Insights on exploit prevention

At which point the exploiter has eliminated the client detections. Great! The server still checks everything.

2 Likes

The server checks what, though? What is there to check? Offering vague responses isn’t helping me understand the point that’s trying to be made here, which means loss of productivity and learning. What is the thought process here?

If a client eliminates the detection, does that not make your suggestion moot? Expecting client responses to pass through a remote is unnecessary work that a bypass can be quickly made for by disabling legitimate responses and setting up a sender in the background that submits spoofed replies every expected interval.

3 Likes

Using client side detection will catch skids that aren’t careful. Server side protections will mitigate those that are, and they are entirely dependent on the game.

2 Likes

You… still aren’t explaining your thought process though, so I’m getting confused as to what you’re trying to say here. You’re jumping topics and there isn’t a clear line of thought here.

A secure server-side as well as for remotes is a given, that has been mentioned several times already. Client-based security is just if you want additional measures, even though they can be bypassed. This is rehashing things that have been said numerous amounts of times.

Your original suggestions were on client-side detection and obscurity, both of which aren’t full security measures. Yes they can stop exploiters for a given time but it’s a matter of time before a bypass is created and you need to rethink strategies or scramble again. Where you lose me is a lack of explanation and a jump to a different concept to your initial one without indication of where it comes into play; it’s extraneous.

5 Likes

It is best to put your time and effort into server-sided checks (like raycasting to see if the client is noclipping) rather than client-sided checks. Don’t waste your time on something that can be bypassed.

Oh no… I accidentally… Necrobumped, I didn’t realize how old this topic was 😛

1 Like

From what I’ve gleaned this topic has been ongoing for a long while. I’m not sure if the original starter of it even cares about it anymore, and I think at this point replies are just repeating what has already been said.

So I’m not surprised you necrobumped as this topic has gotten a bit disproportionally inflated.

3 Likes

I’ll be producing a module to encrypt and secure remotes. So far strings. Numbers work. But not user data values. I’m working on it and I’m planning to make it security tight. Both sides have a unique algorithm. And even if you were to decrypt it. You’re going to have to figure out what other small bits are. Because if you end up with one thing wrong. You’re banned.

Sorry about the bump. I just think that the whole security aspect on Roblox is lacking. Although it gives developers a drive and something to dedicate themselves to, it’s a struggle to comprehend for new developers.

2 Likes

There’s nothing lacking in security, it’s just people keep repeating bad practices such as encryption and other local methods which are often easily bypassed. It’s much more effective to plan the game from the client-server model POV and thinking like the exploiter.

2 Likes

Encryption isn’t what you want for remote events, as third parties intercepting them is not the problem. What would be a useful module to write is a robust server-side validation layer, one that handles things like type-checking of the RemoteEvent parameters, range-checking of the parameters, per-remote flood-checking, correct-context checks, authentication checks (for remotes that require elevated privileges, like admin commands), etc.

7 Likes
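A sketch of the server-side validation layer described in the post above, as an added example that is not part of the original thread or any poster's code. It assumes a RemoteEvent named `BuyItem` in ReplicatedStorage; that name, the `ADMIN_IDS` table, the `guard` and `validate` helpers and all limits are hypothetical.

```lua
-- Server Script (added example). "BuyItem", ADMIN_IDS and all limits are hypothetical.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local ADMIN_IDS = { [0] = true } -- placeholder UserId, replace with real admins
local lastCall = {} -- lastCall[remote][userId] = os.clock() of the last call seen

-- Type and range checks. Number rules must give min and max, string rules maxLen.
local function validate(spec, args)
	if args.n ~= #spec.args then return false end -- wrong argument count
	for i, rule in ipairs(spec.args) do
		local v = args[i]
		if typeof(v) ~= rule.type then return false end
		if rule.type == "number" then
			if v ~= v then return false end -- reject NaN
			if rule.integer and v % 1 ~= 0 then return false end
			if v < rule.min or v > rule.max then return false end
		elseif rule.type == "string" and #v > rule.maxLen then
			return false
		end
	end
	return true
end

-- Wraps a remote so the handler only runs for calls that pass every check.
local function guard(remote, spec, handler)
	lastCall[remote] = {}
	remote.OnServerEvent:Connect(function(player, ...)
		local now, seen = os.clock(), lastCall[remote]
		local prev = seen[player.UserId]
		seen[player.UserId] = now
		if prev and now - prev < spec.cooldown then return end -- per-remote flood check
		if spec.adminOnly and not ADMIN_IDS[player.UserId] then return end -- authentication
		if not validate(spec, table.pack(...)) then return end -- types and ranges
		if spec.context and not spec.context(player, ...) then return end -- correct context
		handler(player, ...)
	end)
end

Players.PlayerRemoving:Connect(function(player)
	for _, seen in pairs(lastCall) do seen[player.UserId] = nil end
end)

guard(ReplicatedStorage:WaitForChild("BuyItem"), {
	cooldown = 0.5,
	args = { { type = "string", maxLen = 32 }, { type = "number", integer = true, min = 1, max = 99 } },
	context = function(player) -- only a player with a living character may buy
		local hum = player.Character and player.Character:FindFirstChildOfClass("Humanoid")
		return hum ~= nil and hum.Health > 0
	end,
}, function(player, itemId, quantity)
	print(player.Name, "buys", quantity, itemId)
end)
```

The first argument of `OnServerEvent` is supplied by the engine, so `player.UserId` can be trusted for the authentication check while everything after it is client-controlled.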

Can’t someone use iron brew/aztup brew to obfuscate scripts?

Or, if they are a savage, obfuscate an already obfuscated script.

can’t that work or

(just realized this post was inactive a year ago dang)

There are many forums out there and Discord groups that blatantly say that ironbrew isn’t great at all and can have important values within it dumped and reverse engineered/put together.

Also, you don’t have to read an entire cheat to know why/how it works. Sometimes having a friend run that obfuscated cheat in a baseplate to see what errors it spits out (like if the error spits out a RemoteEvent path), that can help you indicate if it’s a RemoteEvent that needs sanity checks.

You can also observe that script’s cause…see what it allows the cheater to do and work on a patch for that. Prison Life is riddled with tons of these kinds of obfuscated guis, if you owned that game you can easily start patching them. The gui is just an aesthetic, once their options are patched, there’s no more concern.

1 Like