How to make a strong anti cheat?

I want to protect my game from exploiters, and make an anti-cheat.

Cheaters can use getconnections() to disable or fire the connections on local scripts.

My friend made an example anti-cheat, but the guy that exploited my game still bypassed it.

Please note that getconnections() is a function that is included in the exploits. This function is used to get a list of connections to the specified signal. I found that it can fire, enable, disable the function so it is able to bypass the anti-cheat

Here is the basic code that I found on v3rmillion to disable the connection in local script

for index, connection in
pairs(getconnections("script path here")) do
connection:Disable()
end

How can we defend our games from the cheaters and not get bypassed by the get connections function?

19 Likes

You can’t. If the connections on the client are breaking your game or giving an advantage to exploiters or whatever it’s probably time to stop trusting the client.

14 Likes

You can’t protect anything on client, the best you can do is to move most important things to server and do sanity checks on remotefunctions and remoteevents if you have to use them.

11 Likes

There are 2 rules when making an anti exploit
1:Dont trust the client
2: DO NOT trust the client

27 Likes

Developers use to focus on making anti-cheats instead of focusing on actually making the game safe. Making an anti-cheat won’t be that useful if your code is not enough safe to cheaters.

Each time I start working on a new project I’m not really worried too much about making an anti-cheat, in most cases an anti-cheat won’t be necessary since they also use to affect players that aren’t cheating/glitching and there isn’t that much that can be exploited in most cases if the project is done correctly. I instead focus on building a strong and safe code structure, with lots of sanity checks.

A sanity check or sanity test is a basic test to quickly evaluate whether a claim or the result of a calculation can possibly be true. It is a simple check to see if the produced material is rational. The point of a sanity test is to rule out certain classes of obviously false results, not to catch every possible error.

Making an anti-cheat is not a bad idea or practice, but they should not be the main and unique way to defend from exploiters. The idea of anti-cheats is to fight cheaters but a bad code can cause anti-cheats to be as useless as having no anti-cheat or even worse if it tends to affect legitimate players. If you want to make a strong anti-cheat follow this basic rules:

  1. Design your own anti-cheat, each project is unique and it should have a special anti-cheat that covers the issues related to that project.

  2. Keep it in a low profile, your anti-cheat should refrain from triggering itself in most times, you only want to show it up when you’re sure a cheater is on the ground.

  3. Don’t rely on it, it should only be a helping hand that takes care of problems that are not fully covered by sanity checks.

    Having a reinforced house with walls made out of steel is safer than a house made out of hay with no doors protected by a dog.

  4. Hide it, keep your anti-cheat always on the server side, client-side anti-cheats are… well, not that useful. A lot of knowledge and hard work will be needed to make a client-sided anti-cheat that could be bypassed in matter of hours or days. You don’t want anybody to access your anti-cheat.

  5. It should solve problems, not prevent them. Sanity checks and Filtered Enabled are already doing a great job on preventing exploiters, anti-cheats should be there to solve the problems that an exploiter already caused.

    Don’t make your anti-cheat focus on preventing someone from getting infinite points but instead make it focus on removing those infinite points if someone already has them.

Here are some posts talking about security more in depth and not just focusing on anti-cheats.

https://devforum.roblox.com/t/how-can-i-protect-my-game-from-being-stolen-or-exploited/1180488

51 Likes

I know this is kinda outdated buy i think your kinda wrong there.If your experienced enough you can make a fully secure client sided anti cheat.

2 Likes

It’s impossible to make a fully secure client anti cheat. The most you can do is make it harder to bypass by checking if the script is still running, you can send signals through chat events since most remote spies don’t listen to them, and there are also ways to crash most script decompilers. But there is no 100% working client anti-cheat, anything that runs on your PC can be modified by your PC. (I make client anti cheats for classic swords)

17 Likes

This is definitely important, I once got falsely banned from a game because they probably used a free model anti-exploit that was made a different type of game.

3 Likes

My solution on making a client sided anti cheat impossible to be deleted was just making sure that none of these local script was deleted then I have 2 remote events called Kick1 and Kick2 I was also checking if one of them got deleted I would use the other one immediately.

Hey bud, I just wanna say…Kick1 and Kick2…so what happens if either of those remotes are deleted?

Also, what happens if they hook the .__namecall of either of those remoteevents…and makes their FireServer() return nothing?

So basically you fire the remote but they make the FireServer() function of sending data to server basically become an empty function() return end.

1 Like

So the local script will detect if one of them or all of them gets deleted then it will quickly fire through the second and last they was gonna delete because I have a childRemoved event which allows me to send a request through the event before it’s gets deleted forever.

So what happens they they getconnections(childRemoved)? and then they also hook those anticheat’s remote’s namecalls to return nothing…meaning they dont fire to the server anymore.

2 Likes

But yeah I’m not sure. But most of the exploiters dosent know how to script anyways

Remember, there’s exploiter forums out there. They can easily get scripts for games and such, copy-paste, and now they’re cheating. All they need is a brain that can type on a search bar to try and find the free script that they’re seeking.

Only the masters actually take the time to reverse a game and make cheats for it, the kid with jjsploits is just gonna search it up and copy paste it.

4 Likes

To be honest you shouldnt really concentrate on doing that as long as you do like bool or int checks on server you should be fine first make then worry

2 Likes

Some times you need to code custom anti-cheat for every way of cheating, like detecting if a player is flying and detecting if a player has impossible stats. there are a lot of good anti-cheat assets and tools already made, i suggest searching them up.

You can only detect if the player is doing impossible stuff in experiences like flying or one tapping but you can’t detect if a player is using a hack client on their computer directly.