How does making client scripts, joining a server and cheating work?

How does this work

I have 0 experience with coding cheats for gmod, and I’m not really interested, but I do tend to get curious on how alot of things work and how, one of the main reasons I like programming,

So, did this person just make a random .lua file, I assume in the Lua file he added a console command to link to his function then binded it in game yes? then in the function it had spawn entity (shipment name) * 10 where his eye trace or something like that right?

I would like to know how it works, I don’t want to use it or I don’t need the code, just how it works,
Same with the ATM one, does anyone have the file for the bruteforcer? cause I wanna read the source code,
I get very interested on how something works and I’m very curious,

Most likely there is sv_allowcslua 1 on this server and the shipment mod doesn’t have secured networking.
It’s quite easy, I’ve used a similar thing like this to give myself infinite cash on a server using X Hitman by Wolf Halez

As far as I’m aware, you need to over ride the console setting sv_allowcslua with a memory editor or module. from there you just run whatever code you want. In terms of cheating, this usually means intercepting net messages and changing their functionality.

How would one go about making networking secure?

I’m assuming the shipments are created from clientside and then sends a net message to the server to actually create the entity. They couldn’t spawn those clientside, so they must be sending a net message to the server to create the shipment regardless if they meet the requirements to spawn one. That’s just what it seems like to me though.
If that’s the case, you’d want to find where the net messages are received for creating the shipment, and modify it in a way to ensure the player meets the requirements to spawn it.

I’m not really interested in bypassing sv_allowcslua and such, I’m not interested in making and using hacks, I’m more interested on learning how it works, education purposes

You can’t create entities that will be networked from the client. It will most likely be a concommand that hasn’t got enough checks, or something along those lines.

Don’t trust user-input. If a client sends data to the server saying drop a crate ( or 20 ) here, trust me, I paid for it… and the server trusts it without question; that’s insecure. That’s what appears to be happening in the video.

Make sure data is verified, and never trust user-input.

I’m interested now, would you mind sharing the story Ace?

The ATM hack is very simple. It’s a bruteforce script that basically tries 0000 through 9999 on a certain players atm account which is easily accessible through console. The atm script requires the user to be near the machine to input a pin. Then all the attacker has to do is try 9999 codes at very quick speeds. This only takes about a minute.

He’s not telling a story, he’s pretending to be the client saying “here, trust me, I paid for it” with terrible grammar.

Ah, I thought he meant he paid for it through a personal experience. Oops.

Yes and no.
If you aren’t going to trust user-input, you can aswell disable all derma and concommands (which would basically make the gamemode unplayable).

The whole point is to run safety checks on the servers side and keep sv_allowcslua set at 0.
If someone manages to cheat throught it - you can report him to Garry and he’ll get VAC banned for using 3rd party software to bypass it.

DarkRP has a command called /makeshipment I think he is exploiting that one, maybe it have some leaks.

it’s a coderhire addon he’s exploiting, just like how me and the other ignogs exploited some atm mod that made a grand or so on coderhire. basically, you run a lua script that calls a modified net message that basically tells the server to do something that it really shouldn’t be doing, but FUCK serverside checks right?

I think the creator of that addons 3d car dealer (if it’s the same one) had nasty ones too, we were deleting/stripping players weapons, and then eventually just deleting every entity.

rocketmania doesnt believe in serverside verification

urghh you guys, you make me cringe whenever you try to talk about hacks / exploits.

basically everyone is a shit coder these days so this happens:

[lua]
if SERVER then
net.Receive(“GiveMoney”, function(ply)
local amount = net.ReadInt(16)
ply:RemoveMoney(amount)
end)
end

if CLIENT then
local function myMenu()
– … dframe shit
local amount = 500
if amount < 0 then return end – hehe, that’ll stop them sending negative money!!
net.Start(“GiveMoney”)
net.WriteInt(amount, 16)
net.SendToServer()
end
end
[/lua]

[lua]
– my pro hack.lua
– give yourself 99999 cash.
net.Start(“GiveMoney”)
net.WriteInt(-99999, 16)
net.SendToServer()
[/lua]

I knew a guy that didn’t believe in showers.
Now he is living in the woods with other hippies.