Anti Cheats - Where Do I Start?

Have you tried making a good anti-cheat? We could work on it together if you’d like.

I already have one that is universal, and has linked bans, discord bot and alt detection.

Thank you for the offer however I already have one I have been maintaining for about a year without any issues

Wow, it seems nice. Great job

Here are some resources from my experience:

Don’t make an anticheat. Secure your remote events first, and then minimize the damage that could be done. Don’t try fixing something that can’t be fixed.

I’d recommend looking throught the following resources, they can help you alot:

The point of client side’s anti cheats, is to basically make it an anti-tamper, you basically check the most important functions and the current stack by forcing an error to appear, you can detect some exploits with this, in some cases you can detect hookmetamethods (namecall,index,newindex) with that aswell, and sometimes you can get the exploit environment and use their functions if the exploit is terribly bad, roblox already gives you tools to detect CoreGui, Injection, Execute, the problem with them is that they can get spoofed with math.random(), so It makes the client script thinks that everything is fine.

You also have to make a ton of debugging in each “Important function”, you can do that with debug library, even though you also have to make sure It isn’t spoofed, there are other methods such as using variables and checking if the variable result isn’t spoofed, the problem begins when you realize they can use wait(9e9), to basically stop the thread, using task.wait(9e9) won’t stop the thread in most cases, so that’s an L for wait(), this is where handshakes come from.

You can improve Its security by making keys that are extremely long and random, you can also make a function on the server to check how much has passed since the last handshake, for example, if an exploiter tries to fire the handshake before 15 seconds they will get kicked, there are multiple ways to secure handshakes.

If you want to detect character exploits without having to worry about spoofs, you can make a script with runcontext to client, then add it into an actor, and place it on services like localization service, (I think this works without the actor as well), (It will still run), then make it immediately destroy itself, so the thread actually runs, without having a local script enviroment, keep in mind this is a temporal solution, since smart exploit devs might have bypassed actors, by using loadstring in the environment.

EDIT: I said “localization service”, since exploiters can use DescendantAdded, to disable client scripts before they run, if they are placed in ReplicatedFirst.

Uhm oh guys I was asleep sorry…!

Wow I’m gonna read all y’all’s responces (THANK YOU ).

Pretty cool posts!

Just a few questions:

In TheLiker’s post, could you explain the “CypherFunction”? I’m pretty confused about that. nevermind I just looked at the other post lol

Also, in your post (Creating proper anti-exploits), you had a little poll and one of the options was how to integrate mechanics into the anti-cheat. [If you want,] could you elaborate on this?

Wow did you write all those code snippets? Cuz if you did, you put a LOT of effort into that!

I didn’t even think of checking if a value was an integer! I’m not entirely sure if the validating function is protected against NaN values; but great post!

Say and you had a teleport command, if you teleported; they will be detected, so basically compatibility with the teleport command so they won’t be detected.

Ohhh okay so I was correct. Thanks for those posts by the way!

For anyone who wants to provide something: I’ve updated the list of things I need help with in the original post!

my current project uses the following:

1: never trust the client which means no matter what never let remote events do anything without doing sanity checks.

2: have a small anticheat to deal with critical client side exploits such as the immortal humanoid exploit.

3:game design makes exploiting unfeasible, this means gameplay that allows all players to say fly around or teleport as well as being able to hinder a players movement even if they are travelling at 5000 miles an hour.

later down the road I have plans for a system that records a players movement and determines if their behavior is suspicious or not, but because of the nature of my game there are some anticheat methods that I cant add such as a speed cap.

My biggest tip: Utilize both the client and server.

Here you are giving bad advice! Why wouldn’t I make another layer of security? Also if you didn’t know Handshakes exist…

I believe that anti-cheats should be made on both the client and server.
Most people will say the client can be hooked, the client can be disabled, and other copy-pasted comments from some research they did in a few seconds.

In reality, the client can be a very powerful tool to use for anti-cheats; it can also be protected from disabling, destroying, hooking, and more; you just need to experiment, find out, and learn.

I say the best anti-cheat is the server, and client working together.

Yeah and aren’t there things you can’t detect with server sided anti cheats?

Looked at doing this before had some of that done.
I like the “Hacker Bait remote” the best.

I was thinking I’d have one of those bait remotes and it would do smthn in game like send a message or do some other trolling to the hacker.

Man I wish other games would do that lol

“GodModeTest” would be a for sure ban for a hacker …

You can pretty much detect most character exploits, like teleport, and so on, but you can’t detect whatever the player changes their walkspeed, jumppower since It doesn’t replicate to the server, hence why you need client sides anti cheats most of the time.

Also, It depends on the type of game.