Aeroiqz V2 | Anti-Exploit | Review


#1

```lua
--[[

place me in startergui or startercharacterscripts
made by scriptednate

--]]

local blacklisted = {

	"BodyGyro";
	"BodyPosition";
	"BodyVelocity";
	"BodyAngularVelocity";
	"RocketPropulsion";
	"BodyThrust"

}

local player = game.Players.LocalPlayer;
local character = player.Character or player.CharacterAdded:Wait()
local humanoid = character:WaitForChild("Humanoid");
local backpack = player:WaitForChild("Backpack");
local torso = character:FindFirstChild("Torso") or character:FindFirstChild("UpperTorso")
local root = character:FindFirstChild("HumanoidRootPart");

local function destroy()
	player:Kick("Nice try exploiter, say good bye!!")
	player.Character:BreakJoints()
	humanoid.Health = 0
	root.CFrame = CFrame.new(1,-10000,1)
end

coroutine.resume(coroutine.create(function()

game:GetService("RunService").RenderStepped:Connect(function()
	local exploiters = {}
	humanoid.Changed:Connect(function(t)
		if t == "WalkSpeed" then
			table.insert(exploiters,player.Name)
			print('exploiter added')
			humanoid.WalkSpeed = 16
			destroy()
		else
			if t == "JumpPower" then
				table.insert(exploiters,player.Name)
				print('exploiter added')
				humanoid.JumpPower = 50
				destroy()
			else
				if t == "HipHeight" then
					table.insert(exploiters,player.Name)
					print('exploiter added')
					humanoid.HipHeight = 0
					destroy()
				else
					if t == "Name" then
						table.insert(exploiters,player.Name)
						humanoid.Name = "Humanoid"
						print('exploiter added')
						destroy()
					end
				end
			end
		end
	end)
	backpack.ChildAdded:Connect(function(obj)
		if obj:IsA("HopperBin") then
			obj:Destroy()
			table.insert(exploiters,player.Name)
			print('exploiter added')
			destroy()
		end
	end)
	character.ChildAdded:Connect(function(obj)
		if obj:IsA("HopperBin") then
			obj:Destroy()
			table.insert(exploiters,player.Name)
			print('exploiter added')
			destroy()
		end
	end)
	humanoid.StateChanged:Connect(function(oldstate,newstate)
		if newstate == Enum.HumanoidStateType.StrafingNoPhysics then
			humanoid:ChangeState(Enum.HumanoidStateType.RunningNoPhysics)
			table.insert(exploiters,player.Name)
			print('exploiter added')
			destroy()
		end
	end)
	humanoid.Running:Connect(function(speed)
		if speed > 17 then
			table.insert(exploiters,player.Name)
			print('exploiter added')
			destroy()
		end
	end)
	root.DescendantAdded:Connect(function(t)
		for z,x in ipairs(blacklisted) do
			if string.find(x,t.ClassName) then
				table.insert(exploiters,player.Name)
				print('exploiter added')
				wait()
				t:Destroy()
				destroy()
			end
		end
	end)
	torso.DescendantAdded:Connect(function(t)
		for z,x in ipairs(blacklisted) do
			if string.find(x,t.ClassName) then
				table.insert(exploiters,player.Name)
				print('exploiter added')
				wait()
				t:Destroy()
				destroy()
			end
		end
	end)
	character.ChildRemoved:Connect(function(obj)
		if obj.Name == "Humanoid" and root ~= nil then
			table.insert(exploiters,player.Name)
			print('exploiter added')
			destroy()
		end
	end)
	character.DescendantAdded:Connect(function(t)
		local tool1 = character:FindFirstChildOfClass("Tool")
		if tool1 ~= nil and tool1 ~= t then
			table.insert(exploiters,player.Name)
			print('exploiter added')
			destroy()
			tool1:Destroy()
			t:Destroy()
		end
	end)
	repeat wait()
	until game.Players.LocalPlayer and game.Players.LocalPlayer.Character and game.Players.LocalPlayer.Character.Humanoid

	local plr = game.Players.LocalPlayer
	local char = plr.Character
	local hum = char.Humanoid

	hum.StateChanged:Connect(function(oldstate,newstate)
		if newstate == Enum.HumanoidStateType.StrafingNoPhysics then
			plr:Kick("You've been kicked for noclipping")
		end
	end)

	return exploiters
end)

end))
```

There’s the script. Any suggestions to add on? You may use it if you want to.

Anyway I can upgrade any system to implement.


#2

Format code in a code block.

~~~~~
-- # code
~~~~~
I escaped the tildes with backslashes.

Without the backslashes:

-- # code

#3

Considering this is on the client: exploiters will be able to disable it completely.

What would be much more secure is to move everything to the server, though you will need to make a few changes. For instance: since the Humanoid’s WalkSpeed and JumpPower do not replicate to the server, you will have to check the distance between their current position and last known position every few seconds or so - if it is too big then teleport them back to whatever their last valid position was.

I wish you the best in your battle to protect games against exploiters.
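The server-side position check described in post #3, as an added example that is not code from the thread: a Script in ServerScriptService compares each character's horizontal travel against what the server's own copy of WalkSpeed allows and resets the character to its last valid position when the limit is exceeded. The interval and tolerance values are assumptions to tune per game.

```lua
-- Server Script (e.g. in ServerScriptService). Added example, not from the thread.
local Players = game:GetService("Players")

local CHECK_INTERVAL = 2 -- seconds between checks (assumed value)
local TOLERANCE = 1.5    -- slack for latency and physics jitter (assumed value)

local function watch(player, character)
	local humanoid = character:WaitForChild("Humanoid")
	local root = character:WaitForChild("HumanoidRootPart")
	local lastValid = root.CFrame
	local lastTime = os.clock()

	while character.Parent and humanoid.Health > 0 do
		task.wait(CHECK_INTERVAL)
		if not root.Parent then break end

		local now = os.clock()
		local elapsed = now - lastTime
		-- The server's WalkSpeed is authoritative: a client-side edit does not replicate here.
		local allowed = humanoid.WalkSpeed * elapsed * TOLERANCE

		-- Compare horizontal travel only, so jumping and falling are not flagged.
		local delta = root.Position - lastValid.Position
		local travelled = Vector3.new(delta.X, 0, delta.Z).Magnitude

		if travelled > allowed then
			root.CFrame = lastValid -- teleport back to the last valid position
			warn(("%s moved %.1f studs in %.1fs (limit %.1f); position reset")
				:format(player.Name, travelled, elapsed, allowed))
		else
			lastValid = root.CFrame
		end
		lastTime = now
	end
end

Players.PlayerAdded:Connect(function(player)
	player.CharacterAdded:Connect(function(character)
		watch(player, character)
	end)
end)
```

Any legitimate server-side teleport (spawn pads, vehicles, cutscenes) has to be exempted or has to update the stored position, otherwise it is treated as a violation.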


#4

Also, this is FE.


#5

It should kick the exploiters if I am right. I have tried it.


#6

Certain properties of the Humanoid automatically replicate (most importantly: their position), therefore you will need to check them to make sure they are not doing things like changing their speed, changing how high they can jump…you get the picture.


#7

But as already mentioned by @Amitean

Personally, I find anti exploits to be pointless. Proper remote communication is key. Do sanity checks on the server side.


#8

As I stated before (and as incapaxx supported) - exploiters will be able to disable it before they can get kicked.

Server-sided checks on the other hand cannot be disabled, which is why it is in your best interest to use those instead.


#9

Okay, I will implement server-side checks.


#10

Anti exploits are definitely important. Sanity checks on your remotes won’t save you from all exploits.


#11

There’s no need to distinguish this anymore. All games have the same protection now, since experimental mode is gone.

As for the script, I didn’t read the whole thing since I could tell by the start of it that it will only work from the client. It isn’t a very strong anti exploit at all since anything on an exploiter’s client can be modified to suit their own malicious needs, but since you already have it I would just keep it as an extra layer. It’ll almost definitely catch some exploiters, but you really need an anti exploit that runs entirely on the server.


#12

First of all please format this in a code block.

Now, sorry to disappoint you but this is almost equal to no protection at all :stuck_out_tongue:

First of all, if anyone in the server changed their walkspeed, every single player would get kicked, because you don’t distinguish players in your RenderStepped.

Second of all, you kick from the client. An exploiter can hook the kick function with 10 lines of code and disable your kick. So yea.

My tips:

  1. Prioritize server-sided checks. Feel free to add client-sided ones afterwards, though don’t fully rely on them, but rather have them as a little “extra” thing. But only if you know what you’re doing!!! If you don’t know how to set up client-sided checks properly, then you should rather refrain from implementing them.
  2. Never trust the client. This is something you will always hear when it comes to securing your games. Check most, if not all input from the client.
  3. Don’t make the client tell the server what to do! Don’t make some SetCash remote events or such. Don’t make the client tell the server the price of the thing you’re buying.
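Tips 2 and 3 above, as an added example that is not code from the thread: the client sends only the name of the item it wants, and the server validates the argument, looks up the price itself and owns the balance. The remote name `BuyItem`, the catalogue and the starting balance are hypothetical.

```lua
-- Server Script. Added example; all names and values below are hypothetical.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

local PRICES = { Sword = 100, Shield = 250 } -- prices exist only on the server
local COOLDOWN = 0.5                          -- seconds between purchases (assumed)

local cash = {}        -- [Player] = balance, owned by the server
local lastRequest = {} -- [Player] = os.clock() of the last accepted request

local buyItem = Instance.new("RemoteEvent")
buyItem.Name = "BuyItem"
buyItem.Parent = ReplicatedStorage

Players.PlayerAdded:Connect(function(player)
	cash[player] = 500 -- constructed starting balance
end)

Players.PlayerRemoving:Connect(function(player)
	cash[player] = nil
	lastRequest[player] = nil
end)

-- `player` is supplied by the engine; every other argument is client-controlled.
buyItem.OnServerEvent:Connect(function(player, itemName)
	if typeof(itemName) ~= "string" then return end

	local now = os.clock()
	if lastRequest[player] and now - lastRequest[player] < COOLDOWN then return end
	lastRequest[player] = now

	local price = PRICES[itemName] -- unknown item names are rejected
	if not price then return end

	local balance = cash[player]
	if not balance or balance < price then return end

	cash[player] = balance - price
	-- Grant the item here, on the server (e.g. clone a Tool into player.Backpack).
	print(("%s bought %s for %d; balance now %d"):format(player.Name, itemName, price, cash[player]))
end)
```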

#13

You don’t seem to use the exploiters table in your script (although it makes sense as Player:Kick() only works on the local player in a localscript) so all the insert lines should probably be removed. Also, I believe that a lot of speed exploiting done recently doesn’t actually change WalkSpeed, so that protection won’t protect from those specifically either.


#14

A common Antikick will make this Antiexploit useless by simply changing the __namecall metamethod from DataModel/game slightly. (As Kiriot22 mentioned)

Also, since you index WalkSpeed, JumpPower etc. exploiters can just check if you index those properties and return a valid value, while they are changed.

Of course the simplest solution would be to just delete or disable the script.


#15

You can always replace the coroutine wrap with the keyword “spawn”. Although if you need to pause the routine and add a new input then do keep using it.

Another point to make is that, if you absolutely need a client script, make sure the server is constantly checking it exists. Using a remotefunction is a great way to check, but be sure to make the call a pcalled function with a delay (use the delay keyword to not pause the entire thread) so as to both make sure lag is accounted for and that it will still kick if there is an error.
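The existence check described in post #15, as an added example that is not code from the thread: the server invokes a RemoteFunction inside `pcall` on its own thread and uses a delayed check as the timeout, so an error or a missing reply both end in a kick. The remote name and the timing values are assumptions, and the client script is assumed to set `OnClientInvoke` to a function that returns `true`.

```lua
-- Server Script. Added example; the remote name and timings are hypothetical.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

local PING_INTERVAL = 10 -- seconds between checks (assumed value)
local TIMEOUT = 5        -- seconds to wait for a reply (assumed value)

local ping = Instance.new("RemoteFunction")
ping.Name = "ClientCheckPing"
ping.Parent = ReplicatedStorage

local function check(player)
	local answered = false

	-- InvokeClient yields and can error, so it runs on its own thread inside pcall.
	task.spawn(function()
		local ok, reply = pcall(function()
			return ping:InvokeClient(player)
		end)
		answered = ok and reply == true
	end)

	-- The timeout runs separately so a client that never replies cannot stall the server.
	task.delay(TIMEOUT, function()
		if not answered and player.Parent == Players then
			player:Kick("Client check did not respond")
		end
	end)
end

Players.PlayerAdded:Connect(function(player)
	while player.Parent == Players do
		task.wait(PING_INTERVAL)
		check(player)
	end
end)
```

A reply only shows that something on the client answered the remote, not that the client-side checks are still running, so this complements server-side checks rather than replacing them.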


#16

Your feedback request is incomplete. Code Review is not a venue for open-ended asking of suggestions and showcasing code. Please read the category guidelines.

You are missing:

  • Explanation of code (it’s blatantly obvious, I’m aware, but one would be appreciated)
  • What is unsatisfying about this code to you
  • What improvements you have already attempted to apply
  • What specific improvements you seek in your code

Also, how come you have not corrected your code block? It’s been explained to you how to do so yet you have not corrected the code block above trying to reply to posts. It’s harder to read what you’re trying to post without proper formatting. Please fix your code block as soon as possible.