I think i figured out a way to prevent exploits fully

Every player gets a localscript that is attached to their keybind.

When the player moves, the key the player clicked is fired to the server so the server can make sure if the key they pressed makes sense with where they should be.

If where they should be does not make sense like if they clicked W and they went up it means they were flying.

and if the player moves and there is no keybind detected then it means that localscript was modified and thus they should get kicked.

3 Likes

I’m not sure if this is the right category for this post.
The system you have explained would need to be extremely precise to prevent it from thinking normal movement counts as exploiting.
Replication lag might also cause some problems.

3 Likes

It’s a simple way to put it, and you’re right, but exploits will never be completely stopped, as they always find a way to enter the server and be undetectable.

2 Likes

They could just disable the local script. Also, how about slopes?

3 Likes

We create a copy of the player character that is stored as data in the server.
The server uses the player character data from the keybinds and sort of simulates what will happen to the data of the character in response to those keybinds.

If the character doesn’t go in accordance with those keybinds then kick

If they disable the local script the server stops receiving information and kicks the player

1 Like

They could just disable the script and replace it with their own script that fires keys that make sense but aren’t actually being pressed.

4 Likes

So I press W, Server simulates/thinks that I should be moving forward. I get a ping peak/drop, all simulation values broken, and I got kicked?.. The Sync for that kind of “simulation” its not possible when dealing with ping.

If I press SpaceBar to jump, what ur server simulation does?
It supose Im going up. If I add Velocity to my HRP while on Jumping or Freefall HumanoidState. I will be able to make multiple jumps on air, and your server will think Im jumping normally.

As Pokemoncraft told you. What about terrain slopes? or what if I replace your LocalScript with a custom one? I know, probably the “server simulation” will notice Im moving weird, comparing the Keybinds simulation with my real position on server… But, again, and the Lag? Impossible to keep an accurate simulation just expecting signal from client.

Maybe adding a ping check to create some room between the simulation and the values read by the server. “Never Trust the Client” becomes a hard task when making anticheats like that

7 Likes

Sure this works assuming they cannot send you fake keys pressed (which is doable by using getrawmetatable or just deleting your script and hook their own), and there is 0 latency between the server and the client.

So the answer is no.

3 Likes

You know I think i figured out a way to stop teleport hacks and maybe flying

Are you forgetting that exploiters can delete your local script or just simulate fake key presses? Instead of trying these obscure methods to stop exploiters you should instead try and design your game in a way where it won’t impact any other player hence if someone cheats this will then result in the exploiter getting bored and leaving your game.

Don’t focus too much on the anti cheat instead focus on your game. Just have a decent client side anti cheat and then update it from time to time. The more attention you give to exploiters the more people will exploit your games (weird but it’s true)

3 Likes

This wouldn’t work in real game environments. Roblox physics exist (which are known to be glitchy), and also an exploiter can either manipulate remote data to fire keybinds, or even manipulate the UserInputService in order to fake keybinds. You should never trust localscripts in the first place unless you know what you’re doing.

A better method to do basically the same thing you’re doing is detect the Velocity Magnitude for X and Z and compare it to a maximum walkspeed as follows:
Server Script:

game:service("RunService").Stepped:connect(function()
   for _,v in pairs(game:service("Players"):GetPlayers()) do 
      if (v.Character.HumanoidRootPart.Velocity.Magnitude.X > 30 or v.Character.HumanoidRootPart.Velocity.Magnitude.Z > 30) then 
          -- teleport the user back
      end
   end
end)

This is only an example.

For what it’s worth, a lot of multiplayer games do something like this. Rocket League, for example: It IS Rocket Science! The Physics of Rocket League Detailed - YouTube

But

  1. You can’t use a LocalScript, that’s on the client and so can be exploited
  2. You can’t do it at all, because RemoteEvents aren’t built for this sort of thing
  3. It needs to be built into the engine from the ground up, but ROBLOX doesn’t have server-authoritative physics and it would be an absolutely massive shift in how their engine works
  4. The system will have false positives
  5. People will still find ways around it

We could have super advanced AIs that learn hacker’s movements.

Mmmmmmmmmmm you should get on that then :slight_smile:

3 Likes

As a cool experiment, try setting the network ownership of the character to the server. You’ll notice that while you’ve just stopped all physics exploits, your keypresses feel a bit delayed and clunky.

A lot of games outside of Roblox hit a middle ground like you described, where a local character does instant movement while the server tracks a more accurate position. However, kicking or banning for this is full of false positives. The best experience will be in teleporting the player back if the server prediction gets too far away from the client one.

4 Likes

ooooo… maybe every 30 seconds we set network ownership of the character to the server and then back to the player.

1 Like

they could just spoof the data

1 Like

now personally there is no way to stop exploiters, they always get more and more advanced and you just have to adapt your game to make sure they can fine bugs for their use