I’m looking to develop an antiexploit targeting a few aspects of the player that require input. Stuff like movement is fine (I can check that on the server), but the issue I’m facing is that I don’t know a way to grab input data (mouse clicks, buttons held down etc) server-side (probably because it doesn’t make sense to design architecture like that in the first place!)
I’m confident that I’d be able to grab user input from the client in a LocalScript, and then send that to the server via a RemoteEvent, but I’m not aware of how to secure that system; it would be easy for an exploiter to remove the LocalScript from their client and halt any data being sent to the server to validate.
Is it feasible to grab input sent by a client from the server; failing that, how would I go about securing my RemoteEvents & LocalScripts to prevent an exploiter from bypassing the system?
Well, for the remotes, add some fake arguments if you want. I’ve done that on a few systems, making it mutate which argument is the invalid one. You wonder how I could’ve kept that protected, well if you run some module scripts code as the game loads, but on the client’s side, then immediately nil it afterwards, theres a bit more protection.
However… exploiters can also see nil’d & actively running code/scripts
I am curious what it is you are trying to secure from the client’s input… the amount of false positives you will go through kinda sucks…
I’m hoping to detect input from the client, ranging from the speed at which they click their mouse to whether their input is recursive (autoclickers & macros respectively).
The overall aim is a closed system where I can see what the player is pressing, validate it server-side and assign a karma score in conjunction with other modules that check things like movement speed and position, etc.
The only issue that I can see with using RemoteEvents to accomplish this is that the client could potentially delete the script that fires the event, therefore starving the server of data from the client. I could check for this server-side, and kick the player if data isn’t received by the server after X minutes, but that’s still a reasonably large amount of time for a user to exploit and wreak havoc on the server.
Not sure what your ultimate goal is with a karma score, but if your just trying to prevent hacking then stick to server scripts with triggers from remote events.
The client can completely wipe out your game on their machine at any time. Just make sure nothing in your scripts requires the client to be valid. Or if it does need to be valid, then setup a quick check that runs just before your script runs to make sure the pieces you need exist and that they are what they are suppose to be.
I have a module script that I setup just for the purpose of validating important pieces to keep scripts from breaking.
I suppose that the best course of action is to check whether the server is receiving data from the client periodically, and if that fails X times in a row, disconnect the client.
I would not recommend this. Exploiters rarely stop firing remote events. All this would do is make it so players who get ping spikes eventually get kicked after enough strikes.
