He could be re-adding them from the server, but again that could be stopped in a plethora of ways. And like you said, what advantage is there to protecting RemoteEvents from deletion? The hacker is just shooting himself in the foot.
1 Like
What if, they set the Source of one of the scripts to ââ? You canât detect it vanilla and you canât fight against it.
I know me pointing this out is useless and just clutters the thread but I think itâs important for people reading to know.
1 Like
Remote events is actully as common as deleting an anti-exploit script. You know they are important in scripting, if you could delete them, that causes most everything to break thatâs from client to server (if on server, for the whole game)
Iâm a little confused on that.
So their game no longer works. Thatâs on them. Your job is to protect other players from bad actors, not protect bad actors from themselves. If they want to screw up their game, thatâs on them.
Protection for crucial systems and other players is best handled on the server. It needs to be done on the server. Develop a robust security system on the server, and then if you still encounter problems you should address them how you see fit as the arise. Catch-all LocalScripts are always bypassable to a determined hacker and they can take just as much time to devise and implement. That time is better spent locking down the server.
1 Like
They set the Source (the source code) of the scripts to an empty script. Effectively, the script no longer has anything in it. But I suppose thereâs ways of detecting that as well.
How does keeping your RemoteEvents existent prevent exploits? I understand that deleting events would likely break the game, but would it introduce any exploits?
Edit: I see, you have a RemoteEvent to shut down the server⌠What if they set the internal syncing id (Which is used to pair up a remote event on the client to a remote event on the server) to a random value? Then your event is never replicated. Thereâs also no way of detecting that.
1 Like
Oh no, I agree. And All of this is on the server. My game is really client to server related, and thatâs why I just want to protect a couple of things, like my remote events, to try to make my game not break in the event of things. Now it may not be 100%, but it does a ok job at what it does.
1 Like
Itâs hard to explain this too. The most powerful events, arenât made, until they are ready to use. Because I had concerns about false firing. They get made and fired within a second to the server to take action. So the event isnât always there and when itâs there, itâs most likely already fired
a client anti-cheat is vulnerable 
terrible idea, get a serversided one.
This is the worldâs most one-sided closed-minded chain of responses, so Iâll break it.
If you want to have a secure client anticheat, youâre going to need to know how to prevent bypasses and hide your code.
There are several ways to prevent decompilation, but there is usually an exploit that can get around these methods. Your best bet for preventing decompilation is to prevent your scripts from being found in the first place.
You can hide your scripts from exploiters in 2 lines.
script.Parent = nil
script = Instance.new("LocalScript")
This prevents getnilinstances and viewing the scripts in dex. If you reply to this saying getnilinstances can find it, I will know you didnât read this post and youâre just cherrypicking information to make your side of the argument seem more legitimate.
Changing the name of your localscript becomes entirely irrelevant if you do this method because they canât find the instance without exploit magic in the first place.
Â
Â
You should have heartbeat checks if youâre trying to relay info to the server (have a remote the client sends anticheat information to at random intervals. if the client does not respond to a heartbeat with legitimate information 3 times in a row, disconnect them.).
With a client anticheat, you need to pretty much rely on human error to detect exploits. It isnât easy and should only be used for detections that you canât rely on the server for.
Yes, it can be bypassed, but the point is to slow exploiters down and prevent common skids from using basic scripts, not to make a bulletproof solution to life.
2 Likes
Exploit knowledge is what makes it safe. If you know about exploits, you will know how to combat them. Just like how syn x users managed to detect dark dex in games using normal scripts.
Donât let closeted exploiters (those who say dont make client anti cheat) put you down.
2 Likes
wouldnt make sense unless you use some sort of gotcha system, like having false remote events that ban the exploiter if triggered.
I have always said this and will continue to do so.
Making anti-cheats on the client is only an attempt to delay the inevitable.
No matter how hard you make it, a clever exploiter will figure out how to bypass it.
Now, you might say that you are making client-sided anti-exploits to stop script kiddies. Still, most of the time, the clever exploiter releases this bypass to the public on popular roblox exploit websites and forums, and script kiddies find the bypass code and execute it. Youâre essentially doing absolutely nothing.
I will say this again, exploiters have complete control over their clients, they can basically do whatever they want, manipulate and delete the scripts, hook events, etc.
Trust me, if Roblox engineers themselves cannot stop executor developers from making executors, then you have no way of fully stopping an exploiter, especially with a client-sided exploit.
2 Likes
you can lol its just roblox doesnt invest to anti cheat that much
Thanks, a Roblox engineer. I guess you know everything that happens inside Roblox then?
Please do not answer me if you have no idea how development works, thanks.
1 Like
am i wrong
Before you answer, answer these to yourself:
Why does HWID ban only last 30 minutes, if roblox clearly knows youâre exploiting?
Why does roblox only patch exploits that their top earning devs tell them about or the media (Looking at you BBC with your 5 roblox articles)?
How can a generic executor made by a bored young adult have much higher power than a client?
Why dosenât roblox keep a log of client activities just like it does with vc? (Roblox clearly states in its TOS that your voice will be recorded for moderation, why not the same for suspicious client activity?, Just pull a valorant already, make a kernel anti exploit.)
1 Like
apparently the roblox community wouldnât be happy if roblox moved to a kernel anti-cheat, tbh I donât blame them with the amount of vulns that have been found on the roblox website etc
1 Like
Who cares if they made a kernel anti exploit? They record your voice the second you opt in for vc, Lol. Why would you be scared if a game accesses your bios, others app and even your os does it too!
I would be more fearful for my voice being heard than have simple resources being accessed for security purposes.
First of all, all of the questions that you have asked are unrelated to client-sided anti-cheats, thatâs why I said you shouldnât reply to posts that you have no idea about.
Now, Iâm not going to defend Roblox on all of the points that you have made, I agree, Roblox should have taken action very early, only this year they have announced that they were adding a built-in anti-cheat system.
I also donât like some stuff about Robloxâs business model, but this whole thread is not about Roblox not wanting to add anti-cheat into their client, itâs about what a developer or a Roblox engineer can do to stop exploits on the client.
1 Like