In my game I’ve been dealing with constant exploiters lately. Flying, Noclipping, teleporting, speeding, and I made a working anti-cheat for all of those. I thought I had made my game cheater-free but now people are apparently going invisible using exploits. Any ideas on how they are doing this and how I could combat it?
4 Likes
Remove layered clothing would be a good start since layered clothing is notorious for allowing people to become invisible. It usually has absolutely nothing to do with exploits. People bypass certain clothing items and it causes invisibility and other bugs. Sometimes they abuse certain game mechanics where the game would allow them to do such. R6 was studied a lot more by exploiters than R15 so I bet if you disabled R6 it would cripple their ability to go invisible
2 Likes
Game is R6, no layered clothing is allowed.
3 Likes
What if you check their Transparency every time it changes?
Exploiters make changes on their side aka client-side, you can’t check what client did within a server.
If you’re talking about client-sided detections, oh boy, bypassable very easy
I have been thinking about this system where you just place a clone of the clientside anticheat every few seconds using a server script, but im really sure thats not gonna work since i have never made a anticheat (hopefully it does work)
Enable the “RejectCharacterDeletions” property in workspace, since the exploiters can delete each of their limbs
1 Like
Anti-cheats should be more client focused, In my opinion
Its highly unlikely now that a player can gain server access which can affect everyone, rather check if they do any internal behavior which can then possibly be checked on the server - which isn’t really necessary: unless you don’t really want accuracy of detection.
For example,
-
most simple invisibility scripts just play an animation which moves the torso/character really far away,
-
if they have server access they would simply shrink the player’s BaseParts to a really small size, to avoid detection.
The problem with server-side and client-side working together is that i can be quite slow and is quite a daunting task to do with applaudable results.
1 Like
The reason client doesn’t work is cuz they can just delete the script and make the anti-cheat stop working.
1 Like
I am going to try implementing this, thank you. I’ll get back to you to see if it works.
1 Like
Wouldn’t you simply detect for its removal? just a question…
1 Like
It might help, but i think the exploiters can disable their joints (i don’t know exactly what RejectCharacterDeletions does) and therefore their limbs could fall into the void and getting deleted, which could still make it invisible but it might make the exploiter die
1 Like
Correct, however they will not die if the legs/arms fall off, only the torso or head (i think)
1 Like
You can’t, I tried this already. I even tried detecting the anti-cheats script deletion inside of a DIFFERENT script, but they still deleted that one and then the other one. 
1 Like
What about 2 scripts checking the deletion of eachother?
they can delete them at the same time or use more advanced methods(although most exploiters won’t) like hooking remote calls so the server will never know anything went wrong
This is also easily bypassable. This issue should’ve been solved with RejectCharacterDeletions outside of abusing layered clothing bugs.
You can implement a heartbeat where it communicates to the server every so often to confirm that it’s still running. Exploiters can replicate this, so you’d need to implement some sort of key that changes and is encrypted that the server can then verify. Obfuscation is also useful. All of this is more work than it’s worth since exploiters basically only exist on mobile now as all PC executors are detected.
What about cloning the client anticheat on the server every few seconds?
Like, add the anticheat, disable it and clone it (and enable the clone, delete it right before a new one is added) every few seconds
I don’t believe it’s possible for a server script to clone a local script and have it run on the player’s client. I could be wrong, though. Without the local script being obfuscated, it would just take an exploiter decompiling the script and hooking a few things. There are sometimes clever tricks to check if these are hooked, but it’s not too hard to mitigate these tricks.