Hacker can get a random Number in a script or local script?

Since character modifications like that will replicate (client & server are affected by it) as far as I’m aware, You can probably just make a script on the server (as far as I’m aware exploiters can’t affect server scripts) to kick them if their WalkSpeed is above 16.

I don’t know too much about this stuff but this is my knowledge.

have gonna say i have a little anti-cheat that blocks the speed at 16 or anti fly and i would like to prevent hackers from deleting it or disabling it for use a speedhack or fly after

Flight is a much harder character-based cheat to prevent, but like I said you can make a script on the server to kick players if their WalkSpeed goes above 16 somehow, I think that’s an option since WalkSpeed changes affect both the client who changed their WalkSpeed and the server.


Edit from the 1st of November 2023, I no-longer use Roblox for any of my projects/endeavors as I do not wish for my projects to be locked into this centralized ecosystem, Roblox have made horrific decisions in the past and there is nothing stopping moderation or a hacker from permanently nuking my project from orbit.

Examples: Project A is on Roblox, Account is hacked, Project is deleted.

Project B is standalone and hosted via a dedicated server on a VPS, Account is hacked, A few misuses of permissions and account is disabled temporarily via the server itself but the project is perfectly fine aside from minor damage caused by misused account permissions.

Think before using platforms like this, Their blessings can also be curses.

The Server cannot detect when a client changes their WalkSpeed, since it’s not replicated.

What the people are saying up above is basically it is impossible to fully protect yourmlocal scripts. So, instead do this

  1. Don’t protect your scripts.

Not all exploiters know how to program and the exploiters that do program are not especially quick. So what I would do is not bother to prptect it at all.

  1. When you find that there is an exploit around UPDATE!

I think the best way to defend against exploiters is to release the game with no exploit prevention at first then update the game with it included. The reasoning behind this is that it will catch out the exploiters who are using outdated scripts.

There is another principle I also like to follow.

Exploiters are human

They make mistakes. It is important to catch these mistakes in the code they write.

They also value time. They will not bother to exploit a game when it takes too long to crack (such is the reason why people use code obfuscation) they also will not exploit a game when either there is no reason to exploit or the exploit does not offer any extra fun.

If I can sum it up

  • There is no silver bullet for exploiters instead update the game revery week or 2 and all the exploits will eventually fail
Here is a list of what you can try

Detect when remote events stop from server
Detect the changes to the character on the server what other players see e.g. position, accessories, clothing
Detect when remote events fire a lot from the server
Detect any errors on the client
Use a sort of “control” so that you can know instantly when an exploiter is exploiting e.g. testing if a brick is see through on client
Code obfuscation on client
Combine exploit prevention with the core game mechanics into a single remote
Put code into modulescripts
Rename modulescripts and remote events
Do not be afraid to ban
Data validation on both client and server

Of course none of these ways are a silver bullet infact however I wouldvsay the most important way to keep exploiters out of your game is simply to update

I thought it was replicated, I guess I was wrong.


Edit from the 1st of November 2023, I no-longer use Roblox for any of my projects/endeavors as I do not wish for my projects to be locked into this centralized ecosystem, Roblox have made horrific decisions in the past and there is nothing stopping moderation or a hacker from permanently nuking my project from orbit.

Examples: Project A is on Roblox, Account is hacked, Project is deleted.

Project B is standalone and hosted via a dedicated server on a VPS, Account is hacked, A few misuses of permissions and account is disabled temporarily via the server itself but the project is perfectly fine aside from minor damage caused by misused account permissions.

Think before using platforms like this, Their blessings can also be curses.

The best way for movement based anti-cheat, is to either remove all client control of their player, and have them send remote events for movement, in which the server accepts or denies the event, and moves the model itself… The downside for this is, there will be significant input lag… Of course one way to somewhat solve this, is to have the client move the model on its side no matter what, and then later verify with the server or something… But I have no idea if that would work.

Another thing you could try is by verifying if said movement from the player is valid. Have some form of loop that checks player’s movements, with their walkspeed, jump height, gravity, etc… and ensure that between the last loop iteration and the current, they did not go over said limit, and if they did, to do what’s called rubberbanding, where you rubberband them back to what is possible between the time.
Do not kick them, as people with bad connection may send movement packets that are delayed, making the server think they used a speed hack, teleport hack, etc… when they didn’t… so rubberbanding is the best outcome for this solution…

If you want to prevent no-clips, or like, if someone deleted a part to no-clip through it, you will have to implement ray-casting along with the movement, to check if it is possible…

popular minecraft servers often do rubberbanding, along with checking if the player moved through a block, and if so, move them back in front of the block. They even send alerts in the server console for admins to check if the player is in-fact cheating, or just having awful connection.

1 Like