A complete guide ~ How exploits work & how to best prevent them

Can you patch dex? Or detect when new things enter Core GUI

you could try something like

-- IsProbablyBad and flagPlayer are placeholders the poster left undefined;
-- the point is to inspect every new descendant of CoreGui as it appears.
game.CoreGui.DescendantAdded:Connect(function(child)
    if child:IsProbablyBad() then
        flagPlayer()
    end
end)

keep in mind though that an exploiter could simply do this to get around it:

for i, Connection in pairs(getconnections(game.CoreGui.DescendantAdded)) do
    if Connection.SomeCodeSignature == "\x35\x41\xDE\xAD\xBE\xEF" then
        Connection:Disconnect()
    end
end

Not possible. It would deprecate older games with inactive devs, and I don’t think adding a new remote instance to make this solution is very reliable, as an exploiter could just hook their remote firing events and fake their script instance.
Your best bets are to just

  1. not allow remotes to do anything that grants insane powers (such as GetAdmin:FireServer())
  2. for sensitive remotes, such as stuff to do with shops and cash, be sure to write at least basic encryption for them, and do server checks to make sure it’s nothing outrageous (like if someone buys something for negative cash, then their cash would actually increase, so check the cash that they’re spending)

What do you mean? should I replace with Dex’s name?

no, you need more in depth checks, because you could just do this

local dex = Instance.new("ScreenGui")
dex.Name = tostring(math.random()) -- a random name defeats any check that looks for "Dex"

...

dex.Parent = game.CoreGui

In general, Roblox players more often use Synapse, an exploit program. But the good news is that it is a local script, and exploiters can’t run scripts. But unfortunately there is a way:
The exploiters can fire RemoteEvents:

game:GetService("ReplicatedStorage"):WaitForChild("remoteEvent"):FireServer()

with a server handler like:

remoteEvent.OnServerEvent:Connect(function(player)
    player.leaderstats.money.Value = player.leaderstats.money.Value + 10
end)

but I use different methods.


Or make them miserable. Make them think that they’ve gotten away with it. Right when they think they’ve won, delete their progress and make them miserable poor souls. Take no mercy…

They don’t even need to do that, they can still do workspace, as it’s a forced function. Workspace will always refer to the workspace no matter the name you give it.

Exactly, keep a simple client-sided anti cheat which wipes out the script kiddies and also include a server sided one for general protection.

As for remotes, I make the server decide whether events should be handled or not (debouncing, attack cooldowns, etc.), not the client.

In my game, still in development, I’m creating a series of ‘traps’ to block exploiters, detecting within Server Script some illicit code created in LocalScript.
Once the exploiter is detected, it is banned and its activity is recorded in a log in the DataStore.
So far, I think this is all standard procedure.

My concern is: is there any automatic way to report the exploiter to Roblox, thus forcing your account to be locked, thus preventing this exploiter from remaining active on the network and creating more problems?

I know a lot about this topic. Since I have exploited in the past. You might as well not try to make an anti cheat on the client that is undetectable. Detecting hooking requires way too much effort and it isn’t worth the time. I don’t know how hazzelwood managed to accomplish this for strucid.

Exploiters are getting stronger and stronger; most anti-cheats hardly detect player cheating. For example, the BedWars game doesn’t even detect speed hacks. Roblox allowed us to open CoreScript, which is a Roblox file; if I am right, then the Roblox file is the key to accessing higher-level scripts. The only best option is to minimize the tasks done by the client. I just found out ReplicatedStorage is a bit unsafe: they can fire to another client and can fire it themselves. A safer place to put an event is in Workspace.

My method to prevent hackers from randomly firing remote events without authorization:

  1. Once the server starts running, change all remote instance names to random ones in a loop every 5 seconds.

  2. You need to keep 1 remote function that is specially named ‘GetRemote’.

  3. If a player joins, the server must allow the newly joined player to get all remotes as fast as possible.

  4. Once the player has got all remote functions, the server will not allow the player to get remotes anymore.


Inefficient check, they can set their humanoid state to Physics and use CFrame to move like god speed without changing AssemblyLinearVelocity.

All of these are just minor inconveniences to exploiters and will eventually be bypassed. All you’re doing here is creating more work for yourself as a developer.

The best thing you can do to secure your games is sanity checks — that is to say you verify the information the client is requesting to/from the server.

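The sanity-check approach described in the post above, together with the earlier points about server-side checks on shop remotes (negative cash) and server-side debouncing, as an added example that is not code from this thread. It assumes a RemoteEvent named "BuyItem" in ReplicatedStorage and a leaderstats IntValue named "Cash" on each player; both names are assumptions.

```lua
-- Added example (not from the thread). Assumed names: a RemoteEvent
-- "BuyItem" in ReplicatedStorage and a leaderstats IntValue "Cash".
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local Players = game:GetService("Players")

local buyItem = ReplicatedStorage:WaitForChild("BuyItem")

-- Server-owned price list: the client never tells the server what an item costs.
local PRICES = {
	Sword = 100,
	Shield = 250,
}

-- Per-player cooldown so the server, not the client, rate-limits purchases.
local COOLDOWN = 0.5
local lastPurchase = {}

-- The pattern to avoid: it trusts the price sent by the client, so a
-- negative price makes "cash - price" grow instead of shrink.
local function unsafeHandler(player, itemName, price)
	local cash = player.leaderstats.Cash
	cash.Value = cash.Value - price
end

-- Hardened handler: every value is validated on the server before any effect.
local function safeHandler(player, itemName)
	if typeof(itemName) ~= "string" then return end       -- reject wrong types
	local price = PRICES[itemName]
	if price == nil then return end                        -- unknown item
	local now = os.clock()
	if lastPurchase[player] and now - lastPurchase[player] < COOLDOWN then
		return                                             -- server-side debounce
	end
	lastPurchase[player] = now
	local cash = player.leaderstats.Cash
	if cash.Value < price then return end                  -- cannot afford it
	cash.Value = cash.Value - price                        -- only now charge the player
	-- grant the item here
end

buyItem.OnServerEvent:Connect(safeHandler)

Players.PlayerRemoving:Connect(function(player)
	lastPurchase[player] = nil -- drop the cooldown entry when the player leaves
end)
```

Because the server ignores everything but the item name, renaming remotes or obfuscating the client adds nothing: a forged FireServer call can at most buy an item the player can already afford.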

Can’t you just check their ping, and scale the offset value off of that?