14 Jul 2016 08:41 PM
They're getting smarter and have only fairly recently started exploiting remote input and other things that replicate.
For example, PF is having a bunch of hackers doing stuff with the camera and such. Berezaa is having people teleport ores to them.
Are we going to just have to live with these exploiters and just have a dedicated security person or two for popular games? What do you think we can do additionally? Remote input validation doesn't seem to be enough when most people implement it. What if someone sends input that causes an error? Et cetera.
Klink45
Joined: 06 Jun 2011
Total Posts: 26054

14 Jul 2016 08:42 PM
Wow, so they can break into games with FE now? rip
u sicko!

14 Jul 2016 08:43 PM
Well...yes and no. Filtering still WORKS, and it will probably be very rare, if it ever happens, that someone has an exploit that bypasses it. However, the problem is that however much FE does, there are still other problems.

14 Jul 2016 08:44 PM
yeah, FE can be disabled and LoadString enabled using RC7 and DLL injectors, because DLLs that have the same names as legitimate DLLs override the memcheck.
https://www.roblox.com/meme-item?id=442305757

14 Jul 2016 08:44 PM
So they can exploit remote input? Cool...just make sure the remote input is double-checked by the server.
kools
Joined: 11 Jan 2009
Total Posts: 1659

14 Jul 2016 08:45 PM
You can try and eliminate exploiters with an instant vote-kick system, it will get to them faster than ROBLOX's "report abuse" flow.
You can also trust the client less and less with FE.
There will always be an exploit; it's important to know that all you can do is patch. Sometimes it's not worth it, because unless there is a competitive scene to uphold, players are only hurting their own experience.

14 Jul 2016 08:48 PM
@pinballboy7
There are a few problems with that. First off, let's say someone wants a mobile ads system. How do they tell the server? They NEED an ad money event even if it isn't called that. They can have a throttle queue server-side, but this is just more work for the developer.
What if I pass them garbage input? What if I TRY to make it break? What if it's expecting one data type and I pass an entirely different one? We can wrap it in a giant pcall, I suppose, but that's another threat. Malicious users (competitors of your game too) could go into lots of servers and break core functionality.
I suppose we could all wrap it in a giant pcall, but sometimes there's a lot more you could need to verify than something easy like a shop GUI event.
kools
Joined: 11 Jan 2009
Total Posts: 1659

14 Jul 2016 08:51 PM
@RangerDelta
That's an interesting idea. I would have never thought to sanitize and validate all user input in ROBLOX. But there will always be methods in Lua to check types, the existence of keys, et cetera. Don't fear. No need for the large pcall.

14 Jul 2016 08:52 PM
we're pretty much hopeless until roblox patches
Add 13,000 posts

14 Jul 2016 08:54 PM
no we aren't, everything is handled by the server for my stuff, and if a player even tries to inject a script, they are kicked.

14 Jul 2016 08:55 PM
"no we aren't, everything is handled by the server for my stuff, and if a player even tries to inject a script, they are kicked."
you should share that injection kicking code brother
!!

14 Jul 2016 08:57 PM
I think wrapping your remote input handling in pcalls is probably pretty wise and when there's an error save the player and the error to a Trello or something.
@iJacobness
EVERYTHING is handled by the server? How is EVERYTHING handled by the server?

14 Jul 2016 08:57 PM
Because now you need to check for EVERYTHING, and a pcall is much simpler than checking for the type of the data and every possible error condition.

14 Jul 2016 08:58 PM
That was a bit of an overstatement, I suppose; the only stuff really handled by the client is GUIs and control input.

14 Jul 2016 09:00 PM
Well, let's say you have a shop. It's going to try to find the string value passed to it on the server-side shop because you're smart and didn't let the client tell you about the data of the item it wants to buy.
It expects a string name. Someone with a game similar to yours is mad and wants to beat you because you're a way better scripter. He hires exploiters to ruin player experience, and go pass instances where a string is expected. That sort of thing.
I have been in the game development community as some of you have known and I think that could definitely happen.
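
The server-side handling these posts argue about, as an added example that is not code from anyone in this thread: the shop handler looks the item up in a server-owned catalog, type-checks the argument with plain Lua before touching it (so an Instance, a table or nil where a string is expected is rejected rather than thrown on), rate-limits per player, and only then wraps the real work in a pcall and records the player plus the error, counting strikes toward a kick. Everything is plain Lua 5.1 so it runs outside Roblox; the catalog, prices, strike limit and the player stand-in are constructed for illustration, and the RemoteEvent wiring at the end is an assumed, commented sketch of how it would attach in Roblox.

```lua
-- Added example, not from the thread. Plain Lua 5.1: only the commented
-- block at the end uses the Roblox API. Catalog, prices, limits and the
-- player stand-in below are constructed for illustration.

-- The server owns the catalog; the client may only name an item.
local CATALOG = {
    Sword  = { price = 100 },
    Shield = { price = 250 },
}

local MAX_STRIKES  = 5    -- rejected/erroring requests before a kick (assumed)
local MIN_INTERVAL = 0.5  -- seconds between accepted requests per player (assumed)

local strikes  = {}  -- UserId -> count of bad requests
local lastCall = {}  -- UserId -> time of last accepted request
local coins    = {}  -- UserId -> server-side balance (a DataStore in a real game)

-- Explicit checks, in order of cost: type, length, catalog key, rate, funds.
-- None of these can throw on hostile input (Instance, table, nil, huge string),
-- so no pcall is needed just to survive it.
local function validatePurchase(player, itemName, now)
    if type(itemName) ~= "string" then
        return false, "expected string, got " .. type(itemName)
    end
    if #itemName > 64 then
        return false, "item name too long"
    end
    local item = CATALOG[itemName]
    if item == nil then
        return false, "unknown item"
    end
    local last = lastCall[player.UserId]
    if last ~= nil and now - last < MIN_INTERVAL then
        return false, "rate limited"
    end
    if (coins[player.UserId] or 0) < item.price then
        return false, "insufficient funds"
    end
    return true
end

-- The actual work, run only on validated input.
local function applyPurchase(player, itemName, now)
    coins[player.UserId] = coins[player.UserId] - CATALOG[itemName].price
    lastCall[player.UserId] = now
    return coins[player.UserId]
end

-- Record a bad request against the player; the log table stands in for the
-- Trello board or webhook sink mentioned in the thread.
local function strike(player, reason, log)
    strikes[player.UserId] = (strikes[player.UserId] or 0) + 1
    log[#log + 1] = string.format("%s (%d): %s", player.Name, player.UserId, reason)
    if strikes[player.UserId] >= MAX_STRIKES then
        return "kick"   -- the caller does player:Kick(...) in Roblox
    end
    return "strike"
end

-- Entry point for the RemoteEvent handler. Validation is the primary defence;
-- the pcall is a backstop so a bug in applyPurchase cannot kill the script,
-- and the error is attributed to the player whose request triggered it.
local function onBuyRequest(player, itemName, now, log)
    local ok, reason = validatePurchase(player, itemName, now)
    if not ok then
        return "rejected", strike(player, reason, log)
    end
    local success, result = pcall(applyPurchase, player, itemName, now)
    if not success then
        return "error", strike(player, tostring(result), log)
    end
    return "ok", result
end

-- Constructed offline run standing in for OnServerEvent firing.
local log = {}
local alice = { UserId = 1, Name = "alice" }
coins[alice.UserId] = 300

print(onBuyRequest(alice, "Sword", 10.0, log))   -- valid purchase
print(onBuyRequest(alice, "Sword", 10.1, log))   -- fired again too quickly
print(onBuyRequest(alice, {}, 11.0, log))        -- table where a string is expected
print(onBuyRequest(alice, "Nuke", 12.0, log))    -- not in the server catalog
print(onBuyRequest(alice, "Shield", 13.0, log))  -- cannot afford it
print(onBuyRequest(alice, nil, 14.0, log))       -- nil argument; fifth strike
for _, line in ipairs(log) do print(line) end

-- Roblox wiring (assumed names; not runnable outside Roblox):
-- local remote = game:GetService("ReplicatedStorage"):WaitForChild("BuyItem")
-- remote.OnServerEvent:Connect(function(player, itemName)
--     local status, detail = onBuyRequest(player, itemName, tick(), log)
--     if detail == "kick" then player:Kick("Too many invalid requests") end
-- end)
```

The point of the ordering is that the cheap, non-throwing checks run first and decide most hostile requests without ever reaching code that could error; the pcall then only has to cover the developer's own logic, and because every failure is tied to a UserId, a player who keeps sending garbage is kicked after a handful of attempts instead of being allowed to probe indefinitely.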

14 Jul 2016 09:05 PM
it's just gonna lag his client, as long as FE is enabled.
also, narwhal. stuff is stored in the CoreGui.

14 Jul 2016 09:07 PM
Not sure how anything would lag their client...no...they can send remote input...you need to handle it with REs/RFs, which can be fired.
kools
Joined: 11 Jan 2009
Total Posts: 1659

14 Jul 2016 09:07 PM
That is one type check. Though, ROBLOX should find some way for scripts to fail silently. (Like a debug mode)

14 Jul 2016 09:09 PM
So don't even check for a remote event unless one is fired before that; one that is hidden or something. Then exploiters probably won't know which one is which, and mess up.

14 Jul 2016 09:10 PM
i feel like the biggest issue is that exploiters can fire RFs/REs

14 Jul 2016 09:11 PM
iJacobness no offense you are honestly speaking gibberish right now. They WILL find your RemoteEvent / RemoteFunction no matter what, security by obscurity never worked for anyone and it only harms the developer. Not sure what you mean by don't even check....check what....

14 Jul 2016 09:11 PM
@Lord_Narwhal
Well at the end of the day as others have stated as long as they have local script execution they can do anything a client can and it must be this way, which also means that they can fire remote input.
lolb3
Joined: 16 Jan 2010
Total Posts: 2268

14 Jul 2016 09:12 PM
you can literally just stop a script

14 Jul 2016 09:12 PM
I know, I suck at explaining things. But unless your remote event does something huge, it's not gonna make any lag.