Hello! Lately I’ve been working on an Anti-Cheat system. I have two scripts, the Anti-Cheat and the Anti-Delete:
Both scripts will kick the player if one of the scripts is removed. My problem is if both scripts are deleted at the same time it won’t kick the player.
My first thought was to have an authentication system, so the Anti-Delete script would fire a RemoteEvent every second and if the server didn’t get a response for X amount of seconds it would kick the player. After thinking about it I realized an exploiter could fire the RemoteEvent and fake the authentication.
So now I’m stuck, how do I detect if both scripts have been deleted without exploiters being able to tamper with it?
A lot of anti-exploits can be fairly easily transferred to the server. I would probably always treat the client as a no man’s land that the exploiter has full and absolute control over. There’s no amount of fancy stuff you can do on the client that an exploiter couldn’t eventually figure out.
The goal is just to kick the player if they delete the scripts, authentication isn’t a good idea although the idea is just to have enough time to kick the player. Any way I could do that?
For anti-delete of scripts, you can use Clone: a stored copy of the script is placed in a folder in ServerStorage, then a checker script in ServerScriptService calls :FindFirstChild(NameScript). If it is nil, it finds the script by name in ServerStorage, clones it back and places it. When the script is gone, a value (IntValue) that stops the server working is set to 1; after it is cloned and placed, the value goes back to 0 and the server works normally again.
Yeah, that’s what my code does, although if you delete both scripts at the same time the scripts don’t have enough time to delete it. Also, I think your system would allow for an exploiter to remove another player’s local script and get them kicked (I think).
Method 1:
You could try to use more than two scripts. I once made a clientside anti-cheat which utilized 6 different scripts in different folders. One in StarterCharacter, another in ReplicatedStorage, etc. This worked very well and made it a lot harder to exploit. (still not impossible)
Method 2 (unbeatable):
Make a serverside anti-cheat. Even I don’t make my anti-cheats fully on the client. First of all, exploiters can see local scripts and find vulnerabilities and go past the anti-cheat. Second, if the exploiter tries hard enough, he could bypass any local anti cheat.
Method 3:
Integrate the anti-cheat in a game-critical script. This would make bypassing the anti-cheat hard, as the exploiter needs to break the game in a critical way for it to happen. The only way to beat this one is for the exploiter to re-add an edited script.
Final Words:
The disadvantage of remote events is that laggy players often get false positives. This is why I don’t like using remotes for this.
Bypasses for admins could be done serverside with remotes to request a list of whitelisted UserIDs.
Those are just some of the ways I have to beat exploiters in deleting anti cheats.
Wasting a lot of time on a client-side anti-cheat is a waste of time; it should be, and only has to be, mediocre at best. Client side will stop some hackers, but the determined ones will easily bypass it. Remember, exploiters have control on the client that is so deep that it’s crazy. Also, exploiters can literally bypass the kick function on the client by overriding the metatable for it.
They cannot delete a server script service script; I think this would be your best bet. If you needed a professional anti-exploit (server-sided, client-sided), you should check my anti-exploit. It’s called Anonymous Anti Exploit.
The best anti-cheat system you can ever make is to never trust the client.
Do all the logic on the server.
Exploiters can bypass anything that’s client-sided, and anything that is replicated to them.
Server scripts, and ModuleScripts required by one, are safe, as their bytecode is never replicated to the client, regardless of where they are located.
What’s stopping them from just recreating the client-side security, but just getting rid of the security part of it and just responding to any of the server’s requests?
Of course they can read them, they are replicated to them.
Everything that is replicated can be accessed by them.
However, to correct you: They cannot access the bytecode if required by a serverscript, since it’s not replicated to the clients.
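The advice repeated through this thread, to run the check on the server rather than guard client scripts, can look like the sketch below. It is an added example, not code from any poster: a server Script that validates character movement against the server's own copy of `WalkSpeed` and kicks from the server, so deleting LocalScripts has no effect on it. The movement rule, the constants and the helper names `exceedsLimit` and `check` are assumptions for illustration, and it assumes characters only move on foot (no vehicles or server-side teleports).

```lua
-- Script placed in ServerScriptService, so it is never replicated to clients.
local Players = game:GetService("Players")
local RunService = game:GetService("RunService")

local CHECK_INTERVAL = 0.5 -- seconds between checks (assumed value)
local TOLERANCE = 1.5      -- slack for lag and physics jitter (assumed value)
local MAX_STRIKES = 5      -- consecutive violations before a kick (assumed value)

local tracked = {} -- [Player] = { pos = Vector3, strikes = number }

-- The rule itself: did the character cover more ground than WalkSpeed allows?
local function exceedsLimit(distance, walkSpeed, dt)
	return distance > walkSpeed * dt * TOLERANCE
end

local function check(player, window)
	local character = player.Character
	local root = character and character:FindFirstChild("HumanoidRootPart")
	local humanoid = character and character:FindFirstChildOfClass("Humanoid")
	if not (root and humanoid and humanoid.Health > 0) then
		tracked[player] = nil -- dead or respawning: drop the baseline
		return
	end
	local state = tracked[player]
	if not state then
		tracked[player] = { pos = root.Position, strikes = 0 }
		return
	end
	local delta = root.Position - state.pos
	local horizontal = Vector3.new(delta.X, 0, delta.Z).Magnitude -- ignore falling
	state.pos = root.Position
	if exceedsLimit(horizontal, humanoid.WalkSpeed, window) then
		state.strikes += 1
	else
		state.strikes = 0
	end
	if state.strikes >= MAX_STRIKES then
		player:Kick("Movement validation failed") -- server-side kick
	end
end

Players.PlayerRemoving:Connect(function(player) tracked[player] = nil end)
local elapsed = 0
RunService.Heartbeat:Connect(function(dt)
	elapsed += dt
	if elapsed < CHECK_INTERVAL then return end
	for _, player in ipairs(Players:GetPlayers()) do check(player, elapsed) end
	elapsed = 0
end)
```

Requiring several consecutive violations before kicking keeps a single lag spike from producing the false positives mentioned earlier in the thread.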