Remote spy for roblox

Basically I ported simple spy (original source code 78n/SimpleSpy) so it could work without exploits

^^^^ showcase

rbxm file :
remotespy.rbxm (37.7 KB)

WHY I RELEASED THIS
The main purpose of this port is not to check how your game remotes work (then again, its up to you how you use this) but to test how sanitized are the remotes are in a different game (for example, in a game where you weren’t the original scripter) without risking getting banned.
Please refrain from replying that this is a quote “fake remote spy” as it adds nothing constructive to the discussion and only wastes time. If you have genuine feedback, feel free to share but dismissing it outright without understanding its purpose is not helpful.

6 Likes

I feel like roblox devs want they users to exploits in they games. Unless its for anticheat testing purposes

1 Like

dude what the hell else would it be for? if the dev isn’t a 6 year old they hopefully know why exploits shouldn’t be built into the game

7 Likes

This is for anti cheat purposes, the reason I released this is for developers who want to pentest their games.

3 Likes

this isnt even a remote spy, this just uses .OnClientEvent rather than actually logging :FireServer, blatantly lying and faking community resources is crazy

6 Likes

Lmao it’s loopback logging :broken_heart:

You can get all of this logging for free if you use a network library as it’d abstract away the remote events into a neat interface that you could then log calls to.

Go and implement a remote spy yourself in roblox then without anything, thats why literally half of the features are missing from the executor.

I made this mainly to test games that I didn’t start out coding.

“I faked it because it’s impossible to make otherwise.”
Do you not see what’s wrong with this?

I do not see anything wrong with that, I think anyone whos a scripter knows that this is impossible to make without “faking” it.

Again, I made this only to pentest games without risking being banned.

What are you pentesting, receiving remotes?
Also, it’s not fully “impossible” there is some methods to get locked metamethods in pure Luau, and I’ve seen hookmetamethod being fully made in pure Luau, which is what I assumed this was.

1 Like

Yes, when I join studio for a different game I’ve never worked on and I want to test if the games remotes are secure I would rather not go digging in scripts to see what they fire since that would take too long.

Again, this was mainly made for pentesting purposes, how its made shouldn’t matter if it doesn’t affect any part of the game which in this case it doesnt.

This doesn’t simulate the exploit, this just receives remotes, it doesn’t “spy” on remotes being sent, let alone the fact that you literally faked it in the video.

1 Like

Yes it receives the remotes… then you can check if theres any vulnerabilities within that remote as the OP said… Pentesting

yeah I dont exactly think there’s much pen testing you can do with an OnClientEvent. I mean I guess it could be a useful tool for debugging OnClientEvent and stuff but other than that I see no real use case

Edit:
Turns out this would TECHNICALLY functiion as a “RemoteSpy” but it is rather bootleg (Also it is missing UnreliableRemoteEvents & RemoteFunctions (realistically for RemoteFunctions implimenting that wouldnt be really possible))

1 Like

Yeah, personally, I wouldn’t use this myself to test vulns since SimpleSpy is supposed to be used on executors and theres just better alternatives/ways. Although this resource is missing loads of features it still technically does the ‘job’ so I dont get why buddys getting kicked around in the thread For example, the script below was used a few years ago with SimpleSpy which could destroy any parts or kick players out due to how poorly the developer implemented their function in without doing any checks etc maybe the same can be used with OPs resource to check if your events are vulnerable to such significant exploits

Game: --Build-to-survive
Updated Status: post
nenv
Scripts --

[[ CTRL + CLICK DELETE OBJECTS ]]
local Plr = game:GetService("Players").LocalPlayer
local Mouse = Plr:GetMouse()

Mouse.Button1Down:connect(function()
if not game:GetService("UserInputService"):IsKeyDown(Enum.KeyCode.LeftControl) then return end
if not Mouse.Target then return end
local args = {
    [1] = Mouse.Target
}

game:GetService("ReplicatedStorage").PlayerEvents.e1214074686.DestroyItem:FireServer(unpack(args))


end)

==========================
[[ KICK PLAYER ]]
local xyn2 = "Playername"
local args = {
    [1] = game:GetService("Players")[xyn2]
}

game:GetService("ReplicatedStorage").PlayerEvents.e1214074686.DestroyItem:FireServer(unpack(args))
[[ KICK PLAYER ]]
==========================

I’m guessing OP was just trying to help those who were familiar with using SimpleSpy in order to find vulnerabilities within their own game but this just heavily lacks features compared to the real deal

Yep, that was exactly what I was trying to do, I will add more features when im available since it looks like I forgot to add unreliable remote events and remote functions.

1 Like

I have updated the script to work with remote functions and unreliable remote events and I’ve also added the ability to clear logs and exclude remotes.

What. Are. You. Pentesting??? You don’t need to know what YOU are sending in YOUR game. The only pentesting for remote spies is bypassing or detecting the hooks these remote spies do, which this doesn’t even hook anything.

1 Like

To check for any exploitable remotes, look at the script above. You can see how SimpleSpy was used to kick players and destroy buildings due to the way the remote was scripted. SimpleSpy (or any other remote spy) allowed exploiters to inspect the arguments being sent and manipulate the remote by re-firing with different arguments— enabling exploiters to fire certain arguments the remote was not intended for, such as a remote destroying parts (as seen in the script) this vulnerability allowed exploiters to manipulate the arguments, potentially being able to target players (which would effectively kick them) or even destroying the entire map.

The same could still be done with OPs version but within your game itself (using the command line)

wow I really needed a script to tell me what my own scripts that I wrote fired! Even if you somehow forgot what you fired yourself (which probably means you did NOT code it yourself). Looking at what’s firing won’t change anything. And as I said before, only things you’d pentest in a remote spy is detecting/bypassing hooks made by it