RemoteEvents password?

Hello Developers!


I would like to know if I secured the remote event from intruders or not


Button


Script in button:


local module = game.ServerScriptService.EventPasswordModule
local ModuleScript = require(module)

script.Parent.MouseButton1Click:Connect(function()
	local Password = math.random(0,999999999)
	ModuleScript.GenPassword(ModuleScript, Password)
	game.TextChatService.BubbleChatConfiguration.ImageLabel:SetAttribute("Status", Password)
	script:SetAttribute("Status", true)
	task.wait(0.0005)
	script:SetAttribute("Status", false)
	game.TextChatService.BubbleChatConfiguration.ImageLabel:SetAttribute("Status", nil)
	
end)

LocalScript in script:


script.Parent:GetAttributeChangedSignal("Status"):Connect(function()
	if script.Parent:GetAttribute("Status") == true then
		local rPassword = game.TextChatService.BubbleChatConfiguration.ImageLabel:GetAttribute("Status")
		print("Client to Server "..rPassword)
		game.ReplicatedStorage.RemoteEvent:FireServer(rPassword)
	end
end)

ModuleScript:


local module = {}

function module:GenPassword(Password)
	script.Parent = game.ServerScriptService
	print("Gen: "..Password)
	module.GetGenPassword = {
		["Get"] = {
			["Password"] = Password
		}
	}
end

return module


RemoteScript:


local module = script.Parent.EventPasswordModule
local ModuleScript = require(module)
local Event = game.ReplicatedStorage.RemoteEvent

Event.OnServerEvent:Connect(function(player,rPassword)
	player.PlayerGui.ScreenGui.TextButton.FireName.Text = "["..Event.Name.."]"
	player.PlayerGui.ScreenGui.TextButton.WorkText.Text = "Work = False"
	if rPassword == ModuleScript.GetGenPassword["Get"]["Password"] then
		player.PlayerGui.ScreenGui.TextButton.WorkText.Text = "Work = True!"
		ModuleScript.GenPassword(ModuleScript,0)
	end
end)

Will this help protect remoteevents from intruders?

3 Likes

I don’t think it even works, when you require an module, it returns the original value, and cannot be changed globally. and having a “password” to secure a remote event is pointless. also what are you trying to do??

1 Like

kinda pointless? I do this so that the attackers could not farm in afk mode.
this system works great, there was one vulnerability in it, but I already fixed everything!

what do you mean farm in afk mode? cant you just use debounce for each player respectively?

this system is made so that the event can only be activated if the player presses the button.
cooldown can also be added separately

btw, where is GetGenPassword? how do you get the password? if its not generated in server side yet?

re-read the module script carefully, pay attention to the Password variable

Update: [“Password”] it’s like a vault, as soon as a password is generated, it is immediately added to this vault

ok but the GetGenPassword should still be nil because GenPassword has not been called in the server, i believe exploiters can just do remote:FireServer(nil) and after the first remote call they can just do remote:FireServer(0)

local module = script.Parent.EventPasswordModule
local ModuleScript = require(module)
local Event = game.ReplicatedStorage.RemoteEvent

Event.OnServerEvent:Connect(function(player,rPassword)
	player.PlayerGui.ScreenGui.TextButton.FireName.Text = "["..Event.Name.."]"
	player.PlayerGui.ScreenGui.TextButton.WorkText.Text = "Work = False"
	if rPassword == ModuleScript.GetGenPassword["Get"]["Password"] then
		if rPassword ~= 0 then
			player.PlayerGui.ScreenGui.TextButton.WorkText.Text = "Work = True!"
			ModuleScript.GenPassword(ModuleScript,0)
		else
			player:Kick("Failed Password!")
		end
	end
end)

ok, but would that still work for normal players without exploits? because after the first remote call, you cant get pass the if rPassword ~= 0 then if

just try it for yourself, it always works, there are no errors

Update:

i can already see that it doesn’t work, and you can still do remote:FireServer(nil), BUT, after the first remote call, you cant do anything and everyone gets kicked if they try to click the button, because you set the password as 0, and you have a rPassword ~= 0 check which is conflicting

I can’t read your code because it’s so unorganized and looks pointless. Consider using a tool like Stylua, please. From what I understand from the title, you are trying to protect a remote with a password. For example, a local script can lock itself with a password that is stored on the server; if the client tries to fire a remote without a valid password, the remote will simply not let the backend run. There are many factors that can make this possible or not, but from my perspective, it’s technically possible, but in practice, it might be a different story. A lot of people know that exploiters use tools like remote sniffers, which essentially let them monitor remote activity. I’m not sure how they work, but if the exploiter can see the actual data sent through the remotes (where we send the password), then there is no way to make this happen. If they can’t see the information sent or received, though, it’s very easy to make it happen; simply lock a script right when the game runs, and unless they pull up some assembly code in their executor, you are safe. This is at least what I think; if I’m wrong, please correct me. I don’t get the point of you doing this. Hackers always find a loophole; there is no such thing as hacker-proof code. They will always find a workaround.

From what I know from talking with some of the devs that worked on quite large games they can. The data meaning like the Numbers/Strings/Objects etc that they are meant to represent. And whatever content is inside local scripts is also visible/replacable/destroyable. Wether that has changed I’m not sure (With byfron owned by roblox) But it was a concern and possible around 2020

1 Like

I was talking about tools called (not referring to) remote spies. You can’t check the game’s memory; that’s why I made the “put assembly code in your executor” joke. If you generate your token (password) in the local script, you then need to fire it to the server, and then the server lists it and remembers it. The ways on the server are whatever you feel like it, even if you wish to make a folder in a non-replicated service and put string values with names. The question here is whether those tools can actually see what information is being sent through a remote. You can check the received information; that’s why we make the password on the client and make the server remember it, but if those tools can also see the information sent from the client, well, then that’s not possible, but still, I don’t see a good point to making this a thing. This should be a discussion and not really help, because this is a concept of theory and is meant to prove something possible. These methods are not reliable and shouldn’t be used in real practice. All of that stuff aside, if anyone knows about this question, please share. I actually want to know more about it. Again, if I’m wrong, please correct me; this is only my point of view, and I don’t want to influence anyone’s opinion.

2 Likes

I will now try to hack the system, if it works out, I will definitely write how its I did it, and maybe I will fix it

1 Like
game:GetService("LogService").MessageOut:Connect(function(msg)
	msg = msg:split(" ")
	
	if msg[1] == "Gen:" then
		print(msg[2])
	end
end)
1 Like

not bad, but it’s not possible to get the code
example:

Please note exploiters can read what you are firing & sending across both networks.