What can exploiters see within my game?

Trying to plan ahead for some anti-exploit protection for an upcoming game of mine. I’ve never had to deal with this before, but I always do a client/serverside check when it comes to remotes.

Can they see the workspace as I see it in studio? What exactly is the scope of what they’re allowed to see, and what would you guys recommend? My game in particular is a shooter game (PVE-focused with PVP).

They can see everything the player sees. Basically all they can’t see are things locked to the server – such as ServerScriptService and ServerStorage. They can see and steal geometry, they can steal your scripts and modify memory at runtime. They can fire RemoteEvents with false information to the server (pro tip – never trust anything the client sends you, always verify it if possible).

11 Likes
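The "never trust anything the client sends you" advice above, as an added example for a shooter (not code from this thread): a server Script that re-validates a shot request and performs the hit detection itself. The RemoteEvent name `FireWeapon` and all constants are hypothetical assumptions.

```lua
-- Server Script, placed in ServerScriptService so clients cannot read it.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local fireWeapon = ReplicatedStorage:WaitForChild("FireWeapon") -- hypothetical RemoteEvent

local FIRE_INTERVAL = 0.15   -- assumed minimum seconds between shots
local MAX_ORIGIN_OFFSET = 8  -- assumed max studs between claimed origin and character
local MAX_RANGE = 500        -- assumed weapon range in studs
local DAMAGE = 20            -- decided by the server, never sent by the client
local lastShot = {}          -- [Player] = os.clock() of the last accepted shot

local function isFiniteVector(v)
	-- Rejects wrong types; a NaN or infinite component fails the magnitude comparison.
	return typeof(v) == "Vector3" and v.Magnitude < math.huge
end

fireWeapon.OnServerEvent:Connect(function(player, origin, direction)
	-- 1. Type and sanity checks: the client can send any values, or none at all.
	if not (isFiniteVector(origin) and isFiniteVector(direction)) then return end
	if direction.Magnitude < 1e-3 then return end

	-- 2. Rate limit measured on the server's clock, not a client timestamp.
	local now = os.clock()
	if now - (lastShot[player] or -math.huge) < FIRE_INTERVAL then return end

	-- 3. The shooter must be alive and the claimed origin must be near their character.
	local character = player.Character
	local humanoid = character and character:FindFirstChildOfClass("Humanoid")
	local root = character and character:FindFirstChild("HumanoidRootPart")
	if not (humanoid and root and humanoid.Health > 0) then return end
	if (origin - root.Position).Magnitude > MAX_ORIGIN_OFFSET then return end
	lastShot[player] = now

	-- 4. The server does the raycast itself; the client never reports what was hit.
	local params = RaycastParams.new()
	params.FilterType = Enum.RaycastFilterType.Exclude
	params.FilterDescendantsInstances = { character }
	local result = workspace:Raycast(origin, direction.Unit * MAX_RANGE, params)
	if not result then return end

	local model = result.Instance:FindFirstAncestorOfClass("Model")
	local target = model and model:FindFirstChildOfClass("Humanoid")
	if target then target:TakeDamage(DAMAGE) end
end)

Players.PlayerRemoving:Connect(function(player)
	lastShot[player] = nil -- avoid leaking per-player state
end)
```

The client's only inputs are an origin and a direction; damage, range, fire rate and the hit target are all computed from server state.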

Thank you!

If you happen to know, what exactly does it look like for them? Is it basically the same as studio’s hierarchy?

No, it’s lower-level, although it’s possible for them to make stuff that can emulate that.

Imagine a puzzle. An exploiter can see every individual puzzle piece, but to get the full view they’ll need to put the pieces together. They’re not limited to a hierarchy, either.

1 Like

Awesome, thanks for letting me know.

I’ve already started moving various things within my game to combat this, so I really do appreciate the help.

1 Like

To add to this, a client can never read the source code of a server Script, even if it’s in a replicated area.

2 Likes

A while back, someone brought to my attention an issue with one of my remotes. Idk what brought him to tell me about it, since he was clearly admitting to me that he exploits, but I thanked him anyway and fixed it. I asked how he found out, and he mentioned having programs that can see what is being passed between client and server. He even mentioned an ‘explorer-like’ interface. I looked it up on Google and discovered one such interface is called ‘Dex Explorer’. I have since tried to detect GUIs not made by me to Destroy() them immediately, but silly me thinking that would work, since they probably parent the GUIs to nil or something. Either way, it’s best to secure all your code and make tons of checks for legitness. Golden rule is to never trust the client.

2 Likes

A lot of the time, exploiters will parent their GUIs to the CoreGUI, which for some reason, developers cannot get read access to, and then write access to foreign GUIs that were placed by the developer or an exploiter.

2 Likes

Can they read client code?

They should be able to see code on the Client.

1 Like

How much code? How common is this?

To explain further, the player can read and manipulate everything they see and everything that is running on their computer. Code running on the client is code running on their computer, which means they can read it. It’s not as easy as just opening a script and magically having it all readable, but the important part is that they are able to go into the Roblox app’s memory and do things from there if they so desire.

2 Likes

Taking what EmeraldSlash explained, they can read all code running on their computer (meaning all client-sided code). You shouldn’t worry about server Script code being visible, though.

Anything stored on their computer, they see it.

Parenting to nil doesn’t help; it’s still in memory.

There is no way of preventing this, as Roblox doesn’t provide better ways to fight exploiters; us devs will always lose the game of cat and mouse.


What you can do is make sure that important stuff happens on the server. It doesn’t matter what they can see; if they can’t touch it, it’s useless.

You have to give up on the part where they can steal your LocalScripts and other stuff stored on their PC, tho.

1 Like

Roblox can’t do anything to prevent it–you’re not losing the game of cat and mouse because of Roblox, you’re losing it because that’s the nature of client side development.

4 Likes