Hey Robloxians! I am currently trying to make a basic WalkSpeed anticheat for the client (because exploits run on the client).
I have a vast knowledge of Exploits like Synapse X, Script-Ware, KRNL, Etc.
I wanna know how to fix these as they’re simply bypassed.
ANTICHEAT
--// Parent: StarterCharacterScripts
local Player = game:GetService("Players").LocalPlayer
local Char = Player.Character or Player.CharacterAdded:Wait()
Char.Humanoid.Changed:Connect(function()
    if (Char.Humanoid.WalkSpeed > 16) then
        --// I use a remote here with 0 arguments to kick the local player
    end
end)
But the issue is it’s bypassable with hookmetamethod (A function in exploits)
They can simply use code to make a check to see if it’s “WalkSpeed” and from the “Humanoid”. It’ll then return it as example: 16, which tricks the client into thinking it has 16 walkspeed (When it doesn’t)
Do you know any bypass to this hookmetamethod trick?
It’s not a good idea to run an anti-cheat on the client. Just want to get that out of the way first.
But if you insist on it being on the client, you can try this:
local Player = game:GetService("Players").LocalPlayer
local Char = Player.Character or Player.CharacterAdded:Wait()
Char.Humanoid:GetPropertyChangedSignal("WalkSpeed"):Connect(function()
    if (Char.Humanoid.WalkSpeed > 16) then
        --// I use a remote here with 0 arguments to kick the local player
    end
end)
Yes, I know it is not recommended, but exploits work from the client, so basically they can still run a hookmetamethod call to bypass it. I will show an example:
local old
old = hookmetamethod(game, '__namecall', function(self, ...)
    local args = {...}
    -- they do checks here
    return 16
end)
So basically I can set my speed to 50 then run this, and it will trick my anti-cheat into thinking I have 16 walkspeed. Goes same with FireServer.
I had glanced over the rest of your post. Sorry. I assumed the code didn’t work and you just needed a fix for it.
I do not work in anti-cheat, so I don’t really know how else to help. I usually have a friend of mine that is way smarter than me in anti-cheat make one for my games. I cannot help you any further. My sincerest apologies!
Mind that they can simply Destroy or disable the script. They can hook :FireServer() or the .WalkSpeed check. The only thing you can always rely on is serverside anticheats. However, you can parent your script to nil, stopping most of the exploiters (like 80% of them can’t actually script). I’m also afraid you can’t detect hooks like that, and exploiters can use tpwalk to bypass it easily.
Disabling only works if you’re using non-threads.
Destroying does nothing to the script because that’s not how Lua works.
You don’t see exploiters casually putting :Destroy() on the script do you? They just hook functions and that’s it.
There are some things you can do to make it harder for exploiters to break your scripts by doing things such as adding
script.Parent = nil
at the very top of your script (yes I know exploiters can see nil instances but this makes calling :Destroy() on it useless),
But uh yeah, it is possible to detect hooks, both function and metamethod hooking. A brief concept of how hookfunction works: when you call a function such as :WaitForChild or :GetService you are actually calling the __namecall metamethod Lua function (you can read about it here).
What basically happens is it modifies the __namecall metamethod function to say “hey, if this function is called, make it do x instead”. In the long run it intercepts you calling the function and reroutes it to their own.
Finally, client-sided anti-cheats are not bad; they’re called bad because they can be bypassed (so can serversided anti-cheats, but nobody seems to care). Client-sided anti-cheats at least will catch your average skid that has no knowledge of Lua and uses basic scripts, and even if an exploiter with knowledge of how to bypass stuff joins your game, it will at least delay them.
So basically, setting the Parent to nil would slow them down? (I use a remote event to kick the “LOCALPLAYER” automatically passed in the more, so would it even work?)
If it’s a client-sided anti-cheat, firing a remote event to the server to kick the player or kicking the player on the client is not the way to go. I would recommend crashing the client instead with something like this:
“Their machine, their rules.” You as a developer do not have the ability to control what code the client executes, but you can respond to it. Unfortunately there is nothing you can do on the client side that will be foolproof hence why you should “Never trust the client.” and other quotes like “All user input is evil.” but I’m sure you get the point.
The most common approach against players attempting to teleport, increase their speed, fly etcetera is to observe how much distance they have covered in a given time frame, and if it is considered too fast, to take action (e.g. if they travelled 10,000 studs horizontally in a second, perhaps they are not the typical user). This is done on the server of course, as it is the only thing you can truly control and trust.
Can you show me examples for how to check if they teleport within too far of a frame? Would I use like (OldRootPos - Root.Position).Magnitude > (Distance)?
Exactly something like that, though do be warned if a player falls from a high distance they could potentially trigger it, so handle horizontal and vertical distance separately (with a large tolerance for declines in vertical height), and account for what material they are standing on.
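The server-side distance check described in the last replies, written out as an added example (not code from any poster in this thread). It samples each character's position on the server and judges horizontal and vertical travel separately; the threshold values, the strike counter and the function name `watch` are assumptions made for illustration.

```lua
--// Added example. Parent: ServerScriptService (server Script, not a LocalScript)
local Players = game:GetService("Players")

-- All thresholds below are assumed values; tune them for your game.
local CHECK_INTERVAL = 0.5    -- seconds between position samples
local HORIZONTAL_SLACK = 1.5  -- tolerance for latency and physics jitter
local MAX_RISE_SPEED = 80     -- studs/second upward (jumps, ramps)
local STRIKES_BEFORE_KICK = 3

local function watch(player, character)
	local humanoid = character:WaitForChild("Humanoid")
	local root = character:WaitForChild("HumanoidRootPart")
	local lastPos, lastTime, strikes = root.Position, os.clock(), 0

	while character.Parent and humanoid.Health > 0 do
		task.wait(CHECK_INTERVAL)
		local now = os.clock()
		local dt = now - lastTime
		local delta = root.Position - lastPos
		lastTime = now

		-- Horizontal and vertical travel are judged separately.
		local horizontal = Vector3.new(delta.X, 0, delta.Z).Magnitude
		-- The server's copy of WalkSpeed; a client-side edit does not replicate here.
		local tooFast = horizontal > humanoid.WalkSpeed * dt * HORIZONTAL_SLACK
		-- Only ascent is limited, so a long fall never trips the check.
		local roseTooFast = delta.Y > MAX_RISE_SPEED * dt

		if tooFast or roseTooFast then
			strikes += 1
			if strikes >= STRIKES_BEFORE_KICK then
				player:Kick("Movement check failed")
				return
			end
			root.CFrame = root.CFrame - delta -- move back to the last accepted position
		else
			lastPos = root.Position
		end
	end
end

Players.PlayerAdded:Connect(function(player)
	player.CharacterAdded:Connect(function(character)
		watch(player, character)
	end)
end)
```

Any teleport your own server code performs has to reset the stored position, or it will be counted as a violation. The floor-material adjustment mentioned in the reply is not modelled here.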