Most exploits print out some stuff which is not related to your game’s code or debugging.
You can detect A LOT of free exploits and scripts. If you were to ask how: just check for certain words in every console output.
FLYING SCRIPTS
To patch flying scripts you could add an additional hitbox to the player which will always be on the ground. If we suspect that the player is flying, we can set his velocity to 0, and if he’s somehow still moving it means he’s flying.
NOCLIP
For noclip, just save the last 2 positions of the player and make a raycast between them to confirm that the player isn’t noclipping.
MANIPULATING NETWORK
To protect your game from getting exploits on network side, NEVER allow clients to change their networkowner of parts directly through requests, NEVER use usernames to store data and check for admin commands availability, use player ids, NEVER ever ever ever use remote events to pass that player bought a feature in your game from client to server. Use marketplace service directly on backend.
I think that’s the basics of how to protect your game.
This seems like quite a poor method of detecting if a player is flying or not. Consider if the player is falling from a cliff, the game would flag them as flying.
This is also bad as sometimes players move sharply through a corner or close a door quickly, which can lead to false flags.
This seems really inefficient, don’t you think? In my opinion, it’s better (for flight detection) to study how the player is moving. Say the player is above the ground and their y velocity seems to be still, then we can consider them as flying.
For noclip, we use the method you suggested but make it more dynamic by checking the distance the player traveled and the wall the player “no clipped” through.
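The distance-plus-raycast check described in the post above, as an added example that is not code from the thread. It is a server Script; the tuning constants are assumptions, and it covers horizontal speed/teleport and noclip only, not vertical flight.

```lua
-- Added example, not code from the thread. Server Script (e.g. in ServerScriptService).
local Players = game:GetService("Players")

-- Assumed tuning values; adjust per game.
local CHECK_INTERVAL = 0.1 -- short, so the checked segment rarely cuts a corner
local SPEED_MARGIN = 1.5   -- tolerance for latency and replication jitter
local SLACK = 2            -- extra studs always allowed

local lastAccepted = {} -- [character Model] = last position the server accepted

Players.PlayerAdded:Connect(function(player)
	player.CharacterAdded:Connect(function(character)
		lastAccepted[character] = character:WaitForChild("HumanoidRootPart").Position
	end)
	player.CharacterRemoving:Connect(function(character)
		lastAccepted[character] = nil
	end)
end)

local function validate(character, previous, dt)
	local root = character:FindFirstChild("HumanoidRootPart")
	local humanoid = character:FindFirstChildOfClass("Humanoid")
	if not (root and humanoid) or humanoid.Health <= 0 then
		return
	end
	local delta = root.Position - previous
	-- Distance check: horizontal only, so falling off a cliff is not flagged.
	-- WalkSpeed is read on the server, so a client-side change does not raise the limit.
	local horizontal = Vector3.new(delta.X, 0, delta.Z).Magnitude
	local tooFar = horizontal > humanoid.WalkSpeed * dt * SPEED_MARGIN + SLACK
	-- Noclip check: raycast from the last accepted position to the current one.
	local params = RaycastParams.new()
	params.FilterType = Enum.RaycastFilterType.Exclude
	params.FilterDescendantsInstances = { character }
	local hit = delta.Magnitude > 0.05 and workspace:Raycast(previous, delta, params)
	if tooFar or (hit and hit.Instance.CanCollide) then
		root.CFrame = root.CFrame.Rotation + previous -- rubber-band, keep facing
	else
		lastAccepted[character] = root.Position
	end
end

while true do
	local dt = task.wait(CHECK_INTERVAL) -- returns the time actually elapsed
	for character, previous in pairs(lastAccepted) do
		validate(character, previous, dt)
	end
end
```

Any legitimate server-side teleport has to write the new position into `lastAccepted` as well, otherwise the next check pulls the player back.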
The best way to patch movement, hitbox and some other exploits is to use rollback net code. It’s server sided so it can’t be bypassed and it doesn’t produce any false flags.
Yes. Very important to have client-side physics simulation so that your game doesn’t feel terrible though. Also make sure to add interpolation if you are replicating the state to other clients.
However, I will add this is not always necessary for a “good enough” anticheat measure. There are a lot of games that don’t implement custom physics and server-authoritative movement (e.g. PF and Bad Business); they still have good enough anticheat measures to prevent the majority of exploiters. PF in particular has a quite effective rubber-banding system, although their interpolation is a bit wacky at times…
It might be me but exploiters can’t change their name fe (server sided)? Why would it help using userids? Names (not displaynames) are unique too. (I use userids too but I don’t understand what’s wrong with names.)
Also one really important thing is that you should always use the official tutorial on making dev products, too many games can have their dev products fake bought because they didn’t check the receipt correctly.
Wrong:
```lua
game.MarketplaceService.PromptPurchaseFinished:Connect(function(plr, id, ispurchased)
	if ispurchased then -- ispurchased can be falsely made true by exploiters!
		-- give reward
	end
end)
```
Correct (from Roblox’s tutorial):
```lua
local MarketplaceService = game:GetService("MarketplaceService")
local Players = game:GetService("Players")

local productFunctions = {}

-- Example: product ID 456456 awards 100 gold coins to the user
productFunctions[456456] = function(receipt, player)
	local leaderstats = player:FindFirstChild("leaderstats")
	local gold = leaderstats and leaderstats:FindFirstChild("Gold")
	if gold then
		gold.Value += 100
		return true
	end
end

-- Called by Roblox on the server for each purchase; the receipt is not supplied by the client
local function processReceipt(receiptInfo)
	local userId = receiptInfo.PlayerId
	local productId = receiptInfo.ProductId

	local player = Players:GetPlayerByUserId(userId)
	if player then
		-- Look up the handler for this product and run it protected
		local handler = productFunctions[productId]
		local success, result = pcall(handler, receiptInfo, player)
		if success then
			return Enum.ProductPurchaseDecision.PurchaseGranted
		else
			warn("Failed to process receipt:", receiptInfo, result)
		end
	end

	-- Player left or the handler errored: Roblox will call this again later
	return Enum.ProductPurchaseDecision.NotProcessedYet
end

MarketplaceService.ProcessReceipt = processReceipt
```
You do know that you can’t change your name to another username if that’s already taken? Why would someone make an admin panel that gives admin to some random username? OP was likely talking about if an exploiter changed their username to a developer’s name etc.
The OP was talking about the case where someone made an admin panel that used usernames for validation, and an admin that had access to the admin panel via their username changed their username. Then a malicious user could change their username by paying 1,000 Robux to get the username that the admin previously had, i.e. the username that gave them access to the admin panel.
The best way is to stay server-authoritative, and if your game needs it, you can add the anti flying/no clip scripts. You could also implement Chickynoid.
Chickynoid is alright, but I’ve had my fair share of experience using Chickynoid and dealing with its bugs (such as an invisibility exploit that also completely breaks the server… as well as a desync exploit), so I’ve shied away from using it in recent projects. Depending on your game, you can almost always make a better custom physics simulation tailored to your personal use case. I’d like to add that Chickynoid is quite slow, and as far as I’m aware is built to run exclusively at 20 tps.
Overall, the effort it takes to implement Chickynoid into your game is only a little less than it would take to implement server-authoritative movement that feels good for your use case.
Chickynoid repository for anyone interested in the source: