generic image
Processing...
  • Games
  • Catalog
  • Develop
  • Robux
  • Search in Players
  • Search in Games
  • Search in Catalog
  • Search in Groups
  • Search in Library
  • Log In
  • Sign Up
  • Games
  • Catalog
  • Develop
  • Robux
   
ROBLOX Forum » Game Creation and Development » Scripters
Home Search
 

Re: FE Security Question

Previous Thread :: Next Thread 
Soybeen is not online. Soybeen
Joined: 17 Feb 2010
Total Posts: 21462
17 Apr 2016 08:26 PM
If I have values that are located locally and sent to the server through a Remote Event, could someone potentially edit those values before they are grabbed by the server?

These values will affect things like health, speed, etc after the server receives them.


Report Abuse
LucasLua is not online. LucasLua
Joined: 18 Jun 2008
Total Posts: 7386
17 Apr 2016 08:28 PM
Totally. I could fire up cheat engine, change the values stored on my machine in memory, and then wait for the event to send it to the server. However, you could set it up so that the server notices whenever a value was changed drastically -- like if my health randomly went from 10 HP to 99999999999999 HP, it is a dead giveaway that I tampered with the value.
Report Abuse
Soybeen is not online. Soybeen
Joined: 17 Feb 2010
Total Posts: 21462
17 Apr 2016 08:32 PM
Alright, great, ty


Report Abuse
mycheeze is not online. mycheeze
Joined: 27 Jun 2011
Total Posts: 6748
17 Apr 2016 08:42 PM
Lucas bb, kwestion pls

If you are not using object values and you have a local script that fires things (such as a humanoid and a float so the server can deal the float damage to the humanoid) would the player be able to tamper with it?

>Doesn't know if skids with CE can edit already existing scripts on their client (That they have not created)

I do know that they could make their own script and send the arguments through the remove event tho :v
Report Abuse
MarcusDomitiusScipio is not online. MarcusDomitiusScipio
Joined: 11 Aug 2009
Total Posts: 331
17 Apr 2016 08:43 PM
wiki.roblox.com

Start from the beginning.
Report Abuse
ray_1 is not online. ray_1
Joined: 18 Feb 2011
Total Posts: 464
17 Apr 2016 08:44 PM
yes they can
master hacker cntkillme can confirm


Recommended username: RusticRay_1


Report Abuse
Soybeen is not online. Soybeen
Joined: 17 Feb 2010
Total Posts: 21462
17 Apr 2016 08:44 PM
Everyone thank Marcus for his useful input! :D :D :D


Report Abuse
mycheeze is not online. mycheeze
Joined: 27 Jun 2011
Total Posts: 6748
17 Apr 2016 08:45 PM
tragiq, so now I know clients can just read my local goodies and always get passed security :V
Report Abuse
cntkillme1 is not online. cntkillme1
Joined: 16 Feb 2012
Total Posts: 592
17 Apr 2016 08:45 PM
"Totally. I could fire up cheat engine, change the values stored on my machine in memory, and then wait for the event to send it to the server."
You can't do that anymore (change your health/similar things by directly trying to search and change the value), they 'obfuscate' the health now via XORing it with a value referenced to by itself. You have to be a bit more elaborate in that (it's still easy, just not as easy).

"If you are not using object values and you have a local script that fires things (such as a humanoid and a float so the server can deal the float damage to the humanoid) would the player be able to tamper with it?"
Well the setup is insecure in the first place. You shouldn't let the client decide how much damage to do.
Report Abuse
LucasLua is not online. LucasLua
Joined: 18 Jun 2008
Total Posts: 7386
17 Apr 2016 08:45 PM
The values are still stored in memory on the client, so yeah.
Report Abuse
cntkillme1 is not online. cntkillme1
Joined: 16 Feb 2012
Total Posts: 592
17 Apr 2016 08:46 PM
"tragiq, so now I know clients can just read my local goodies and always get passed security "
They can't read your localscripts/modulescripts, Roblox 'patched' that a long time ago by compiling all localscripts/modulescripts on the server and only sending the bytecode (which actually might be encrypted) to the client.
Report Abuse
Soybeen is not online. Soybeen
Joined: 17 Feb 2010
Total Posts: 21462
17 Apr 2016 08:47 PM
I only have 5 value presets for quote unquote "loadouts", different types of damage resistance, health & speed effectors, etc. I could probably just make a key for each preset that is sent, and leave all value inscribing to the server.




Report Abuse
LucasLua is not online. LucasLua
Joined: 18 Jun 2008
Total Posts: 7386
17 Apr 2016 08:47 PM
I remember changing my money in tycoons using the usual "donate" tools that let you send money to other people. I find my money in memory, change it, and then use the donate tool to update the server's value. ;)
Report Abuse
cntkillme1 is not online. cntkillme1
Joined: 16 Feb 2012
Total Posts: 592
17 Apr 2016 08:48 PM
'I remember changing my money in tycoons using the usual "donate" tools that let you send money to other people. I find my money in memory, change it, and then use the donate tool to update the server's value. ;)'
'You can't do that anymore'

I already told you, a lot of properties are no longer stored as-is.
Report Abuse
cntkillme1 is not online. cntkillme1
Joined: 16 Feb 2012
Total Posts: 592
17 Apr 2016 08:49 PM
Well, a lot of properties that hold floats/doubles/ints (if not all). Things like Parent/Name/etc. are still stored as you would expect.
Report Abuse
mycheeze is not online. mycheeze
Joined: 27 Jun 2011
Total Posts: 6748
17 Apr 2016 08:49 PM
cn & lucas are really helpful with this stuffs :v

>To bad I don't have a pepe frand who uses CE to ask them dis stuffs
Report Abuse
LucasLua is not online. LucasLua
Joined: 18 Jun 2008
Total Posts: 7386
17 Apr 2016 08:51 PM
I just came back after being gone for at least 6 months. lol

Just reminiscing at this point anyway. Ah, the good old days where engine exploits where literally everywhere...
Report Abuse
Soybeen is not online. Soybeen
Joined: 17 Feb 2010
Total Posts: 21462
17 Apr 2016 08:51 PM
Yeah,

The 'keys' for the server-held presets can be an int value decided by the client, then approved by the server. That should work.


Report Abuse
cntkillme1 is not online. cntkillme1
Joined: 16 Feb 2012
Total Posts: 592
17 Apr 2016 08:52 PM
It's still very easy to create exploits, it's just not as easy to create 'good' ones (albeit I'm sure it's still easy for people like t0t0/booing/etc.).
Report Abuse
Previous Thread :: Next Thread 
Page 1 of 1
 
 
ROBLOX Forum » Game Creation and Development » Scripters
   
 
   
  • About Us
  • Jobs
  • Blog
  • Parents
  • Help
  • Terms
  • Privacy

©2017 Roblox Corporation. Roblox, the Roblox logo, Robux, Bloxy, and Powering Imagination are among our registered and unregistered trademarks in the U.S. and other countries.



Progress
Starting Roblox...
Connecting to Players...
R R

Roblox is now loading. Get ready to play!

R R

You're moments away from getting into the game!

Click here for help

Check Remember my choice and click Launch Application in the dialog box above to join games faster in the future!

Gameplay sponsored by:
Loading 0% - Starting game...
Get more with Builders Club! Join Builders Club
Choose Your Avatar
I have an account
generic image