How to prevent exploiters from flying?

Daw588 · October 7, 2019, 11:17pm

I am trying to prevent exploiters from flying, my method works on some exploits (tested by some random exploiters) and some of them wasn’t detected, I want also no false positives. So How can I?

local player = script.Parent
local humanoid = script.Parent.Humanoid
local encrypted_name = math.random(1, 9999)

encrypted_name = encrypted_name * encrypted_name + encrypted_name / encrypted_name

script.Name = encrypted_name.. encrypted_name.. encrypted_name.. encrypted_name

function removeExploiter(player)
	if player then
		if game:FindFirstChild("Players") then
			if game.Players:FindFirstChild(player.Name) then
				game.ReplicatedStorage.ExploiterTempBanned.Value = player.Name
				game.Players[player.Name]:Kick("AntiExploit: You are temporarly banned for exploiting, if you think that is mistake, contact with owner!")
				humanoid.MaxHealth = 0
				humanoid.Health = 0
				humanoid:TakeDamage(100)
			end	
		end
	end
end

humanoid.PlatformStanding:Connect(function(isActive)
	if isActive == true then
		removeExploiter(player)
	end
end)

--[[
	
humanoid.Running:Connect(function(speed)
	if speed > 99 then
		humanoid.Health = 0
	end
end)

humanoid.Swimming:Connect(function(speed)
	if speed > 99 then
		humanoid.Health = 0
	end
end)

]]--

If you wonder whats the top line doing, it is making script less suspicious for exploiters, so they don’t think thats anti-exploit…

Kensizo · October 7, 2019, 11:18pm

Just constantly check if a player has a body gyro anywhere in their body, if they do, kick them. Thats what I do. Also, don’t kick players client sided, or check for exploits there. Make sure its all server sided, and kick them on the server.

Your checks for the body gyros will have to be client sided, a simple way to make sure the player doesn’t disable/remove the script is to have the server fire the client and check for a response, if the script responds, its still there, if not, then the player deleted it. ( this might not be the best method FYI. )

Daw588 · October 7, 2019, 11:20pm

I am rewritting my antiexploit which is 7 months old, to make it server-sided and put it to ServerScriptService. One more little question, can exploiters (really good ones) to be able to access server sided files?

Kensizo · October 7, 2019, 11:21pm

No they cannot ever, no exploit can access server sided code. Only modules and local scripts.

Sebastian_Wilson · October 7, 2019, 11:21pm

If I’m correct you’ll actually want to be doing checks on the client due to instances that are created on the client will not appear on the server so checking if a gyro is added to the character will prove nothing as the server will not see anything.

Daw588 · October 7, 2019, 11:22pm

What about “real” hackers, can they? I am asking since I dont want to have stolen place.

Kensizo · October 7, 2019, 11:22pm

Yeah my bad, you are correct, I will edit my post and add that there.

@Daw588 There is no such thing, your server sided code cannot get stolen, at any point of time

Sebastian_Wilson · October 7, 2019, 11:22pm

The simple answer is no. Hackers/Exploiters whatever you call them cannot access information not replicated to them.

0x_7777 · October 7, 2019, 11:53pm

You give advice to not “check for exploits [locally]”, but then the second part of your post tells him to check for BodyGyros on the client.

Checking for anything locally is flawed. A cheater can simply spoof whatever mechanism you have that “verifies” your anti-cheat is “untampered”.

Check exploits via the server. That is the bottom line.

0x_7777 · October 7, 2019, 11:55pm

There have been exploits in the past that have allowed for RCE, but vulnerabilities like that are beyond the scope of the Devforums and are essentially impossible for regular game developers to prevent.

In everyday cases, no, exploits can not interfere or read server code unless you explicitly allow them to.

metryy · October 8, 2019, 1:05am

You can check if their HumanoidRootPart’s position on the Y axis is above the highest reachable position (i.e your tallest part?) in the game and set their position to where it previously was prior to them reaching that position (don’t punish the player; physics bugs /flinging could occur). There are ways to bypass this but it’ll stop a good amount of flying attempts.

anxyeity · October 8, 2019, 12:15pm

I’d do something along the lines of:

HRP.ChildAdded:Connect(function(Obj)
	if Obj:IsA("BodyForce") or Obj:IsA("BodyMover") or Obj:IsA("BodyGyro") or Obj:IsA("BodyPosition") then
		LocalPlayer:Kick("No exploiting")
		warn(LocalPlayer.Name .. " was exploiting")
	end
end)

colbert2677 · October 8, 2019, 1:18pm

And the exploiter would easily disable that. Not the best idea. The warn would also remain on the client console and not be sent to the server.

sz_s · October 8, 2019, 3:00pm

Like other contributors have already explained in this thread, this method is inherently flawed since the client can just delete the remote or choose to never fire it. For true anti-exploit protection the checks would need to be purely server-sided (and do not rely on any assumptions about the client).

sz_s · October 8, 2019, 3:03pm

Sorry, could you explain a bit more about your method here? What are you detecting and where?

JustMikami · October 8, 2019, 3:08pm

So I Would Have 2 local scripts , one with the anti exploit and such and one just to secure the anti exploit so if either one is deleted the player gets kicked , one of the scripts also has a detector if the remotefunction gets deleted , this is just my method of doing it since i do not think both scripts can be deleted at the same time instantly.

kinkocat · October 8, 2019, 3:21pm

They can disable both of those rendering it useless, im not saying it wouldn’t work. In most cases it will work fine cause most exploiters just don’t care enough but you could get by that pretty easy with a little knowledge (that most exploiters seem to lack.).

JustMikami · October 8, 2019, 5:19pm

it also kicks the player if any of the script is disabled(sorry forgot to mention) its a really simple way of making a anti exploit.

BlockFaceSteve · October 8, 2019, 5:58pm

A method we have previously used is this:

On the server, we loop through all the players continuously. For each player we do the following:
Raycast vertically down to find the floor/object the player is standing on.
If no object is found, we do a subsequent set raycasts in a circle around the player, searching for thin walls/objects they may be hanging off/from.
If no objects are found we assume the player to be floating/flying. We increment a “trust value” for that player by some amount.
We continue to check players, increasing the trust value every time we fail to detect the floor.
When a player’s trust value exceeds a limit, i.e. say 10 failed floor detections, we punish them. (kick, kill, anchor, snap to ground, etc)

The trust value helps reduce false positives, i.e. players being flung across the map, jumping off a building etc.

Hope this helps, any questions drop them below

Autterfly · October 8, 2019, 7:16pm

You’re accomplishing the exact opposite. What’s more suspicious, ChatScript or a bunch of random numbers?

No, it’s on the client, it can be spoofed, that’s it.