Hi, I have a question about exploits to ensure I am taking the correct approach to prevent them. I want to know what exploits can’t do. For example, can exploits modify client game code at run time? Or are they just external scripts injected into the game?
Basically, exploiters can access anything that is on the client (Module scripts, local scripts, variables, events). They can’t access ServerScriptService & ServerStorage, since these are on the server and not the client; they also can’t view server scripts. If your events aren’t secured, they can fire them and put through variables you assign to fire things on the server.
Exploiters can do anything imaginable on their own computer, whether it’s messing with your variables, changing your code, or even stealing the physical place and all your LocalScripts.
Keep in mind that when trying to stop exploiters, you should never try to detect exploits client-side. The exploiter will always win. Instead, monitor the position, orientation, and velocity of their avatar and body parts on the server, as these are calculated on the client and sent to the server.
Here is what most exploiters, using pre-made code-executing exploits, can do:
Decompile your code (basically, read it)*
Execute any Lua code (including access to methods you don’t normally get access to)**
See any instance, including nil instances (parented to nil), that are clientsided
See remote and bindable traffic, and intercept / MITM it †
Here is what advanced exploiters can achieve if they wish:
Modify code during runtime
Modify your environment live, or even the engine itself
(tl;dr anything to the client)
No exploiters can actually run code on any server. Some games are particularly stupid and allow for loadstring execution via a remote (this is so silly, I cannot comprehend it), but if you put code on the server, as long as filtering is enabled, assume that what you see on the server is correct as long as it isn’t from a client.
* Only a few exploits are capable of this, and in a very limited fashion
** Some exploits can only execute Lua instructions or have a very limited environment
† Only one exploit on the market I know of is capable of this, but keep it in mind.
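The replies above say that unsecured remote events can be fired with arbitrary values and that only server-side state should be trusted. The following server Script is an added example, not code from any poster in this thread, showing a remote handler that treats every client argument as untrusted. The `BuyItem` event, the `PRICES` table and the `leaderstats`/`Coins` layout are hypothetical names chosen for illustration.

```lua
-- Server Script (place in ServerScriptService). All names are hypothetical.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

-- Prices live on the server only; the client never sends a price.
local PRICES = { Sword = 100, Shield = 75 } -- constructed sample data
local MIN_INTERVAL = 0.5 -- seconds between requests accepted per player

local buyItem = Instance.new("RemoteEvent")
buyItem.Name = "BuyItem"
buyItem.Parent = ReplicatedStorage

local lastRequest = {} -- [Player] = os.clock() of the last request seen

-- Pure check: returns the server-side price, or nil plus a rejection reason.
local function validatePurchase(itemName, coins)
	if typeof(itemName) ~= "string" then return nil, "bad type" end
	local price = PRICES[itemName]
	if price == nil then return nil, "unknown item" end
	if coins < price then return nil, "insufficient coins" end
	return price
end

buyItem.OnServerEvent:Connect(function(player, itemName)
	-- `player` is supplied by the engine; every later argument is client-controlled.
	local now = os.clock()
	if lastRequest[player] and now - lastRequest[player] < MIN_INTERVAL then
		return -- rate limit: drop bursts of requests
	end
	lastRequest[player] = now

	local stats = player:FindFirstChild("leaderstats")
	local coins = stats and stats:FindFirstChild("Coins")
	if not (coins and coins:IsA("IntValue")) then return end

	local price, reason = validatePurchase(itemName, coins.Value)
	if not price then
		warn(("Rejected BuyItem from %s: %s"):format(player.Name, reason))
		return
	end
	coins.Value = coins.Value - price -- state changes only on the server
end)

Players.PlayerRemoving:Connect(function(player)
	lastRequest[player] = nil -- avoid leaking entries for departed players
end)
```

The client sends only the item name; the price, the balance check and the balance update all stay on the server, so a tampered client has nothing useful to forge.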