Trying to plan ahead for some anti-exploit protection for an upcoming game of mine. I’ve never had to deal with this before, but I always do a client/serverside check when it comes to remotes.
Can they see the workspace as I see it in studio? What exactly is the scope of what they’re allowed to see, and what would you guys recommend? My game in particular is a shooter game (PVE-focused with PVP).
They can see everything the player sees. Basically all they can’t see are things locked to the server – such as ServerScriptService and ServerStorage. They can see and steal geometry, they can steal your scripts and modify memory at runtime. They can fire RemoteEvents with false information to the server (pro tip – never trust anything the client sends you, always verify it if possible).
No, it’s lower-level, although it’s possible for them to make stuff that can emulate that.
Imagine a puzzle. An exploiter can see every individual puzzle piece, but to get the full view they’ll need to put the pieces together. They’re not limited to a hierarchy, either.
A while back, someone brought to my attention an issue with one of my remotes. Idk what brought him to tell me about it, since he was clearly admitting to me that he exploits, but I thanked him anyway and fixed it. I asked how he found out and he mentioned having programs that can see what is being passed between client and server. He even mentioned an ‘explorer-like’ interface. I looked it up on Google and discovered one such interface is called ‘Dex Explorer’. I have since tried to detect GUIs not made by me to destroy() them immediately, but silly me thinking that would work, since they probably parent the GUIs to nil or something. Either way, it’s best to secure all your code and make tons of checks for legitimacy. Golden rule is to never trust the client.
A lot of the time, exploiters will parent their GUIs to the CoreGUI, which for some reason, developers cannot get read access to, and then write access to foreign GUIs that were placed by the developer or an exploiter.
To explain further, the player can read and manipulate everything they see and everything that is running on their computer. Code running on the client is code running on their computer, which means they can read it. It’s not as easy as just opening a script and magically having it all readable, but the important part is that they are able to go into the Roblox app’s memory and do things from there if they so desire.
Taking what EmeraldSlash explained, they can read all code running on their computer (meaning all client-sided code). You shouldn’t worry about server Script code being visible, though.
Roblox can’t do anything to prevent it–you’re not losing the game of cat and mouse because of Roblox, you’re losing it because that’s the nature of client side development.
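The "never trust the client" advice repeated in the replies above, sketched for the shooter case as an added example (not code from any poster in this thread). The RemoteEvent name `FireWeapon`, the constants and the choice of the `Head` part as shot origin are assumptions made for illustration.

```lua
-- Server Script (place in ServerScriptService). All names below are assumptions.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

local fireWeapon = ReplicatedStorage:WaitForChild("FireWeapon") -- hypothetical RemoteEvent
local FIRE_INTERVAL = 0.15 -- seconds between shots, decided by the server
local MAX_RANGE = 300      -- studs
local DAMAGE = 20          -- never taken from the client

local lastShot = {} -- [Player] = os.clock() of the last accepted shot

local function isUnitVector(v)
	-- typeof() rejects nil/tables/strings; NaN or inf components fail the comparison
	return typeof(v) == "Vector3" and math.abs(v.Magnitude - 1) < 0.01
end

fireWeapon.OnServerEvent:Connect(function(player, aimDirection)
	-- 1. Type and shape: the client can send any value here.
	if not isUnitVector(aimDirection) then return end

	-- 2. Rate limit: a modified client can fire the remote as often as it likes.
	local now = os.clock()
	if now - (lastShot[player] or -math.huge) < FIRE_INTERVAL then return end

	-- 3. State: the shooter must have a living character on the server.
	local character = player.Character
	local humanoid = character and character:FindFirstChildOfClass("Humanoid")
	local head = character and character:FindFirstChild("Head")
	if not (humanoid and humanoid.Health > 0 and head) then return end
	lastShot[player] = now

	-- 4. The server picks the origin and performs the raycast itself.
	local params = RaycastParams.new()
	params.FilterType = Enum.RaycastFilterType.Exclude
	params.FilterDescendantsInstances = { character }
	local result = workspace:Raycast(head.Position, aimDirection * MAX_RANGE, params)
	if not result then return end

	-- 5. The server decides the outcome; the client never sends a target or damage.
	local model = result.Instance:FindFirstAncestorOfClass("Model")
	local victim = model and model:FindFirstChildOfClass("Humanoid")
	if victim then
		victim:TakeDamage(DAMAGE)
	end
end)

Players.PlayerRemoving:Connect(function(player)
	lastShot[player] = nil -- drop rate-limit state for players who leave
end)
```

The only value accepted from the client is an aim direction; origin, range, hit target and damage are all computed on the server, so a forged remote call cannot do more than a legitimate shot could.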