Concept: Client Anti-cheat possible?

That is a possibility, although that is applied for a different case than mine.


Oops, I misread the question.
I’m assuming vLua returns a function or executes code directly by parsing it and then using a wrapper; if so, it can still be bypassed.


It definitely can. No anti-exploit is perfect; there are just varying levels of difficulty in bypassing them. This one is one of the more difficult ones.

Yeah, it would be necessary to attach some events, but you could also index a value on demand, and you can just track values which you’ve changed.

Indeed, that would be difficult. Still, we don’t need to detect everything; we just need to detect the main issues we have with exploiting.

I agree that this would be really difficult to bypass, since you could also have custom bytecode to prevent them from using their own parser, but once an exploiter finds their way around, they could release the exploit, and it’ll be a waste of time to constantly patch it since there will almost certainly be a way around. We can hope that Parallel Lua may make server-side detection more feasible.


I believe this is a great time to conclude this conversation. Thank you all for your suggestions and concerns.


Doesn’t vLua have its own interpreter? If so, I don’t understand how this would help. What stops the hacker from just using vLua themselves?

Using vLua themselves would just increase the lag, and still get them banned.

Exploiters can easily delete the client-side anti-cheat script, and this topic wasn’t as useful.

Changing the execution level is literally a line of code.

If the exploiter deletes the client side cheat, they will be banned because the server is not receiving a response.

Sorry, I do not understand what you mean. Even if the exploiter executes something on level 8, it still modifies the client, and that is detectable.

I think the key to anti-cheats is to have multiple methods of checking something. For example, something as simple as walk speed:

The first method to add to your script is the basic loop that checks the walk speed value. That will defend against inexperienced exploiters that just change client values.

Then you want another script to check the CFrame value of the HumanoidRootPart every few seconds. Fine-tune it to see what the max CFrame traveled can be.

Use these methods in separate scripts, just to make it a little bit harder to disable both methods easily. The next thing is to copy and paste both of these methods into other important client scripts so that the methods can’t be disabled without breaking other parts of the game.

To summarize, the main key, no matter what type of client anti-cheat you use, is to have several different methods that are harder to combat.
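
The two walk-speed checks described in the post above, sketched as an added example that is not part of the original thread. It assumes a LocalScript, the default WalkSpeed of 16, and illustrative thresholds to tune per game; `flag` is a hypothetical reporting hook, and a property-change signal stands in for the post's polling loop.

```lua
-- Added example, not code from the thread. All constants are assumed values.
local Players = game:GetService("Players")
local player = Players.LocalPlayer

local EXPECTED_WALK_SPEED = 16 -- Roblox default Humanoid.WalkSpeed
local CHECK_INTERVAL = 2       -- seconds between position samples
local TOLERANCE = 1.5          -- slack for physics pushes and frame hitches
local STRIKES_TO_FLAG = 3      -- consecutive violations before reporting

-- Hypothetical reporting hook; replace with your own handling.
local function flag(reason)
	warn("[anti-cheat] " .. player.Name .. ": " .. reason)
end

local function watchCharacter(character)
	local humanoid = character:WaitForChild("Humanoid")
	local root = character:WaitForChild("HumanoidRootPart")

	-- Method 1: property check, catches direct edits of WalkSpeed.
	humanoid:GetPropertyChangedSignal("WalkSpeed"):Connect(function()
		if humanoid.WalkSpeed > EXPECTED_WALK_SPEED then
			flag("WalkSpeed set to " .. humanoid.WalkSpeed)
		end
	end)

	-- Method 2: displacement check, catches movement that never touches WalkSpeed.
	task.spawn(function()
		local strikes = 0
		local lastPos, lastTime = root.Position, os.clock()
		while character.Parent do
			task.wait(CHECK_INTERVAL)
			local now = os.clock()
			-- Horizontal distance only, so jumping and falling are not counted.
			local moved = ((root.Position - lastPos) * Vector3.new(1, 0, 1)).Magnitude
			local allowed = EXPECTED_WALK_SPEED * (now - lastTime) * TOLERANCE
			-- Require several violations in a row to cut down false positives.
			strikes = if moved > allowed then strikes + 1 else 0
			if strikes >= STRIKES_TO_FLAG then
				flag(("moved %.1f studs, allowed %.1f"):format(moved, allowed))
				strikes = 0
			end
			lastPos, lastTime = root.Position, now
		end
	end)
end

player.CharacterAdded:Connect(watchCharacter)
if player.Character then watchCharacter(player.Character) end
```

Legitimate teleports, vehicles or speed boosts need to be exempted or reflected in `EXPECTED_WALK_SPEED`, otherwise the displacement check will flag them.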


As a result of false positives, if a player has high ping, he will get kicked. And if the exploiter deletes the anti-exploit, the exploit could take it over, firing the remote.


The exploit would have to use loadstring, essentially defeating its own purpose.