your game is big enough for it to become a potential threat.

There are many ways to “access” CoreGui, to a degree.
I have created an anti-exploit system which primarily focuses on client security.

It uses a LOT of hacky methods, but I have counteracted most bypasses with a simple server ended check here and there

For example, I can detect anyone using an exploit Gui in CoreGui around 90-100% of the time, if they are NOT a Synapse user with the Gui protected.

Outside of non Synapse users, my system makes Synapse protected Gui objects lag so much, that they will either break, be unusable, or in some cases, trigger my ping spoof detections, therefore neutralizing any protected Gui to begin with.

You can check my system in action against Synapse via the link below.