Soybeen | Joined: 17 Feb 2010 | Total Posts: 21462 | 17 Apr 2016 08:26 PM
If I have values that are located locally and sent to the server through a Remote Event, could someone potentially edit those values before they are grabbed by the server?
These values will affect things like health, speed, etc after the server receives them.

LucasLua | Joined: 18 Jun 2008 | Total Posts: 7386 | 17 Apr 2016 08:28 PM
Totally. I could fire up cheat engine, change the values stored on my machine in memory, and then wait for the event to send it to the server. However, you could set it up so that the server notices whenever a value was changed drastically -- like if my health randomly went from 10 HP to 99999999999999 HP, it is a dead giveaway that I tampered with the value.

Soybeen | Joined: 17 Feb 2010 | Total Posts: 21462

mycheeze | Joined: 27 Jun 2011 | Total Posts: 6748 | 17 Apr 2016 08:42 PM
Lucas bb, kwestion pls
If you are not using object values and you have a local script that fires things (such as a humanoid and a float so the server can deal the float damage to the humanoid) would the player be able to tamper with it?
>Doesn't know if skids with CE can edit already existing scripts on their client (That they have not created)
I do know that they could make their own script and send the arguments through the remote event tho :v

17 Apr 2016 08:43 PM
wiki.roblox.com
Start from the beginning.

ray_1 | Joined: 18 Feb 2011 | Total Posts: 464 | 17 Apr 2016 08:44 PM
yes they can master hacker cntkillme can confirm
Recommended username: RusticRay_1

Soybeen | Joined: 17 Feb 2010 | Total Posts: 21462 | 17 Apr 2016 08:44 PM
Everyone thank Marcus for his useful input! :D :D :D

mycheeze | Joined: 27 Jun 2011 | Total Posts: 6748 | 17 Apr 2016 08:45 PM
tragiq, so now I know clients can just read my local goodies and always get past security :V

17 Apr 2016 08:45 PM
"Totally. I could fire up cheat engine, change the values stored on my machine in memory, and then wait for the event to send it to the server." You can't do that anymore (change your health/similar things by directly trying to search and change the value), they 'obfuscate' the health now via XORing it with a value referenced to by itself. You have to be a bit more elaborate in that (it's still easy, just not as easy).
"If you are not using object values and you have a local script that fires things (such as a humanoid and a float so the server can deal the float damage to the humanoid) would the player be able to tamper with it?" Well the setup is insecure in the first place. You shouldn't let the client decide how much damage to do.

LucasLua | Joined: 18 Jun 2008 | Total Posts: 7386 | 17 Apr 2016 08:45 PM
The values are still stored in memory on the client, so yeah.

17 Apr 2016 08:46 PM
"tragiq, so now I know clients can just read my local goodies and always get past security" They can't read your localscripts/modulescripts, Roblox 'patched' that a long time ago by compiling all localscripts/modulescripts on the server and only sending the bytecode (which actually might be encrypted) to the client.

Soybeen | Joined: 17 Feb 2010 | Total Posts: 21462 | 17 Apr 2016 08:47 PM
I only have 5 value presets for quote unquote "loadouts", different types of damage resistance, health & speed effectors, etc. I could probably just make a key for each preset that is sent, and leave all value inscribing to the server.

LucasLua | Joined: 18 Jun 2008 | Total Posts: 7386 | 17 Apr 2016 08:47 PM
I remember changing my money in tycoons using the usual "donate" tools that let you send money to other people. I find my money in memory, change it, and then use the donate tool to update the server's value. ;)

17 Apr 2016 08:48 PM
'I remember changing my money in tycoons using the usual "donate" tools that let you send money to other people. I find my money in memory, change it, and then use the donate tool to update the server's value. ;)' 'You can't do that anymore'
I already told you, a lot of properties are no longer stored as-is.

17 Apr 2016 08:49 PM
Well, a lot of properties that hold floats/doubles/ints (if not all). Things like Parent/Name/etc. are still stored as you would expect.

mycheeze | Joined: 27 Jun 2011 | Total Posts: 6748 | 17 Apr 2016 08:49 PM
cn & lucas are really helpful with this stuffs :v
>To bad I don't have a pepe frand who uses CE to ask them dis stuffs

LucasLua | Joined: 18 Jun 2008 | Total Posts: 7386 | 17 Apr 2016 08:51 PM
I just came back after being gone for at least 6 months. lol
Just reminiscing at this point anyway. Ah, the good old days where engine exploits were literally everywhere...

Soybeen | Joined: 17 Feb 2010 | Total Posts: 21462 | 17 Apr 2016 08:51 PM
Yeah,
The 'keys' for the server-held presets can be an int value decided by the client, then approved by the server. That should work.
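
The preset-key idea from the posts above (the client sends only a key, the server holds every stat), as an added example that is not part of any post in this thread. It is plain Lua that runs offline; the preset numbers, the `stats` table standing in for the Humanoid, and the `loadoutRemote` name in the comment are assumptions made for illustration.

```lua
-- Added illustration, not code from the thread. All preset values are hypothetical.
-- The server owns every stat; the client may only name one of five presets.
local PRESETS = {
    [1] = { maxHealth = 100, walkSpeed = 16, damageResist = 0.00 },
    [2] = { maxHealth = 150, walkSpeed = 12, damageResist = 0.25 },
    [3] = { maxHealth = 75,  walkSpeed = 20, damageResist = 0.00 },
    [4] = { maxHealth = 125, walkSpeed = 14, damageResist = 0.10 },
    [5] = { maxHealth = 90,  walkSpeed = 18, damageResist = 0.05 },
}

-- Return the server-held preset for a client-supplied key, or nil plus a reason.
-- Everything about `key` is untrusted: its type, its range, whether it exists.
local function resolvePreset(key)
    if type(key) ~= "number" then
        return nil, "key is not a number"
    end
    if key ~= key or key % 1 ~= 0 then   -- NaN, infinity or fractional
        return nil, "key is not an integer"
    end
    local preset = PRESETS[key]
    if not preset then
        return nil, "unknown preset"
    end
    return preset
end

-- Shaped like an OnServerEvent listener: the engine supplies `player`, every
-- later argument is whatever the client chose to send.
local function onLoadoutRequest(player, key, ...)
    local preset, reason = resolvePreset(key)
    if not preset or select("#", ...) > 0 then
        -- Reject; extra arguments (a client-sent health number, say) are never read.
        return false, reason or "unexpected extra arguments"
    end
    player.stats.maxHealth = preset.maxHealth
    player.stats.health = preset.maxHealth
    player.stats.walkSpeed = preset.walkSpeed
    player.stats.damageResist = preset.damageResist
    return true
end
-- In a game (hypothetical remote name): loadoutRemote.OnServerEvent:Connect(onLoadoutRequest)

-- Constructed requests: one honest, three tampered.
local player = { name = "tester", stats = {} }
print(onLoadoutRequest(player, 2))
print(onLoadoutRequest(player, 99999999999999))
print(onLoadoutRequest(player, "2"))
print(onLoadoutRequest(player, 2, 99999999999999))
print(player.stats.maxHealth, player.stats.walkSpeed)
```

Because the numbers applied to the player come only from the server's table, editing values in client memory can at most select a different valid preset.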

17 Apr 2016 08:52 PM
It's still very easy to create exploits, it's just not as easy to create 'good' ones (albeit I'm sure it's still easy for people like t0t0/booing/etc.).