local HttpService = game:GetService("HttpService")
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local Resource = ReplicatedStorage.Resource
local RemoteEvents = Resource.RemoteEvents
local RemoteEventTable = {}
local FireServerTable = {}
for Number, Instance2 in pairs(RemoteEvents:GetChildren()) do
Instance2.Name = HttpService:GenerateGUID()
table.insert(RemoteEventTable, Instance2)
end
for Number = 1, 10 do
local RemoteEvent = Instance.new("RemoteEvent")
RemoteEvent.Name = HttpService:GenerateGUID()
RemoteEvent.Parent = RemoteEvents
end
local RandomRemoteEvent = function()
return RemoteEventTable[math.random(1, #RemoteEventTable)]
end
local FireServer = Instance.new("RemoteEvent").FireServer
FireServerTable.FireServer = function(Name, ...)
FireServer(RandomRemoteEvent(), Name, ...)
end
while wait(.5) do
FireServerTable.FireServer("String", 100)
end
Script:
local HttpService = game:GetService("HttpService")
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local Resource = ReplicatedStorage.Resource
local RemoteEvents = Resource.RemoteEvents
local RemoteEventTable = {}
for Number, Instance2 in pairs(RemoteEvents:GetChildren()) do
table.insert(RemoteEventTable, Instance2)
end
for Number, Instance2 in pairs(RemoteEventTable) do
Instance2.OnServerEvent:Connect(function(...)
Instance2.Name = HttpService:GenerateGUID()
end)
end
I’m not exactly sure what the scripts are doing? But I can infer that you’re creating remote events with random obfuscated names. However, there are a few issues with the script:
local RemoteEvent = Instance.new("RemoteEvent")
RemoteEvent.Name = HttpService:GenerateGUID()
RemoteEvent.Parent = RemoteEvents
FireServerTable.FireServer = function(Name, ...)
FireServer(RandomRemoteEvent(), Name, ...)
end
Creating remote events locally won’t replicate to the server, so:
for Number, Instance2 in pairs(RemoteEvents:GetChildren()) do
table.insert(RemoteEventTable, Instance2)
end
Wouldn’t return anything
local FireServer = Instance.new("RemoteEvent").FireServer
You can’t index a function for an instance unless it’s a library or it’s a callback
All in all, it seems like majority of the system works on the client which exploiters could easily manipulate. They can bypass obfuscation and use RemoteSpy to hook onto remote events to see what’s being passed and returned and they can see whatever is parented to nil
Just secure RemoteEvents with sanity checks, if they send invalid arguments, they can’t do anything.
There a eight RemoteEvents in RemoteEvents already so it does replicate it does work the arguments are passed through a different remote each time it creates 10 more that do not pass any arguments bad remote spies will not pick them up I think
Ah, ok thanks for clarifying. I’d say it’s kind of good protection because it makes it harder for exploiters to hook onto it, but they could see all of the remotes at once and as I said, obfuscation isn’t the best solution because of multiple ways exploiters could get around them.
Unfortunately, remote spies could possibly view every remote event at once as it only does a minor thing to hook them.
They meant as in making sure the arguments being passed through the remotes make sense
A sanity check basically means verifying that incoming data to the server came from where it’s supposed to.
For example if you have a remote event receiving input from the driver of a vehicle, you would check to make sure that the sender is the same person who is in the driver’s seat. If not, then ignore or punish the player somehow.
If you have a shop system, when a request to buy something comes through you should check on the server that the player has enough money before giving them the item.
Another example would be to monitor the rate that an event is being fired as a way to prevent spamming.
Why not use script context? and check the name of the place that error comes from if it does not match with any name of localscript in the game ban them?
Basically, hook means connecting the remote meaning they could see all of the arguments. For connecting to all the remotes, they could create a simple script:
RemoteEvent.FireServer = function(...)
print(...) -- all the arguments passed
end
A phrase you hear all the time here is “Don’t trust the client.”
What that means is this:
The safest way to use remotes is to work with the assumption that an exploiter may have complete control over their Roblox client. Assume they can see all remote events, know whenever an event is being fired and what arguments are passed. And assume that they can fire any remote they want with any arguments they want, even spoofing the script environment to make it look real. That’s why your primary security measures should be server-side. Nobody can touch it there.
The client can only see instances that replicated or values that were sent to them over a remote event.
If a variable doesn’t get sent to the client, the client will never see it. If an instance isn’t in a place where it replicates to players (such as in ServerStorage), the client won’t see it.