How to prevent exploiters from playing their own animations?

Hello! I’m not sure if this is the right place to talk about exploiters and security, but I thought it would be as this is related to animations. But please let me know if I should move somewhere else, as I do not mean to spam.

I recently got into animations, and as a scripter, it is important to me for my game to be safe from exploits that can do major to others.

I found out that animations replicate from the client to the server, so other people can see any animation that you play from the client. This means anyone could just get their own animation ID, set the priority to the highest (Action4) and everyone would see it!

I was wondering if there was a way to verify an animation before playing it. Like checking whether I am the animation owner or something like that?

In other words, a way to prevent exploiters from being able to execute a script like this, and it working:

local plr = game.Players.LocalPlayer
local char = plr.Character or plr.CharacterAdded:Wait()
local hum = char:WaitForChild("Humanoid")

local animator = hum:WaitForChild("Animator")

local animation = Instance.new("Animation")
animation.AnimationId = "http://www.roblox.com/asset/?id=507777826" -- possibly inappropriate animation
animation.Parent = script

local animationTrack = animator:LoadAnimation(animation)

animationTrack.Priority = Enum.AnimationPriority.Action4 -- Setting priority to the highest, so that it overrides all other animations.
animationTrack.Looped = true
animationTrack:Play()
-- everyone can see the animation, because it replicates to the server

-- end of the world.
4 Likes

I’m not sure, but maybe you can do something with humanoid:GetPlayingAnimationTracks(). It is a deprecated method, but it should still work, and with this you can get all the animations that are playing, validate in code whether they are truly supposed to play, and if not, stop the animation. Make sure to put that code in a server script, obviously.

1 Like

Can server scripts detect player animations? I’m not sure what kind of info goes to the server and what doesn’t. If I can check the player’s animations at all times from the server that would be great! I’ll try this in a bit, thank you!

I tried it and apparently it seems like most information about AnimationTracks is lost on the server. I was unable to get AnimationIds on the server. I could only get it on the client. You could give it a shot as well but currently it seems like there is no way to counter an exploiter playing any animation they want.

1 Like

Undoubtedly true. Notwithstanding this characteristic (among the few ones that replicate), the animation has to be owned by the game’s creator (individual or a group) or Roblox. “http://www.roblox.com/asset/?id=507777826” is the default walk animation.

Quite long ago, incidents occurred because exploiters were able to play random animations, including the sexual ones. No longer possible nowadays.

The only sanity checks worth mentioning are server-sided.

GetPlayingAnimationTracks() really is deprecated as a function of humanoid, but not of animator.

Apart from collecting all playing animation tracks, an AnimationPlayed event is on hand.

game:GetService("Players").PlayerAdded:Connect(function(player)
	player.CharacterAdded:Connect(function(character)
		local humanoid = character:WaitForChild("Humanoid")
		local animator = humanoid:WaitForChild("Animator")
		
		animator.AnimationPlayed:Connect(function(animTrack)
			print(animTrack.Animation.AnimationId)
		end)
	end)
end)

Wait, so exploiters cannot play any animations that aren’t owned by the game’s creator (or group)? If so, then I do not see the need of having to implement a verification check for every animation then.

1 Like

The only way would be “reanimations”.

Most reanimations work like this:

  • A fake rig gets created on the client, used to play animations
  • Welds in the real rig get deleted, allowing the exploit to move them freely (patched by workspace.RejectCharacterDeletions)
  • The real rig's limbs get synced with the fake rig, which is playing the animation.
1 Like

Never heard of this, sounds pretty complicated. Is this something I should be concerned about or it’s not that serious? I do care about my game’s security, however, I do not want to spend all of the development time on just securing it from exploiters.

It's just visual, this should not affect your game or give any benefit, especially if you have workspace.RejectCharacterDeletions enabled.

2 Likes

Yes, animation ownership is crucial. And you don’t need animation checks for every animation. A solid exception would be a payable animation. Then you should probably connect AnimationPlayed on server and stop the animation if the player didn’t purchase it.

As @absentdenik said, as long as the animation is purely a visual addition (and doesn’t impact other players), it’s typically not worth stressing over.

Luckily, most “reanimations” were patched on the first of May this year when workspace.RejectCharacterDeletions became enabled by default.

Nobody does lol.

3 Likes
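
An added example, not code posted by anyone in this thread: a server Script that follows the suggestion above to connect AnimationPlayed on the server and stop a paid animation the player has not purchased. The animation id and game pass id are placeholders, tying a paid animation to a game pass is an assumption, and the script assumes the track's Animation is readable on the server as in the earlier snippet (it logs and leaves the track alone when it is not).

```lua
local Players = game:GetService("Players")
local MarketplaceService = game:GetService("MarketplaceService")

-- Placeholder ids: numeric animation asset id -> game pass id that unlocks it.
local PAID_ANIMATIONS = { ["1111111111"] = 2222222222 }
local ownedCache = {} -- [userId] = { [passId] = true }, confirmed ownership only

-- Handles both "rbxassetid://123" and "http://www.roblox.com/asset/?id=123".
local function assetIdOf(animationId)
	return string.match(animationId, "(%d+)%s*$")
end

local function ownsPass(player, passId)
	local cache = ownedCache[player.UserId]
	if not cache then return false end -- player already left
	if cache[passId] then return true end
	-- The lookup yields and can throw; fail closed and retry on the next play.
	local ok, owned = pcall(function()
		return MarketplaceService:UserOwnsGamePassAsync(player.UserId, passId)
	end)
	if ok and owned then cache[passId] = true end
	return ok and owned
end

local function onAnimationPlayed(player, track)
	local animation = track.Animation
	local assetId = animation and assetIdOf(animation.AnimationId)
	if not assetId then
		-- Posters in the thread disagree on whether ids are readable here; log, don't guess.
		warn(("[anim] %s: track has no readable AnimationId"):format(player.Name))
		return
	end
	local passId = PAID_ANIMATIONS[assetId]
	if passId and not ownsPass(player, passId) then
		track:Stop(0) -- stop the unpurchased paid animation immediately
		warn(("[anim] %s played unpurchased animation %s"):format(player.Name, assetId))
	end
end

Players.PlayerAdded:Connect(function(player)
	ownedCache[player.UserId] = {}
	player.CharacterAdded:Connect(function(character)
		local animator = character:WaitForChild("Humanoid"):WaitForChild("Animator")
		animator.AnimationPlayed:Connect(function(track)
			onAnimationPlayed(player, track)
		end)
	end)
end)

Players.PlayerRemoving:Connect(function(player) ownedCache[player.UserId] = nil end)
```

Only confirmed ownership is cached, so a purchase made mid-session is picked up the next time the animation plays.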
