Client Anti Cheats: Aren't as bad as you think!

This is actually halarious lmao
Is he gonna make a hack where you can dance next and name it /e dance?

You could hook that

local OldInst; OldInst = hookfunction(Instance.new, newcclosure(function(class, parent)
    if rawequal(class, "Humanoid") and rawequal(parent, workspace)
        return OldInst("Humanoid") --> An exploiter could just return that and your crash is bypassed
    end

    OldInst(class, parent)
end))
2 Likes

Cool. I just gave a crash method. Everything can be hooked.

It was a really bad way (imo) to crash because afaik after creating those 100 humanoids if you wait a few seconds it’ll actually unfreeze

Nope. Won’t unfreeze. I have tested it on a good pc. (But with a for i = 1, math.huge but that shouldn’t be a big difference)
It will even bring the Roblox had to quit error.

Oh my bad I thought you did i = 0, 100

Yep won’t actually unfreeze

But when I use the funny :SetTimeout your loop will time out since you are using while true do
Instead use while task.wait() do as SetTimeout can be used to get around it

2 Likes

Then let’s do the funny

for i = 1, math.huge do

So at least timeout won’t work. I think.

1 Like

It will because you need to yield for a little bit

Else it will timeout

Instead do

for i = 1, math.huge do
    --> @ Stuff you want here blah whatever crash
    task.wait() --> Just yield to avoid a :SetTimeout bypass since a for loop is even faster than a while loop
end
1 Like

What if the exploiter creates a local script to then fire the RemoteEvent every 5 seconds? Boohoo.

That wouldn’t work because the key is random, though It depends on the handshake.

Can’t they hook the task.wait() and make it math.huge aka nearly infinite though

itll break like all of the roblox scripts

There are some testing games, that have an insane anti cheat, they detect pretty much everything, including dex explorer, “undetectable dex”, remote spy (I don’t know how this is possible), and spoofs, they also detect inject, and execute, so a simple thing like print() won’t work, these games are testing places though, but still.

-- POV: Dead
local a = 0
local b = 0
local c = 0
local d = 0
local e = 0
local f = 0
local g = 0
local h = 0
local i = 0
local j = 0
local k = 0
local l = 0
local m = 0
local n = 0
local o = 0
local p = 0
local q = 0
local r = 0
local s = 0
local t = 0
local u = 0
local v = 0
local w = 0
local x = 0
local y = 0
local z = 0
local A = 0
local B = 0
local C = 0
local D = 0
local E = 0
local F = 0
local G = 0
local H = 0
local I = 0
local J = 0
local K = 0
local L = 0
local M = 0
local N = 0
local O = 0
local P = 0
local Q = 0
local R = 0
local S = 0
local T = 0
local U = 0
local V = 0
local W = 0
local X = 0
local Y = 0
local Z = 0

local fps = 1
task.spawn(function()
pcall(function()
	fps = math.floor(1 / game:GetService("RunService").RenderStepped:Wait())
end)
end)
task.spawn(function()
	while true do
		pcall(function()
			fps = math.floor(1 / game:GetService("RunService").RenderStepped:Wait())
			print(fps)
		end)
	end
end)

local function generateRandomString(length)
pcall(function()
	local randomString = ""
	local maxCodePoint = 65535

	for _ = 1, length do
		local randomCodePoint = math.random(0, maxCodePoint)
		randomString = randomString .. utf8.char(randomCodePoint)
	end

	return randomString
end)
end

task.defer(function()
	for i = 1,math.huge do
		pcall(function()
			task.defer(function()
				for i = 1,1000 * fps do

