Yes, deleted parts can be done through connections and Noclipping.
We aren’t exactly sending “Functions” per se. We are sending scripts that will be parsed.
They need to account for every check. I’ve actually made an exploit bypass before with an executor. You have to make a bypass for every possible string.
I’m not very knowledgeable with metatables. In this situation, is there a way for the client to check if game has a metatable set to it, or to overwrite the current set metatable?
Not possible. The security level for LocalScripts is too low. Most exploits are security level 6, and 7-8 in rare cases (Synapse X or Script-Ware).
It would indeed be useful if developers were able to have higher security permissions. Still, it would be a security issue if we can access metatables (Force purchase gamepass, etc)
Yeah, it’s extremely easy for exploiters depending on the “level” of their exploit. One of the most popular exploits, also known as Synapse, has many functions, and some of them allow you to overwrite metatables by unlocking them and locking them.
Whenever I go about making an anti-cheat, here’s the first thing in mind:
Step one:
Understand that exploiters are going to bypass any anticheat
Step two:
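With step one out of the way, what can I do to create an anti-cheat that can expose the basic exploiters?
Personally I like to do a “fake remote value”:

local ReplicatedStorage = game:GetService("ReplicatedStorage")
local adminRemote = ReplicatedStorage.AdminRemote
local admin = false -- decoy value; an unmodified client always sends false
local command = "kick"
adminRemote:FireServer(admin, command)

On the server:

local ReplicatedStorage = game:GetService("ReplicatedStorage")
local adminRemote = ReplicatedStorage.AdminRemote
adminRemote.OnServerEvent:Connect(function(player, hacker, command)
    if hacker then
        -- the decoy argument was changed to true: ban them
    elseif player:GetRankInGroup(123456) > 10 then
        -- do command
    end
end)
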
Personally this is what you should be striving to do, and you can catch some people in the process.
Alright, so our new problem is fake workspace detection.
Is it performant to attach .DescendantAdded and .DescendantRemoving to the DataModel, and .Changed events to every single instance in the workspace to keep this table maintained and up to date?
If it isn’t, that leaves a possibility to change some random model’s name somewhere, ask the client if they saw it, and if they didn’t, bingo. Fake workspace.
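The rename-and-ask check proposed in the post above, written as a server Script; this is an added example, not code from the thread. It assumes a RemoteEvent named CanaryCheck in ReplicatedStorage and a LocalScript that answers each request with the name it sees (both hypothetical), and it only logs, since a late or missing reply can also be ordinary latency.

```lua
-- Added example, not code from the thread. Runs as a server Script.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local HttpService = game:GetService("HttpService")

-- Assumption: a RemoteEvent named "CanaryCheck" exists in ReplicatedStorage, and a
-- LocalScript answers each request with canaryCheck:FireServer(instance.Name).
local canaryCheck = ReplicatedStorage:WaitForChild("CanaryCheck")

local REPLY_TIMEOUT = 10 -- seconds allowed for replication plus the round trip
local CHECK_INTERVAL = 60 -- seconds between checks; must exceed REPLY_TIMEOUT
local pending = {} -- [player] = name the server expects to hear back

local canary = Instance.new("Folder") -- stands in for the "random model" being renamed
canary.Parent = workspace

local function flag(player, reason)
	-- Placeholder response: log only. A mismatch is a signal, not proof.
	warn(("canary check: %s (%s)"):format(player.Name, reason))
end

canaryCheck.OnServerEvent:Connect(function(player, seenName)
	local expected = pending[player]
	if expected == nil then return end -- unsolicited or late reply, ignore
	pending[player] = nil
	-- Client arguments are untrusted: check the type before comparing.
	if type(seenName) ~= "string" or seenName ~= expected then
		flag(player, "reported a different name")
	end
end)

Players.PlayerRemoving:Connect(function(player)
	pending[player] = nil
end)

while true do
	local name = HttpService:GenerateGUID(false)
	canary.Name = name
	task.wait(1) -- let the rename replicate before asking
	for _, player in ipairs(Players:GetPlayers()) do
		pending[player] = name
		canaryCheck:FireClient(player, canary)
		task.delay(REPLY_TIMEOUT, function()
			if pending[player] == name then -- still unanswered for this round
				pending[player] = nil
				flag(player, "no reply")
			end
		end)
	end
	task.wait(CHECK_INTERVAL)
end
```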
oops, I misread the question;
I’m assuming vLua returns a function or executes code directly by parsing it then using a wrapper; if so, it can still be bypassed.
I agree that this would be really difficult to bypass, since you could also have custom bytecode to prevent them from using their own parser, but once an exploiter finds their way around, they could release the exploit, and it’ll be a waste of time to constantly patch it since there will almost certainly be a way around. We can hope that Parallel Lua may make server-side detection more feasible.