Anti-Exploit LocalScript

Hello! I’m trying to achieve an Anti-Exploit Script for my games / groups (FE). Currently, I’m trying a Nil LocalScript that detects humanoid OnChanged. I don’t know how safe this is (can the player deactivate it somehow, etc.). Feedback is appreciated as well.

So basically, how safe would this route be, or should I do a ServerScript instead that detects players’ velocity to fix common exploits like WalkSpeed / JumpPower?

NEW Question: How would I detect on the Server if the player has an altered WalkSpeed? I could do Velocity over time, but what if the player is in a vehicle or uses a trampoline / conveyor belt?

If you have a localscript in PlayerGui that gets parented to nil, they shouldn’t be able to detect it and it should still operate correctly. I use this method in a Script Builder admin.

Just checking, because I want a safe way to do an anti exploit that isn’t removable.

No matter what you do, the exploiter will always have the upper hand. It is their PC, and they can do just about anything. Your anti-exploit script will, at best, defeat popular copy-and-paste exploit scripts. The exploiter can delete your script, the only question is how hard it will be for them to do so.

You should validate on the server side as much as you possibly can, and only use client-side mitigations after having done that.

27 Likes

Ok, thanks.

NEW Question: How would I detect on the Server if the player has an altered WalkSpeed? I could do Velocity over time, but what if the player is in a vehicle or uses a trampoline / conveyor belt?

You would just have to track their position/velocity and base it on the situation, but kicking is very risky.
A live case is Apocalypse Rising, where getting flung would just crash your client, not fun.

So overall it’s a per-case basis, you have to make your own solution (for the most part).

1 Like

WalkSpeed is unreliable because players can force their character to move fast without changing WalkSpeed. You would have to use velocity monitoring as you pointed out, but also track the mechanics which could impact the player’s velocity (vehicle, trampoline, etc) to determine what the “correct” maximum velocity for them is.

Not a fun experience, indeed.
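The server-side velocity monitoring suggested in the replies above, sketched as an added example that is not code from any poster in this thread. It samples horizontal displacement on the server, skips seated characters, lets game mechanics raise the limit, and moves the character back after repeated violations instead of kicking; the constants and the `SpeedAllowance` attribute are assumptions.

```lua
-- Added example: server Script. Constants and "SpeedAllowance" are assumptions.
local Players = game:GetService("Players")
local RunService = game:GetService("RunService")

local SAMPLE_INTERVAL = 0.5 -- seconds between position samples
local TOLERANCE = 1.5       -- slack for latency and physics jitter
local STRIKE_LIMIT = 3      -- consecutive bad samples before acting
local state = {}            -- [Player] = { pos, good, strikes }

-- Highest legitimate horizontal speed (studs/s) right now, or nil when a
-- seat (vehicle) drives the character and must be validated separately.
local function allowedSpeed(humanoid, character)
	if humanoid.SeatPart then return nil end
	-- Hypothetical attribute set by trampoline/conveyor scripts while they push.
	local extra = character:GetAttribute("SpeedAllowance") or 0
	-- The server's WalkSpeed is used; a client-side change does not reach it.
	return (humanoid.WalkSpeed + extra) * TOLERANCE
end

local function check(player, dt)
	local character = player.Character
	local humanoid = character and character:FindFirstChildOfClass("Humanoid")
	local root = character and character:FindFirstChild("HumanoidRootPart")
	local alive = humanoid and root and humanoid.Health > 0
	local s = state[player]
	if not alive or not s then
		-- Start (or restart after death/respawn) from the current position.
		state[player] = alive and { pos = root.Position, good = root.Position, strikes = 0 } or nil
		return
	end
	local delta = root.Position - s.pos
	local speed = Vector3.new(delta.X, 0, delta.Z).Magnitude / dt -- ignore falling
	local limit = allowedSpeed(humanoid, character)
	s.pos = root.Position
	if limit and speed > limit then
		s.strikes += 1 -- a single fling or server teleport costs one strike only
		if s.strikes >= STRIKE_LIMIT then
			root.CFrame = CFrame.new(s.good) -- move back instead of kicking
			s.pos, s.strikes = s.good, 0
		end
	else
		s.good, s.strikes = root.Position, 0
	end
end

local elapsed = 0
RunService.Heartbeat:Connect(function(dt)
	elapsed += dt
	if elapsed < SAMPLE_INTERVAL then return end
	for _, player in ipairs(Players:GetPlayers()) do check(player, elapsed) end
	elapsed = 0
end)
Players.PlayerRemoving:Connect(function(player) state[player] = nil end)
```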

Some exploits have a custom function that allows a script to get all instances parented to nil so an exploiter could easily disable your AE script.
I would suggest either putting the AE code in a crucial script or having a sort of pinging system in the AE script to ensure the server that it’s still there and not disabled.

2 Likes

Hide code in the Animate script for StarterCharacterScripts. Good mask and you can do something about checking server-side whether or not animations are being properly executed (i.e. is JumpAnimation playing when they jump?).

1 Like

If you are worried about people stealing your code to use it or reverse engineer it for potential exploits, obfuscate it. Hard to make heads or tails out of things like this:

5 Likes

I partially understood that :stuck_out_tongue:

4 Likes

GG I barely remember the not-obfuscated portion of this script.

3 Likes

From what I can see, it’s just how you named your instances. They are similarly… and can easily be confused.

I have a feature in mind that would come in handy to avoid confusions etc, but might be a bit of a hassle.

The whitespace won’t do a thing for you; code does not compile style which means if they get their hands on it via decompilation it will be prettified automatically.

I realized this long after when I saw my game get stolen and the code was less ugly than I intended. It’s still pretty hard to figure out since I removed all single line comments (block comments don’t contain any instructions). Also, most of my code is in one client and one server script, only making things tougher. At this point I just obfuscate because I know nobody can possibly have the original code beyond like June 2016 or so. It’s worth the effort for my own satisfaction.

Err, comments are not compiled at all so whether they’re present or not wouldn’t affect decompilation either.

If they were stealing the actual script it should be there. Now it won’t be there regardless of how they steal it since I removed them from any copy uploaded to Roblox.

You can’t “steal the actual script” unless they have deliberate access to your game, in which case that’s a whole other issue entirely.
But no, comments of no kind produce instructions or embed in the bytecode. However living under the assumption that people depend on comments alone is a bit naive due to the large amount of people who read and write code without comments because it’s simply “faster”.