Is there any way to hide RemoteEvents?

Leet_Code · October 27, 2021, 4:19pm

I usually store all RemoteEvents in ReplicatedStorage, but, as far as I know, exploiters can see them since they’re replicated to the client. Unfortunately, some events are difficult to reliably validate, so I was wondering if it was possible to somehow obfuscate them as an easier way of preventing exploiting?

geometricalC2123 · October 27, 2021, 4:21pm

No, no matter how hidden it is they will always find it, but I found out a way how to prevent most exploits so I’m releasing the model of it later

Benified4Life · October 27, 2021, 4:30pm

It’s impossible to stop an exploiter from sending false positives to a server on roblox. The position of your RemoteEvents doesn’t matter either, as I believe there are programs out there to listen to and record remotes. If you want to keep your game secure, use sanity checks and don’t rely on the client for info, unless its an input or something only the client can provide.

This just seems improbable, and so forgive me if I’m wrong, but are you saying you’ve found 1 method to prevent most exploits? There’s multiple types and ways people exploit, so unless it’s some sort of physics tester it probably won’t cover a large majority of hacks that are out there.

Zenovain · October 27, 2021, 4:32pm

I’m kinda interested what is it?

geometricalC2123 · October 27, 2021, 4:32pm

This can be provable. Just make the serscript send the pass to local then local sends pass to serscript and serscript will randomize password and send it again.
And if exploiter sent the wrong password the ser script will kick the exploiter.

geometricalC2123 · October 27, 2021, 4:34pm

Just make the serscript send the pass to local then local sends pass to serscript and serscript will randomize password and send it again.
And if exploiter sent the wrong password the ser script will kick the exploiter.

This obviously won’t prevent all exploits but it prevents most exploits

Benified4Life · October 27, 2021, 4:39pm

The only exploits this would prevent would possibly be free model assets that have already existing hacks, however it’d only take someone upwards of 5 minutes to realise that you’d use some sort of password protection on the event. As such, newly created hacks made through vulnerabilities, physics, etc wouldn’t be affected by this.

geometricalC2123 · October 27, 2021, 4:41pm

it randomizes the password Everytime event is fired.

GolgiToad · October 27, 2021, 4:52pm

Banking industry uses methods like this, and its definitely secure. I’m using a similar method to prevent item duping using GUIDs. I’m curious how you will prevent the hacker from intercepting the client signal and using it for their signal.

GolgiToad · October 27, 2021, 4:54pm

I believe the secret is to never let the remote event do anything important.

Example of a bad remote:
“I attack”

Example of a better remote:
“I want to attack”

Let the server do the heavy lifting.

Limited_Unique · October 27, 2021, 5:45pm

Just add sanity checks.

batteryday · October 27, 2021, 5:52pm

You can’t “hide” the RemoteEvent from a client. If the Client can’t access the Remote, the Remote is useless.

As others have said what you do is do all logic and sanity checks on the server. The Client should ask “Can I buy this sword” not say “I can buy this sword”

If you really really want you can name your RemoteEvents obfuscated texts so that exploiters don’t know what they do. But if you write your sanity checks properly that isn’t necessary, plus it could really confuse the developer.

Exploiting Explained

Filtering Enabled & Exploits

A good way to get started is to echo what you always hear: under no circumstances should you trust the client with authority over your server game logic. When implementing your RemoteEvent and RemoteFunction code remember to think as the attacker. Your code should be built around thinking, “if I had absolute control of my client, what could I send over this bridge to break everything?” Design should be based around asking the server “can I”, and not telling it “I can”.

Think Offensive

A simple example is a store; ask the server, “can I buy this sword?”, and don’t tell it, “I can buy this sword.” The server should be the one checking everything from currency to experience points to levels, since it has the final say in what’s really happening. You should always be ready for someone on the other side of the bridge to outsmart you, and make absolutely certain the code you wrote is well tested for cases like someone throwing a NaN at you or expecting an object and getting a table that looks like an object.

A really common pitfall is the attempt to “secure” your remotes, or “validate” your data, and anything that is done client side. As a pro-tip: anything coming from your client will not be secure. It doesn’t matter how clever your system looks, or how much time it took you, you’re not the one in control of your client. If it makes you sleep better at night, the extra headache is okay, but you should not be relying on it to ever really work.

Think Defensive

Some exploits don’t actually rely on remote exploitation, but instead in simple things like Roblox’s rules of replicating properties. You might encounter these exploits in the form of flying, super jumps, or speed hacking. The issue stems from the fact that players have physics ownership over their characters for smoothness and fast feedback, but in turn this gives them the ability to move them anywhere. You can mitigate these on the server, or add basic checks on the client, but be sure to remember you can never actually rely on the client.

