How much power do exploiters have with remotes

Working on my game, I had to add a lot of encryption to prevent exploiters. I know that exploiters can very easily delete remote events and fire them, but I have 2 questions:

  • If an exploiter deletes an event locally with Dex (an exploit explorer), will the events still fire for server-to-client communication?

  • Exploiters can easily fire events, but can they stop events from being received by local scripts? So if I have a server script that sends an event to a client to start the anticheat, for example, can they cancel that by disconnecting the listener?

They can hook remotes to prevent them from firing.

No.

They could just delete the script as well.

As much power as you unintentionally give them on the server side.

You always make sure that you properly design and validate your remotes so exploiters don't break your game.


I think I'm gonna reuse the race remote event for my anticheat, so if they hook it/delete it/etc. then the drag race won't even start!!!

Anything that’s within the client usually can always be tampered with; remote hooks and such exist.

It’s very important to validate requests received by clients; the server is the final decision on whether something is true or not.

You can write code that prevents exploiters from tampering with your code; however, if an exploiter attempts to bypass your anti-cheat with enough effort, they can eventually bypass it.

Exploiters can easily view every Event, unless they are in ServerStorage or ServerScriptService.
They can read the names and also fire them. You have to set arguments inside of the event, since the player can't read what's inside of a Server Script.

There’s an exploit called DEX; here you can view the entire game (unless ServerStorage or ServerScriptService).
This has a script viewer; with this it lets you read encrypted local scripts which got decrypted.
So an exploiter can figure out which arguments to use. Just make sure the server does the security checks, not the client.
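The server-side checks recommended in the replies above, as an added example that is not code from any poster in this thread. It is a Luau server Script; the `RaceRemote` event, the `Checkpoints` folder (Parts named "1", "2", ...) and the tuning constants are assumptions made for illustration.

```lua
-- Server Script, placed in ServerScriptService so clients cannot read it.
-- All instance names and constants below are hypothetical.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

local raceRemote = ReplicatedStorage:WaitForChild("RaceRemote") -- assumed RemoteEvent
local checkpoints = workspace:WaitForChild("Checkpoints"):GetChildren()
table.sort(checkpoints, function(a, b)
	return tonumber(a.Name) < tonumber(b.Name)
end)

local MAX_DISTANCE = 25  -- studs allowed between player and checkpoint (assumed)
local MIN_INTERVAL = 0.5 -- seconds between accepted requests per player (assumed)
local state = {}         -- [player] = { nextIndex = number, lastRequest = number }

Players.PlayerRemoving:Connect(function(player)
	state[player] = nil
end)

raceRemote.OnServerEvent:Connect(function(player, index)
	-- `player` is supplied by the engine; `index` is fully client-controlled.
	local s = state[player] or { nextIndex = 1, lastRequest = 0 }
	state[player] = s

	-- 1. Rate limit: a client can fire the remote as often as it likes.
	local now = os.clock()
	if now - s.lastRequest < MIN_INTERVAL then return end
	s.lastRequest = now

	-- 2. Type and range: reject non-numbers, fractions, NaN and infinity.
	if typeof(index) ~= "number" or index % 1 ~= 0 then return end

	-- 3. Sequence: only the next checkpoint tracked by the server is accepted.
	if index ~= s.nextIndex or not checkpoints[index] then return end

	-- 4. Sanity check against what the server sees. Character position is
	--    replicated from the client, so this only raises the bar.
	local character = player.Character
	local root = character and character:FindFirstChild("HumanoidRootPart")
	if not root then return end
	if (root.Position - checkpoints[index].Position).Magnitude > MAX_DISTANCE then return end

	s.nextIndex += 1
	if s.nextIndex > #checkpoints then
		print(player.Name .. " finished the race")
		s.nextIndex = 1
	end
end)
```

Because race progress lives only in the server's `state` table, a client that deletes, hooks or spams the remote cannot advance it; the request is simply ignored.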

They can fire remote events whenever they want with any arguments, and also fabricate remote functions’ results too.
There's a tip on what they can and what they can't:

  1. Press F5
  2. Make sure your playtest is currently on client
  3. Type any code in the bar at the bottom that says “Run a command”
  4. Hit enter

Basically yeah, you can just do all that stuff you want to test while doing playtesting on client to verify. You can try doing something nasty like verifying descendantry of, idk, workspace? If the exploiter’s workspace doesn't match, then do some more checks (like maybe there's a chance the player has not fully loaded in yet), and if there are no replies from remotes then kick, since they probably deleted the remote. That’s just something that I came up with; unreliable, but with some modifications it might work?