How to Approach Writing An AntiCheat

AntiCheats, in the general case, are targeted towards preventing exploits in a specific manner. A lot of the time (and for a lot of games), this is targeted towards Remotes - whether event or function. This tutorial won’t be too in-depth but if you’d like to request how to write an AntiCheat for a specific thing then I can add it to this; just leave a reply.

Lets take Tower Defense Simulator as an example. You can have 5 towers, no more (but you can have less). Either way, the server knows what towers you do have and therefore what towers you don’t have. If I fire a Remote telling the server to place a tower I don’t have when I know my game does not provide that option on the client, well I now know they’re an exploiter. An example of what this may look like:

local ReplicatedStorage = game:GetService("ReplicatedStorage");
local RemoteEvent = ReplicatedStorage:WaitForChild("RemoteEvent");

local PlayerTowers = {
	[SomePlayerInstance] = {
		"Tower1",
		"Tower2",
		"Tower3",
		nil,
		nil
	}
}

-- Assume that PlayerTowers was made when/before the game started

function PlayerHasTower(Player, Tower)
	local LocalTowers = PlayerTowers[Player];
	if (LocalTowers) then
		return (table.find(LocalTowers, Tower)) and true or false;
	else
		Player:Kick() -- Failed to retrieve towers; sometimes bugs can cause this or poor data management
	end
end

RemoteEvent.OnServerEvent:Connect(function(Player, ...)
	local Args = {...};
	
	if (Args[1]:lower() == "place") then
		if (Args[2]) then
			if (PlayerHasTower(Player, Args[2])) then
				-- Place the tower
			else
				Player:Kick() -- Player tried to place a tower they don't have
			end
		else
			Player:Kick() -- Player tried to break remote, assuming that you can code correctly
		end
	end
end)

To generalise this, we are making sure that the server agrees that the player does indeed own or has access to these things. If they don’t, they’re firing the remotes by themselves and trying to exploit the game which we don’t want.

Another pretty common one is for games like Bubblegum Simulator. To open eggs, we want players to be within x studs of the egg before they can open it. We also want to make sure that this egg actually exists. An example may look like this:

local ReplicatedStorage = game:GetService("ReplicatedStorage");
local RemoteEvent = ReplicatedStorage:WaitForChild("RemoteEvent");
local Workspace = game:GetService("Workspace");

local GameEggs = Workspace:WaitForChild("Eggs");
local EggsTable = {};

for _, Egg in next, GameEggs:GetChildren() do
	table.insert(EggsTable, Egg.Name); -- Insert the name of an egg into a list of eggs from the instances
	-- It's better to do it this way since it's automatic and you won't have to keep writing out a new list when you add/remove eggs
end

function EggExists(Egg)
	return (table.find(EggsTable, Egg)) and true or false;
end

function M(V1, V2)
	return (V2 - V1).Magnitude;
end

RemoteEvent.OnServerEvent:Connect(function(Player, ...)
	local Args = {...};
	
	if (Args[1]:lower() == "openegg") then
		local Egg = Args[2];
		if (Egg) then
			if (EggExists(Egg.Name)) then -- Assuming the 2nd argument is the model/instance of the egg and not a string
				-- You should check if the player has enough money before or here
				local Character = Player.Character;
				if (Character) then
					local Magnitude = M(Character.PrimaryPart.Position, Egg.PrimaryPart.Position);
					if (Magnitude <= 10) then
						-- Open egg if they're within 10 studs of the egg (you can change 10 to what you deem appropriate)
					else
						-- Player tried to fire a remote from too far away
					end
				end
			end
		else
			Player:Kick() -- Again, player tried to break the remote, assuming you can code properly
		end
	end
end)
10 Likes

I wouldn’t really call this an anti cheat, it’s more of a guide to creating logical sanity checks that prevent severe bugs to occur. These should be mandatory where anti cheats are more or less optional. Most exploits are just abusing replication that roblox has by default causing issues. Good guide anyway.

5 Likes

Not necessarily. In Tower Defense Simulator, they fire a remote with the name of the tower that you have selected. The client will detect this by itself. However, exploiters can alter the tower. As TDS are competent developers, if they get a tower that a player does not have coming through to the server, it’s 99.99% an exploiter trying to be shifty. I think the most common exploits are with remotes; as you said, replication is a big target of exploiters whether it’s network ownership or network manipulation. As for Bubblegum Simulator, the only time you can press a button to open an egg is when you are within range of opening that egg, so if they’re firing it when they’re not close enough, they’re firing it through other means - hence they’re exploiting. Appreciate the feedback nonetheless.

2 Likes

Exploiters shouldn’t be able to alter towers that would affect game play, that would be the developers fault for leaving a vulnerability in the game. As for bubblegum simulator, same thing applies, the developer is at fault if they aren’t doing sanity checks leaving vulnerabilities of remote abuse. No matter the game, sanity checks must be mandatory though some may be forgotten and figured out later on.

The guide is on writing conditional statements validating if the arguments from the client are possible, this should be however, done regardless and when writing code in mind that exploiters can fire remotes with any arguments they want.

In a way, I guess they are “exploiting” your lack of server sided validation but when it comes to the term “Anti Cheat”, most people are thinking about replication issues rather than remote security. This guide seems exclusive to remotes so perhaps you should change the title to “How to secure your remotes”

PS: I’m not saying this is unhelpful, it’s definitely helpful to beginners. I’m just suggesting a title change to something more related.

