A complete guide ~ How exploits work & how to best prevent them

Well, if the player exploits on a game with my anticheat in set, then, the player gets banned permanently, and the ban gets saved to the game’s datastore, so it will permaban them from ALL servers.

1 Like

The banning itself (and the administration which you implied by saying “admin”) isn’t the anti-cheat though. The measures you’ve previously mentioned are either ineffective or create false positives, so I’d be careful if you’re still using them.

If any false positives happens, i can add a notification to let both administrators and normal players to be warned that if something bad happens to them, they get falsely banned. However, the ban can be undone by using datastore editor, the downside to it is having 150 robux.

1 Like

Yes but that contradicts what I am saying, I am explaining how to get the Name of the workspace while it is randomly changed rather than an object or instance in workspace

This is actually similar to one of the many methods I use to detect Dex, or any other CoreGui parented exploit.

Seeing as exploits can edit CoreGui, spawning errors are actually useful, as you can compare them for any inconsistencies, then kick an exploiter before they can even cause an issue, as interacting with any CoreGui element whilst injected, most of the time, will kick you.

I actually managed to break dex’s decompiler entirely preventing them from reading any of my module scripts / local scripts.

How did you do that? As I am curious, if you don’t mind, would discussing the details of your methodology in private be alright? I’ll shoot you a DM on here with my communication name and the numbers on said preference.

1 Like

I am sure it‘s better to explain it there, do you know how much this is important? Other devs really would learn from this.

Theres another possibility. They can use the workspace function, which instantly gets the workspace. It is also possible that they can use workspace.Name.

2 Likes

He probably did not break DEX. But rather the LuaU decompiler of an exploit.
The method probably works by having Lua code which somehow messes up the conversion and/or decompilation. It is probably done by having too many variables in some way as many decompilers have a limit for it.
I don’t suggest you use anti-decompile methods though because an exploit creator can patch the method and they don’t even need to decompile the script for exploiting it.

Error logging is a great thing. But remember exploiters can easily patch ScriptContext error detection by just hooking to the error event and removing all events which are generated by exploits.

1 Like

I don’t suggest you use anti-decompile methods though because an exploit creator can patch the method and they don’t even need to decompile the script for exploiting it.

I wouldn’t worry too much. Dex has not been updated in months and searching it on google provides you with an old version. Even if the script executor has a built-in script hub with Dex, they’ll need to update that too.

But the thing is. It is likely that the script breaks the decompiler of an exploits not Dex. High quality exploits will patch these methods if they become public.

Just adding onto this, scripts never implement their own decompilers. They are always provided by the exploit, and a lot of exploits tend to be made by highly competent people constantly updating them. Just follow best practices.

4 Likes

For this issue, it’s way easier to just check the X and Y coords, while letting raycasting handle the Y coord (flying, jump height, etc)… with that being said, you should not kick the player the first time it triggers.

I apologize, I meant to check the X and Z coords, as the player walks on these coordinates, which means it ignores falling, jumping, etc.

My anticheat works somewhat like this:

check every players dX and dZ coordinates every second, if theyre above the max walkspeed (something like 25) ± a few studs/sec for lag, I flag them and if it happens again theyre kicked and logged

But I disable it only when there’s a server-wide command, like i’m teleporting everyone back to the lobby so ill fire a BindableEvent located in ServerStorage to let the anticheat script know to ignore the logs for a few seconds.

2 Likes

All this could be fixed if FireServer() Automatically Passes the Player AND the Script that fired it, The Server can then Check if the Script is nil or if it’s parent is also nil.

If it is , then it is possibly an exploit.

If Roblox does add this , then yes , it will break many games , but it would be a simple fix by putting a comma and an extra argument. This will also ensure that scripts that fire remotes must at least have a parent of some sort instead of having nothing or nil as a parent.

That can stop a lot of exploiters who like to fire things in their tracks!

Roblox has no way of doing this. Their code isn’t magically immune to exploiters changing it.

The only reason Player can’t be spoofed is because the server has an open connection to the client and can verify that it matches the real one. A script is completely stored in the client, and can not be verified.

3 Likes

But Aren’t Both Players and Scripts Instances? Anything could be passed from the client to the server and so forth.

Im pretty sure you can pass an instance of a script to the server , or at least SOME type of connection with the script for the event that it fired.

If it can be done with players Automatically , Im pretty sure they can do that as well.

There should be data on where the connection from the fired event came from anyways.

In the simplest terms I can put it: it’s not possible at all.

It’s not about instances or Roblox event connections. I’m talking about the actual connection over the internet from the player’s computer and the server. Since the client has already verified who they are to the server (via security cookie), the server can verify that the player instance sent is the same as the one that was verified.

There is no such thing for other instances, as they exist entirely in the memory of the client.

3 Likes