What hackers can/cant do

TheShowCaseMaker · February 16, 2022, 5:11am

Amazing explanation! This is a good way to secure most of a map, but this could cause massive server lag if you prefer unions over messages, and sudden executions of any scripts (if disabled and re-enabled upon loading). That is something to look out for. I will add you to the post!

TheShowCaseMaker · February 17, 2022, 12:44am

smol edit (new noteable replies)

Hexcede · February 17, 2022, 8:50am

This is different than property changes because its physics which is entirely different than other replication.

But, there’s a legitimate exception, which is descendants of a player’s character. All descendants of a player’s character can be deleted on the client, and this change will replicate to the server (the result is identical to setting instance.Parent = nil on the server).

This is how what’s usually called “FE god mode” works, exploiters will remove a player’s Humanoid instance (immediately inserting a local copy on their client), which means there’s no Humanoid to take damage. (Kinda funny, and it makes a lot of sense if you think about it)

What many people don’t know is that this applies to everything in the character. Tools, descendants of those tools, joints, meshes, clothing instances, etc can all be deleted by an exploiter, and these changes will go to the server.

This is also exactly how exploiters create “FE parts”, by deleting the mesh and joints of their own hats, which they can then control because they will have automatic network ownership.

This is unfortunately pretty difficult to solve if not impossible for us devs, but, things like FE god mode can be mitigated by simply replacing the Humanoid, which used to have some delay since you couldn’t reparent an instance during an AncestryChanged event.

Luckily this can now be solved better with the task library so the instance can be reparented instantly:

-- In server code, when humanoid removed (e.g. AncestryChanged)
task.defer(function()
	humanoid.Parent = character
end)

vs this which causes a warning:

-- In server code, when humanoid removed (e.g. AncestryChanged)
humanoid.Parent = character -- Something unexpectedly tried to set the parent of Humanoid to Hexcede while trying to set the parent of Humanoid. Current parent is NULL.

TheShowCaseMaker · February 17, 2022, 5:51pm

Thanks for the explanation! I’ll add you to the noteable replies.

TheShowCaseMaker · February 19, 2022, 2:55am

gonna have to do the le bump, i made a CRITICAL CHANGE regarding avatars

UltraYummyChocolate · March 13, 2022, 7:34pm

†: TopBagon(Profile - TopBagon - DevForum | Roblox) mentioned that if you have things like an IntValue or a BoolValue in your character, hackers can remove it and server scripts could break, read his post here

~~I don’t think that’s true, they can only destroy their replicated values, server won’t be affected~~

Also, player characters are known to need a lot of checks before replicating and/or removing, so after all if you have :findfirstchild and nil checks you are alr (in a local script because server scripts wont be affected)

TheShowCaseMaker · March 13, 2022, 7:40pm

Things in your character replicate to the server, thats how the scripts could break, if a hacker deletes a vital item and the server cant find it then it go BREK (thats what pcall is for kids)

UltraYummyChocolate · March 13, 2022, 7:41pm

~~oh right I forgot that they could delete it on join lol~~

UltraYummyChocolate · March 13, 2022, 7:42pm

~~what about if i, from a server script, call instance.new(“value”), set the parent to the character? in that case its replicated from server to client so there’s no issue right?~~

TheShowCaseMaker · March 13, 2022, 7:43pm

That would not work, because the client can delete anything in its character. No workarounds. Checks must be placed on the server before calling anything in the client.

UltraYummyChocolate · March 13, 2022, 7:44pm

~~the client can delete anything in its character, but it will only be deleted for him~~

TheShowCaseMaker · March 13, 2022, 7:44pm

Anything the hacker deletes in his character is replicated in the server. Stop please

TheShowCaseMaker · March 25, 2022, 7:06pm

CRITICAL EDIT: info on local scripts and module scripts

GamEditoPro · March 25, 2022, 7:10pm

Exploiters can read and delete server scripts if it in player’s character. You can test this in Studio - delete healing script, and you won’t heal anymore.

tin_nim · March 26, 2022, 3:25am

Ummmm if i have a terrain generation script client sided and a module which contains the property of the terrain, Am I doomed to be copy(I use perlin)

TheShowCaseMaker · March 26, 2022, 4:15pm

Either way your doomed to be copied because hackers can steal anything in workspace, client-sided or not (just server scripts are excluded from this)

dogpower12x · March 27, 2022, 1:47pm

Exploiters can’t read server scripts in the character, but yeah they can delete it.

commitblue · March 27, 2022, 2:04pm

Did you try it with an actual exploit? Your command bar or your simple cursor can’t prove it 100%

GamEditoPro · March 27, 2022, 2:09pm

No, i’m not use any exploits. But roblox studio can “simulate” exploits from the client, if you delete something or add new local script.

commitblue · March 27, 2022, 2:10pm

But exploits can do more stuff than just localscripts. Like getrawmetatable, etc.