Anti exploit not working?

Hexcede · September 2, 2020, 4:47am

Server-side only checks are the way to go. Implementing client checks is simply delaying the inevitable. As I said above, think of your client code like an exploiter can both read and edit it. This is pretty much exactly what exploits do, they simply do it in an indirect way by changing little pieces of functionality.

An exploiter could do any of the following to bypass your check in a minimal amount of code (10ish lines) with any modern exploit:

Make IsA return false for their BodyMovers/BodyGyros
Override the :Kick function & the :FireServer function
Disconnect your ChildAdded connection
Change the event returned by .ChildAdded to a custom one
Use a function you call (e.g. IsA, FireServer, wait, or Kick) and produce an error or permanently yield
.Disable the script (and yes, they can hide this easily)

Client anti exploit code is not reliable.

MJTFreeTime · September 2, 2020, 2:50pm

@Sudden_Demise Did you not see our previous replies? I specifically mentioned that @PixelIGPM8 could have both client and server side anti exploit measures. I agree with @Hexcede’s reply above.

If you read earlier, server-side checks are not able to check BodyMovers/BodyGyros, while client-side checks are. The thing is, client side checks, and checking for BodyMovers/BodyGyros is very likely not a sure-fire to prevent expoiters from flying. Reasons? I think @Hexcede covered that well enough.

Here’s, once again, my reply from earlier on what direction I believe @PixelIGPM8 should take:

MJTFreeTime:

So @PixelIGPM8 do you have an idea of how you’d want to do other checks, such as checking the distance from the ground/speed? Or would you like some help with that?

And if anyone has any other ideas, please feel free to help and bring them up!

EDIT: So, one idea is to keep what you originally had, but add onto it with the extra checks from the server side. So that you’d have one localscript that would handle those checks, but in the event that exploiters messed with the localscript, you’d still have the server-side checks.

So the server-side script could handle these checks: The players’ distances from the ground, and the speed/velocity the players are traveling at.

And the client-side localscript can handle these checks: If the character has a BodyMover or BodyGyro in it (like you originally did).

And sorry, that was my bad. I didn’t realize that you can’t check BodyMovers or BodyGyros inside of the characters from the server until they mentioned it - that explains it.

One of the problems I could see happening with the above, is that someone could mess with the RemoteEvent(s) sent between the localscript and script and potentially error/jam the script if they send it a certain way, and the script isn’t prepared for those situations. So the safest way may be to just have server side checks, as it does most of the “heavy-lifting” anyways, and is more reliable and secure in comparison to client side checks anyways,

Any ideas for the server-side checks?

Ryfiles · September 2, 2020, 3:22pm

Not to lie but @Sudden_Demise has a point.

Because IT Will NOT replicate to the server.

Server Sided Anti-Cheats can only stop exploiters that come to ruin your game ‘server sided’

Hexcede · September 2, 2020, 5:11pm

However, as I explained above, physics will replicate to the server. This is why the exploit even works at all, if something is happening for other players it has to be replicating something. Tuning your physics anticheat to your game is extremely important for this, for example, vehicles and such will have their own physics, which I go over in my article a little.

The instances themselves will not replicate, however, introducing client checks is almost never ever worth it. Technically, yes, its true that you can’t stop all exploits from the server easily however physics is by far the hardest but also isn’t particularly much difficulty. The problem is, that even if you check on the client, it can be bypassed far more easily than it was for you to create it, the amount of people it will stop depends on its complexity, and, even then, it will only stop the people with more basic understanding of the exploit they are using.

Ryfiles · September 2, 2020, 5:12pm

What about the following?

FPS, WalkSpeed, JumpPower, etc.

Hexcede · September 2, 2020, 5:14pm

I don’t know what you are reffering to “FPS” with (unless you mean FPS unlocker which is actually permitted by Roblox), but, I go over specifically WalkSpeed and JumpPower in my article and explain how you might implement a decent fly check, and there is discussion on noclip and such in replies.

WalkSpeed and JumpPower are both by far the easiest physics exploits to mitigate from the server.

RawEggTheGreatIX · September 2, 2020, 6:47pm

for my post I was inferring walkspeed changes, but yeah like what you said

Sudden_Demise · September 2, 2020, 6:49pm

I know that client code is not reliable however OP was referring to making a client-based anti-exploit. I know all about client code and it being able to be read/modified by exploiters, I also did recommend using server-checks.