I want to achieve a way that checks if the client deletes certain localscripts Client-Sided, the issue is that in my last post about passing a GenerateGUID between the client and the server each 2.5 seconds and if the client doesn’t response back with the key inside of 8 seconds, the server would’ve kicked the person, have a lot of people complained about how bad of an idea it is,
If someone could tell me how i achieve this (with what functions/events/properties), i would appreciate it.
I’ve been experimenting with this and I made it so multiple localscripts watch out for each other in a way that if either of the localscripts are deleted, then kick the player locally. This worked out for me since you can’t delete two localscripts at the exact same time - there’s always a slight delay.
I don’t know how well this works out with actual exploits, but writing a code which deletes all the localscripts at once will successfully kick you or by trying to manually delete them all in explorer during playtest.
I don’t think that’s good. I believe exploiters can remove RBXSignalEvent from local scripts (Changed event).
Do you have any sources on this? The most beneficial would be if a person who has previously exploited or made exploits could hop onto the thread and share their opinion.
I’ve heard it somewhere. However, I am unable to find the source again. I’ll try to find it.
Exploiters can access signal connections and Disable/Fire it and replace the function connected. Regardless if you expect clients to respond back in a timeframe you will have to take account for clients with slow PCs or bad internet. If a client didn’t finish loading the game they won’t send any remotes but queue them up instead.
This wouldn’t work, as they can just change the script source.
on the script itself you can do
script.Parent.ChildRemoved:Connect(function(Child)
if Child == script then
– Script Has Been Removed.
– Do what must be done here
end)
script.Disabled.Changed:Connect(function()
– Script Has Been Disabled.
– Do what must be done here
end)
or you can use a remote and have another script check if its there, but whats to say they dont delete that script first. This is best as the script will protect itself, e.g when its about to get destroyed you can create a clone of the script so it appears as if it was never deleted in the first place, or just outright ban them.
I have experience with both, for the sole purpose of anti-exploits. They cannot directly remove them from your script but they can attempt to remove the remote event from replicated storage. They can also call :FireServer().
There are 2 types of exploiters. Client Only, And Full injection.
Full injection tends to be a paid exploit and can effect the server
Client only works like a local script and will only show changes for the player.
Full injection is game breaking and can change anything in the server
Full injection is very harmful to games and should be your main cause of concern.
Can fire client and fire server. Can try to use modules
can remove localscripts and serverscripts
Client only isnt as game breaking but still allows for some things like allowing a player infinite jump, speed, flying teleportation, aimbot, animations and noclip
Can only fire server. Can try to use modules
Can remove localscripts
So for proper anti-exploit you will need 2 scripts, one on the server side, one on the client side. Both of them should never be disabled use .destroyed events and .disabled events on both of them. You can have them do a sanity check on one another through remote event and should the remote event not be there: If its client, kick the player, if its server then shut the server down ASAP
I have found that you can use the dev console and memory stats to check for some of the exploits.
If they make any errors or use print() at any point, the dev console script will catch them.
if they are using high usage scritps or removing a ton of parts or creating a ton of parts, the memory stats will pick up a big difference in the clients usage. You can somewhat make an average of the clients usage and have an allowance for lag and other things. injecting a exploit itself creates lag while it gets set up into the game, and on top of that some scripts can cause strain.
Just remember there are many methods of catching and handling exploiters, Personally i recommend hacker lobbies, so they can ruin the game for each other. Usually when you ban them they just create another account if they want to do it on your game again.
There is no way to exploit in a way so you can do whatever you want on the server.
You don’t need to fire a remote to kick the localplayer, this can just as fine be done locally.
The remote event is only to server as a sanity check, the scripts themselves will still have their own protection with the .destroyed and .changed events as i mentioned before.
The general idea is that if they somehow managed to get around the .changed or .destoryed, the sanity check will fail.
In other words, its fullproof. You put two scripts and 1 remote event and from then on they cant do anything to remove your anti-exploits.
Edit: Also people 100% can change the server, ive seen it done
What do you mean? How does this justify your “full injection” statement? And there’s no such thing as .Destroyed?
Well true. But you can check if the child is removed, so you go to script.parent and check if its removed that way
None of this is correct in any way.
Listening for destruction / disabling of scripts on the client is not remotely foolproof: it can be circumvented extremely easily with a few lines of code. As a general principle, time spent preventing exploits on the client is time wasted because a dedicated exploiter can always bypass your protections.
Any server-sided effects brought about by exploits are only ever due to limited cases of client-to-server replication, such as physics, or by developer error such as installing a backdoor or a poor implementation of remote handlers.
Although you can check for this, there is no point doing it. It will not protect your game against exploiters.
as for full injection. it can change everything you can using ‘script’.
So leadeboard stats, killing other players, turning invisible, never dying, removing your scripts, breaking your workspace, creating new parts, changing gravity, changing lighting.
The list goes on, and on. If you have no clue what im on about, look at
synapse x (Full injection)
jjsploit (Client Only)
well you will still need to check for them flying and stuff. but an exploiter who doesnt fancy being banned will just remove your anti-exploit.
You can check speed. Speed = Distance / time
if they tp or speed/fly they wont be allowed to go faster than the speed you specify.
to do this i logged 2 locations. using them i can calc stuff, then if they are going faster then you set them back to the first location (‘rubber band’ them).
You can do anti infinite jump by checking for when the player jumps and if its more frequent than it should be they are infinite jump.
you can check for walkspeed changes
you can check for camera focus / cframe changes to anti aimbots
however if you read the post. they are asking about stopping exploiters from tampering with the anti-exploit scripts.
So you are correct in saying that it wont stop the hackers from hacking. But it will stop them from tampering with the anti-exploit scripts which is what was actually asked about.
I know that this is very very old but I just wanted to imply that, you said “you can’t destroy multiple at once”, but you can:
for i,v in pairs(–path:GetChildren()) do
if v.Name == “Name1” or v.Name == “Name2” then
v:Destroy()
end
end