Complete guide of how to make an anti exploit!

How do I make a good anti exploit


Many people ask: how do I make an advanced anti-exploit?

Well, it's actually very easy… let's move to our first section:

How do exploits work?

Firstly, what is an “exploit”? An exploit is most likely an executor that attaches to the Roblox systems to allow the user to inject scripts like fly, speed, noclip & more.

Here are the steps the exploiter takes to inject scripts:

  1. Joins a game
  2. Attaches the executor (unless auto-attach)
  3. Executes scripts

We want to stop them from doing the 2nd and 3rd steps, but sadly we cannot detect them “attaching executors”. We can, however, detect executing scripts by detecting changes, comparing normal movement to their movement, and more! Let's go to our second section…

Never Trust the Client


Never Trust The Client (unless you've got ways to protect it, but it will always be bypassed sometime)

Why should I not trust the client? - This is because exploiters have FULL control over their client, so they can spoof their speed, JumpPower, health, etc.
Here is a quick piece of code an exploiter can type in seconds to bypass your Humanoid.WalkSpeed check.

local oldindex = mt.__index
setreadonly(mt,false)

mt.__index = function(indexed,property)
	if indexed == "Humanoid" and property == "WalkSpeed" then
		return 16
	end
	return oldindex(indexed,property)
end

setreadonly(mt,true)

See how easy it is for them to spoof stuff?
Therefore you should NEVER trust the client. If you’re gonna make an anti-exploit, make sure it's always server-sided. This is because they can: spoof your checks, disable/delete the anti-cheat, or just ignore it in general.

Creating a serversided anti exploit


When creating a server-sided anti-exploit you CAN'T do your normal checks of Humanoid.WalkSpeed, Humanoid.JumpPower or even Humanoid.Health.

Then you might be asking: how will you detect distance (speed, fly, teleport) exploits, or any exploit? That’s easy: all you need to do is check with Magnitude. You can check for speed exploits by checking if the Magnitude is higher than the player's WalkSpeed + [threshold]. The threshold should normally be 3 or 5; without a threshold, you will automatically get detected just for walking!

Here’s an example:

-- Server script; `player` is the Player being checked.
local root = player.Character.HumanoidRootPart
local lastPos = root.Position -- full position, kept so the teleport back preserves the height
local pos1 = Vector3.new(lastPos.X,0,lastPos.Z) -- horizontal position only

task.delay(1,function()
  local pos2 = Vector3.new(root.Position.X,0,root.Position.Z)

  -- Horizontal distance covered in one second, compared with WalkSpeed plus a threshold of 3
  if (pos1 - pos2).Magnitude >= player.Character.Humanoid.WalkSpeed + 3 then
      player.Character:SetPrimaryPartCFrame(CFrame.new(lastPos))
  end
end)

Let's move into specific sections on how to stop exploiters of different types!

Stopping Remote Abuse


Exploiters can see if you have a remote that can give them an advantage and abuse it. For example, if you have a money remote, they can make a loop to fire it and earn thousands and thousands of Cash! So how do you block this?

Firstly, if you have an argument for how much cash they earn, so you can select a custom amount when fired, then make a limit. For example, if the remote has an argument like this:

Remote.OnServerEvent:Connect(function(plr,cash)
    plr.leaderstats.Cash.Value += cash
end)

It’s unsafe, since exploiters can fire while task.wait(.1) do Remote:FireServer(game.Players.LocalPlayer,50) end, and boom, they have 50 cash every 0.1 seconds!

So let’s do something like this:

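local timeLimit = .25 -- Minimum seconds between accepted requests; you may customize this
local timeLeft = {} -- Time of each player's last accepted request

Remote.OnServerEvent:Connect(function(player,cash)
  local timeDS = timeLeft[player]

  if timeDS then
    local from = tick() - timeDS -- Seconds since the last accepted request
    if from < timeLimit then
       return;
    end
  end
  timeLeft[player] = tick()
  player.leaderstats.Cash.Value += cash -- `cash` is still whatever the client sent
end)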

Although remotes that add leaderstats values, kicks, etc. are very unreliable + exploitable; you should only do this from the server, since this is counted as “trusting the client”.

Onto the next section:

PVP Exploits


You might be asking, how will I patch PVP exploits? Well, that’s easy: in order to check if they’re using reach exploits, just use a distance check!

Do a magnitude check, and if they are very far from their target, you know they are using reach hacks; although I think it will be better to just not do the action, since it might be a laggy user…

-- Server script; `handle` is the weapon's handle part and `plr` is the player holding it.
handle.Touched:Connect(function(hit)
   local target = hit.Parent
   local targetRoot = target and target:FindFirstChild("HumanoidRootPart")
   local targetHumanoid = target and target:FindFirstChild("Humanoid")
   local attackerRoot = plr.Character and plr.Character:FindFirstChild("HumanoidRootPart")

   if targetRoot and targetHumanoid and attackerRoot and target ~= plr.Character then
       -- Horizontal (X/Z) positions of the target and of the attacker
       local hrpDist = Vector3.new(targetRoot.Position.X,0,targetRoot.Position.Z)
       local currentDistance = Vector3.new(attackerRoot.Position.X,0,attackerRoot.Position.Z)

       if (currentDistance - hrpDist).Magnitude >= 15 then
             -- User activated the check!
             return;
       else
             -- fire your damage functions
             targetHumanoid:TakeDamage(15)
       end
   end
end)

Game Mechanics


How should I integrate the anti-exploit into my game mechanics so it won't detect the player using them as “exploiting”?

In this case, you can add a special boolean to the player that will only be activated by the server. Do not check it on the client, since they can enable it, and if they have it, temporarily shut off the anti-exploit until it's enabled…

This is not recommended

Punishments


What type of punishments should you punish your exploiters with?

Here's a list:

  • Kick (Kick the user for exploiting)
  • Ban (Ban the user for exploiting)
  • Forceback (Teleports the user to latest position recorded)
  • Ban world (Create a game and teleport the exploiter to it whenever they join)
  • Ban cage (NOT RECOMMENDED: Teleport a user to a ban cage)
  • Control (SetNetworkOwnership of all character parts/baseparts to nil after a couple of seconds back to the player)
  • Null zone (Teleport the player to the null zone better known as “Deadlands”)

Guides


There are plenty more awesome guides you should visit, see:

Reapimus Guide: A Guide to Making Proper Anti-Exploits

Dandcx Guide: How exploits work and how to combat them

Updates


I will be constantly adding more to this guide so make sure to keep looking!

36 Likes
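
The server-side movement check, the server-set exemption flag and the forceback punishment described in the guide above, combined into one loop. This is an added example, not part of the original post; the attribute name `MovementExempt` and the constants are assumptions, and scaling the allowance by the measured interval goes slightly beyond the fixed one-second sample in the guide.

```lua
-- Added example, not the original poster's code. Place in a Script under ServerScriptService.
local Players = game:GetService("Players")

local CHECK_INTERVAL = 1                  -- seconds between samples, as in the guide
local THRESHOLD = 3                       -- studs of slack, as in the guide
local EXEMPT_ATTRIBUTE = "MovementExempt" -- hypothetical name; set only by server code

local function horizontal(position)
	return Vector3.new(position.X, 0, position.Z)
end

local function watch(player, character)
	local root = character:WaitForChild("HumanoidRootPart", 10)
	local humanoid = character:WaitForChild("Humanoid", 10)
	if not root or not humanoid then
		return
	end

	local lastGood = root.Position -- full position, so a forceback keeps the height
	while character.Parent and humanoid.Health > 0 do
		local elapsed = task.wait(CHECK_INTERVAL)
		local moved = (horizontal(root.Position) - horizontal(lastGood)).Magnitude
		-- The server reads its own copy of WalkSpeed; client-side edits do not replicate here.
		local allowed = humanoid.WalkSpeed * elapsed + THRESHOLD

		if player:GetAttribute(EXEMPT_ATTRIBUTE) then
			-- A server-driven mechanic (dash, teleporter) is moving the player.
			lastGood = root.Position
		elseif moved > allowed then
			-- Forceback: return the character to the last accepted position.
			character:PivotTo(CFrame.new(lastGood))
		else
			lastGood = root.Position
		end
	end
end

local function onPlayerAdded(player)
	player.CharacterAdded:Connect(function(character)
		watch(player, character)
	end)
	if player.Character then
		task.spawn(watch, player, player.Character)
	end
end

Players.PlayerAdded:Connect(onPlayerAdded)
for _, player in ipairs(Players:GetPlayers()) do
	onPlayerAdded(player)
end
```

Server code that moves a player on purpose sets the attribute with `player:SetAttribute("MovementExempt", true)` before the move and clears it afterwards; an attribute changed on the client does not replicate to the server.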

Wow! Amazing tutorial! I needed this so much!

6 Likes

I like the idea of people making things like this so people can learn how to do it themselves instead of getting it instantly ready then having issues with it.

5 Likes

That's the goal, I do not want people to automatically just take a model, and boom they have a good anti exploit - I want them to learn.

3 Likes

Stop trying to start an argument out of nothing, you’re just being rude to someone trying to benefit others.

3 Likes

Your advice on remote security is completely ineffective. Limiting the remote in that way does not prevent exploiters from abusing it. Having a remote that just gives you money is inherently flawed and is by definition trusting the client (to fire the remote appropriately).

7 Likes

My “money remote” was Just for players to know how to stop players from abusing remotes;

And Limiting the value is very ineffective but most exploiters are dumb and would think they can now generate 10B cash and boom they get banned/kicked or smth-

2 Likes

It does not show how to stop players from abusing remotes.

Most exploiters are not that dumb. You shouldn’t make up fairytale examples because they do not reflect reality. An actual exploiter will figure out the upper limit for what they can request and just sit there firing the remote repetitively for 20 minutes.

This works as a honeypot sure, but accounts are expendable, and they’ll figure it out eventually. You’re better off not doing this at all.

7 Likes

What about the time limit? They can not spam it if the cooldown is, for say, 300 seconds (5 minutes) - Also the post was rushed and I said I will continue updating it

2 Likes

If the time limit is 5 minutes then the reward loop of your game doesn’t work for 5 minutes.

Don’t rush tutorials and resources. These are meant to help people, not to get cheap attention. You do more harm than help this way.

9 Likes

Instead of limiting the money or doing some cooldown on the remote, just do it on the server. There’s no reason to handle money giving on the client

2 Likes

To add, the server should be completely orchestrating the gameloop. It should be deciding when to award money, you should never need a remote for this.

5 Likes

I had rushed it since I wanted to help people make “anti-exploit” and was in a hurry with a lot of stuff to do - as I said I will be updating it constantly, editing…

2 Likes

I agree with this 100%, but some people still use money remotes for literally no reason

3 Likes

So just tell them to not, maybe try showing them sanity checks with a shop gui

2 Likes
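
A sanity-checked shop purchase of the kind suggested in the replies above, where the client only names an item and the server decides the price and the reward. This is an added example, not code from any poster in this thread; the RemoteEvent `PurchaseItem`, the `ShopItems` folder, the item names and the prices are assumptions.

```lua
-- Added example, not code from this thread. Place in a Script under ServerScriptService.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local ServerStorage = game:GetService("ServerStorage")

-- Hypothetical names: a RemoteEvent "PurchaseItem" and a folder "ShopItems" of Tools.
local purchaseRemote = ReplicatedStorage:WaitForChild("PurchaseItem")
local shopItems = ServerStorage:WaitForChild("ShopItems")

local PRICES = { Sword = 100, Shield = 250 } -- constructed sample catalogue
local MIN_INTERVAL = 0.25                    -- seconds between accepted requests
local lastRequest = {}

purchaseRemote.OnServerEvent:Connect(function(player, itemName)
	-- The first argument is supplied by the engine; everything after it is client input.
	if typeof(itemName) ~= "string" then
		return
	end

	local now = os.clock()
	local previous = lastRequest[player]
	if previous and now - previous < MIN_INTERVAL then
		return
	end
	lastRequest[player] = now

	-- Price and item come from server-side tables, never from the request.
	local price = PRICES[itemName]
	local template = shopItems:FindFirstChild(itemName)
	local stats = player:FindFirstChild("leaderstats")
	local cash = stats and stats:FindFirstChild("Cash")
	if not price or not template or not cash or cash.Value < price then
		return
	end

	cash.Value -= price
	template:Clone().Parent = player.Backpack
end)

Players.PlayerRemoving:Connect(function(player)
	lastRequest[player] = nil -- avoid keeping entries for players who left
end)
```

Firing this remote in a loop can only spend the player's own cash at the server's prices, so the rate limit protects server load rather than the economy.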

I will, thanks for the suggestion, I’ll probably edit it tomorrow, it's like 6 PM for me, and I have some stuff to do

2 Likes

The guide has been updated for better remote security! adding more for example magnitude checks soon… (how to do magnitude checks)

1 Like

Added magnitude check! :wink: Give me more ideas of what to add :smiley:

ok, just a small question but where would you recommend putting the anti-cheat?

ServerScriptService, as a normal script.

1 Like