[FE++] Best server sided non physics anti-exploit for your Roblox game!

FE++

What is FE++? FE++ is a fully server sided anti-exploit for your Roblox game.

While filtering enabled is good for preventing exploits, there are a few nuances which can be exploited. This anti-exploit patches all of these small little nuances.

These nuances in the Roblox replication allows exploiters to bypass some server sided security and makes it a pain for developers to code it.

For example exploiters can delete joints inside the character which can allow them to bypass most movement anti-cheats.
Also the FE-God mode vulnerabilities can be used to stop a lot of stuff.
Additionally exploiters can display inappropriate animations and even construct private parts which is really bad if children play your game!

FE++ aims to fix all of this with a simple elegant script.

This anti-exploit is not a movement anti-exploit! Instead it complements movement anti-exploit you use by patching some bypasses. This means you can(and should) use any movement anti-exploit along it.

Benefits

  • FE++ is lightweight and standalone. You only insert the script to your game and it does its thing.

  • It is fully server sided and works by security by design meaning it cannot be bypassed.

  • It never false detects and it only prevents the action from happening, like filtering enabled.

Features

  • Invalid Humanoid Deletion ( Incompatible with any usage of .Parent = nil, please use :Destroy() instead ) - Stops an exploit which exploiters can use to become invincible.

  • Invalid Hat Mesh Deletion - Stops deletion of meshes inside hats and other accessories.

  • Multi Tool - Stops exploiters from selecting multiple tools to utilize other exploits.

  • Inappropriate Animation - Stops an inappropriate animation which can be used in an adult only manner.

  • Hat Joint Deletion - When the Joint connecting a hat is destroyed the networkownership of the hat gets sent to the player, this prevents hat animation hacks which again can be used in an inappropriate manner.

  • Anti-Anti-Respawn/Anti-god - There is a god exploits which a hacker can use to not make their character respawn. When the anti-exploit detects that a player has not respawned, even when they should have it respawns them.

  • Anti-RootJoint/WaitJoint deletion - When the “Neck” joint is removed from a character, it dies. This however does not apply for the “RootJoint” and “Waist” joints, which allows exploiters to move the character while not moving their HumanoidRootPart. When the Anti-Exploit detects that either one is removed the Humanoid is killed.

  • A customisable animation whitelist/blacklist system. You can either use a blacklist/whitelist mode and which either prevents the said animations or only allows them. This is off by default but if you want you can enable this check.

Download

While the code is licensed under CC0 meaning you don’t have to give credit. Still giving credit would really be appreciated. :slight_smile:

Source code:

local Players = game:GetService("Players")


-- // If you want to use a whitelist mode for animations instead of a blacklist.
local USE_WHITELIST = false
-- // If you want to whitelist / blacklist an animation enter it here.
local ANIMATIONS_LIST = {}


local function protectHat(hat)
	local handle = hat:WaitForChild("Handle", 30)

	if handle then
		--[[
			This code prevents exploiters from abusing the NetworkOwnership
			of hats that are detached from the character.

			Then the hat weld is removed from the hat, the network ownership
			of the hat is set to the server.
		]]
		task.defer(function()
			local joint = handle:WaitForChild("AccessoryWeld")

			local connection
			connection = joint.AncestryChanged:Connect(function(_, parent)
				if not connection.Connected or parent then
					return
				end

				connection:Disconnect()

				if handle and handle:CanSetNetworkOwnership() then
					handle:SetNetworkOwner(nil)
				end
			end)
		end)

		--[[
			This code prevents the deletion of meshesh from hats.

			Exploiters can exploit this in various different ways.
			When the hat mesh is deleted it is simply parented back.
		]]
		if handle:IsA("Part") then
			local mesh = handle:FindFirstChildOfClass("SpecialMesh") or handle:WaitForChild("Mesh")

			mesh.AncestryChanged:Connect(function(child, parent)
				task.defer(function()
					if child == mesh and handle and (not parent or not handle:IsAncestorOf(mesh)) and hat and hat.Parent then
						mesh.Parent = handle
					end
				end)
			end)
		end
	end
end

local function killHumanoid(humanoid)
	if humanoid then
		humanoid:ChangeState(Enum.HumanoidStateType.Dead)
		humanoid.Health = 0
	end
end

local function onPlayerAdded(player)
	local function onCharacterAdded(character)
		for _, v in ipairs(character:GetChildren()) do
			if v:IsA("Accoutrement") then
				coroutine.wrap(protectHat)(v)
			end
		end

		character.ChildAdded:Connect(function(child)
			if child:IsA("Accoutrement") then
				protectHat(child)
			elseif child:IsA("BackpackItem") then
				local count = 0
				
				--[[
					This code prevents exploiters from selecting multiple tools at the same time
					to utlise other exploits.

