It can be, they can create their own local scripts to replace them, causing them to still pass the check but remove the script.
local script = Instance.new("LocalScript")
script.Parent = blabla
script.Source = 'while wait(1) do print("HI") end'
2 Likes
If I read this simply, you have a local script that you send to the client from the server, then the server generates a random ID, and updates the name of the script to the random ID, and the local script sends the full name back to the server once it detects a change.
Yeah, this wonât work. An exploiter could just create a client side script that waits until the local script is added disable it, wait until the name is changed and then create a spoofed event back to the server which looks (real) but isnât. The server wonât be able to tell because the server cannot tell where client side data comes from.
In essence, yes, you have wasted your time.
Because this has been said so many times.
You cannot trust the client.
And it has been this way for decades.
I will say this, and I cannot stress this enough:
you CANNOT create a fool-proof client side anti-exploit
People, way way way smarter than me or you have tried, and they havenât succeeded, because itâs literally impossible.
All functions are stored in a metatable when called. If you know where this is going, youâll know what Iâm going to say next.
Even if you connect events that detect changes of the parent and name those can easily be unhooked by the exploiter! basically a forced â:Disconnect()â without using the original script.
And yes you can also spoof all the information that the server requires by simply replacing the function you called with a spoofed version using metatables.
This can be easily bypassed by very popular exploit script writers. 
1 Like
They canât do that.
For by this logic, they create a script (object) that only exists locally with this player, but then tethered to it real? By literally changing the script on the server itself, so you can change the local script to any player, and manipulate the game of other people. This is nonsense and definitely not possible.
Itâs impossible to create something locally, and make that local object, be linked to the real one, so to speak, replacing its original.
I get the feeling that Iâm not making myself clear, or youâre trying hard not to understand me
I will repeat 100 times what I wrote in the post itself:
I said from the beginning that this protection does not make sense, as my script can simply be disabled.
Once again: I never said it would protect LocalScript in general, I said it would protect it specifically/only from deletion.
You can disable LocalScript, and give a fake signal, but you canât REMOVE LocalScript.
Just in case, one more time:
Disable, and signal artificially - YES
Delete/Replace, and signal artificially - NO
Yes, the protection has no practical use, but I didnât say it made sense to use it in the game.
It was purely an experiment, which although it has results, it doesnât make sense.
I hope youâll stop explaining/proving to me what I admitted in the beginning
Yes, since the defense has no real application, you could say that I wasted my time anyway.
But so far, no one has been able to remove LocalScript, and continue to report the right data to the server.
That is, my protection really works, but meaningless in the real game
How do they disable all server-side checks? The local script only tells its location.
I donât know what metatable is (probably in terms of terminology)
If you mean they can disable the local script and signal artificially, then read my answer above
I mean they can replace the script by changing the code in the local script.
1 Like
- read the script, and understand that the replacement is not possible (delete/transfer the original, and replace it with another that was locally created)
- is it fun for you all to respond without reading the topic/responses, but by reading only the title?
To quote my reply:
Quotle
I think an exploiter can switch local scripts and delete the real one
1 Like
Just skimming through the server code, but Iâve just noticed that if someone has a ping spike, they could get kicked because a remote could end up firing late, AFTER the server has already changed the location of the localscript.
An exploiter could totally just stop the actual code of the localscript from running and just have the part of the code that stops them from being kicked run, so itâs still the same localscript, just with different code, no deletion or use of .Disabled
What do you mean switch?
if you mean that you can create a local script, and replace it so that it would go from the fake to the status of the original, it is not possible
I explained why:
Qoute
But the thing is that the ârealâ local script is still a local script. The firing of remotes can be messed with and the server can think the fake local script is the real one by the exploiter. So the server will never actually know the ârealâ local script.
1 Like
By the way about what you said (now that you mention it) how can you leave some code on the local script without disabling/removing/moving it?
This is just for the sake of example:
hereâs how do you stop data being sent to the server?
How do you stop a function from running, or anything else?
Tell me honestly, have you read the code?
Do you realize that in my case it is not possible to forge the original script
The original script must exist, otherwise the player gets kicked.
try to remove the original, and make it so that you do not get kicked, it does not work
The client is in control on localscripts, which means they can just stop it from running (or never run certain parts of it) and make the server think it still is because the server needs to ask the client.
The client can stop replicating data of itâs own accord.
This is apparently really easy to do with function hooking, where everytime the localscript tries to call a function, the call gets redirected to one the exploiter defined.
1 Like
Btw, Iâve heard that there are hacks that delete local scripts before the event even fires
1 Like
The server sends the client the localscripts data, so the client doesnât know any localscripts exist before the server sends it to it, not to mention players canât join a server before itâs loaded.
Sorry I meant to say the firing of the event
So itâs still just â.Disable = trueâ
because the script will disable on the client, but not on the server
That is, the client can literally know what is currently running in the local script, and when, say, there will be this line of code
--Original local script
local x = 1
local function xadd()
x += 1
end
xadd()
print(x) --because the fake code will be triggered, the output will be 0
--Fake code
if xadd() then
function xadd()
x -= 1
end
end
the fake code will be executed?
Yes, if itâs in a local script they have full control of the code
Also they can change the information of the remote event being fired, so itâll be bypassed
It will be like the remote event never even fired and then they will delete without getting kicked.