What hackers can/cant do

Resources Community Resources
#1

9/30/23: People are using this as their entire basis of their anticheats. No. Roblox anticheats and cheaters have evolved so much since 2022.

Old Post (why)

5/26/22: Note, due to developments in the past few months and ROBLOX taking more action against exploiters, the post may be out of date. Revision 3 of the thread coming soon!

In this resource, I will talk about what hackers can/cant do, since this topic is not discussed (at all).

First, we need to talk about Clientside vs. Serverside.

Serverside

Serverside means something that only the server can see, or something that everybody can see. For example, Workspace is handled on the server, so everybody can see Workspace but no single user can change it* without changing it through the server. This also applies to ServerScriptService but in a different way, i.e. no one user can see besides the server itself.

Clientside

Clientside means something that only the user (the client) can see. For example, if the user inserts a part into Workspace without doing it through the server, nobody else can see that part. Local scripts operate under Clientside.

Now we can get into the juicy part!

Hackers can operate anything via clientside† such as inserting parts, inserting a GUI into StarterGUI or CoreGUI (such as Dex or InfiniteYield), which nobody else will be able to see. This is why local anticheats are required as the server cannot detect if somebody inserted a hack GUI into their Starter/CoreGUI.
Note: Hackers can view and edit local scripts in a client service (such as StarterPlayer)

Hackers cannot do anything Serverside (with a few exceptions and footnotes) such as running serverside scripts, looking inside a Server service (except client and server services, such as Workspace* or ReplicatedStorage) or viewing server scripts.

Note: Hackers can look into ANY LOCALSCRIPT OR ANY MODULE SCRIPTS. Your local and module scripts are NOT SAFE unless they are in a server service, so your module scripts are DOOMED either way. D O O M E D.

Now, some exceptions. For the exception for serverside, hackers can run Serverside scripts if they have a backdoor. Also, hackers can do a few thing to their avatar‡ / §, such as custom animations, moving limbs in unnatural ways, and moving their character (flying, noclip, also includes changing states).

§: Hackers can (sometimes) remove their clothing under specific circumstances, but this rarely comes up. They can remove their shirts if first their torso/arms/legs are removed while keeping the humanoid… alive, then re-inserting them using some cheeky method I don’t understand or get. I’ve seen it happen, so I know its true, but if anybody can elaborate then please tell me.

‡: Mentioned by exxtremestuffs, this is a side effect of Network Ownership, which is explained below, read exx’s post here

†: TopBagon mentioned that if you have things like an IntValue or a BoolValue in your character, hackers can remove it and server scripts could break, read his post here

*: ihavoc101 mentioned this, exploiters can move unanchored objects without backdoors using network ownership, view his post here

Noteable replies:

What hackers can/cant do - #20 by BakDoor

What hackers can/cant do - #23 by Hexcede

What hackers can/cant do - #34 by GamEditoPro

If I missed anything, please let me know (I will add it above) and thank you for reading!

Some resources for you to check out:

Why Your Anti-Exploit Sucks
How to make a strong anti cheat?
Exploiting Explained (mostly terminology I wont explain here or we will be here for hours)
How you should secure your game - A beginner guide for secure networking and developing anticheats
Concept: Client Anti-cheat possible?

69 Likes
About hacking and what hackers can/cant do
Opinions on possible hack avoiding
#2

I have a question can hackers steal scripts? If they can view scripts can’t they just copy and paste the scripts and basically steal your game?

8 Likes
#3

They can only steal LocalScripts, but only if they are from a client service. (i.e. a service the user can view and interact with, such as StarterPlayer and its children)

4 Likes
#4

I’d also like to revise the statement:

Exploiters can actually manipulate unanchored objects within Workspace without backdoors. It’s done by abusing something called network ownership, where Roblox lets clients control unanchored parts to help ease physic calculations on the server. Fixable by:

Part:SetNetworkOwner(nil)

on important unanchored parts.

I hope this helps.

22 Likes
#5

Thanks for the info! I’ll change it and add you into the credits.

1 Like
#6

Here’s another thing some people aren’t aware of: exploiters can destroy stuff in their character and it’d replicate to everyone.

For example if you place ValueBase inside character, like IntValue for stamina or BoolValue for block (which I see quite often and is pretty bad idea), they’d be able to destroy it and you wouldn’t be able to access it from server either. This can easily cause server scripts to break

11 Likes
Does anyone else validate characters?
#7

Thanks for telling me! I’ll update the post tomorrow, it’s hella late here

#8

Yes, it is stored on local RAM, and advanced programs such as Synapse can steal a game file of all local things.

3 Likes
#9

I did mention something like that, as a developer with (a lot) of assets being stolen with Synapse X its something to look after

1 Like
#10

Sadly basically impossible, I don’t know any anti-hacks that counter it. Since it doesn’t interact at the same level as developer controllable scripts I believe.

2 Likes
#11

They can see workspace scripts but cant change them ( this is why you need to make your scripts in server script storage)

#12

They can’t see the workspace scripts source either.

3 Likes
#13

Short answer: they don’t
Long answer: Certain exploits have the ability to decompile the bytecode of your script. No Luau source code is provided to the client, only the bytecode to be interpreted by the engine, which is why “stolen” scripts are often not representative of the original source.

To visualize how Lua code is compiled, this is a handy site (though keep in mind Luau has a different compiler). If you’re interested in Luau specifically, there’s a visualizer built into the command line tool in the official Luau GitHub page.

4 Likes
#14

One thing I’d like to point out is that this is a side-effect of Network Ownership, which gives clients limited control over the physics of their character and surrounding physics objects.

1 Like
#15

Although, you cant control other characters (which are obviously unanchored) since those are client-server replicated.

#16

I’m sorry to hear that. You can possibly negate the damage caused from place copying by placing items the client doesn’t need to access in ServerStorage and Server modules in ServerScriptService.

2 Likes
#17

Nah, its fine. Most of the assets I use are server scripts and cant be copied, so if somebody copies a car of mine all they have is a wacky car with no scripts (and the joints/welds/springs/etc are fake and handled via scripts, so bonus up yours)

1 Like
#18

I could use that advantage as a honeypot.

#19

Actually they cant, even if its in workspace it will show up as an empty script to them

#20

So on the topic of keeping your maps safe here is what I personally recommend although it only works on some types of games, what I personally recommend is loading your game in chunks… heres how this can work.

So, lets say your game is an RP game and you have 5 different maps the size of a size of one baseplate, lets break that baseplate up into 4 chunks.

image
image935Ă—866 44.1 KB

Now, with these 4 chunks (blue dot is player, blue circle is the load radius) the client will be able to see what is within that blue radius and that’s the only parts on the client they’ll be able to see.

image
image967Ă—868 54.1 KB

Now, lets say they were in quadrant 4.

image
image967Ă—868 57.9 KB

Okay… but how do we accomplish this? My personal recommendation is first understanding how remotes work and then you will be able to accomplish something like this by using a RemoteFunction (Client → Server → Client)

Please note this is not a set fix for something like this as someone who truly wanted your map could fetch just the parts of it they wanted although it keeps you slightly safer from complete map saving.

2 Likes