Would this immobilize ANY exploiter?

By “ANY exploiter” I am talking about exploiters trying to use RemoteEvents in a malicious way, for example by trying to make an insta-kill exploit by manipulating your own weapon system.

Imagine a plugin which “encrypts” scripts and game objects.
What I mean with this is the following:

A plugin, which, for example, takes every single script and remoteevent, every folder etc. and renames it to gibberish like “sxAiIXeis291k”, and changes any reference to that object written in scripts accordingly so that no script errors happen.

Now imagine a plugin which goes by this principle, and not only “encrypts” every object name, but also every single script variable name and function name you have in scripts.

Would making such a plugin be possible, and wouldn’t this render exploiters useless, as your game code would be impossible to read?

And even in the case of someone successfully decrypting your code and making an exploit, couldn’t you just run your plugin a second time and update your game so that their exploit doesn’t work anymore as every name and variable in your game has changed?

4 Likes

I’m not sure. However, I’ve considered doing this in games to stop people stealing the game, and reuploading it to the Toolbox. I guess the only way to find out is to test it.

2 Likes

What do you mean by that? Can exploiters actually steal games and how can they upload them to the toolbox?

1 Like

They don’t have access to your code. If anyone is going to the trouble of decompiling your scripts, simple variable renaming won’t deter them. Also, there are two kinds of hackers. People who learn how to do a particular hack from YouTube, and people who know what they’re doing. The people who learn from YouTube aren’t going to be reading your variables, and the people who know what they’re doing won’t care.

3 Likes

Synapse X can, from what I’ve heard, and in fact, I have known and reported (to Roblox) one person who did use Synapse to steal a Flee The Facility map (Fac0). Unfortunately, Roblox did nothing, but there’s an rbxm file of Facility 0 circulating around Flee The Facility based Discord servers.

Are you sure that exploiters can’t access code? How else are, for example, Arsenal exploits created in which people manipulate RemoteEvents to make wallhacks/instakills?

Nothing can steal a full Roblox game from the client. You would need a massively obvious fire-everybody-on-the-dev-team scale oversight in how replication is handled to do so.

I was referring to the Workspace. In some games, the workspace is basically everything, such as in showcases.

1 Like

Because you don’t need scripts to access RemoteEvents. A RemoteEvent sends a signal over your network. Just about anything can send a signal over your network. A lot of things that take advantage of RemoteEvents do two things. They’ll read the information that RemoteEvents send, and allow you to send your own. You can use this and some reasoning to figure out which RemoteEvents do what no matter how they are named.

But for the record, the client can see anything in Workspace, ReplicatedStorage, Lighting, etc. Nothing in ServerStorage, nothing in ServerScriptService, nothing created by another player, no other players’ GUIs, and it can’t see Scripts no matter what. ModuleScripts and LocalScripts are compiled to bytecode before the client receives them. They can be stolen but they must be decompiled. Last I checked, there aren’t any good tools to do that with Lua, and Roblox doesn’t use Lua’s standard bytecode anymore so a decompiler would need to be custom-written for Roblox, and it’s a lot of work.

But wouldn’t renaming them make exploits not able to access them anymore as their previous name can’t be found anymore? What if you just do a server restart every 3 days where this plugin renames everything again so that exploit creators have to update them every few days?

So it might stop exploiters who don’t know what they’re doing. Possibly. It depends on how their particular exploit worked. But it wouldn’t stop someone who knows how to do things for themselves. And trying something like this is no excuse for poor server-side validation. You still need to make sure the client isn’t doing anything suspicious when the server receives a RemoteEvent.

Wouldn’t Synapse use GetService(), meaning the script has no purpose?

I know that most developers test out their scripts, like obfuscation, by actually owning the exploit, in this case Synapse, so unless you have Synapse you can’t really test the script out.

Obviously it’s no excuse, but done WITH server-side security makes exploits for your game impossible, correct? And you didn’t answer my question: there is no way of going around the fact that exploits (which are relying on your RemoteEvents) are not working anymore as RemoteEvent names have changed, right?

This wouldn’t stop every exploit there is, but it would certainly stop RemoteEvent manipulation (Except if there is some way to access remoteevents without using their names)

Any exploiter may be able to see the names of the objects by just using an explorer. And then using that information to change their code.
I know Jailbreak does something like that. Changing ReplicatedStorage name to some random strings.
This should be able to stop most of the “free scripts” that don’t use game:GetService().


This is called obfuscation. And you can learn more about it here.
Maybe what you can do with this is delay the time it takes any exploiter to discover what every function does, and what remote he wants to “attack”.
But it’s not incredible, there are a lot of deobfuscators out there.


I mean, you could write a script that changes everything on every client.
If you change the name for ReplicatedStorage, for example, and set it to something like “WlXY_llGBGdp”, and then leave it like that, it would be the same as calling it “ReplicatedStorage”. Exploiters will code their scripts with that name, or just call game:GetService().


The best thing you can do, afaik, is add the most verification you can add, on the server.

Hope this helps you :),

1 Like
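The server-side verification recommended in the replies above, sketched for the weapon example from the opening post. This is an added example, not code from any poster in this thread; the remote name, the weapon values and the `rootOf` helper are hypothetical. The checks behave the same whatever the RemoteEvent is named, which is why renaming adds nothing to them.

```lua
-- Server Script (e.g. in ServerScriptService). All names and values are hypothetical.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

-- Server-owned weapon stats: the client never sends damage, range or fire rate.
local WEAPON = { damage = 25, maxRange = 300, cooldown = 0.5 } -- constructed values
-- The remote's name is irrelevant to security; it could just as well be gibberish.
local fireWeapon = Instance.new("RemoteEvent")
fireWeapon.Name = "FireWeapon"
fireWeapon.Parent = ReplicatedStorage
local lastShot = {} -- [Player] = os.clock() of the last accepted shot

local function rootOf(character)
	return character and character:FindFirstChild("HumanoidRootPart")
end

fireWeapon.OnServerEvent:Connect(function(player, target)
	-- 1. Type-check everything the client sent; the first argument is set by the engine.
	if typeof(target) ~= "Instance" or not target:IsA("Model") then
		return
	end
	-- 2. The target must be a living character that is not the shooter.
	local humanoid = target:FindFirstChildOfClass("Humanoid")
	if not humanoid or humanoid.Health <= 0 or target == player.Character then
		return
	end
	-- 3. Both characters must exist on the server and be within weapon range.
	local shooterRoot, targetRoot = rootOf(player.Character), rootOf(target)
	if not shooterRoot or not targetRoot then
		return
	end
	if (shooterRoot.Position - targetRoot.Position).Magnitude > WEAPON.maxRange then
		return
	end
	-- 4. Enforce the fire rate on the server, per player.
	local now = os.clock()
	if lastShot[player] and now - lastShot[player] < WEAPON.cooldown then
		return
	end
	lastShot[player] = now
	-- 5. Apply the server-defined damage, never a client-supplied amount.
	humanoid:TakeDamage(WEAPON.damage)
end)

Players.PlayerRemoving:Connect(function(player)
	lastShot[player] = nil
end)
```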

And if I restart my game servers every 3-4 days or so, run this plugin, and then update my game to the newly encrypted version, every exploit made by people up to this point which accesses object names (like RemoteEvents) would now not work anymore right?

Depends, some clever exploiter can just read the parameters from each remote event that is being fired, and just say, this remote is for exp and so on

Well yeah, but the people who made the exploits would have to update their own exploits again right? Because all names changed and their exploits don’t work anymore?

Encryption doesn’t make things illegible. “Encrypting” a string just changes its characters.
If you have a big game, exploiters will be following you, and they’ll just change the variable names and reupload it to forums.

Don’t forget, if exploiters just use game:GetService() this will not do anything at all.

Like @nanitook said, “exploiters will be following you”: any update you push, they’ll know what was changed and they’ll just update their script.

1 Like