How to safely invoke the client

commitblue · March 20, 2022, 12:16pm

its me again

Alright, so did you know if you ever invoke the client using remotefunctions, your opening up opportunities of exploiters to damage your server? its interesting. not really but ill show you how to prevent this

lets say you have the client, like this

(ignore the remote name lol)

yes, the server will print “Hello, server!”

and the exploiter changes it to this:

this would damage the server, but with this method of safely invoking the client, you will instead get

Oh and it also works if the exploiter infinitely yields the server too. Want to implement this? Ok follow my steps.

create some variables dude!

game.Players.PlayerAdded:Connect(function(plr)
task.wait(2)
--safe invoke
local timeoutcount = 0
local timeout = 5
local result = nil
end)

give the client some time to return a value! (Edit timeout value, just dont mess with timeoutcount)
and result will be important, leave it nil, you will know why its important later

Lets multithread

local urremoteevent = replicatedstorage.urremoteevent
game.Players.PlayerAdded:Connect(function(plr)
task.wait(2)
--safe invoke
local timeoutcount = 0
local timeout = 5
local result = nil
task.spawn(function()
local som = urremoteevent
               
end)
end)

this is important, because were gonna check if it can be used or is bad

Check the type bro! it could be bad or not needed

local urremoteevent = replicatedstorage.urremoteevent
game.Players.PlayerAdded:Connect(function(plr)
task.wait(2)
--safe invoke
local timeoutcount = 0
local timeout = 5
local result = nil
task.spawn(function()
local som = urremoteevent:InvokeClient(plr)
if typeof(som) == "string" then -- ofcourse, change string with whatever u like
result = som
end
end)

end)

basically checks the type of the result the client gave you, if its not the one you need it will drop it

Waiting for timeout, we can’t wait all day

local urremoteevent = replicatedstorage.urremoteevent
game.Players.PlayerAdded:Connect(function(plr)
task.wait(2)
--safe invoke
local timeoutcount = 0
local timeout = 5
local result = nil
task.spawn(function()
local som = urremoteevent:InvokeClient(plr)
if typeof(som) == "string" then -- ofcourse, change string with whatever u like
result = som
end
end)
repeat task.wait(1) timeoutcount += 1 until timeoutcount >= timeout or result ~= nil
end)

This repeat event will yield until timeout count is the same or bigger than the timeout u gave, or until result is not nil(~= nil)

Finally, do whatever you want with this result.

local urremoteevent = replicatedstorage.urremoteevent
game.Players.PlayerAdded:Connect(function(plr)
task.wait(2)
--safe invoke
local timeoutcount = 0
local timeout = 5
local result = nil
task.spawn(function()
local som = urremoteevent:InvokeClient(plr)
if typeof(som) == "string" then -- ofcourse, change string with whatever u like
result = som
end
end)
repeat task.wait(1) timeoutcount += 1 until timeoutcount >= timeout or result ~= nil
if result ~= nil then
print(result) -- replace this with whatever u want to do with result
else
plr:Kick("Unexpected behaviour : timeout reached")
end
end)

Were done! now the clever or not exploiters cant mess with ur remotefunction anymore! epic!

Credits to @CodedJer , he made a formatted version to clearly read it.

local players = game:GetService("Players")
local replicatedStorage = game:GetService("ReplicatedStorage")

local urremoteevent = replicatedStorage.urremoteevent
players.PlayerAdded:Connect(function(plr)
	task.wait(2)
	local timeoutcount = 0
	local timeout = 5
	local result = nil
	task.spawn(function()
		local som = urremoteevent:InvokeClient(plr)
		if typeof(som) == "string" then
			result = som
		end
	end)
	repeat
		task.wait(1)
		timeoutcount = timeoutcount + 1
	until timeoutcount >= timeout or result ~= nil
	if result ~= nil then
		print(result)
	else
		plr:Kick("Unexpected behaviour : timeout reached")
	end
end)

Feedback is appreciated

R0bl0x10501050 · March 20, 2022, 1:45pm

Please format your code if you want people to actually follow what you’re doing.

commitblue · March 20, 2022, 1:46pm

Ill format it a bit later. But I still don’t see what’s wrong with the formatting

HugeCoolboy2007 · March 20, 2022, 2:17pm

Code indention and spacing is just easier for people to read as opposed to having everything to the left

commitblue · March 20, 2022, 2:18pm

Alright I will do it a lil later, I’m busy rn

Dawgcool13 · March 20, 2022, 4:04pm

If you want to safely invoke the client, you need to wait for the client to tell you they loaded. Oftentimes the client will load for more than two seconds.

You can use ‘game:IsLoaded()’ and ‘game.Loaded:Wait()’ for this.

if not game:IsLoaded() then
   game.Loaded:Wait()
end
-- fire your ‘GameLoaded’ remote here

commitblue · March 21, 2022, 10:50am

They can infinitely yield the server like this xdd

thus there is a timeout so

xFly_Flame1014 · March 28, 2022, 12:27pm

game.Loaded:Wait() might infinitely yield since it only fires one, if you don’t want it to infinitely you can use repeat RunService.Heartbeat:Wait() until game:IsLoaded()

commitblue · March 28, 2022, 1:06pm

What I meant that if I make a remotefunction and wait for the client to tell me that their loaded, they can easily make an infinite yield

xFly_Flame1014 · March 28, 2022, 2:00pm

Sorry for the misunderstanding lol

CodedJer · April 1, 2022, 8:04am

What Is this supposed to do, I do not understand due to the formatting.

commitblue · April 1, 2022, 8:27am

when you use remotefunctions to invoke the client, the exploiter can infinitely yield server, so this serverscript is basically a timeout thing.

commitblue · April 1, 2022, 9:00am

what is that ? Is the handshake system like the timeout thing?

RlGHTEOUS · April 1, 2022, 10:33am

No pcalls? The documentation for InvokeClient specifically mentions wrapping in a pcall to prevent errors

commitblue · April 1, 2022, 10:56am

I think task spawn already handled this for you

RlGHTEOUS · April 1, 2022, 11:03am

It won’t stop the current thread from continuing but it doesnt exactly catch the error either
(Nor is invoking the client ever truly safe)

commitblue · April 1, 2022, 11:04am

Then add a pcall I guess.

luvebrainz · April 1, 2022, 9:11pm

This post is inherently misleading, due to the fact that exploiters can still hook onto your OnClientEvent‘s using metamethods. There is no “safe” on the client, no matter how hard you try. You might slow down script kiddies and exploiters who have no knowledge on this, but any competent exploiter can still, very well, just spoof the data.

commitblue · April 1, 2022, 9:12pm

I would like to see you make a code that yields the server infinitely.

luvebrainz · April 1, 2022, 9:15pm

What? No one is able to do that without a server sided vulnerability?

I think you’re misunderstanding me. Im saying method you have provided doesn’t seem very practical or safe as a security measure as you claim it to be.