Hexolus' Server-sided Anticheat

What do you mean by that? Do you mean implementing custom checks? If so at some point I’m going to add a more official way to do that but at the moment you can just add your checks in the main section.

Custom punishments/repercussions.

Ah. Well, actually, my anticheat doesn’t punish players which is actually completely intentional.

I use the mindset that punishing the player is bad if there can be false positives, and false positives are okay as long as it doesn’t detriment the user. It’s extremely hard, actually impossible in a multiplayer environment, to make an anticheat that’d be perfect enough to never have any false positives, so, I take an approach of sort of embracing that there will be false positives. The anticheat is designed in a way where it’s very effective at preventing a lot of movement exploits altogether without affecting the user at all under normal conditions. Speed, teleportation, and noclip (even non exploit kinds) are the biggest three, and the three the anticheat is most effective at stopping.

For example, for speed and teleportation checks, I try to place the user where I expect them to be if I think they made an invalid movement. Since this happens each server tick, and thus every time physics occurs, other players and server code will work completely normally even if they’re trying to exploit, and things will look completely normal to other users (it’s effectively completely prevented). If they teleport, it will appear like they’ve simply moved forward a little, if they speed hack, it will look like they’re walking completely normally other than a little stuttering, and if they noclip, they’ll appear like they’re just smooshing their face on the wall.

It might sound like it can’t really be effective, because what’s stopping exploiters from continuing to exploit? And the answer to that is really just general game security.

As long as your game is properly built, your remotes are set up correctly, etc, you should really never have to worry about exploiting at all. The concept is the same as filtering enabled, but, instead of filtering changes the client makes to certain objects, I’m filtering movements the client makes to their character.

Just like filtering enabled, what is not explicitly disallowed can absolutely be abused, and just like filtering enabled, even if the client is trying to make changes that aren’t allowed, they’re not punished for it.

2 Likes

Yes, you have a point there. However, my opinion tends to differ slightly. With enough programming skills (and a bunch of time), one can make an anti-exploit with nearly no false positives. Which would make 99% of the bans completely accurate. While the 1% can actually appeal to a moderator or etc.

My viewpoint is, if an exploiter gets a weak punishment from anti-exploits, it will allow them more time to bypass the exploit. So I prefer banning as a way to deal with possible exploiters. Although realistically, I normally make a Discord webhook that notifies me of the username, so we can go to the exploiter’s server and deal with it appropriately.

I suppose you’re technically correct, but, since my anticheat is entirely server sided, there’s not really any easy “bypass”, it’s more so just finding what isn’t checked for and working from there.

And, while this is not really any sort of proof that that is the case, I’ve also had a couple friends help me pentest the anticheat and so far we’ve not been able to find anything we can abuse.

1 Like

This isn’t how my anticheat works, what you are describing isn’t the speed prevention, it’s simply an extra. On top of that, a loop like you are describing is not nearly fast enough, you need your loop to be synchronized with network changes (which currently doesn’t exist, but is coming as PreSimulation), otherwise you need a loop running at at least 180 tps (3 * client fps) to get around it ~100% of the time (2 * client fps will work about 60-80% of the time iirc).

Running a loop (even on Stepped/Heartbeat which should be synced with physics) will not quite work since the speed is getting updated by the network, and, you aren’t currently able to run code immediately after this happens. The effect is that, regardless of how many loops you set, or what events you use for sync, you will never ever be able to perfectly sync WalkSpeed with physics. The effect is that their speed stutters every frame or so and effectively averages out to some value very close to their WalkSpeed depending on how many times the change made by the exploiter succeeds.

As I mentioned before, I believe the new PreSimulation event that will be coming out soon will be the first time this is possible. The sync code is basically just a very simple, very low cost way to break most “speed hack” scripts you’ll find off Google, and, it’s unlikely that someone without knowledge on what they are doing will be able to get around this. (The reason for this is because Velocity is updated using WalkSpeed before your Stepped code will run, meaning if you really want to get around this the only consistent way is to update Velocity on Stepped)

However, regardless, this behavior inside of the anticheat is simply an extra to make it more annoying for an exploiter to speed hack by trying to force the WalkSpeed to stay synchronized and mess up behavior, its intended purpose is not to prevent speed hacking and this is not related to the speed check in the anticheat. The actual speed check itself is completely unrelated and works as intended with or without the sync code.

What you are describing with punishment is impossible to do in a networked physics scenario without false positives occurring, if you want to punish players for detections, you should do that yourself, but, there is a very good reason I do not want to implement this into my anticheat for physics exploits.

You will always end up detecting players as cheating no matter what you do. There is no way around this without the ability to accurately monitor and account for network speeds, which you can’t do as they can be spoofed quite easily. If a player is lagging, or their physics are a little desynchronized, e.g. from throttling, or their internet is slow, they likely won’t even know they are getting flagged, but they might end up randomly being punished because of these false positives.

The only way to make this more reliable is to add a ludicrous amount of additional threshold to reduce detections due to smaller discrepancies, but, in my opinion this defeats the purpose of the anti exploit and still doesn’t solve the problem.

Here is an example scenario. Say that a player’s internet freezes up for a moment, say 4 or 5 seconds (this happens often and you might not even notice). The player will have moved approximately 80 studs with a default WalkSpeed in this time, and, to the server this will appear as if the player has teleported about 80 studs in a single frame. This is a ludicrously high amount for a player to move under normal standards, but, this sort of thing happens all of the time due to network instability or server instability. If the server itself is lagging this can happen too.

4 Likes
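
The correct-instead-of-punish approach described earlier in the thread, run against the lag scenario from the post above, as an added example that is not part of the original posts or the anticheat's own code. It is plain Lua with no Roblox APIs; `validateMove`, `replay`, `TOLERANCE` and `TICK` are hypothetical names and values chosen for illustration.

```lua
-- Added example, not the anticheat's code. Plain Lua (also valid Luau).
local WALK_SPEED = 16    -- studs/s, the default WalkSpeed the post refers to
local TOLERANCE = 1.25   -- assumed slack for jitter (hypothetical value)
local TICK = 1 / 60      -- assumed server step length in seconds

-- Accept the claimed position if it is reachable this tick; otherwise clamp
-- it to the farthest reachable point in the same direction. No punishment.
local function validateMove(last, claimed, dt)
    local dx, dz = claimed.x - last.x, claimed.z - last.z
    local dist = math.sqrt(dx * dx + dz * dz)
    local allowed = WALK_SPEED * TOLERANCE * dt
    if dist <= allowed then
        return claimed, false
    end
    local scale = allowed / dist
    return { x = last.x + dx * scale, z = last.z + dz * scale }, true
end

-- Replay a list of client-claimed positions, one per server tick.
local function replay(claims)
    local pos, flagged = { x = 0, z = 0 }, 0
    for _, claimed in ipairs(claims) do
        local accepted, corrected = validateMove(pos, claimed, TICK)
        if corrected then flagged = flagged + 1 end
        pos = accepted
    end
    return pos, flagged
end

-- Constructed input 1: honest player walks for 1 s, then the connection
-- freezes for 5 s and the next update arrives 80 studs (16 * 5) further on.
local laggy = {}
for i = 1, 60 do laggy[i] = { x = i * WALK_SPEED * TICK, z = 0 } end
laggy[61] = { x = 16 + 80, z = 0 }

-- Constructed input 2: client claims 4x walk speed on every tick for 1 s.
local speeder = {}
for i = 1, 60 do speeder[i] = { x = i * 4 * WALK_SPEED * TICK, z = 0 } end

for _, case in ipairs({ { "laggy", laggy }, { "speeder", speeder } }) do
    local pos, flagged = replay(case[2])
    print(string.format("%-8s flagged on %2d tick(s), server x = %.2f",
        case[1], flagged, pos.x))
end
```

The honest player is flagged on exactly one tick, which is the tick a ban-on-detection policy would act on. The speeder is flagged on every tick, yet the server-side position never advances faster than the allowed rate.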

Ok yeah I get your point. It worked in studio so I just assumed exploiters could exploit it.

I have updated the main post with a new link. I made a change last night to the repository, separating each feature into a separate repo and adding them as sub modules in the main repo, turning it into a sort of “hub” repo.

My intent is to keep the main repo updated with the latest stable commits to each feature. Likewise, those will correspond to releases on the GitHub page, that way the main repo is never out of date with the latest stable release.

Additionally, since I last updated this post, the anticheat has seen a lot of big improvements to compatibility and its overall effectiveness thanks to the members of my game’s Discord server and some contributors on the GitHub repo who have all been very good at helping me find areas of improvement and various compatibility issues, bugs, etc.

The anticheat is close to receiving a full overhaul, modularization of checks for ease of use and easier modification, and a first fully fledged release. I have a lot planned.

2 Likes

Ngl, I can’t find the exact file to insert into my game like it’s so confusing for me. Please help.

You can find an rbxm file on the releases section of the repo. This has the anticheat module and a starter script under it, you can just insert it into your game and if you need to you can configure it differently by editing the module.

2 Likes

I can’t find the “repo” thing or the “releases” section

1 Like

Hey there I saw an executable file called “rojo.exe”, anyone know what this does? (I found it in the GitHub page for this anticheat and it gets flagged by my pc.)

Rojo is the tool I use for organizing the source code as .lua files, you can find it here:
https://github.com/rojo-rbx/rojo/releases (their site is https://rojo.space)

You’re downloading the source code (probably as a zip file or something). That file is from a GitHub workflow I have set up (under the .github folder) which automatically creates the .rbxm file when I push a new release.

You can download the latest rbxm for the anticheat here, though, I am no longer working on this anticheat:

2 Likes

Oh, I did download a zip of it and I was wondering. Thanks!

1 Like

Where do I put this line of code? I’m slightly confused.

It’s not really as simple as putting the code somewhere, sorry. I discontinued the anticheat, as well as the project it’s from at this point. Not sure about the rewrite I mentioned either, for the time being.

Yes! Security by Obscurity should never be relied upon, and an open source server-sided anticheat, unlike closed-source clientsides, doesn’t rely on Security by Obscurity!

Is this rewrite cancelled or is it still going to happen? I’m in desperate need of an anticheat for my obby game and was curious if this rewrite will happen or not.

Yes, I am no longer working on this and I’m no longer able to do any rewriting. You can still use the code though, and you can make your own based on it.

4 Likes