2 Likes

You’re missing what I’m saying completely… in Tower Defense Simulator, you can NOT fire a remote event with a tower you do not have (provided that you are not exploiting). Hence if they ARE firing a remote with a tower they do not have, they are exploiting. In Bubblegum Simulator, you can NOT press a button to fire a remote if you are not in range of the billboard gui with the button (provided that you are not exploiting). Hence if they ARE firing that remote, they are doing it through other means - aka exploiting.

Writing conditional statements can vary completely. You can do anything with a conditional statements. This guide is an insight on how to tackle certain - common - aspects of games.

And I won’t be changing the title because, as I said in the first part of the guide, I am open to requests; not limited to remotes.

2 Likes

So just check if the player is the one that’s suppose to fire the remote, it’s a basic sanity check especially if you’re providing a remote per player (which isn’t really necessary, it’s not like you’re spamming the remotes to the point where you’d need a remote per player)

You could probably safely assume that the person is exploiting, however, bugs and glitches do exist with Roblox characters to the point where you can fling other players.

How about covering replication abuse with latency in consideration for every player.

1 Like

Again… completely missed what I have been saying. There is a central remote. It takes multiple arguments. One is for the command you wish to “execute” and the vararg is for the arguments you wish to pass. If you, as the developer of a game, know that someone does not own x, y or z and yet they are telling you to spawn x, y or z despite not giving you the option to, they are exploiting. Play Tower Defense Simulator and you will understand what I mean. You can not even try to spawn a tower you do not have equipped without exploits. Simple.

As for this, I have no idea what you mean; I’m going to partially assume it’s because you’ve worded it in the most obnoxious way possible in hopes that I will cower and cry “yes god, you’re correct” and partially because I have never experienced this or ever even heard of it prior to now.

I’m pretty sure a kick won’t harm them, they could also report the bug instead of trying to abuse it, /shrug.

I’m sorry, I don’t own anything to mess with remotes so I wouldn’t be able to, I’m just aware that those who possess such applications are. You’ve never specified it was a central remote, you just simply stated that everyone has their own remote.

I don’t like how you’re being passive aggressive, I have no intention whatsoever on making you “cower and cry”. And this should be relatively simple, replication abuse is just abusing Roblox’s replication system, in short, teleportation, speed hacks, flying (physics related to the character). Latency in computing by definition means “the delay before a transfer of data begins following an instruction for its transfer.” ~ Google, but in this context just means considering a client’s internet connection. Poor internet connection could appear that a client is “teleporting”, however, if you are able to identify the internet connection before hand, you can combat this.

I never once said anyone has a remote, I said the server is checking for a tower and a place event, which you can see in the script example.

That’s just me… nothing else to say.

Does not sound like something I could combat without some sort of guide myself (I don’t see how it all ties together). As for all the examples you listed, these are achievable without replication lag so I guess there are multiple approaches to what you’re wanting to combat.

An anti cheat without considering replication lag will result in a lot of false triggers going off especially for those with poor wifi or on mobile. If you join a game, occasionally, you might see some people freezing, then teleporting. Anyway, I suggest looking into writing an anti cheat for that and adding that to the post.

My bad, I read this without the “with a tower”.

AntiCheat’s are usually deal with general exploiting concerns like speedrunning. Not really specific situations based of your game. I would call this a guide to sanity-check your remotes. (I would give more examples though, for people to get the gist of how to secure their remotes).

Nope usually when people refer to them they mean general issues.

Um. Go off, I guess?

AntiCheats can vary a lot and have no requirements or set standard so I don’t really think you can define it other than as something that prevents abuse of any aspects of a game. Whether it’s remote abuse, flying, speed hacking, god mode…

Again, it’s not sanity checks but I won’t explain myself for the 20th time so you can read if you wish.

Not what @0Shank is saying. What you said:

Not what AntiCheats, in the general sense, do. AntiCheats generally target widespread exploits such as speed, fly, etc. This kind of “AntiCheat” should just be a sanity check.

My favorite words when scripting are:

Never Trust The Client

Those are compulsory checks made on the server side if you want to prevent any exploits or cheaters making changes on the server side, an anti cheat system would mean, a system that would detect any exploits or any forbidden actions done by the player, e.g. speed hacking, no clipping, flying, auto-farming etc…

This is a guide on how to approach it, not how to complete one.

?

Checking remotes to see if something is reasonable to prevent exploiting is called sanity checks
What are Sanity Checks? - #3 by Elttob.

Example:

Your guide is showing how to do sanity checks, (securing remote requests).

Ok, well in roblox people define an anti-cheat as something which prevents general issues and isn’t coupled to your game. Checking remotes isn’t called an anti-cheat it’s called sanity checks.

1 Like

Ok but anti-cheats can be specific to your game. Cheats can be specific to your game… so why can’t the reverse be true? Makes no sense.

It doesn’t really matter if it makes sense or not, that’s what it means in Roblox. Probably unintuitive but that’s how people see it.

1 Like

A more accurate title would be “How to Practice Sanity Checking” or something along those lines, cause these are just sanity checks, not really an anticheat.

An anticheat is usually it’s own separate script/entity running - with its purpose being solely to handle and combat cheating. This tutorial is just doing sanity checks aka applying logic to your server-client communication (remotes) - which helps stop exploiters, but isn’t really what you call an anticheat.

Nice guide though.

3 Likes