Test.rbxl (226,1 КБ)
yeah
yeah definitely
also good job on this btw
Why have you put the actual validation code in an external location, and why have you obfuscated it? This makes it look extremely suspicious.
Why does this block client-sided Instances completely? That’s a part of almost every single game in existence, and adding one with this code running kicks the player. Why is there a special check for ReplicatedStorage
that does the exact same thing as everything else? And I have to say that these Scripts are very inefficient and will really destroy the performance of any large game, such as one that has multiple maps that are :Clone
’d around.
I have to ask if you generated some of this code with ChatGPT, because stuff like this:
, really doesn’t make any sense.
in principle, you may be right, but are you sure you read the warning in my article? (everything in the screenshot: it was for a test in the studio itself, when I changed the view from the Server to the Client)
by the way, CHATGPT doesn’t really help with anything
Then can’t the exploiter attach a response to the request, there’s no real way to block dex or any other exploits, I’ve manageed before to block synapse and fluxus but it sadly doesn’t work anymore Injection Detection Module
I know this, but I didn’t try to make it so that with a 100% chance of detecting all exploit injections, I just did the detection on bad scripts like DEX - and it’s works
I’m commenting on the quality of this code, because it has a lot of problems that don’t make it a good fit for actual usage. I wouldn’t encourage novice developers to try and learn from this code because of that.
I didn’t say that this is a profitable way to detect exploit, it can be said as a template for other anti-cheats - for those who are interested in it (example). but now I know what can be improved in my system
Hi, so I went ahead and tried to give a more thorough set of criticisms:
Instead of writing the custom function isRestrictedService
, you can just use the built-in table.find
.
Even better, instead of using a Linear Search, you can use a dictionary:
-- List of restricted services where Key should not be created
local restrictedServices = {
Workspace = true,
ServerScriptService = true,
ServerStorage = true,
ReplicatedStorage = true,
StarterPack = true,
StarterPlayer = true,
StarterGui = true,
Lighting = true,
Players = true,
Teams = true,
}
-- Function to check if an instance is in the restricted services
local function isRestrictedService(instance)
-- returns `true` if restricted, `nil` if not
-- " or false " can be added to the end to make
-- it return `false` if not restricted instead, if need be
return restrictedServices[instance.Name]
end
Why not use something like HttpService:GenerateGUID
instead of writing your own custom function?
At least you could have written for _, i in game:GetDescendants() do
instead, which is shorter and does the same thing.
You are very inconsistently keeping Services in Variables. Generally, people define all their Services and main Variables at the top of the Script.
Why is this Script obfuscated? It wouldn’t make a difference to add Variable names, the Luau compiler already strips local names, and this Script is so simple it really makes no difference other than making it look suspicious.
GitHub Script
local l = f:InvokeServer(k.Parent.Name, k.Name)
This variable can be nil
very easily
if o and l then
if o.Value ~= p then
e.AntiCheat:FireServer(k.Name, "adding instance with wrong key - exploit.")
end
elseif k.Name == "Key" then
if k.Value then
if k.Value ~= p then
e.AntiCheat:FireServer(k.Name, "adding instance with wrong key - exploit.")
end
end
elseif not o and not l then
e.AntiCheat:FireServer(k.Name, "adding instance with exploit.")
end
All someone needs to do to circumvent all of these checks is to create an Instance that is multiple levels deep (i.e. in game.Workspace.Model
) and give it a Key
child with the value from GetKey
, this will cause o
to be valid but l
to be nil
, which bypass all of these if
-conditions.
so, I noticed there really is a lot of unnecessary stuff here. I’ll have to redo everything now
Also, it doesn’t get rid of old Keys
, so they can end up getting spammed somehow:
The Script has renamed all the Animations under the default Animate
Script, which means setting custom animations through them won’t work.
it is best to make simple anti-cheats that will prevent the player from changing in a way that is not necessary (for example, fly mode, changing speed, jump height and noclip)
Its a lot more effective to prevent the exploits you stated in the server. With rollback and input validation you can do it without any false flags although its not as simple ig
Players can simply replicate that work around and not get detected.
This script only works for the script kiddies and not actual exploiters.
they can hook remote or “isRestrictedService” function i suggest doing server checks instead of wasting time on client anti-cheats because they will eventually get bypassed also i doubt this would work on actual executors that are paid but if it does it still doesn’t change the fact that this can be bypassed even if you were to check if “client” is reacting to server or not that wouldn’t work because exploiters can modify the payload that’s sent to the server
Client anti cheats make exploiting harder but if the exploiter knows what he is doing then the anti cheat will get bypassed because the anti cheat is running on their machine which means that they have full control of it
I am pretty sure that it’s supposed to be a placeholder of what the handshake/heartbeat should look like. If this is the case @RIP_Bombs, please add a warning about it.
would it not be better to increase the delay on the loop as your invoking the client so many times that it could cause performance issues?