From what I see he passed 3 values to your “remote event” RebirthEvent with insane values.
You should never let the client fire values to the server except boolean values, positions or other non-damage, non-money stuff; they are not to be trusted.
You should also have sanity checks before giving players money.
P/S: I hate hackers too, they are the reasons many games are dead despite the developers’ huge efforts
That got me thinking about a backdoor in the server side of your script. First, please check any free models that you use for scripts. If you find a suspicious and malicious script, delete it.
Obfuscation is neither necessary nor convenient. What it does is basically convert your current code to a version that is more complicated to understand but still does the same thing.
You can’t fully secure a remote event, but the best way you can secure it is by doing sanity checks on the server side.
Yes. It is not the whole script but remote spies are normally used to find weaknesses in games so they can produce exploit scripts. All remote spies do is allow you to know when a remote event is fired.
You cannot get the whole script via remote spies, but if they are local scripts it is possible for you to get them via an exploit.
My best advice is to try a Google search for something like “(your roblox game name) exploit scripts” and inspect and determine which script the hacker most likely used.
You can also make an anti-stat exploit (! use at your own risk, it can cause false positives if there’s a big multiplier !)
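```lua
-- Placeholder: set to the largest gain a legitimate player can make in 0.1 s
local THRESHOLD = 1000

game.Players.PlayerAdded:Connect(function(plr)
	local function check()
		if plr:FindFirstChild("leaderstats") then
			for _, userStats in plr.leaderstats:GetChildren() do
				if userStats and userStats:IsA("IntValue") then
					local old = userStats.Value
					-- Compare the value again 0.1 s later
					task.delay(.1, function()
						local now = userStats.Value
						-- Revert any jump of THRESHOLD or more
						if now >= old + THRESHOLD then
							userStats.Value = old
						end
					end)
				end
			end
		end
	end
	-- Stop polling once the player has left the game
	while plr.Parent and task.wait(.1) do
		check()
	end
end)
```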
I DO NOT RECOMMEND USING THIS DUE TO FALSE POSITIVES, THIS WAS POORLY WRITTEN: I RECOMMEND YOU NOT TO TRUST THE CLIENT AND DON'T HAVE REMOTE EVENTS THAT ADD STATS
btw the script is in a “Script” in ServerScriptService
lol it's kinda funny actually to see somebody exploit on a simulator
i wouldn't even attempt because the grind on simulators doesn't end
the progress of proceeding is just an illusion
he basically did this: remoteEvent:FireServer(value)
you did not put a server check on your server script to make sure that whatever value that is passed is manipulated, so your server script after receiving that value trusts the value instantly and that's exactly the mistake you made. you broke the “Never Trust The Client” rule
the fact that he is saying what he's doing in the chat shows that he is either taunting you or just doing whatever he wants, but i assume he is taunting you because if he's able to do what he's doing right now, he doesn't need the chat for it
he is showing you that your rebirth remote event is unsecure
what you need to do is look into the server script that handles the rebirth remoteEvent and rewrite its code
I made the big mistake of finding and passing the price through the client meaning they could put in a custom price. I am fixing it right now and I’ll update y’all if I need anything!
If you’re saving that user’s data, you should purchase the Datastore Editor plugin, plug in the Datastore name once you get the plugin, search the datastore for the player’s UserId (assuming that’s how you format your datastores) and simply remove any saved data they had. This way you’re effectively resetting their stats back to normal.
You could also set up a remote intended for bait that only works legitimately if the user has what the server calls for. If an exploiter tries to exploit such an “unprotected remote” when it actually is protected, you can issue a ban, or some other troll to make them feel bad for doing what they did. Issuing bans against exploiters usually isn’t a good idea because it can have false positives if you don’t structure your code properly, but something as simple as marking their UserId into a datastore which teleports them to a troll game is better than a ban.
this actually won't work anymore, i suggest to not make anything like this and just do good security practice. exploiters can have over 10 or 20 alt accounts and they're not stupid enough to keep getting banned 20 times in a row, and also it is always unlikely that it is a dumb exploiter who is trying to break your game. these are likely people who have searched online and done their research well enough that they know how to break a game in a little over 20 minutes
it's surprising to me how devs spend hours on their anti cheats and then i saw a legit tutorial on how to bypass anti cheats. and the exploiter in the video starts from scratch and bypasses the anti cheat in a little over 20 minutes even tho this was his first time bypassing the anti cheat of that specific game
yes, the exploiter did get kicked by the anti cheat a couple of times during that entire 20 minutes but it's not like he can't come back with an alt account
short term solutions (anti cheats) (bans) (whatever you name it) < forever solution (good security practice)
any type of anti cheat on the client is all bad practice because these are not the toxic kids you think of when you think of a roblox exploiter breaking your game. it is only when an experienced exploiter shares the solution that it makes you think these toxic kids bypassed the anti cheat. do it on the server
It appears you have missed the point of what I said:
What I meant by this was sanity checks, which in turn cannot be bypassed unless the exploiter has something set on the server side that is actually true for them (such as a datastore, which cannot be used from the client). As long as you set up sanity checks correctly, the only thing an exploiter can do to your game is use physics-based exploits, but even those don’t last very long with simple workarounds (for example, collision groups).
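
Added example, not part of any post in this thread: a server-side handler for the RebirthEvent remote that takes nothing from the client and derives the price from server-owned state, which is the sanity check the replies above describe. The stat names "Cash" and "Rebirths", the remote's location in ReplicatedStorage, the price formula and the cooldown are assumptions.

```lua
-- Added example (Script in ServerScriptService), not the original poster's code.
-- Assumed: RebirthEvent lives in ReplicatedStorage; leaderstats holds IntValues
-- named "Cash" and "Rebirths"; price formula and cooldown are illustrative.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

local rebirthEvent = ReplicatedStorage:WaitForChild("RebirthEvent")

local BASE_PRICE = 1000 -- assumed
local COOLDOWN = 1      -- seconds between accepted requests per player (assumed)
local lastRequest = {}  -- [Player] = os.clock() of the last accepted request

-- The price depends only on values the server owns, never on remote arguments.
local function rebirthPrice(rebirths)
	return BASE_PRICE * (rebirths + 1)
end

rebirthEvent.OnServerEvent:Connect(function(player, ...)
	-- The remote is a bare request; anything the client attached is ignored and logged.
	if select("#", ...) > 0 then
		warn(("%s sent unexpected arguments to RebirthEvent"):format(player.Name))
	end

	-- Rate limit so the remote cannot be fired in a tight loop.
	local now = os.clock()
	if lastRequest[player] and now - lastRequest[player] < COOLDOWN then
		return
	end
	lastRequest[player] = now

	local stats = player:FindFirstChild("leaderstats")
	local cash = stats and stats:FindFirstChild("Cash")
	local rebirths = stats and stats:FindFirstChild("Rebirths")
	if not (cash and rebirths) then
		return
	end

	-- Sanity check: the server computes the price and verifies the balance itself.
	local price = rebirthPrice(rebirths.Value)
	if cash.Value < price then
		return
	end

	cash.Value -= price
	rebirths.Value += 1
end)

Players.PlayerRemoving:Connect(function(player)
	lastRequest[player] = nil
end)
```

The matching LocalScript calls `RebirthEvent:FireServer()` with no arguments, so a modified client has no value to tamper with.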