Stop Thinking

Lastly are maybe some of the peskier exploit types which are just plain local enhancements. These are usually undetectable via conventional means, if at all. You might see these in the form of aim-bots, auto-hotkey style scripts, and general automation of game-play.

SummerEquinox · October 27, 2021, 5:59pm

This is not a secure method. Exploiters can actively see what arguments you pass to the client by hooking into Remote listeners. Any exploiter who even remotely knows what they’re doing can immediately counteract this.

Your best weapon against exploits is sanity checking.

geometricalC2123 · October 27, 2021, 8:31pm

I’m confused , what are sanity checks?

GolgiToad · October 27, 2021, 8:48pm

There is a link a few posts up explaining it. Short version: check on the server to make sure the remote event makes sense.

koziahss · October 27, 2021, 9:03pm

I mean you could in theory “hide” it by destroying it on the client. But, not only isn’t that entirely secure but it defeats the entire purpose of having a RemoteEvent in the first place.

I am interested. What type of information are you trying to validate here? I am sure this question is more helpful

LordEmotionless · October 27, 2021, 9:07pm

I also though at making this but I was too lazy to make it

BJCarpenter · October 28, 2021, 1:00am

I got a good one:

So, in a wargame, like, RISK!, but with Fog Of War, so you only see tiles, next to one of your units I delete each tile (country) on the map, locally, at the start.

game.Players.LocalPlayer:WaitForChild(“ClearCache”).OnClientEvent:connect(function(Tab)

local obj = nil

for i = 1, #Tab do

table.insert(CamList,Tab[i].Name)
table.insert(CFrameList, Tab[i].CFrame)
table.insert(RotList,Tab[i].RotVelocity)


obj = Tab[i]
obj.Parent = nil		
end

end)

Whenever a Player moves a unit, I send a list of the new tiles he can see, and replace the old tiles he can’t see, with a B/W picture, like StarCraft…

game.Players.LocalPlayer:WaitForChild(“ClearTile”).OnClientEvent:connect(function(Obj, NegObj) – object is a list

for i = 1, #Obj do

local cloud = container[Obj[i].Name]
cloud.Decal.Transparency = 1
cloud.Transparency = 1
cloud.OldInfo:ClearAllChildren()

if cloud:FindFirstChild("Mesh") then cloud.Transparency = 1
	 cloud.Mesh:Destroy() end

Obj[i].Parent = workspace.globe

end
wait(.5)
for i = 1, #NegObj do

 NegObj[i]:clone().Parent = container[NegObj[i].Name].OldInfo
	greyOut(container[NegObj[i].Name].OldInfo[NegObj[i].Name])

		NegObj[i].Parent = nil
	
end

end)

An exploiter could just get rid of the Deletes, but I REALLY want to do it this way, 'cause it works…

Oh, also he has a list of all of the tile’s .Names…

What would be a goo sanity check on this: Checking if he can see stuff he isn’t suppose to see?
(I’m not gonna kick 'em. Just lower his odds of winning every battle, so that he spreads it around and I make even more people think that they are just bad at the game…)

bongusbingis · October 28, 2021, 1:29am

To sum up everything that’s been said:

1.) You cannot hide remote events from the client, nor should you try to. It will be ineffective at catching exploiters and will make it 10x more difficult to actually use them in your game.
2.) Utilize sanity checks on the server. The client should be a “reflection” of the server, so to speak. Example:

--Serverside Code

SomeEvent.OnServerEvent:Connect(function(player)
    if player.Name == "bingusbongis" then
       -- Allow the below code to be executed because their name is "bingusbongis", reflecting the client-sided code. This cannot be bypassed in any way because it's running on the server
    end
end)

-- Client-Side Code

if player.Name == "bingusbongis" then
    SomeTextButton.Visible = true -- Only make the text button visible to the client if their name is "bingusbongis"
end

SomeTextButton.MouseButton1Click:Connect(function()
    SomeEvent:FireServer()
end

3.) While sometimes effective for exploiters who have no clue what they’re doing, anyone who is remotely experienced in scripting (and is exploiting) will be able to bypass any client-sided “admin” checks or anything like that and modify your client-sided code in any way they desire. Make use of sanity checks like I explained above.

BJCarpenter · October 28, 2021, 2:08am

Can you think of a foolproof sanity check for my FOW ex.?