How do I make a good anti exploit
Many people ask: how do I make an advanced anti exploit?
Well, it's actually very easy. Let's move to our first section:
How do exploits work?
Firstly, what is an “exploit”? An exploit is most likely an executor that attaches to the Roblox systems and lets the user inject scripts such as fly, speed, noclip and more.
Here are the steps an exploiter takes to inject scripts:
- Joins a game
- Attaches the executor (unless auto-attach)
- Executes scripts
We want to stop them from doing the 2nd and 3rd steps. Sadly, we cannot detect them attaching executors, but we can detect executing scripts by detecting changes, comparing normal movement to their movement, and more. Let's go to our second section…
Never Trust The Client
Why should I not trust the client? Because exploiters have FULL control over their client, so they can spoof their speed, JumpPower, health, etc.
Here is a quick snippet an exploiter can type in seconds to bypass your Humanoid.WalkSpeed check:
local oldindex = mt.__index
setreadonly(mt,false)
mt.__index = function(indexed,property)
    if indexed == "Humanoid" and property == "WalkSpeed" then
        return 16
    end
    return oldindex(indexed,property)
end
setreadonly(mt,true)
See how easy it is for them to spoof stuff?
Therefore you should NEVER trust the client. If you're going to make an anti exploit, make sure it's always server-sided, because on the client exploiters can spoof your checks, disable or delete the anti cheat, or just ignore it entirely.
Creating a serversided anti exploit
When creating a server-sided anti exploit you CAN'T do your normal checks of Humanoid.WalkSpeed, Humanoid.JumpPower or even Humanoid.Health.
Then you might be asking: how will you detect distance (speed, fly, teleport) exploits, or any exploit? That's easy: all you need to do is check with Magnitude.
To check for speed exploits, check whether the Magnitude (the distance moved in one second) is higher than the player's WalkSpeed + [threshold]. The threshold should normally be 3 or 5; without a threshold, players will automatically get detected just for walking!
Here's an example:
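-- Server script; `player` is the Player being checked.
local character = player.Character
local root = character.HumanoidRootPart
local lastCFrame = root.CFrame -- full CFrame, kept so the rollback preserves height
-- Compare horizontal (X/Z) positions only, so falling is not flagged
local pos1 = Vector3.new(lastCFrame.Position.X, 0, lastCFrame.Position.Z)
task.delay(1, function()
    if not root.Parent then return end -- character was removed in the meantime
    local pos2 = Vector3.new(root.Position.X, 0, root.Position.Z)
    if (pos1 - pos2).Magnitude >= character.Humanoid.WalkSpeed + 3 then
        -- Moved further in one second than WalkSpeed allows: send them back
        character:PivotTo(lastCFrame)
    end
end)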
Let's move into specific sections on how to stop different types of exploits!
Stopping Remote Abuse
Exploiters can see if you have a remote that gives them an advantage, and abuse it. For example, if you have a money remote they can fire it in a loop and earn thousands and thousands of Cash! So how do you block this?
Firstly, if the remote has an argument for how much cash the player earns, so that a custom amount can be chosen when it is fired, then put a limit on it. For example, if the remote looks like this:
Remote.OnServerEvent:Connect(function(plr,cash)
    plr.leaderstats.Cash.Value += cash
end)
It's unsafe, since exploiters can fire while task.wait(.1) do Remote:FireServer(game.Players.LocalPlayer,50) end, and boom, they have 50 cash every 0.1 seconds!
So let's do something like this:
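local timeLimit = .25 -- Minimum seconds between accepted fires; you may customize this
local lastFired = {} -- [player] = time of the last accepted fire
Remote.OnServerEvent:Connect(function(player,cash)
    local last = lastFired[player]
    if last then
        -- Elapsed time since the last accepted fire
        local elapsed = tick() - last
        if elapsed < timeLimit then
            return -- fired again too soon, ignore it
        end
    end
    lastFired[player] = tick()
    player.leaderstats.Cash.Value += cash
end)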
That said, remotes that add leaderstats values, kick players, etc. are very unreliable and exploitable. You should only do these things from the server, since letting a remote do them counts as “trusting the client”.
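The point above, as an added example that is not part of the original guide: the client only names what it is claiming, and the server owns the amount, the cooldown and the cleanup. The remote name ClaimReward and the REWARDS table are assumptions made for illustration.

```lua
-- Added example: server Script. "ClaimReward" and the reward values are assumed names.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

local Remote = ReplicatedStorage:WaitForChild("ClaimReward") -- assumed RemoteEvent
local COOLDOWN = 0.25 -- seconds between accepted requests
local REWARDS = { Coin = 5, Chest = 50 } -- server-owned amounts (constructed values)

local lastAccepted = {} -- [Player] = os.clock() of the last accepted request

Remote.OnServerEvent:Connect(function(player, rewardId)
    -- The client never sends an amount, only the name of a reward.
    if typeof(rewardId) ~= "string" then
        return
    end
    local amount = REWARDS[rewardId]
    if not amount then
        return -- unknown reward name
    end

    local now = os.clock()
    local last = lastAccepted[player]
    if last and now - last < COOLDOWN then
        return -- fired again too quickly, drop the request
    end
    lastAccepted[player] = now

    -- A real game would also confirm here, from server state, that the
    -- player actually earned this reward (for example, is next to the chest).
    local stats = player:FindFirstChild("leaderstats")
    local cash = stats and stats:FindFirstChild("Cash")
    if cash then
        cash.Value += amount
    end
end)

-- Forget players who leave so the table does not grow forever.
Players.PlayerRemoving:Connect(function(player)
    lastAccepted[player] = nil
end)
```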
Onto the next section:
PVP Exploits
You might be asking: how will I patch PVP exploits? Well, that's easy. In order to check whether they're using reach exploits, just use a distance check.
Do a magnitude check, and if they are very far from their target you know they are using reach hacks; although I think it is better to simply not perform the action, since it might be a laggy user…
-- Server script; `plr` is the player holding the weapon and `handle` is its part.
handle.Touched:Connect(function(hit)
    local targetRoot = hit.Parent:FindFirstChild("HumanoidRootPart")
    local targetHumanoid = hit.Parent:FindFirstChild("Humanoid")
    local attackerRoot = plr.Character and plr.Character:FindFirstChild("HumanoidRootPart")
    if targetRoot and targetHumanoid and attackerRoot then
        -- Compare horizontal (X/Z) positions only
        local targetPos = Vector3.new(targetRoot.Position.X, 0, targetRoot.Position.Z)
        local attackerPos = Vector3.new(attackerRoot.Position.X, 0, attackerRoot.Position.Z)
        if (attackerPos - targetPos).Magnitude >= 15 then
            -- User activated the check!
            return
        else
            -- fire your damage functions
            targetHumanoid:TakeDamage(15)
        end
    end
end)
Game Mechanics
How should I integrate the anti exploit into my game mechanics so it won't detect players using them as “exploiting”?
In this case you can add a special boolean to the player that is only activated by the server (do not check it on the client, since they can enable it), and while they have it, temporarily shut off the anti exploit until it is enabled again…
This is not recommended.
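An added example, not part of the original guide, that serves both the Magnitude speed check described earlier and the exemption idea in this section: a server loop samples every player once per second, and exemptions live in a server-side table with an expiry time instead of a boolean on the player. The names exempt, CHECK_INTERVAL and THRESHOLD are assumptions.

```lua
-- Added example: server Script. Names and thresholds are assumptions.
local Players = game:GetService("Players")

local CHECK_INTERVAL = 1 -- seconds between samples
local THRESHOLD = 3 -- slack in studs, as suggested in the guide
local lastCFrame = {} -- [Player] = CFrame at the previous sample
local exemptUntil = {} -- [Player] = os.clock() time until checks are skipped

-- Call this from the server's own mechanics (dash, teleport pad) before moving a player.
local function exempt(player, seconds)
    exemptUntil[player] = os.clock() + seconds
end

local function flat(v) -- ignore Y so falling is not flagged
    return Vector3.new(v.X, 0, v.Z)
end

local function check(player)
    local character = player.Character
    local root = character and character:FindFirstChild("HumanoidRootPart")
    local humanoid = character and character:FindFirstChildOfClass("Humanoid")
    if not root or not humanoid or humanoid.Health <= 0 then
        lastCFrame[player] = nil -- dead or respawning: start over
        return
    end
    local previous = lastCFrame[player]
    lastCFrame[player] = root.CFrame
    if not previous or os.clock() < (exemptUntil[player] or 0) then
        return -- first sample, or the server moved this player itself
    end
    local moved = (flat(root.Position) - flat(previous.Position)).Magnitude
    if moved >= humanoid.WalkSpeed * CHECK_INTERVAL + THRESHOLD then
        character:PivotTo(previous) -- "Forceback" to the last accepted position
        lastCFrame[player] = previous
    end
end

Players.PlayerRemoving:Connect(function(player)
    lastCFrame[player], exemptUntil[player] = nil, nil
end)

task.spawn(function()
    while true do
        task.wait(CHECK_INTERVAL)
        for _, player in Players:GetPlayers() do
            check(player)
        end
    end
end)
```

Because the exemption expires on its own, a mechanic that forgets to clear it cannot leave a player unchecked for the rest of the session.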
Punishments
What type of punishments should you give your exploiters?
Here's a list:
- Kick (Kick the user for exploiting)
- Ban (Ban the user for exploiting)
- Forceback (Teleports the user to latest position recorded)
- Ban world (Create a game and teleport the exploiter to it whenever they join)
- Ban cage (NOT RECOMMENDED: Teleport a user to a ban cage)
- Control (SetNetworkOwner of all character parts/BaseParts to nil, then back to the player after a couple of seconds)
- Null zone (Teleport the player to the null zone better known as “Deadlands”)
Guides
There are plenty more awesome guides you should visit, see:
Reapimus Guide: A Guide to Making Proper Anti-Exploits
Dandcx Guide: How exploits work and how to combat them
Updates
I will be constantly adding more to this guide so make sure to keep looking!