[ QUESTION ] For Dev Forum Scripters

SatoruDev · August 4, 2022, 4:53am

This technically aligns in the “Help” section of the “Help and Feedback” category.
So I have a question for all Scripters of the Dev Forum.
I have some Scripters telling me it is and is not Exploitable, so I am coming to here for a final answer from you. Is _G exploitable, and if so or not. Do you mind explaining it?

Rexinator2400 · August 4, 2022, 5:23am

so _G is basically just like a module in a way without having to using require. It can’t be exploited if it is called from a server unless it’s either local or the exploiter accesses it through a remote event. I’m not as knowledgeable using _G but I Hope that helps

LingBlack87661 · August 4, 2022, 5:45am

Basically, _G is a global table that gives you the advantage of manipulating the values inside. As far as I know, _G is not shared on the client and server (Imagine there’re two global tables. One on the client and one on the server) It’s similar to module script. Technically, there’s a massive difference between them, but let’s get back to our main topic. I would say it’s exploitable on the client, but not on the server. As I said, _G is not shared on the client and server. Exploiters shouldn’t be able to access your server unless you made ways for the exploiter to communicate to the server like remote events, remote functions, etc. However, don’t worry as long as you secure your server script. However, they can access your client easily. Remember, nothing is secure in the client. Exploiters can change any values, fire remote events, and remote functions, modify local variables… in the client to whatever they want since exploiters can access the Roblox environment. They can just do getrenv()._G to access the _G and yeah, it’s pretty simple.

(A further explanation on how getrenv()._G works)
getrenv() is an exploit function to access the current environment of where the code is running. Therefore, when you’re doing getrenv()._G, you’re accessing the _G in the current game environment.

IDoLua · August 4, 2022, 5:55am

Few points on _G for your convenience:

_G is a shared table accessible through all script environments, but it does not give a Client access to Server sided variables, and if a Client calls a function that has Server related dependencies in it, it will error.
If you’re storing anything in _G, you can likely find a better way to store/access it, such as using a Framework.
_G is rather slow to read from/write to, it’s not ideal for performance by any means.
_G is there for convenience factor and backwards compatibility, and it’s not something you should rely on nowadays.

dthecoolest · August 4, 2022, 6:09am

Agreed with @LingBlack87661, to which the answer is it is not exploitable by itself, simply because _G does not replicate between client and server

What is exploitable and matters is explained this video by @5uphi which are remote events and physics network ownership replication, basically anything that can change the server:

Forummer · August 4, 2022, 3:42pm

Avoid making threads that have been made before.