Feedback on my anti exploit script layout

A couple of weeks ago I made a new and kind of efficient way to detect and prevent basic exploits in games. I’ve been further developing it to do better and implemented it to send chat messages and Discord messages when the player is kicked (not shown in code below). However, to prove that it is really as effective and efficient as it could be, I need feedback from other creators.

The code below takes place in one script located in ServerScriptService, so no need to worry about client issues. Any feedback is appreciated!

```lua
local BannedObjects = {"BodyGyro", "BodyPosition", "BodyForce"}
local BodyParts = {"Head", "Torso", "Left Arm", "Right Arm", "Left Leg", "Right Leg", "HumanoidRootPart"}
local AllowedGuis = {"BubbleChat", "Chat", "Freecam", "ChatMessageHandler", "ChatInstallVerifier", "OtherGuiNamesHere", "SetupQuickJoiners", "HDAdminGUIs"} -- These guis are automatically inserted into the PlayerGui so I included them here

game.Players.PlayerAdded:Connect(function(Player)
	Player.CharacterAdded:Connect(function(Character)
		local Humanoid = Character:WaitForChild("Humanoid")

		Humanoid:GetPropertyChangedSignal("WalkSpeed"):Connect(function()
			if Humanoid.WalkSpeed ~= 16 then
				Player:Kick("Your WalkSpeed changed to "..Humanoid.WalkSpeed)
			end
		end)

		Character.DescendantAdded:Connect(function(Descendant)
			if table.find(BannedObjects, Descendant.ClassName) then
				Player:Kick("A "..Descendant.ClassName.." was found in your "..Descendant.Parent.Name..".")
			end
		end)

		Character.ChildRemoved:Connect(function(Child)
			if Humanoid and Humanoid.Health ~= 0 then
				if table.find(BodyParts, Child.Name) then
					Player:Kick("You were trying to remove your "..Child.Name..".")
				end
			end
		end)
	end)

	Player.PlayerGui.ChildAdded:Connect(function(ScreenGui)
		if not table.find(AllowedGuis, ScreenGui.Name) then
			Player:Kick(ScreenGui.Name.." was found in your PlayerGui.")
		end
	end)
end)
```
5 Likes

None of these checks actually fire off. Local changes to WalkSpeed don’t replicate to the server, and neither does adding physics objects to the character or Guis to PlayerGui.

15 Likes

It’s good that it is not a local script, so it won’t be able to get deleted by an exploiter :+1:

2 Likes

The problem is that checking player speed won’t work, because the player can use a metatable to index it so that it returns 16 when in fact it’s more than a hundred. You can try using humanoid.Running(speed) and then check if the player speed is more than 40, then kick. We check for more than 40 because this .Running returns the absolute player speed, so they might get glitched and the speed can go over 16.

2 Likes

If you change it to a local script it’ll still be terrible.

AllowedGuis can change because Roblox can change the names of their Guis, so it’s safer to not check for players inserting them at all. Also exploiters will use CoreGui instead of PlayerGui. CoreGui isn’t accessible by a local script or serverscript.

Also they can just remove the local script. Use magnitude and sanity checks in your remote events and you won’t have to worry about exploiters.

1 Like
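
The "magnitude and sanity checks in your remote events" suggestion from the post above, as an added example that is not code from any poster in this thread. It assumes a hypothetical RemoteEvent named `PickupItem` in ReplicatedStorage, a hypothetical `Pickups` folder of parts in Workspace, and constructed limit values.

```lua
-- Added example: server Script in ServerScriptService.
-- Assumed (hypothetical) names: ReplicatedStorage.PickupItem (RemoteEvent), Workspace.Pickups (Folder).
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local Workspace = game:GetService("Workspace")

local PickupItem = ReplicatedStorage:WaitForChild("PickupItem")
local Pickups = Workspace:WaitForChild("Pickups")

local MAX_PICKUP_DISTANCE = 12 -- studs; assumed gameplay limit plus some latency slack
local MIN_INTERVAL = 0.25 -- seconds between accepted requests per player (assumed)

local lastRequest = {} -- [Player] = os.clock() of the last accepted request

local function isValidRequest(player, item)
	-- Sanity check: the argument is client-controlled, so verify its type first.
	if typeof(item) ~= "Instance" or not item:IsA("BasePart") then
		return false
	end
	-- Only parts the server placed in the Pickups folder are eligible.
	if not item:IsDescendantOf(Pickups) then
		return false
	end
	-- The player needs a living character to pick anything up.
	local character = player.Character
	local root = character and character:FindFirstChild("HumanoidRootPart")
	local humanoid = character and character:FindFirstChildOfClass("Humanoid")
	if not root or not humanoid or humanoid.Health <= 0 then
		return false
	end
	-- Magnitude check, using the positions as the server sees them.
	return (root.Position - item.Position).Magnitude <= MAX_PICKUP_DISTANCE
end

PickupItem.OnServerEvent:Connect(function(player, item)
	local now = os.clock()
	if now - (lastRequest[player] or -math.huge) < MIN_INTERVAL then
		return -- rate limit: drop requests that arrive too fast
	end
	if not isValidRequest(player, item) then
		return -- reject; server state is left unchanged
	end
	lastRequest[player] = now
	item:Destroy() -- accepted: remove the pickup (granting the reward is game-specific)
end)

Players.PlayerRemoving:Connect(function(player)
	lastRequest[player] = nil -- avoid leaking entries for players who left
end)
```

Every decision here is made from state the server already holds; the client only names which item it wants.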

Good start, but unfortunately it won’t work as expected; changes that happen from the client will not be replicated to the server. What that means is that even if the events are triggered, they can only be listened to from the client.

1 Like