If I can change Character's jump power in a LocalScript, can a hacker too?

I can change my Character’s WalkSpeed in the following local script:

  local player = game:GetService('Players').LocalPlayer
  wait(5)  -- wait for character load
  player.Character.Humanoid.WalkSpeed = 50

Does that mean a hacker can also do that?

2 Likes

Yes, hackers can also spawn in parts and physics on their side (BodyMovers to float, fly, launch) and remove blocks / make them non-CanCollide (noclip).
These don’t replicate to the server but stuff like player position and physics from clients do replicate.

4 Likes

Some exploiters have an explorer-type client and most likely can change this. There are ways to encrypt scripts if you want to.

Yes, a hacker can as well. The best thing you can do is magnitude checks on the server every X amount of seconds to see how far they’ve traveled; if it’s more than the desired amount, you should teleport them back to the last position instead of kicking/banning, just in case it’s a false positive.

1 Like

Could I request an expansion on what exactly it is you would be trying to protect with encryption please? Not sure how useful encryption which involves the client is?

Always assume that anything a regular client can do, exploiters can, and more.

Obfuscation* doesn’t do anything

Well most people use encryption to protect scripts from being stolen if a place is leaked or stolen.

How would we use encryption???

I’ve seen some scripts like for anti-exploit they use certain encryption so people can’t leak them or give them out, I’m not sure what they use to encrypt them but I’ve seen it before.

Are any of them Free Models? Could I perhaps take a look?

I’m not certain people usually have free models with encryption since they can be taken so there wouldn’t be any reason to have encryption on free models. Most of the scripts that have encryption are stuff like whitelisting, models you can buy from a product hub, etc

I would suggest not to use them since it may add a virus to your game.

Are you talking about Anti-exploit??

No, I’m just trying to understand what the encryption is used for as to me it seems unusual to encrypt - something is going to need to decrypt which will involve key exchange/being held and intuitively to me this sounds fairly easy given the circumstances involved.

CC @rottendogDkR, @centraltrains

You’re probably referring to obfuscation, which is the practice of re-writing code, usually with software. The end code is unreadable by humans but still functions the same, as opposed to encryption which would make your code completely unusable.

The consensus is that obfuscation isn’t needed, as it makes debugging much harder and has almost zero security benefits.

Yeah, but that’s the least of your worries, the best thing to do is to secure your remotes and maybe as you work on the game create a server-side anti-exploit.

@LitTurtleMan
You’re talking about obfuscation, not encryption, they are different in a lot of ways (but I do see why you are saying encryption). There are obfuscators that make it impossible to view the original code, but, you can still understand how obfuscated code works if you are experienced.

Encryption, as in the real definition, (not obfuscation) would actually not help you at all in either case, because encryption is basically just scrambling up something, and decryption would be unscrambling it. So, if you use encryption, at some point you have to unscramble your code, which means that someone with your server code that unscrambles it can also unscramble it too.

Obfuscation is just removing stuff from the code and making it harder to read, such as renaming variables to nonsense, or hiding numbers behind really complex calculations, which makes it harder to read the code, but it does not make it impossible to understand what’s happening. Obfuscation will make your code really slow and laggy, and thus, it’s a bad idea to use it.

You shouldn’t use obfuscation, because, it makes it hard to work on your game and doesn’t actually stop people from stealing things in your code, and, on top of that, again, it makes your code really slow and laggy. You can even reproduce readable code from obfuscated code in the same way decompilers would work, but instead of by looking at the binary data that the code gets turned into, you would do so by running the obfuscated code in some kind of special code sandbox that helps you understand how the original code works by telling you things the obfuscated code does.

@builder_seller Anything (anything at all) you can do with a LocalScript a hacker (an exploiter) can also do. The way I think about exploits is that they are LocalScripts with a lot of extra features that Roblox doesn’t allow since they can be used for bad purposes (But exploiters don’t usually care).

Exploiters can also basically edit your scripts. They don’t really edit your scripts (though it actually would be possible for them to with a special exploit that had that functionality!), but they edit functions and things that happen in your scripts. They can make your script do anything, even remove behaviour, it’s just a matter of changing things in the right way. That’s why client sided anticheats will never be unstoppable.

Exploiters can also view your code by doing something called decompiling. Roblox takes your code and turns it into basically a bunch of binary data (this is what Roblox uses to actually run your code, since, it’s not running the text itself). An exploiter can use some stuff from the binary data to create something similar to your code automatically, and that helps them to understand how it works. The code they will be able to make will be a lot different from yours in some ways, and things like your code comments with -- and the names of values you use will not be there (for example, if you have a value called abc that’s set to "123" it might become string_1 = "123" when decompiled), but, they can still use the code they get from decompiling and understand how it works.

Exploiters also have the ability to change your code, and can even change Roblox itself. The only way that you can stop exploiters is to do things on the server, since, exploiters can only change their own game, and not a Roblox server. Real hacking would mean that they could access a Roblox server, but, real hacking usually is actually impossible without some form of bug with Roblox’s website, or the server itself. Bugs that allow for that type of thing almost never happen (though sometimes they can) and over time less and less of them exist. There have only been a few bugs that have allowed people to steal your game’s place file, and even then, those do not allow the hacker to make changes to your game.

The reason that things that exploiters do can show up for other people is only because the server (or your code) allows them to. For example, the reason exploiters can teleport or speed hack is because of something in Roblox called Network Ownership. Basically, all Parts have something called Network Ownership on the server, and that tells the server who can control objects. That doesn’t allow them to do things like change their Health, or change what their character looks like for other people.

In conclusion

I know that’s a lot of information, but, the conclusion is that you should think about an exploit like it can do this:

  1. Edit your LocalScripts & ModuleScripts
  2. Act like a LocalScript or ModuleScript
  3. Change how the exploiter’s Roblox game works (change the code of Roblox itself)
  4. See how your LocalScripts and ModuleScripts work regardless of whether or not you try to hide it
  5. See any values that are in your LocalScripts or ModuleScripts, INCLUDING ones that would be hard to see with a script. There is no way to hide values, no matter how you try to.
  6. Do things the server intentionally or unintentionally allows them to do
  7. Change, hide, etc anything going to the client, or coming from the client to the server (e.g. RemoteEvent or RemoteFunction data)

These are some things exploits CANNOT ever do:

  1. Edit your server Scripts
  2. See your server Scripts’ code or otherwise see how they work
  3. Act like a server Script
  4. Change how the Roblox server works (change the code of the Roblox server)
  5. See things in ServerScriptService or ServerStorage, or view code of ModuleScripts there
  6. See or do any of the things they CAN see for themselves for other players (For example, they can’t see the code of a script on another player’s Roblox, change their game’s code, see their IP address, etc)
  7. (Directly) Change, hide, etc. anything going to other clients, or coming from those clients.

P.s. @DoctorNo2106 This is part of how my game’s anticheat works, I wrote an article about anticheat development and game security that involves something like that. You are absolutely correct.

My anticheat is also open sourced, and, it doesn’t kick or ban, instead, it will try to move them where it expects them to be. This might be helpful to anyone who wants to understand how server-sided anticheats in Roblox can work, or it can be helpful if you are worried about players exploiting in your games.

It’s not perfect, of course, so, you should read about what it can and can’t do before you decide to just plop it into your game.
https://github.com/Hexcede/Hexolus-OpenSource/tree/master/Anticheat

11 Likes
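
The server-side magnitude check suggested earlier in the thread, combined with the move-them-back behaviour described in the post above, as an added example that is not part of any post and is not code from the linked Hexolus anticheat. The check interval, the tolerance factor and the horizontal-only distance are assumptions chosen for illustration.

```lua
-- Server Script in ServerScriptService. Added example: the constants and the
-- horizontal-only distance are assumptions, not the linked anticheat's logic.
local Players = game:GetService("Players")

local CHECK_INTERVAL = 1 -- seconds between checks (the "X" from the thread)
local TOLERANCE = 1.5    -- assumed slack for latency and physics jitter

local lastGood = {} -- [Player] = { character = Model, cframe = CFrame }

local function check(player, dt)
	local character = player.Character
	local root = character and character:FindFirstChild("HumanoidRootPart")
	local humanoid = character and character:FindFirstChildOfClass("Humanoid")
	if not root or not humanoid or humanoid.Health <= 0 then
		lastGood[player] = nil -- dead or still loading: nothing to compare
		return
	end

	local previous = lastGood[player]
	-- A respawn swaps the character, so only compare within the same one.
	if previous and previous.character == character then
		local delta = root.Position - previous.cframe.Position
		-- Ignore Y so that jumping and falling are not counted as speed.
		local travelled = Vector3.new(delta.X, 0, delta.Z).Magnitude
		-- The server's WalkSpeed is used; a LocalScript edit does not change it.
		local allowed = humanoid.WalkSpeed * dt * TOLERANCE
		if travelled > allowed then
			-- Could be a false positive, so move the character back
			-- to the last accepted position instead of kicking.
			character:PivotTo(previous.cframe)
			return
		end
	end
	lastGood[player] = { character = character, cframe = root.CFrame }
end

Players.PlayerRemoving:Connect(function(player)
	lastGood[player] = nil
end)

while true do
	local dt = task.wait(CHECK_INTERVAL)
	for _, player in ipairs(Players:GetPlayers()) do
		check(player, dt)
	end
end
```

Any teleport the server performs itself has to reset `lastGood` for that player, otherwise this loop rolls it back as well. Because the Y axis is ignored, vertical flying needs a separate check.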