Is this a working protection of the LocalScript from deletion?

Petrovu4R · April 26, 2022, 7:27pm

I don’t know why you deleted your answers, but I’ll still answer them

Okay, no scripts/videos.

at least explain in words how to read “:GetFullName” if you delete an object whose full path we are trying to read

This can theoretically be done in the studio as well

Video

hatespine · April 26, 2022, 7:30pm

How do you answer an answer, anyways, I deleted them to prevent random roblox bots coming in my mailbox. And they asked me to install exploits to do that, which I won’t do.
Btw also just did in the simple console the fireevent with false information and it passed through

Petrovu4R · April 26, 2022, 7:35pm

What false information?
The server reads the location of the script on the server, and compares it to the location locally with the player, and since in my case I did not delete the script, but simply disabled it, everything works okay.
Kinda like what I said in the beginning

hatespine · April 26, 2022, 7:36pm

what I meant by false information is basically what you did, sending the information of one script in another script

hatespine · April 26, 2022, 7:38pm

You might as well add a waitforchild in “Script”, because you might error

hatespine · April 26, 2022, 7:43pm

@commitblue There it goes, the anti-[anti-exploit] This would be an example of how it works, there’s classes that cannot be checked but I made this script just so you understand how it’d work

local exploitEvent = game:GetService("ReplicatedStorage"):WaitForChild("RemoteEvent")

function doExploit(localScript)
	if not localScript:IsA("localScript") then return end --Not needed, I just like it
	
	localScript.Disabled = true	
	localScript.Changed:Connect(function()
		exploitEvent:FireServer(localScript:GetFullName())
	end)
end

function onExploitStart()
	for i, v in pairs(game:GetDescendants()) do
		coroutine.resume(coroutine.create(function()	
			if v:IsA("LocalScript") then
				doExploit(v)
		    end
	    end))
	end
end

game.ChildAdded:Connect(function(child) --Not really needed unless the anti exploit makes new scripts after some time
	if child:IsA("LocalScript") then
		doExploit(child)
	end
end)


onExploitStart()

Petrovu4R · April 26, 2022, 7:53pm

Are you kidding me? This is my script, which I showed above, but reworked
Secondly, I said it myself, I know it’s a workaround.

Please reread the topic, I added a clarification there so that there would be no more misunderstanding

Petrovu4R · April 26, 2022, 7:53pm

This is excluded if you mean the script on the server.
The server changes LocalScript’s name, and after that LocalScript’s event is triggered
(script:GetPropertyChangedSignal(“Name”):Connect(function()
event:FireServer(script:GetFullName())
end))
And after that the server checks it, but for the script not to move by accident at this point, the server has this command:
event.OnServerEvent:Wait()
Before moving the script.
Believe me, I tried to make it so that accidental kicks were not at all. But yes the script is not perfect, but it does not change its essence (as it is possible to perfect it, but why?)

You tell me, you understand that this protection is not bypassed?
On the condition that you can only delete the script, NOT disable, namely delete.
You can download the file I left right now, go into the studio, and make sure that the command (Object:GetFullName) won’t work if you delete that object

hatespine · April 26, 2022, 7:56pm

that doesn’t change the fact that it can be exploited, and that’s what we are talking about, exploiters can also create an instance (localscript) identical to the real one, same name same parent same everything but no code in it and bypass it with getfullname

also I’m fixing my script because there’s services that don’t allow security checks

Petrovu4R · April 26, 2022, 8:00pm

Bullshit, it’s not possible.
You can’t create a local object and tie it to a real one

Petrovu4R:

They can’t do that.
For by this logic, they create a script (object) that only exists locally with this player, but then tethered to it real? By literally changing the script on the server itself, so you can change the local script to any player, and manipulate the game of other people. This is nonsense and definitely not possible.
It’s impossible to create something locally, and make that local object, be linked to the real one, so to speak, replacing its original.

