Preventing Exploiters from firing Remote Events

Exploiters are clients as well, the code they execute is executed as a local script, you can’t say “this exploiter is not a client” or “this exploiter is not executing their code as a local script”.

Just do a sanity check. Make sure the remote is fired at the right time with valid arguments.

1 Like

Have the remote in replicated storage, acquire the reference to it with a local variable and set the remote’s parent to nil. Use the reference variable to call its functions. Only stops free exploit users.

local RemoteEvent = -- Location of your remote event.
local FireServer = RemoteEvent.FireServer -- Leave this part.
FireServer(RemoteEvent, Argument1, Argument2, Argument3) -- Only change the Argument1 - 3 etc of what you wanna send over.

Basically try not to use :FireServer() as that’s what can be logged.

The way provided isn’t 100% unloggable however it is on Platforms such as Synapse etc.

Additionally, the first Argument for :OnServerEvent is the Player that fired it, what I do is make the second Argument the Player it should be.

If both Argument1 and Argument2 match then proceed, if not, kick etc


That doesn’t make sense, using . instead of : isn’t any better, : just passes self as its first argument.
If anything: it is slower, since LuaU optimizes method calls.


You can’t, sure you could get the client to have a randomly generated string but that only protects you against people that don’t know exploiting well.

That’s not how life works…
All you are doing is swapping a colon for a dot, and your doing that on the client.
Anything stored/ shared/ fired on the client is accessible to the client to read and alter;

You want to share data between client scripts, but you don’t want it to be exploited so you put the data in a string value and fire a bindable event with nothing to notify other local scripts you want them to read something… so the local scripts goes to this path of where the string value is and goes to read it by doing .Value, it can still be altered without touching the string value because the local script is trying to get data stored on the client.

It’s secure tho, as stated - it doesn’t log with hacking software such as Synapse.

what do you mean by “it doesn’t log”?

He means that scripts which only detour __namecall aren’t going to pick up the .FireServer call, which is true. But I don’t think I’ve seen such a script for a year, they all use double hooks now.

I dont quiet understand this part

Additionally, the first Argument for :OnServerEvent is the Player that fired it, what I do is make the second Argument the Player it should be.

What are “Double Hooks” ? (30 chrrrs)

A remote spy can still detect the :FireServer wont it?

You can use something called nil parent to hide your scripts if that helps everyone. You could also try obfuscating scripts which might help out. Also you can’t really stop exploiters from firing remotes.

what is a “nil parent”?

30 characters

If you don’t script.parent = nil it will be a lot harder for exploiters to find your scripts

Do you mean make the script parented to nil so I can hide my key? Or something also can you explain what you mean by obfuscating the script.

Yes you can hide your script, a capable exploiter will be able to find it but it will be harder. Obfuscating is a technique of jumbling up a script so it’s hard to read just search Roblox obfuscator and you put your script in and it does that and it will be very hard to figure out what it means. I can give you a link to one when I get on my pc.

Also this might be helpful if you want to hide your remotes Remote Objects Parented To Nil Never Fire - #3 by Dummiez

After I fire it how do I retrieve it to fire it again?

It will throw off some exploiters who just expect everything in the game to have an appropriate parent, but they can run getnilinstances() on the client to retrieve anything with a nil parent.

you can’t entirely stop exploiters but you can throw off most of them