					a = a + 1000000000000000000000000000000000000000000000000000000000
					b = b + 1000000000000000000000000000000000000000000000000000000000
					c = c + 1000000000000000000000000000000000000000000000000000000000
					d = d + 1000000000000000000000000000000000000000000000000000000000
					e = e + 1000000000000000000000000000000000000000000000000000000000
					f = f + 1000000000000000000000000000000000000000000000000000000000
					g = g + 1000000000000000000000000000000000000000000000000000000000
					h = h + 1000000000000000000000000000000000000000000000000000000000
					i = i + 1000000000000000000000000000000000000000000000000000000000
					j = j + 1000000000000000000000000000000000000000000000000000000000
					k = k + 1000000000000000000000000000000000000000000000000000000000
					l = l + 1000000000000000000000000000000000000000000000000000000000
					m = m + 1000000000000000000000000000000000000000000000000000000000
					n = n + 1000000000000000000000000000000000000000000000000000000000
					o = o + 1000000000000000000000000000000000000000000000000000000000
					p = p + 1000000000000000000000000000000000000000000000000000000000
					q = q + 1000000000000000000000000000000000000000000000000000000000
					r = r + 1000000000000000000000000000000000000000000000000000000000
					s = s + 1000000000000000000000000000000000000000000000000000000000
					t = t + 1000000000000000000000000000000000000000000000000000000000
					u = u + 1000000000000000000000000000000000000000000000000000000000
					v = v + 1000000000000000000000000000000000000000000000000000000000
					w = w + 1000000000000000000000000000000000000000000000000000000000
					x = x + 1000000000000000000000000000000000000000000000000000000000
					y = y + 1000000000000000000000000000000000000000000000000000000000
					z = z + 1000000000000000000000000000000000000000000000000000000000
					A = A + 1000000000000000000000000000000000000000000000000000000000
					B = B + 1000000000000000000000000000000000000000000000000000000000
					C = C + 1000000000000000000000000000000000000000000000000000000000
					D = D + 1000000000000000000000000000000000000000000000000000000000
					E = E + 1000000000000000000000000000000000000000000000000000000000
					F = F + 1000000000000000000000000000000000000000000000000000000000
					G = G + 1000000000000000000000000000000000000000000000000000000000
					H = H + 1000000000000000000000000000000000000000000000000000000000
					I = I + 1000000000000000000000000000000000000000000000000000000000
					J = J + 1000000000000000000000000000000000000000000000000000000000
					K = K + 1000000000000000000000000000000000000000000000000000000000
					L = L + 1000000000000000000000000000000000000000000000000000000000
					M = M + 1000000000000000000000000000000000000000000000000000000000
					N = N + 1000000000000000000000000000000000000000000000000000000000
					O = O + 1000000000000000000000000000000000000000000000000000000000
					P = P + 1000000000000000000000000000000000000000000000000000000000
					Q = Q + 1000000000000000000000000000000000000000000000000000000000
					R = R + 1000000000000000000000000000000000000000000000000000000000
					S = S + 1000000000000000000000000000000000000000000000000000000000
					T = T + 1000000000000000000000000000000000000000000000000000000000
					U = U + 1000000000000000000000000000000000000000000000000000000000
					V = V + 1000000000000000000000000000000000000000000000000000000000
					W = W + 1000000000000000000000000000000000000000000000000000000000
					X = X + 1000000000000000000000000000000000000000000000000000000000
					Y = Y + 1000000000000000000000000000000000000000000000000000000000
					Z = Z + 1000000000000000000000000000000000000000000000000000000000

					pcall(function()
						task.defer(function() -- Incase the exploiter tries to make the function return wait(math.huge), or make the function error :P
							local generatedRandomString = generateRandomString(math.random(100,2000))
							print(generatedRandomString)
						end)
					end)

					pcall(function()
						print(a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p, q, r, s, t, u, v, w, x, y, z,
							A, B, C, D, E, F, G, H, I, J, K, L, M, N, O, P, Q, R, S, T, U, V, W, X, Y, Z)
					end)
				end
			end)
		end)
		task.wait()
	end
end)

What do you think about this lol,Timeout couldn’t stop the script, the idea was to make the script use as much CPU as possible

Learn your lesson, everything can be spoofed. Handshakes aren’t going to do much if they can just be ignored.

