Making an anti-exploit script

It’s not like they can remove specific characters from script or something… They just change upvalues and constants (or hook the function which won’t work on my method), now if you obfuscate it, they won’t be able to read it, therefore they won’t know exactly which upvalue/constant to change.
This method is almost flawless.

1 Like

What can I do to prevent remotespy then? Do I… kick a player? somehow reload the remote event?

You can flood the output with prints or just kick the player. I made this to flood the exploiter’s output so that they get no information from any remote event:

for i = 1, 40 do -- 40 is the number of lines to print; each one is blank or a single space
    print(string.rep(" ", i%2))
end

But I think that you shouldn’t flood the exploiter’s output with a remote event that does nothing because the exploiter can add the remote event that is nonsense or just in his way to an ignore list which checks if the remote that was called was that remote and if it was it wouldn’t print anything dedicated to that remote event.

1 Like

Obfuscation comes with deobfuscation.
As I said before, obfuscation is not security!!!
Why?
Multiple reasons:

  • If you need to make changes to your obfuscated script (which you always will) it will be a pain to do
  • It sucks on performance and readability
  • Exploiters can do anything client-sided, I won’t repeat it again

False. There is ABSOLUTELY no way to prevent exploiting or exploits completely. There is no “perfect” method.
Just because your code is obfuscated doesn’t mean your code is safe or secret or hidden. Obfuscation is the same as deobfuscation: with a pattern and some reverse engineering. I am no professional on the cons of obfuscation so I’m not the right person to ask about the “good” and “bad” things about it, sorry for any lack of information as a result.

They would still know how to change upvalues and what are the upvalues and where they are. There is also a script called Hydroxide which is used for finding and changing upvalues and generating scripts that would change them…

How… does… this even protect your remoteevents?
iirc, RemoteSpy is a separate Gui that records all inbound and outbound Remotes with data being passed on including your “flood”. Repeat sending RemoteEvents is very bad for an obvious reason (performance). RemoteSpy has scrolling (obviously), something I should very much point out. Even then, you can filter out certain Remotes because if the exploiter sees their output being flooded by the same RemoteEvent they would just blacklist it.
Implementing sanity checks should be the right way to do it. You should never pass valuable data along Remotes or allow a weak gatespot to exist and easily be passed through.

Edit: Implementing sanity checks should be the right and ONLY way to do it.

3 Likes

Top tier obfuscators even offer real money to a person who can deobfuscate it, yet nobody managed to do so.

The first two reasons that you listed have nothing to do with security, they’re just prices you have to pay if you want your game to be secure. And about the third point, exploiters CAN NOT edit a script character by character, they change some values which results in a different (better for them) outcome. If they don’t know how script works, in which part is anti-cheat written and what method is used for that, it’s very difficult to bypass that.

Lastly, I never said that perfect method existed, they got control all over the client memory, it’s definitely not possible to just prevent all of them.

2 Likes

It is notable that although they cannot edit a script character by character, they can just decompile the script itself and run it on their executors after they edit it character by character. It might prove hard since decompilers are not perfect and they do decompile things incorrectly, but one versed in scripting can just theoretically write every single local script that your game originally has to their desired version. As long as they know how the game communicates with the server, how it set up the framework and GUIs on the client etc.

TL;DR, nothing on the client is truly secure.

Remote spy can also get remote information by say, saving the result in their clipboards, or say put it in a gui that they created. Not to mention they can decompile the script responsible for sending the remote and getting a sense of how it works themselves. Sanity checks are the way to go.

So I made a server script that detects if the player gains too many levels at once which is remotely impossible without exploits and it seems to work as fine as the client script I made, so I guess server sided anti-exploit scripts are better in this case, since exploits can’t alter server scripts.

Since my game is inspired by an anime, it has teleport skills and skills that will be able to affect multiple players in a certain area so making a script that detects if a player is teleporting without the skill or flying without a flight skill is almost impossible since players with high ping can accidentally be kicked or banned if the script mistakes them for someone who is using exploits, so I’ll just stick to the script that detects the player’s level and how much experience that player is getting at once.
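The server-side check described in the post above, sketched as an added example that is not part of any poster's code: a sliding-window cap on experience gains, evaluated only on the server. It is plain Lua with no Roblox services so it runs on its own; `XpGuard`, the cap and the window length are assumptions, and the sample events are constructed.

```lua
-- Added example, not code from the thread. Plain Lua, no Roblox services.
local MAX_XP_PER_WINDOW = 500 -- assumed cap; derive it from the best legitimate play
local WINDOW_SECONDS = 10     -- assumed sliding-window length

local XpGuard = {}
XpGuard.__index = XpGuard

function XpGuard.new()
    return setmetatable({ history = {} }, XpGuard)
end

-- Returns true when the gain is plausible, or false and a reason.
function XpGuard:check(playerId, amount, now)
    -- Reject non-numbers, NaN, non-positive, oversized and fractional values first.
    if type(amount) ~= "number" or amount ~= amount or amount <= 0
        or amount > MAX_XP_PER_WINDOW or amount % 1 ~= 0 then
        return false, "invalid amount"
    end
    -- Keep only the gains still inside the window and total them.
    local kept, total = {}, 0
    for _, e in ipairs(self.history[playerId] or {}) do
        if now - e.t < WINDOW_SECONDS then
            kept[#kept + 1] = e
            total = total + e.xp
        end
    end
    self.history[playerId] = kept
    if total + amount > MAX_XP_PER_WINDOW then
        return false, "rate exceeded"
    end
    kept[#kept + 1] = { t = now, xp = amount }
    return true
end

-- Constructed sample: player 1 plays normally, player 2 gains far too much at once.
local guard = XpGuard.new()
local samples = {
    { id = 1, xp = 50, t = 0 },  { id = 1, xp = 60, t = 4 },
    { id = 2, xp = 400, t = 5 }, { id = 2, xp = 400, t = 6 },
    { id = 2, xp = 1e9, t = 7 }, { id = 2, xp = 400, t = 20 },
}
for _, s in ipairs(samples) do
    local ok, reason = guard:check(s.id, s.xp, s.t)
    print(s.id, s.xp, s.t, ok, reason or "")
end
```

Rejected gains are not recorded, so a burst of bad requests cannot push legitimate gains out of the window.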

Skilled exploiter writing the local script on his own is a fair point (although, realistically that shouldn’t be a case unless your game is a very popular one).
As you mentioned though, decompilers are not perfect and running the code they generated from decompiling a local script will most likely result in an error, so you can’t edit it that way either, plus if your script is obfuscated they can’t change anything.

1 Like

No clipping usually has some false positives, so it’s understandable, but the main reason they can’t do much about these, is that, if you see how arsenal works, you’ll see that you have bomb jumping, you can go across the map super fast without hacks, just explosions and stuff. Teleporting could fall in that and have a bunch of false positives, so :frowning:

I originally (in the post before this one) typed up a long boring response about what I think the real cause is, but I was afraid of giving ideas that could inadvertently help new exploiters.

I have seen an exploiter in Arsenal shoot weapons without a cooldown, with unlimited ammo, while standing still shooting through walls at players on the opposite ends of the map. There is way too much that needs to go wrong in order to allow every one of these things to happen. I’m really not trying to down on Arsenal, please don’t think that I am, I actually think it’s an amazing game! There’s one thing in particular that could cause most of these (even with security measures in place), but that’s a topic for a DM.

It’s true there will be many false positives, but there are ways to dramatically reduce them depending on your game. For instance: tag when a player is being flung by an explosion and make sure they don’t deviate too much from that path; their velocity should also stay inside the expectations. Teleportation is a lot easier to detect rather than flying. Anti-flying is riddled with gotchas, even if you follow some of the best discussions about it on the devforum.

I have a document somewhere that outlines the battle with lag switching including counter-counter-counter-counter measures (hah!). Unfortunately, it’s only possible to go so far with anti-lag switching; but you should be able to catch some! This is partly why some FPS’s have a ping threshold.
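One way to implement the tagging idea from the post above, as an added example that is not the poster's code: the server samples each player's position, allows a higher speed while a server-set explosion tag is active, skips the sample after a server-granted teleport, and flags only after repeated violations so a single lag spike does not count. Plain Lua; `MoveTracker` and every threshold are assumptions, and the samples are constructed.

```lua
-- Added example, not code from the thread. Plain Lua, no Roblox services.
local MAX_SPEED = 20        -- assumed studs/second for normal movement
local FLING_SPEED = 120     -- assumed cap while an explosion tag is active
local FLING_SECONDS = 2     -- assumed lifetime of a fling tag
local STRIKES_TO_FLAG = 3   -- consecutive violations before flagging

local MoveTracker = {}
MoveTracker.__index = MoveTracker

function MoveTracker.new(x, y, z, now)
    return setmetatable({ x = x, y = y, z = z, t = now,
        flingUntil = -math.huge, skipNext = false, strikes = 0 }, MoveTracker)
end

-- Called by server code only, when the server itself moves the player.
function MoveTracker:tagFling(now) self.flingUntil = now + FLING_SECONDS end
function MoveTracker:tagTeleport() self.skipNext = true end

-- Returns "ok", "suspect" (violation below the strike limit) or "flag".
function MoveTracker:sample(x, y, z, now)
    local dt = now - self.t
    local dx, dy, dz = x - self.x, y - self.y, z - self.z
    local dist = math.sqrt(dx * dx + dy * dy + dz * dz)
    self.x, self.y, self.z, self.t = x, y, z, now
    if self.skipNext then self.skipNext = false return "ok" end
    if dt <= 0 then return "ok" end
    local limit = (now <= self.flingUntil) and FLING_SPEED or MAX_SPEED
    if dist / dt <= limit then
        self.strikes = 0
        return "ok"
    end
    self.strikes = self.strikes + 1
    return self.strikes >= STRIKES_TO_FLAG and "flag" or "suspect"
end

-- Constructed samples: walk, explosion fling, teleport skill, then unexplained jumps.
local p = MoveTracker.new(0, 0, 0, 0)
print(p:sample(15, 0, 0, 1))     -- normal walking
p:tagFling(1)
print(p:sample(100, 30, 0, 2))   -- fast, but inside the tagged fling
p:tagTeleport()
print(p:sample(900, 0, 0, 3))    -- server-granted teleport
for t = 4, 6 do
    print(p:sample(900 + (t - 3) * 300, 0, 0, t)) -- 300 studs/s with no tag
end
```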

You could use remotefunctions and if there isn’t a response from the client the server bans the player.

Wouldn’t be smart, bc of the following reasons:

  1. If you close the Roblox Microsoft Store App with Alt+F4 or the x, the client doesn’t leave the game, and the player acts like the application crashed. If so, the client won’t respond to any server events at all…
  2. If you’ve got bad internet, your client won’t be able to receive the requests at all, or the requests will get received like 20 seconds later which would take 40 seconds for just one check…

1 Like

Flying, teleporting, speeding, and jumping CAN be detected on the server, they would just be written differently than local scripts, and much more complex.

However you CAN NOT detect things like GUIs, scripts, new instances, and the important stuff on the server. You can only detect character cheats which affect your character’s movements and not the game itself…

2 Likes