ROBLOX Forum » Game Creation and Development » Scripters
Re: Scripters, let's have a discussion about exploiters

RangerDelta is not online. RangerDelta
Joined: 10 Jul 2016
Total Posts: 1194
14 Jul 2016 08:41 PM
They're getting smarter and finally have started only fairly recently to start exploiting remote input or other things that replicate.

For example, PF is having a bunch of hackers doing stuff with the camera and such. Berezaa is having people teleport ores to them.

Are we going to just have to live with these exploiters and just have a dedicated security person or two for popular games? What do you think we can do additionally? Remote input validation doesn't seem to be enough when most people implement it. What if someone sends input that causes an error? Et cetera.


Report Abuse
Klink45 is not online. Klink45
Joined: 06 Jun 2011
Total Posts: 26054
14 Jul 2016 08:42 PM
Wow, so they can break into games with FE now?
rip

u sicko!
Report Abuse
RangerDelta is not online. RangerDelta
Joined: 10 Jul 2016
Total Posts: 1194
14 Jul 2016 08:43 PM
Well...yes and no. Filtering still WORKS and it probably will be very rare if it ever happens that someone has an exploit that bypasses it. However, the problem is that however much FE does, there are still other problems.





Report Abuse
InsidersNetwork1001 is not online. InsidersNetwork1001
Joined: 25 Nov 2013
Total Posts: 1875
14 Jul 2016 08:44 PM
yeah FE can be disabled and LoadString enabled using RC7 and DLLInjectors because DLLs that have the same names as legit DLLs override the memcheck.


https://www.roblox.com/meme-item?id=442305757
Report Abuse
pinballboy7 is not online. pinballboy7
Joined: 12 Mar 2009
Total Posts: 1485
14 Jul 2016 08:44 PM
So they can exploit remote input? Cool...just make sure the remote input is double-checked by the server.
Report Abuse
kools is not online. kools
Joined: 11 Jan 2009
Total Posts: 1659
14 Jul 2016 08:45 PM
You can try and eliminate exploiters with an instant vote-kick system, it will get to them faster than ROBLOX's "report abuse" flow.

You can also trust the client less and less with FE.

There will always be an exploit, it's important to know that all you can do is patch. Sometimes it's not worth it, because unless there is a competitive scene to uphold, players are only hurting their own experience.
Report Abuse
RangerDelta is not online. RangerDelta
Joined: 10 Jul 2016
Total Posts: 1194
14 Jul 2016 08:48 PM
@pinballboy7

There are a few problems with that. First off, let's say someone wants a mobile ads system. How do they tell the server? They NEED an ad money event even if it isn't called that. They can have a throttle queue server-side but this is just more work for the developer.

What if I pass them garbage input? What if I TRY to make it break? What if it's expecting one data type and I pass an entirely different one? We can wrap it in a giant pcall, I suppose, but that's another threat. Malicious users (competitors of your game too) could go into lots of servers and break core functionality.

I suppose we could all wrap it in a giant pcall, but sometimes there's a lot more you could need to verify than something easy like a shop GUI event.


Report Abuse
kools is not online. kools
Joined: 11 Jan 2009
Total Posts: 1659
14 Jul 2016 08:51 PM
@RangerDelta

That's an interesting idea. I would have never thought to sanitize and validate all user input in ROBLOX. But there will always be methods in Lua to check types, the existence of keys, et cetera. Don't fear. No need for the large pcall.
Report Abuse
Lord_Narwhal is not online. Lord_Narwhal
Joined: 05 May 2012
Total Posts: 3242
14 Jul 2016 08:52 PM
we're pretty much hopeless until roblox patches


Add 13,000 posts
Report Abuse
iJacobness is not online. iJacobness
Joined: 20 Jan 2014
Total Posts: 4944
14 Jul 2016 08:54 PM
no we aren't, everything is handled by the server for my stuff, and if a player even tries to inject a script, they are kicked.


r+://393244197r+://393244224r+://393244262
Report Abuse
Lord_Narwhal is not online. Lord_Narwhal
Joined: 05 May 2012
Total Posts: 3242
14 Jul 2016 08:55 PM
"no we aren't, everything is handled by the server for my stuff, and if a player even tries to inject a script, they are kicked."

you should share that injection kicking code brother

!!


Add 13,000 posts
Report Abuse
RangerDelta is not online. RangerDelta
Joined: 10 Jul 2016
Total Posts: 1194
14 Jul 2016 08:57 PM
I think wrapping your remote input handling in pcalls is probably pretty wise and when there's an error save the player and the error to a Trello or something.

@iJacobness

EVERYTHING is handled by the server? How is EVERYTHING handled by the server?


Report Abuse
RangerDelta is not online. RangerDelta
Joined: 10 Jul 2016
Total Posts: 1194
14 Jul 2016 08:57 PM
Because now you need to check for EVERYTHING, and a pcall is much simpler than checking for the type of the data and every possible error condition.


Report Abuse
iJacobness is not online. iJacobness
Joined: 20 Jan 2014
Total Posts: 4944
14 Jul 2016 08:58 PM
That was a bit of an overstatement, I suppose, the only stuff really handled by the client is GUIs and control input.


r+://393244197r+://393244224r+://393244262
Report Abuse
RangerDelta is not online. RangerDelta
Joined: 10 Jul 2016
Total Posts: 1194
14 Jul 2016 09:00 PM
Well, let's say you have a shop. It's going to try to find the string value passed to it on the server-side shop because you're smart and didn't let the client tell you about the data of the item it wants to buy.

It expects a string name. Someone with a game similar to yours is mad and wants to beat you because you're a way better scripter. He hires exploiters to ruin player experience, and go pass instances where a string is expected. That sort of thing.

I have been in the game development community as some of you have known and I think that could definitely happen.


Report Abuse
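The server-side checks discussed in the posts above (type-checking the shop's item name, throttling requests per player, and logging errors caught by pcall together with the player), as an added example that is not code from any poster in this thread. The remote name BuyItem, the ITEMS table and the leaderstats.Coins value are assumptions made for illustration.

```lua
-- Server Script (e.g. in ServerScriptService). Added example; all names are hypothetical.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

local buyItem = Instance.new("RemoteEvent")
buyItem.Name = "BuyItem" -- hypothetical remote name
buyItem.Parent = ReplicatedStorage

-- Prices live on the server only; the client sends nothing but an item name.
local ITEMS = { Sword = 100, Shield = 75 } -- constructed sample data
local MIN_INTERVAL = 0.5 -- seconds between accepted requests per player
local MAX_NAME_LEN = 32
local lastRequest = {} -- [Player] = os.clock() of the last accepted request

-- Returns the price, or nil plus a reason. Never errors, whatever type is passed.
local function validate(itemName)
	if typeof(itemName) ~= "string" then
		return nil, "expected string, got " .. typeof(itemName)
	end
	if #itemName > MAX_NAME_LEN then
		return nil, "name too long"
	end
	local price = ITEMS[itemName]
	if price == nil then
		return nil, "unknown item"
	end
	return price
end

buyItem.OnServerEvent:Connect(function(player, itemName)
	local now = os.clock()
	if now - (lastRequest[player] or -math.huge) < MIN_INTERVAL then
		return -- throttled: drop the request without doing any work
	end
	lastRequest[player] = now

	local price, reason = validate(itemName)
	if not price then
		warn(("BuyItem rejected from %s: %s"):format(player.Name, reason))
		return
	end
	-- pcall wraps only the game logic, so an unexpected error is logged with the player
	local ok, err = pcall(function()
		local coins = player.leaderstats.Coins -- assumed IntValue
		if coins.Value >= price then coins.Value = coins.Value - price end
	end)
	if not ok then warn("BuyItem failed for " .. player.Name .. ": " .. tostring(err)) end
end)

Players.PlayerRemoving:Connect(function(player) lastRequest[player] = nil end)
```

An Instance, table or number sent in place of the item name is rejected by the first check in validate, before any table lookup or game logic runs.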
iJacobness is not online. iJacobness
Joined: 20 Jan 2014
Total Posts: 4944
14 Jul 2016 09:05 PM
it's just gonna lag his client, as long as FE is enabled.

also, narwhal. stuff is stored in the CoreGui.


r+://393244197r+://393244224r+://393244262
Report Abuse
Lord_Narwhal is not online. Lord_Narwhal
Joined: 05 May 2012
Total Posts: 3242
14 Jul 2016 09:06 PM
what


Add 13,000 posts
Report Abuse
RangerDelta is not online. RangerDelta
Joined: 10 Jul 2016
Total Posts: 1194
14 Jul 2016 09:07 PM
Not sure how anything would lag their client...no...they can send remote input...you need to handle it with REs/RFs, which can be fired.


Report Abuse
kools is not online. kools
Joined: 11 Jan 2009
Total Posts: 1659
14 Jul 2016 09:07 PM
That is one type check. Though, ROBLOX should find some way for scripts to fail silently. (Like a debug mode)
Report Abuse
iJacobness is not online. iJacobness
Joined: 20 Jan 2014
Total Posts: 4944
14 Jul 2016 09:09 PM
So don't even check for a remote event, unless one is fired before that; one that is hidden or something. Then exploiters probably won't know which one is which, and mess up.


r+://393244197r+://393244224r+://393244262
Report Abuse
Lord_Narwhal is not online. Lord_Narwhal
Joined: 05 May 2012
Total Posts: 3242
14 Jul 2016 09:10 PM
i feel like the biggest issue is that exploiters can fire RFs/REs




Add 13,000 posts
Report Abuse
RangerDelta is not online. RangerDelta
Joined: 10 Jul 2016
Total Posts: 1194
14 Jul 2016 09:11 PM
iJacobness no offense you are honestly speaking gibberish right now. They WILL find your RemoteEvent / RemoteFunction no matter what, security by obscurity never worked for anyone and it only harms the developer. Not sure what you mean by don't even check....check what....


Report Abuse
RangerDelta is not online. RangerDelta
Joined: 10 Jul 2016
Total Posts: 1194
14 Jul 2016 09:11 PM
@Lord_Narwhal

Well at the end of the day as others have stated as long as they have local script execution they can do anything a client can and it must be this way, which also means that they can fire remote input.


Report Abuse
lolb3 is not online. lolb3
Joined: 16 Jan 2010
Total Posts: 2268
14 Jul 2016 09:12 PM
you can literally just stop a script
Report Abuse
iJacobness is not online. iJacobness
Joined: 20 Jan 2014
Total Posts: 4944
14 Jul 2016 09:12 PM
I know, I suck at explaining things. But unless your remote event does something huge, it's not gonna make any lag.


r+://393244197r+://393244224r+://393244262
Report Abuse