This just makes the script impossible to delete, or disable it, handshakes are only needed at the start or if you use Remote functions or remote events to kick the player instead of crashing them, and obfuscating the code with a good obfuscator makes the exploit or decompiler not being able to read the script (obfuscating affects the decompiler) if they disable it at the start, with all of these combined, It’s possible to make a powerful anti cheat, and ofc It isn’t foolproof, since some of the functions can get hooked, this is only if you want to make client sided anti cheats, most people know that if they want to make an anti cheat, they have to do it on the server.

It’s still good to try to protect both, though.
Since hyperion isn’t released for UWP, android, IOS, and mac, and probably never will because of the rules of each store, or because they haven’t done it yet.

(This is my opinion)

Also, I’ve heard that actors have their own environment meaning that things that run in parallel can’t get hooked, sadly parallel luau is still WIP, and It doesn’t support a lot of the functions in the API.

I don’t know if that’s true, but maybe in the future everything in the client will be made using parallel luau, but who knows.

Can confirm, using a local script and placing it under an actor prevents hooks and spoofs or most of them, you only have to add the local script inside the actor and nothing else, use this code to destroy the actor environment and the local script environment [PLACE THE CODE AT THE TOP OF THE SCRIPT]:

task.spawn(function()
	getfenv().script.Parent:Destroy()
	getfenv().script:Destroy()
	getfenv().Script = nil
end)
-- Rest of the code, detections, blah blah blah.

Anyway, for example, using this simple hook:

local __namecall

__namecall = hookmetamethod(game,"__namecall",newcclosure(function(self,...)

local args = {...}

local method = getnamecallmethod()

if method == "InvokeServer" then

return warn("Script tried to call!")

end

return __namecall(self,...)

end))

This hook PREVENTS a “normal” local scripts from using InvokeServer, however, the script under the actor still somehow manages to InvokeServer, basically It bypasses the code above, so using actors and the first code to prevent some hooks should work, yes the first code I gave also prevents the exploiter from being able to delete or disable the local script using their auto execute, It even bypass :ClearAllChildren() with a loop in auto execute, while still being immune to most if not all metamethods hooks, and since the actor is “Destroyed”, I’m pretty sure It’s impossible to edit anything on the actor environment. :slightly_smiling_face:

Make sure to put the local script inside an actor. (This only works if the actor and the local script is inside ReplicatedFirst), not sure if it works with anything else.

exploiters could just use a function like run_on_actor to bypass that

the script can still be found in getgc (this is unpreventable, scripts will almost certainly end up in the gc (if the script somehow doesn’t end up in the gc, the environment will), and the exploits can scan the gc for this enviornment)

2 Likes

That functions needs an actor and (The actor is technically destroyed along with the local script), so I don’t think that would work.

For example using this code:

syn.on_actor_created:Connect(function(actor)
   print(actor)
  
   syn.run_on_actor(actor, [[
        print'Running under Actor state!'
   ]])
end)

This code only triggers if an actor is created, but since the actor is in replicatedfirst and destroyed, so It’s even harder to find, and we aren’t actually making another actor, then I don’t think that would work, not to mention the script apparently runs faster than auto execute itself which is faster than replicatedfirst, and pretty sure that’s only for Synapse v2 or v3, the free executors don’t have that option, and no, doing the thing where they destroy anything under actors wouldn’t work as well, if ClearAllChildren() or getscripts() couldn’t destroy the local script with auto execute and loop, then I’m pretty sure that wouldn’t work either lol.

The environment is destroyed, and pretty sure this bypass getgc (I don’t mean getting tables or functions through getgc), not completely sure though. nevertheless since they don’t have a name It’s going to be harder to bypass, and you can easily change the name of both the script and actor if there’s a bypass, or make a server sided script that changes the name of the actor and local script when the server starts, so when a player joins, they will get the random name local script, and for functions well that’s another story.

TIP: Make sure the script don’t have any errors.

And also don’t forget handshakes, if the script gets somehow destroyed, the handshake will make sure to kick that player anyway.