Remote spies and hacking

Oh, so it essentially tells the exploiter the arguments of a fired remote event received on a client.

I doubt that’s the entire script as it must have something to pair up with using those arguments unless I’m wrong again.

Yes. It is not the whole script but remote spies are normally used to find weaknesses in games so they can produce exploit scripts. All remote spies do is allow you to know when a remote event is fired.

You cannot get the whole script via remote spies, but if they are local scripts it is possible for you to get them via an exploit.

My best advice is to try a Google search for something like “(your roblox game name) exploit scripts” and inspect and determine which script the hacker most likely used.

I would recommend never trusting the client: do not use a remote event to add rebirths; change it to be on the server and remove that event.

You can also make an anti-stat-exploit (! use at your own risk, it can cause false positives if there’s a big multiplier !)

local threshold = 1000 -- placeholder value: largest legitimate stat gain per 0.1 s; tune it for your game

game.Players.PlayerAdded:Connect(function(plr)
    local function check()
        local leaderstats = plr:FindFirstChild("leaderstats")
        if not leaderstats then
            return
        end
        for _, userStats in leaderstats:GetChildren() do
            if userStats and userStats:IsA("IntValue") then
                local old = userStats.Value

                -- re-read the stat a moment later; a jump of at least `threshold` is reverted
                task.delay(.1, function()
                    local now = userStats.Value

                    if now >= old + threshold then
                        userStats.Value = old
                    end
                end)
            end
        end
    end

    -- poll every 0.1 s while the player is still in the game
    while plr.Parent and task.wait(.1) do
        check()
    end
end)

I DO NOT RECOMMEND USING THIS DUE TO FALSE POSITIVES, THIS WAS POORLY WRITTEN: I RECOMMEND YOU NOT TO TRUST THE CLIENT AND DON'T HAVE REMOTE EVENTS THAT ADD STATS

btw the script is in a “Script” in ServerScriptService

You cannot stop them from doing this, but you're having sanity checks at all.

This is what you're doing:

FireServer Arguments -> Server Gives Item

This is what you SHOULD be doing:
FireServer Argument -> Server Checks if they have money -> Server gives item.

1 Like

That is what I’m doing, they are somehow bypassing it. I’ll work on it a little though and try to find errors in my code.

lol it's kinda funny actually to see somebody exploit on a simulator

I wouldn't even attempt it because the grind on simulators doesn't end

the progress of proceeding is just an illusion

he basically did this: remoteEvent:FireServer(value)

you did not put a server check in your server script to check whether whatever value is passed has been manipulated, so your server script, after receiving that value, trusts the value instantly, and that's exactly the mistake you made. You broke the “Never Trust The Client” rule

the fact that he is saying what he's doing in the chat shows that he is either taunting you or just doing whatever he wants, but I assume he is taunting you because if he's able to do what he's doing right now, he doesn't need the chat for it

he is showing you that your rebirth remote event is insecure

what you need to do is look into the server script that handles the rebirth remoteEvent and rewrite its code

this is a video I recommend you watch

2 Likes

I have found where my code has gone wrong and I’ll be fixing it ASAP!

I made the big mistake of finding and passing the price through the client meaning they could put in a custom price. I am fixing it right now and I’ll update y’all if I need anything!

1 Like

Here is a video I made that might also help prevent hackers

1 Like

If you’re saving that user's data, you should purchase the Datastore Editor plugin, plug in the Datastore name once you get the plugin, search the datastore for the player's UserId (assuming that’s how you format your datastores) and simply remove any saved data they had. This way you’re effectively resetting their stats back to normal.

You could also set up a remote intended for bait that only works legitimately if the user has what the server calls for. If an exploiter tries to exploit such an “unprotected remote” when it actually is protected, you can issue a ban, or some other troll to make them feel bad for doing what they did. Usually issuing bans against exploiters isn’t a good idea because it can have false positives if you don’t structure your code properly, but something as simple as marking their UserId in a datastore which teleports them to a troll game is better than a ban.

1 Like

this actually won't work anymore; I suggest not making anything like this and just following good security practice. Exploiters can have over 10 or 20 alt accounts and they're not stupid enough to keep getting banned 20 times in a row, and also it is always unlikely that it is a dumb exploiter who is trying to break your game. These are likely people who have searched online and done their research well enough that they know how to break a game in a little over 20 minutes

it's surprising to me how devs spend hours on their anti-cheats and then I saw a legit tutorial on how to bypass anti-cheats. The exploiter in the video starts from scratch and bypasses the anti-cheat in a little over 20 minutes even though this was his first time bypassing the anti-cheat of that specific game

yes, the exploiter did get kicked by the anti-cheat a couple of times during that entire 20 minutes, but it's not like he can't come back with an alt account

short-term solutions (anti-cheats, bans, whatever you name it) < forever solution (good security practice)

any type of anti-cheat on the client is all bad practice, because these are not the toxic kids you think of when you think of a Roblox exploiter breaking your game. It is only when an experienced exploiter shares the solution that makes you think these toxic kids bypassed the anti-cheat. Do it on the server

It appears you have missed the point of what I said:

What I meant by this was sanity checks, which in turn cannot be bypassed unless the exploiter has something set on the server side that is actually true for them (such as a datastore, which cannot be used from the client). As long as you set up sanity checks correctly, the only thing an exploiter can do to your game is use physics-based exploits, but even those don’t last very long with simple workarounds (for example, collision groups).

You need to have sanity checks on the server. The way to do this is by not letting the client decide how many rebirths they are eligible for: just fire a remote from the client, and on the server check how many rebirths they are eligible for and give them.
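As an added example (not code from any post in this thread), this is the shape of server-side handler the replies above describe: the client only fires the remote, and the server owns the price and the eligibility check. It assumes a RemoteEvent named RebirthRequest in ReplicatedStorage and leaderstats IntValues named Coins and Rebirths; those names are assumptions.

```lua
-- Server Script in ServerScriptService (added example; assumed object names).
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

local rebirthEvent = ReplicatedStorage:WaitForChild("RebirthRequest")

-- Vulnerable shape the thread describes (price supplied by the client):
--   rebirthEvent.OnServerEvent:Connect(function(player, price)
--       if coins.Value >= price then ... end   -- exploiter sends price = 0
--   end)

-- Server-owned price formula: the client never sends a price.
local function rebirthCost(rebirths: number): number
	return 1000 * (rebirths + 1)
end

-- Per-player cooldown so a spammed remote cannot race the check.
local lastRequest: { [Player]: number } = {}

rebirthEvent.OnServerEvent:Connect(function(player: Player, ...)
	-- Extra arguments are ignored on purpose: nothing the client sends is trusted.
	local now = os.clock()
	if lastRequest[player] and now - lastRequest[player] < 1 then
		return
	end
	lastRequest[player] = now

	local leaderstats = player:FindFirstChild("leaderstats")
	local coins = leaderstats and leaderstats:FindFirstChild("Coins")
	local rebirths = leaderstats and leaderstats:FindFirstChild("Rebirths")
	if not (coins and rebirths) then
		return
	end

	-- Sanity check: the server alone decides whether the player can afford it.
	local cost = rebirthCost(rebirths.Value)
	if coins.Value < cost then
		return -- not eligible; ignore silently (no ban, as discussed above)
	end

	coins.Value = 0
	rebirths.Value += 1
end)

Players.PlayerRemoving:Connect(function(player)
	lastRequest[player] = nil
end)
```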

simple terms of what I was trying to say: no bans issued to a player if a sanity check fails, because issuing a ban to an exploiter is a short-term solution

exceptions:
if the game is paid access
if not banning them will threaten the game’s security in some way

After the Luau update, the way hackers get your code results in the loss of whitespace and function/variable names. In other words, if you named a function

function oalskdjalkvnsf()

it would look like

function f1()

to them.

Making up complicated names and compacting/spacing out code will only make it harder for you.

you could make a ModuleScript that generates a math.random() number; then on the client, require that ModuleScript and FireServer with the math.random() number as an extra argument; then on the server, check if that math.random() number is the one in the module and, if so, give them the coins/gems; if not, ban them

Can't the exploiter just read that value?

This only applies to local functions. Global functions can have their variable names read:

your code:

local function imCool() end
function imcooler() end

their code:

local function v1() end
function imcooler() end