Would Disabling Loadstring Stop Some Exploits?

Hello,

Would disabling loadstring stop some exploits? Even if I require loadstring for a script, I can easily do:
game.ServerScriptService.LoadStringEnabled = true
then after the script I’d do
game.ServerScriptService.LoadStringEnabled = false

Loadstring is disabled by default. Loadstring can only be used by the server, not the client. Exploits use other systems to execute code; just don’t let an insecure remote run code.


You also cannot write to the LoadStringEnabled property.

3 Likes

If you could just enable and disable it with a script like that, a hacker can too. But it doesn’t work like that.

When you disable it, you protect yourself against backdoors in free model scripts and viruses. If you want to enable loadstring, just be careful what you insert into the game.

Barely any backdoors use vanilla Loadstring

Only one backdoor in my lifetime (I have discovered THOUSANDS of them) used the vanilla loadstring method. If they need to use a loadstring, they will use their own bytecode interpreter which bypasses the property, making it impossible to turn off.

1 Like

That’s true, but I think that some people who exploit are doing it to be funny. Meaning, they don’t really know how to script.

2 Likes

What kind of exploits are you looking to prevent? There are many exploits that have fairly easy solutions. For example, if you have a problem with people using scripts to fling people around in your game, you can disable players colliding with each other (fling scripts use BodyVelocity). In general, even if you found a way to detect that someone has injected into your game and you patched it, the exploiters would find a workaround to your solution in X amount of time. Unfortunately it just turns into a game of cat and mouse, which isn’t really worth your time. Overall, the best way to prevent exploits is making sure that the server handles as much important stuff as possible, and making sure that you don’t forget to leave unsecured RemoteFunctions and such that can be manipulated through the client, like HugeCoolboy2007 said earlier.

1 Like

right oops…

And yes, I found an exploit that does…

(won’t post for obvious reasons)

1 Like

TL;DR;

If you didn’t have code like this

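-- Pattern to avoid: the server compiles and runs whatever string a client sends.
-- RemoteEvent is assumed to reference a RemoteEvent instance.
RemoteEvent.OnServerEvent:Connect(function(_, code)
  loadstring("A=3;"..code)()
end)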

then you are fine. Using loadstring is OK.

3 Likes
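
The advice in this thread (keep important logic on the server and never let a remote run client-supplied code) can be implemented as a fixed table of allowed actions with per-action argument checks. This is an added example, not code from any post in the thread; the remote name `ShopRemote`, the action names, the attributes and the price table are hypothetical.

```lua
-- Added example for a Roblox server Script. ShopRemote, the action names,
-- the "Coins"/"Volume" attributes and PRICES are hypothetical.
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local remote = ReplicatedStorage:WaitForChild("ShopRemote") -- assumed RemoteEvent

-- Server-owned data: the client names an item, it never sends a price.
local PRICES = { Sword = 100, Shield = 75 }

-- Every action the client may request is a named function that validates
-- its own arguments. No client string is ever compiled or executed.
local ACTIONS = {}

function ACTIONS.Buy(player, itemName)
	if type(itemName) ~= "string" then return false, "bad item type" end
	local price = PRICES[itemName]
	if not price then return false, "unknown item" end
	local coins = player:GetAttribute("Coins") or 0
	if coins < price then return false, "not enough coins" end
	player:SetAttribute("Coins", coins - price)
	return true
end

function ACTIONS.SetVolume(player, level)
	-- Type check plus range check; NaN fails both comparisons and is rejected.
	if type(level) ~= "number" or not (level >= 0 and level <= 1) then
		return false, "bad volume"
	end
	player:SetAttribute("Volume", level)
	return true
end

remote.OnServerEvent:Connect(function(player, action, ...)
	-- `player` is supplied by the engine; everything after it is untrusted.
	local handler = type(action) == "string" and rawget(ACTIONS, action)
	if not handler then
		-- Truncate before logging so an oversized argument cannot flood the log.
		warn(("rejected remote call from %s: %s"):format(
			player.Name, tostring(action):sub(1, 32)))
		return
	end
	local ok, reason = handler(player, ...)
	if not ok then
		warn(("rejected %s from %s: %s"):format(action, player.Name, reason))
	end
end)
```

The rejected-call warnings also act as a cheap detection signal: a legitimate client never sends an unknown action name or a malformed argument.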