STOP blocking DevTools on your server (And how to bypass the block)

Lately there have been a lot of servers that would kick you for opening devtools. This might sound like an elegant solution for stopping “cheaters” calling your NUI callbacks with their own data. However it ISN’T.


Would you ban knives because people can kill each other with them? No you wouldn’t, you would concentrate on the core of the problem, why do people even kill in the first place. You can’t just ban the tool because it can be used in a bad way. The same thing applies for devtools, you can open devtools on any webpage you visit and can change anything you want. That looks like a big security risk doesn’t it? Yes you could abuse devtools on the web the same way as you can abuse it on FiveM but there’s one big difference, websites do have some standards they follow and the biggest one of them is that you don’t trust the client, you should treat the client only as a renderer and nothing else. Everything else has to be done on the server, except for one thing. You might need to get some data from the client as in an input, for example their name, you can’t just get their name without them giving it to you. That’s when you actually get data from the client, but that doesn’t mean these data are safe, not at all. You should never think that the client will always give you the data you want, you need to always check if the data you got is what you want. The same thing should apply to FiveM, and it does. However people are not following this and actually trust the client, which then results in people sending whatever data they want to the server and the server will actually accept it. For example you have an event which you trigger every time you complete a job, a lot of scripts get the amount of the money it should give you from the client, which means anyone can just call that event and say to the server that it should give you 9 million dollars, and it will! Instead of that bullcrap the server should be the one knowing how much money it should give you.

So what should you do instead of blocking devtools on your server? Protect your NUI callbacks, never send any data from NUI to your server without verifying the data. If you block devtools instead you will most likely just leave these callbacks unprotected, and anyone a little bit smarter can bypass your devtools check as it’s still the client telling the server if you opened devtools or not.


Now I’m going to prove to you that you can very easily bypass your shitty devtools “protection”. There are many ways which could be used to bypass this “protection”.

Just block the request.


In devtools you can easily block any request with a specific url. Open devtools and the network tab before you join the server, then you join the server and get kicked. After you get kicked you should see the request that kicked you in the list, just right click on it and press Block request URL or you can block the whole “domain” to block any request from that resource!

Block “__defineGetter__” in every iframe created


You can also just block the function that even registers if you opened the devtools in the first place. This method is preferred as you don’t need to get kicked. Just open devtools before you join the server and write this code snippet in the console.

let mutation = new MutationObserver(function (e) {
  if (e[0].addedNodes && e[0].addedNodes[0]) e[0].addedNodes[0].contentWindow.Object.prototype.__defineGetter__ = () => {}
});

mutation.observe(document.body, { childList: true });

What does this code do? It listens to any change in the DOM and if there’s any change it will automatically remove __defineGetter__ in that window object. As the only elements that get created at the top context are iframes, we shouldn’t get an element that wouldn’t have contentWindow. And if there is one element that doesn’t, it would just throw an error, however nothing should break.

Just disable javascript lol 4HEad (Not recommended)


When you open devtools and press ctrl shift p a little input box will pop up where you can write Disable javascript and it will completely disable javascript in your NUI. I didn’t test if it breaks anything when you join the server, however expect a lot of shit on the server not working if you do this.

7 Likes
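The job-payout point from the opening post, as an added example that is not part of the original post or of any FiveM resource: a handler that trusts a client-supplied amount next to one where the server owns the payout and checks job state. The handlers are plain JavaScript functions standing in for server event handlers; all names (`PAYOUTS`, `MIN_JOB_MS`, `startJob`, `completeJob`, `completeJobTrusting`) and all values are assumptions.

```javascript
// Added example; every name and value here is hypothetical / constructed.
const PAYOUTS = { trucker: 450, miner: 300 };          // server-owned payout table
const MIN_JOB_MS = { trucker: 120000, miner: 60000 };  // shortest plausible job time
const activeJobs = new Map();  // playerId -> { job, startedAt }
const balances = new Map();    // playerId -> money

function credit(playerId, amount) {
  balances.set(playerId, (balances.get(playerId) || 0) + amount);
  return balances.get(playerId);
}

// Pattern the post warns about: the amount is taken from the client payload.
function completeJobTrusting(playerId, payload) {
  return credit(playerId, payload.amount);
}

// The server records that a job started, so completion can be checked later.
function startJob(playerId, job, now) {
  const known = typeof job === 'string' &&
    Object.prototype.hasOwnProperty.call(PAYOUTS, job);
  if (!known || activeJobs.has(playerId)) return false;
  activeJobs.set(playerId, { job, startedAt: now });
  return true;
}

// Hardened handler: payload.amount is never read; the server decides the payout.
function completeJob(playerId, payload, now) {
  const active = activeJobs.get(playerId);
  if (!active) return { ok: false, reason: 'no active job' };
  if (!payload || payload.job !== active.job)
    return { ok: false, reason: 'job mismatch' };
  if (now - active.startedAt < MIN_JOB_MS[active.job])
    return { ok: false, reason: 'completed too fast' };
  activeJobs.delete(playerId);              // one payout per started job
  const amount = PAYOUTS[active.job];
  credit(playerId, amount);
  return { ok: true, amount };
}
```

With the hardened handler, whether devtools is open no longer matters: a forged payload can at most claim the payout the server would have granted anyway.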

thank you !!

The only reason I’d see people blocking devtools is to try and prevent people from dumping NUI code. Which, even if it’s easy to bypass… it’s better than nothing

As we are discussing JS here. Can anyone suggest a JS based encryption which can basically hide all the callbacks? Sometimes it’s very hard to “stop” data transfers done via JS as at least some data needs to be transferred in scripts like character selection, inventory etc

1 Like

tell me please what information about inventory should be sent from NUI except for this?



is this that confidential?

This post triggers me.

Data transfers in JS aren’t the problem. The problem is that the data transfers aren’t being verified and validated before execution. Obfuscation still isn’t a solution.

I was trying to research how I could verify that the triggers are done via script itself and not anything else.

You can’t, just don’t trust the client and validate data.

I need a video that summarizes the steps : (

1 Like

The best way for me is to open devtools on the loading screen, stop on debugger options, wait for the game to load and delete the iframe element of the “detector”.
Most devtools “detectors” use log functions to detect it, so join the server without devtools, see which resource name logs something suspicious and do that.

1 Like

Is there any new method? This is patched by cfx itself

New method for what? Detecting if a client is currently using devtools? If so, why would you ask such in a thread that tells you not to do it. Have you even read the content at all or just blindly read the title and saw some random code thinking this blocks devtools?

Bypass for:

used by most of the servers.

const originalDefineProperties = Object.defineProperties;

let mutation = new MutationObserver(function (e) {
    if (e[0].addedNodes && e[0].addedNodes[0]) e[0].addedNodes[0].contentWindow.Object.defineProperties = function(obj, props) {

        if (props.hasOwnProperty('message')) {
          console.log('Object.defineProperties called on an Error object');
          return null;
        }
        
        return originalDefineProperties.apply(this, arguments);
    };
});

mutation.observe(document.body, { childList: true });

I’ll never understand why you people are so determined to help troublemakers get past any NUI blocking tools

people who use this tool on a server that doesn’t belong to them never have any good intentions, and no I don’t have any callbacks or exploits with my NUI, I simply don’t feel comfortable with the fact that literally anyone (even without cheats thanks to Poggu) can mess around with my htmls and steal them if he wanted to. this post is ridiculous and only serves people who want to ruin things for others.

also I am sure a lot of hackers are thankful for this guide since they use Devtools in order to disable screenshot-basic from what I heard so thanks a lot…

I got banned on many servers for opening NUI Dev tools. There are some new anticheats that will ban you for opening it, which I find very counterintuitive as it’s not the best practice to ban just based off of opening NUI Dev tools.

What are you even talking about?
The solution he provided here to bypass “anti devtools” is something that everyone with a bit of JavaScript knowledge should be able to do.
If you don’t want people to exploit your server then write better code.
Maybe we should ask big websites like Amazon or Ebay to disable dev tools because people can abuse it… oh never mind they make server-side checks.

most cheaters don’t have that knowledge so why provide it to them? you feel like helping them out?

and that ebay / amazon joke isn’t relevant here you are comparing major companies who have developers with skills above and beyond the skills that the average server owner has

as i said this topic is a life saver for hackers with crappy menus that are visible on screenshot-basic OCR etc

I assume you are a server owner so write good code / make sure your developers write good code and you are good to go :)
About your screenshot-basic script - it’s indeed a problem but you can still solve it by making some checks.
Also, even if you block devtools entirely there are still some methods to do those types of things, so my point is to think outside the box, the cheating community is always becoming better and better and you should too.

as i said this isn’t an issue for my server, my code is well protected against Lua executors and anyone who messes with the devtools

not to mention that either way this allows a bigger “audience” to steal my htmls rather than just pros, any amateur can do that if he reads this post.

i just don’t see why you’d just hand over the information the cheating community wants like that that is all.

1 Like