					When a player selects a tool, we count the number of tools. If there are extra
					tools selected we simply parent them back to the backpack.
				]]
				task.defer(function()
					for _, v in ipairs(character:GetChildren()) do
						if v:IsA("BackpackItem") then
							count += 1
							if count > 1 then
								v.Parent = player:FindFirstChildOfClass("Backpack") or Instance.new("Backpack", player)
							end
						end
					end
				end)
			end
		end)


		local humanoid = character:FindFirstChildOfClass("Humanoid") or character:WaitForChild("Humanoid")

		--[[
			This code prevents the invalid deletion of the humanoid object.

			An exploiter can delete their humanoid, which replicates to the server
			allowing them to achieve god mode. When the humanoid is deleted this
			code parents it back to the character.
		]]
		humanoid.AncestryChanged:Connect(function(child, parent)
			task.defer(function()
				if child == humanoid and character and (not parent or not character:IsAncestorOf(humanoid)) then
					humanoid.Parent = character
				end
			end)
		end)

		humanoid.StateChanged:Connect(function(last, state)
			if last == Enum.HumanoidStateType.Dead and state ~= Enum.HumanoidStateType.Dead then
				killHumanoid(humanoid)
			end
		end)

		--[[
			This prevents a certain god exploit where a hacker can make themselves not respawn.

			It first checks that the game uses the normal character loading system, to prevent
			games with custom respawn systems from breaking. When the player dies it is checked
			if they have respawned, if not then this automaticly respawns them.
		]]
		if Players.CharacterAutoLoads then
			local connection

			connection = humanoid.Died:Connect(function()
				if not connection.Connected then
					return
				end

				connection:Disconnect()

				task.wait(Players.RespawnTime + 1.5)

				if humanoid and workspace:IsAncestorOf(humanoid) then
					player:LoadCharacter()
				end
			end)
		end

		local animator = humanoid:WaitForChild("Animator")

		--[[
			This handles the animation blacklist/whitelist.


			A player can play any animation that is a. owned by Roblox or b. made by the game creator.
			This can be exploited by a hacker, to for example play an inappropriate animation.

			It is hardlocked to prevent an inappropriate animation (rbxassetid://148840371).
			You can also add animations to blacklist/whitelist to the ANIMATIONS_LIST table.
			If you set USE_WHITELIST to true it will use a whitelist mode,
			meaning only the animations in the table are allowed, else it only prevents the
			animations in the list.
			NOTE: The animation may still appear on the client, but it never appears on the server or other players!
		]]
		animator.AnimationPlayed:Connect(function(animationTrack)
			local animationId = string.lower(string.gsub(animationTrack.Animation.AnimationId, "%s", ""))
			if 
				animationId == "rbxassetid://148840371" or
				string.match(animationId, "[%d%l]+://[/%w%p%?=%-_%$&'%*%+%%]*148840371/*") or
				USE_WHITELIST and not table.find(ANIMATIONS_LIST, animationId) or
				not USE_WHITELIST and table.find(ANIMATIONS_LIST, animationId)
			then
				task.defer(function()
					animationTrack:Stop(1/60)
				end)
			end
		end)

		local connections = {}
		local function makeConnection(Conn)
			local connection
			connection = Conn:Connect(function(_, parent)
				task.defer(function()
					if not connection.Connected or parent or humanoid and not humanoid.RequiresNeck then
						return
					end

					for _, v in ipairs(connections) do
						v:Disconnect()
					end

					if humanoid and not (humanoid.Health <= 0) then
						killHumanoid(humanoid)
					end
				end)
			end)

			table.insert(connections, connection)
		end

		--[[
			This code prevents the abusing of deleting the rootjoint and/or waisjoint.

			When you delete the neckjoint the character dies, this however does not apply
			for the rootjoint and the waistjoint. Meaning hackers can abuse this to detach
			themselves from the humanoid rootpart to do all kinds of stuff.
			When either joint is removed the humanoid will be killed.
		]]
		local humanoidRootPart = character:WaitForChild("HumanoidRootPart")
		local rootJoint = humanoid.RigType == Enum.HumanoidRigType.R15 and character:WaitForChild("LowerTorso"):WaitForChild("Root") or humanoid.RigType == Enum.HumanoidRigType.R6 and (humanoidRootPart:FindFirstChild("Root Hip") or humanoidRootPart:WaitForChild("RootJoint"))

		makeConnection(rootJoint.AncestryChanged)

		if humanoid.RigType == Enum.HumanoidRigType.R15 then
			makeConnection(character:WaitForChild("UpperTorso"):WaitForChild("Waist").AncestryChanged)
		end
	end

	if player.Character then
		task.spawn(onCharacterAdded, player.Character)
	end

	player.CharacterAdded:Connect(onCharacterAdded)
end


for _, v in ipairs(Players:GetPlayers()) do
	task.spawn(onPlayerAdded, v)
end

Players.PlayerAdded:Connect(onPlayerAdded)

Make a script inside ServerScriptService and paste the code there.
https://www.roblox.com/library/8392627053/Anti-Exploit-FE-Anti-Exploit

If you wan’t to contribute you can do so on the github

Also if you want to have this automatically on all of your games here is a plugin that adds the script:
https://www.roblox.com/library/8424271140/Anti-Exploit-Auto-add-FE-Anti-Exploit

Please tell me in the replies what do you think? :wink:

73 Likes

First of all it seems you don’t understand how animation works. Exploiters can’t just reupload an animation and have it work for any game. Only animation created by Roblox or by the game creator can be played in the game. So this check isn’t useless at all.

