A Guide to Making Proper Anti-Exploits

In a localscript? Can’t that be exploited

I’m not sure how can server REPLICATE THE HUMANOID PROPERTIES FROM THE CLIENT… But I’mma test it it might be cool and easier for anti cheats

all my example code avoids using properties or methods that potentially rely on the client for information, and I am fairly certain the client determines the FloorMaterial property because it makes no sense for the server to calculate this information, which is why I opted for using my own raycast in that example. I also specifically stated in a section of my guide that the client controls states, so exploiters can spoof that state to bypass a state check.

that still relies on the client, which means it isn’t reliable at all and can be spoofed by exploiters. My entire guide went over the fact that the client cannot be trusted at all.

All good tips from you but I must imply you try this detection script I found.
Powerful exploit detection, simply just add it into a local script. The creator did get banned for this item so do be castious!

This relies on a client-side check, which can be disabled easily by an exploit. My entire guide goes over the very fact that client-side anti-exploits are close to completely useless. It was also stated by someone in that post that this relies on undocumented client behaviour that can change at any time and immediately break the check, causing it to potentially trigger false positives for every player trying to join your game.

I understand where you’re coming from with the client side disabling part but how can I remove a game’s anti-cheat scripts on the client if my injector can’t successfully execute any code?

Proof

Proof

I want to say that this place was made using different people anti-exploit guide and it even has some code develop from your guide but the link that I provided has been the best overall in detection. Even without this script the game still has great security measure from you and other guides and I do thank you for that! :smiley:

that video doesn’t prove anything, you showed something that ran obfuscated code so it’s difficult to determine whether or not it works against all script injection, and even for that matter, all it takes is for the developers of the script injectors to create something at their level which prevents this check from working.

EDIT: what I mean by the obfuscated code not proving it works is that since I can’t tell if the obfuscated code makes any attempt to disable the anti-exploit, it cannot be proven that it does actually stop the anti-exploit

Most modernish exploits have autoinject, which I think can inject the exploit before any Luau code runs. Have you tested that?

With Luau going open source, I don’t think its unreasonable that your method will be fixed soon. Exploits just have to start using the Luau rather than Lua.

Great question and what a good point to make!
Well my answer for you is… Yes!

What's words without proof right?

I did test for false positives haven’t gotten any, still working to find any.

But just as stated

Sadly what @Reapimus said is true, but its good to have this code still to show you that you could or may I say could have check for injections.

1 Like

Have you tested a case where the injected code tries to disable the check before it can fire?

1 Like

To be honest I think that would be useless to do as you already mention

And I’ve tested the script with other executor’s and they easily bypass the script and can be removed client sided but still it was a good script. Still you way is the “Proper way” :wink:

Though, the creator can multithread by coroutine.wrap so if the script is deleted, the code still runs

1 Like

I tested this case just now and it seems that this behaviour was either never a thing or it was fixed at some point by Roblox, so this wouldn’t be an option (I tested deleting a script in one case, and disabling it in another).

This is great base system for an anti cheat but, the no clip sends lots of false positives… not sure if I am doing something wrong, had to slightly adjust to not cause errors.

local cast1 = workspace:Raycast(playerState.lastPosition, CFrame.lookAt(playerState.lastPosition, character.PrimaryPart.Position).LookVector, playerRaycastParams)
			local cast2 = workspace:Raycast(character.PrimaryPart.Position, CFrame.lookAt(character.PrimaryPart.Position, playerState.lastPosition).LookVector, playerRaycastParams)

		
			if cast1 then
				if cast2 then -- if cast1 and cast2 exist
					local depth = (cast1.Position - cast2.Position).Magnitude
					if depth > THRESHOLD then
						print("The player triggered the check!")
					end
				else -- if cast1 exists, but not cast2
					print("The player is likely inside of the object!")
				end
			end

That’s exactly what os.clock is for. It’s used for high-precision benchmarking. It’s not useful for finding the time but it is more useful and precise than tick() for finding the difference between two times. So this is completely backwards advice.

the noclip check was an example, if you’re getting false positives you should increase the threshold.

It appears only the inside of object is printing, how much between casting should I wait before creating one? What else should I be doing

the cast should be running each physics frame for best results.

Is there a way to possibly help with performance, from my past experiences ray casting like this is commonly causes lots of lag.