How To Improve This Anti Exploit Script

Feel free to correct me if I got things wrong or missed things out.

Wow thanks for the suggestions. I didn’t expect to have this much replies and this much views on my first post. Thank you for the support :smile:.

1 Like

They can edit the __namecall. Your script would only work if they hookfunction’d the Kick method. Plus, exploiters can time out any crashing attempts through ScriptContext:SetTimeout.

They can cause it to break by editing the globals or constants, ive said this before there are lots of ways for them to do this, or they can falsify correct information so your anti cheat can report “all good”.

1 Like

uhh i dont recommend using a plugin because it’s never fun to deal with backdoors.

ALSO obduction doesn’t rlly help with exploiters lol.

Thing replicated to the client are not replicated to the Server, this is why many people use Local Scripts for their Anti-Cheat and use a Server Script to handle other stuff, for example if a client deletes a script the script still exists in the server therefore there’s no way to detect it in the server other than using a local script.

It can be disabled in seconds but it is worth mentioning that not all exploits can do that and not all exploiters are real ones, majority of them turn out to be skids.

Yes, but it will only protect your game for a couple of days until one person publishes a disable anti-cheat script on those script websites. Then all the hackers will just disable it. Also, most exploits can just use the Disable (If there are no checks for that) or modify metatables to some extent, so maybe not all exploits can do it, but 90% can.

What you’re describing is just a flawed system. To understand what I’m talking about, research server-authoritative design.

Then. Do a destructive method. Delete all local scripts in game. Cause a client side melt down. So nothing works. Delete all remotes. Break the workspace. Etc. If tat happens. Then a hacker is wasting their time.

Best way to improve this: make a server-sided script. If you don’t have one, your game is not going to be safe from exploiters.

They can see instances parented to nil, and they can just prevent the meltdown from happening anyway.

I am coding a client sided anti cheat myself for fun and what I have done is do stuff like not be so obvious. For instance, instead of using connections to check for properties being changed, I instead just add a loop and check if they’re changed directly. Like if I wanted to detect the StrafingNoPhysics state, I would use :GetState() instead of humanoid.StateChanged. I do this to prevent exploiters from disabling my connections. To prevent people from spoofing their values I simply create a new object, set whatever property to game, and then if they attempt to spoof whatever i’m trying to secure they’ll also edit the trap and they’ll get kicked. For seeing if something is added, again use a loop but use :FindFirstChild. An exploiter will not be able to spoof FindFirstChild as it would break the game (if this was in an actual game.) One last thing I do is I secure the kick remotes via generating random names for them using HttpService:GenerateGUID(). I basically have a folder which has all the remotes in it. I then have two remotes: The main kicking remote and a fake remote (both of which have randomly generated names.) I do this to prevent exploiters from being able to spoof my remote via checking if the names are not equal to the kick remote. The only way an exploiter could spoof the remote is by spoofing EVERY remote and if this was an actual game doing that would leave them spoofing an important remote and therefore the game would break. I also use a module script to handle the anti cheat and then once the module is required I destroy the script that requires it and I parent the module to some place safe such as the chat service. Destroying the module would simply parent it to nil and the function getnilinstances() exist so yeah. I also crash when the player is kicked to prevent them from trying to spy on the remotes or something like that (I use a custom method for doing this because a repeat until nil/while true do crash can be bypassed by setting SetTimeout to 0.1.) The game isn’t finished yet but I have had some friends test previous builds I made with a similar style that I have going on and they had no idea what to do. It won’t prevent ALL exploiters but it’ll prevent most of them.

Apologies for the really long post but I just wanted to share what I had. I personally dislike server sided anti cheats (aside from a server sided noclip check using ray casting) because of the false positives they can generate.

Wow…, smart. Can I see your script. I’am interested in your script since I’m a beginner well not actually, but I have learn all of the basic. Message me if you want to show me the script. Also I didn’t quite understand your explanaition because it looks very confusing to be honest. Maybe I’ll understand if u message me and give the script example.

It doesn’t matter if they can see local scripts. If you kill the local scripts. The actual game stops functioning. And at that point, Its just going to leave them done for.

Aside from that. I think you forget its a constant battle. It isn’t going to be. Ok done, and move on. Its going to have to be something thats maintained and handled repeatedly with new and creative ideas. Hence making them fight again. And this just loops.

There isn’t no set fix. You just have to keep muddling it when they figure it out.

“Creative” client-sided anti-exploits will always be bypassed by many exploiters. There’s no point in spending so much time and effort into a system that will not stop exploiters who know what they are doing. Just make a very simple client-sided anti-exploit. It’s all you need. It will stop script kiddies who don’t know what they are doing. You can never stop the exploiters who know what they are doing no matter how much effort you put into your client-sided anti-exploit.

1 Like

If you really wanted to mess up a hacker. Just create your own bytecode conversion. And keep it on the server. Each script will have a remote. Sent to the server. And the server will return the instructions back. Hence creating ALOT of asynchronous functions and ALOT of problems when trying to understand what is happening. Sure its a performance dip. But thats the deal you trade for security.

P.S. Thats an example. From my own ideas. It means no hacker can read your code and you practically create your own code under the Lua VM. It just needs to be sent to the server with a signed signature of some sorts (That can be spoofed - One time conversion). And well. Done.

These script kiddies you talk about. They dont do it themselves. They just steal the code from the people who know how to code. So either way your idea if flawed as a better scripter would release a bypass. and the script kiddies would use it.

You don’t need to use repeat Roblox already has implented features. Such as: playerInstance.CharacterAdded. also, you don’t need to add a repeat to LocalPlayer, because the script runs when the LocalPlayer is already added in.

An Anti Cheat running on the client can be disabled, as well as a client anti kick can be ran by an exploiter.

You should most likely figure out a way around this.

I’m talking about client-sided anti-exploit. All you could really add are some client-sided checks to make sure walkspeed/jumppower isn’t changed and that there is no bodyforces in their character, for example. An advanced scripter wouldn’t bother making a specific script for your game to disable the anti-exploit because it’s as simple as deleting a remote on their client or deleting the localscript entirely on their client. If you are making an extremely complex client-sided anti-exploit that interferes with the user experience (such as using a lot of resources/causing lag), all you are doing is hurting your game and its community. You aren’t going to be stopping any exploiters that know what they are doing.

Depends on how your code works. Code smart. Dont code in segments.

Want a module to store constants. Create an asynchronous function to return those constants unchanged. To beat a hacker. You need to understand what target they’re trying to go for.

But like I have said. You do take that bargain. Optimisation for Security. Finding a balance between them is key. And it is possible. Games such as bloxburg have anti cheats that do this. Because they code smart.