Petrovu4R:

In the video you can see that whatever I create duplicates the server will only refer to a particular script, because I made duplicates locally, the server only this script. But even when I started doing duplicates on the server, nothing has changed(Probably every object in roblox, has a unique hidden index)

Video (To see it, go to the original)

hatespine · April 26, 2022, 8:10pm

for the client it’s real, which is what is important for the remote event, lol

Petrovu4R · April 26, 2022, 8:11pm

We need to stop talking about the same things
One more time:
Yes my protection is meaningless in a real game
Yes my protection is easy to bypass, just disable the script
Yes it is.
I admit it and don’t argue with it.
But the fact that my code protects LocalScript from removal is an undeniable fact

Petrovu4R · April 26, 2022, 8:22pm

So, you’re saying that you can create any object local, and substitute the real one for the local one
That is, if I from the server side constantly change the object name.
Can you locally force the server to change the name of an object that doesn’t even exist on the server, while the server will stop changing the name of the real object?
there is only “part1” on the server
the server randomly changes its name all the time.
And you can create “part2” locally
and make the server change the name “part2” instead of “part1”?

hatespine · April 26, 2022, 8:26pm

I’ll check the server side later and I’ll tell you

hatespine · April 26, 2022, 8:26pm

I don’t understand what you mean by real object

Petrovu4R · April 26, 2022, 8:38pm

You can not force the server to change the name of the “fake” part, because if it could be done, it would give huge opportunities

hatespine · April 26, 2022, 8:38pm

what does the server have to do now? we were talking about the client

hatespine · April 26, 2022, 8:39pm

ok so, apparently i saw that your local script is actually cloned from the server, which I didn’t realize until now, that’s the reason you are telling me it cannot be removed, the thing is, this is not a client-antiexploit anymore lmao, it’s just a server antiexploit at this point

Petrovu4R · April 26, 2022, 8:57pm

Well yes, it makes no sense to do protection on a third-party client (to create a local script, with some code, which should protect something)
because we all know that any local script, you can simply delete (stop it working)
That’s why I implemented the protection on the server

Here’s an idea on how to get around my protection:

Quote

Petrovu4R:

Why I have not yet closed the topic:
I have a feeling that it is still possible to find out where an object is even though it has been deleted.
The way I see the server-client work:
As soon as something changes in an object (name, position, whatever) after that goes to send this data to the client, the client receives it, and applies it to locally existing with the same index objects.
For example, even if you delete an object with “:Destroy()” you can continue to read any changes in the name of the object, that is, despite the fact that the object no longer exists, it still exists somewhere in the system. Because you can read its new name, but at the same time, if you get it :GetFullName it will display only the name of the object, it turns out that even after deletion, the object still exists somewhere, and you can say “object.Parent = nil”,
But after the server sends data about the new location of the object, locally it will not move anywhere (because the object was removed), but the data still comes somewhere, and probably theoretically it can be detected and thus bypass my protection.

but I’m afraid it won’t work, and here’s why:
let’s read the roblox wiki.
“Sets the Instance.Parent property to nil, locks the Instance.Parent property, disconnects all connections”
Apparently, after removal, the connections that were responsible for its location are disconnected from the object.
Yes, and it locks Instance.Parent
https://developer.roblox.com/en-us/api-reference/function/Instance/Destroy
If no one gets around my defense in the near future, I will write myself:
protection works, bypassing is not possible, and here’s why (and probably close the topic):
“text”
“roblox wiki”

noahrepublic · April 26, 2022, 9:29pm

I see this is still going, well I think I can end this for us. I quickly made a bypass script that an average scripter could probably make.

Simple form (don’t mind the messy code, it is just quick):

local player = game:GetService("Players").LocalPlayer
local playerGui = player.PlayerGui
local event = game.ReplicatedStorage:FindFirstChild("RemoteEvent")

for i, v in pairs(playerGui.Script:GetChildren()) do
	v.ChildAdded:Connect(function(obj)
		obj:GetPropertyChangedSignal("Name"):Connect(function()
			event:FireServer(obj:GetFullName())
		end)
		obj.Disabled = true		
	end)
end

and if you ever make it so you rename and not move just for some tricks, you could use this to bypass.


local player = game:GetService("Players").LocalPlayer
local playerGui = player.PlayerGui
local event = game.ReplicatedStorage:FindFirstChild("RemoteEvent")

for i, v in pairs(playerGui.Script:GetChildren()) do
	v.ChildAdded:Connect(function(obj)
		obj:GetPropertyChangedSignal("Name"):Connect(function()
			event:FireServer(obj:GetFullName())
		end)
		obj.Disabled = true

		for _, v in pairs(playerGui.Script:GetChildren()) do
			for i, obj in pairs(v:GetChildren()) do
				obj:GetPropertyChangedSignal("Name"):Connect(function()
					event:FireServer(obj:GetFullName())
				end)
				obj.Disabled = true
			end
		end
	end)
end

Try it yourself, run in the roblox studio command bar.