Client Side Anti-Exploits

OnceCrowned · September 7, 2022, 3:44am

Let me clear this up this debacle. I am all for server sided sanity checks, but the full dismissal of client sided checks is completely naive and foolish.

The whole point of my client sided checks were to make it more difficult for exploiters to even reach my server sided checks, let alone view the way my games work.

Also:

I do not do client sided kicks

There’s no way to detect it like that. I will not be disclosing my method, but you have to detect the behavior of the GUI instead of the GUI itself.

Ylsid · September 7, 2022, 6:44am

I’d like to mention it is not possible to write unreadable code. Hard to read, yes, but if the computer can read it so can a sufficiently able human. Currently the most commercially available and very popular anti-tamper obfuscator is probably Denuvo, and even that is bypassed after a while.

OnceCrowned · September 7, 2022, 6:47am

Hi. The computer generated output from the bytecode is not always accurate and going through the bytecode manually is a pain in the butt. Nobody is that dedicated.

Ylsid · September 7, 2022, 6:49am

You would think! They do exist! Probably not for less than the highest bounties though. Cracking as a subculture has existed for as long as software protection.

Cffex · September 30, 2022, 2:40pm

My awful opinion: try to ruin their experience, this will likely depend on what kind of game you’re making, for example:

Let’s say that your game is heavily based on UI’s, put all the code that functions the UIs into 1 single local script, and put a client-side anti-exploit inside the local script.

The exploiters will try to delete that local script that has the anti-exploit inside it, but that will make the game unplayable, thus making the exploiter leave.

I am unaware of ways this could be bypassed so if there is a way, please let me know.

ATrashScripter · October 1, 2022, 1:45am

This actually seems like a good idea, although my game is a fighting game so I doubt there will be much difference because the exploiters can just fire the remotes anyway. Although if the server can somehow detect that the local script is disabled, that’d be great.

Cffex · October 1, 2022, 5:03am

Any changes made in the client can not be seen by the server, but that excludes changes to some properties of the character/humanoid such as

walk speed, JumpPower, Character’s CFrame, Animation (I’m not sure), and some more.

So unless there is a hacky way that I don’t know, you can’t detect whenever a local script has been deleted or disabled.

ATrashScripter · October 1, 2022, 5:19am

Sadge, but it would be nice though. I’ll try finding some other solutions for anti-exploits, thanks for the answer though.

Sinkl0z · October 4, 2022, 5:25pm

Hey, I quickly read through your question and here’s a plain answer. If a exploiter got put up against this detection this is most likely the first thing that’d pop up on their mind:

for i,v in pairs(getconnections("script path")) do
    v:Disable()
end

But this isn’t the most stable bypass for an exploiter to run since Disconnected connections is detectable. That’d simply force the exploiter to do this:

local namecall = nil
namecall = hookmetamethod(game, "__namecall", function(self, ...)
   local NamecallMethod, Parameters = (getnamecallmethod or get_namecall_method)(), {...};
   
   if NamecallMethod == "AncestryChanged " and self == "script path" then
       return 
   end
   
   return namecall(self, unpack(Parameters));
end)

the best way to prevent local scripts from being disabled is to make them run in memory. Disconnect them fully from the client(Well not fully since it runs in mem but partially), Its not possible to disable memory or a script that’s running in memory