Actually my code does not replicate the behavior of RequiresNeck. It seems you didn’t read my post thoroughly and just assumed it dublicates the behavior of RequiresNeck.
My code applies the same behavior of NeckDeletion to the WaistJoint and RootJoint which Roblox does not do. This is a really important detection and again isn’t useless at all.

It doesn’t. Only if you use the default dummy as starter character because the joints are named differently. Anyways this is a small edge case which I will probably fix.
However even if it didn’t work it wouldn’t break the behavior of anti-anim as the code executes later.

This is not true. You totally misunderstood the anti-cheat.

14 Likes
  • It is fully server sided and works by security by design meaning it cannot be bypassed.

Until you realize that your anti exploit uses humanoid states which are computed on the client and then replicated to the server…

10 Likes

Yeah the StrafingNoPhysics check was useless so I decided to remove it.

But besides that it doesn’t rely in humanoid states.

1 Like

That is not true at all. It only shows up as destroyed on the client meanwhile on the server it is not. Please verify your claims before you post about them.

4 Likes

Uh tbh I’m not sure about this like, I think an exploiter could run animation from their exploits

No?

1 Like

They can’t. They can only play animations which are approved to a game.

They can however fake animations by removing had joint welds but that is a different thing.

1 Like

Would it detect movement and teleportation, even ping checking to check if those are valid?
Even the most common exploits?

That is not the point.
If you read the post it is supposed to patch non-physics exploits. These include ones which can be used to bypass physics exploits detections, FE God exploits, inappropriate exploits and other ones.

1 Like

Then why is it called the best if it doesn’t handle common exploits like changing movement speed?
It isn’t hard to make a physics-related ANTI exploit. There CAN be false positives but those would be small and you can counter them with something else.

Poor skid you hit him hard lol,
Other thing, when you have time, would you like to add these very cool features to Adonis’ Anti.lua? It would make a cool addition and you could add them directly, while if you don’t I could try to add them too

3 Likes

I didn’t say it was the best movement anti-exploit.
But it is the best non-movement anti-exploit

See Best server sided anti-cheat firewall. Firewall is the keyword which Distinguishes it from a physics exploit.
:wink:

Nonmovement exploits are a very bad thing in Roblox. Maybe even worse then movement ones.

Nonmovement exploits can be used to display inappropriate animations, display gentelia, and break games, and achive God Mode.

A movement exploit can easily be developed by a dev because most people have good knowledge of it, however 99% of people don’t known how to patch nonphysics Roblox exploits (atleast in a performant way).

A physics Anti Exploit would need to be both client and server related, this is the best server sided anti-cheat firewall, not the best client sided anti-cheat. This Anti-Exploit secures FE giving you more space to develop a client/server anti-exploit, this means that your point is not correct :skull_and_crossbones:


Title doesn’t say the same, don’t mislead people.

Call it “The best non-physics related exploit”.


Didn’t know firewall means different from physics.
Damn new definition.

2 Likes

Firewall can have different meanings, the title isn’t misleading :smiling_face_with_three_hearts: I love how usually in anti-cheat/exploit related topics atteact “script kiddies” that always try to discourage the creator from patching some exploits, even if it’s for some days, you should always try your best to patch a vulnerability. Don’t let these people stop you, if you look at every anti-cheat related topic ever, you’ll always find tons and tons of people that just ruin the conversation for everyone and make an argument about how the anticheat wouldn’t work

6 Likes

Yes it would have to, can’t expect the best results without checking the client.

Didn’t say anything about client anti-cheats but ok then.
Client sided wouldn’t work out.

Could you tell me the meaning RELATING to physics?

Yeah maybe the title could be a bit confusing.

However it definetly isn’t “misleading”. Why do some people assume that a simple ambiguity is purposesful misleading.

It is misleading to some people because they would think its the best overall and it can protect your game from ANY exploiter. Isn’t that misleading?

Yeah you’re giving people the wrong idea. And that idea being this is the best anti exploit ever.

1 Like

Client Sided with integrity and sanity checks WOULD work out, if it is supervised constantly by a server-sided script. That’s how Adonis’ AntiCheat works. In this case firewall indicates the fact that this Anti-Cheat fixes some vulnerabilities and bypasses on the serverside, allowing clientside and other serverside script to co-operate in a better manner