Ideas for anti-exploit

topcst · November 1, 2020, 4:16pm

I’m currently developing an anti-exploit which I plan to make accessible for every roblox user to help combat exploiters without the stress of needing to develop their own anti-exploit.

I was just wondering if anyone has any ideas of any features i could include, Currently im planning

Anti Walkspeed
Health detection (Max and current)
Jump Power

The settings is in a module script so you can disable/enable certain aspects of the anti-cheat upon changing values and the script is fully server sided.
Here is the current code:

--// Module
local Settings = require(script.ModuleScript)

--// Services
local Players = game:GetService("Players")

--// Functions
local function Refresh(Player)
	--// Variables for player
	local Player = Players:WaitForChild(Player.Name,60)
	local Character = Player.Character or Player.CharacterAdded:wait()
	local Humanoid = Character:WaitForChild("Humanoid",60)
	
	if Player and Character and Humanoid then
		
		--// Walkspeed Detection
		if Settings.WalkspeedDetection then
			if Humanoid.WalkSpeed > Settings.MaxWalkspeed then
				Player:Kick("Caught speed hacking")
			end
		end
		
		print("Checked ".. Player.Name)
	end
end


--// Keep Running Check
spawn(function()
	while wait(3) do
		for _,v in pairs(Players:GetChildren()) do
			Refresh(v)
		end
	end
end)

JarodOfOrbiter · November 1, 2020, 4:44pm

topcst:

	local Player = Players:WaitForChild(Player.Name,60)
	local Character = Player.Character or Player.CharacterAdded:wait()
	local Humanoid = Character:WaitForChild("Humanoid",60)
	
	if Player and Character and Humanoid then

Just for the record, that last line there is redundant because if Player or Character are nil, it will error on the second and third lines that I quoted.

Mishaho · November 1, 2020, 5:38pm

I don’t think that health is vulnerable, exploiters can only execute from the client and health won’t be changed on server.

colbert2677 · November 1, 2020, 9:49pm

It’s worth addressing the flaws of what you have right now before thinking about new ideas for anti-exploit. Additionally, your anti-exploit should only be tied down to your game specifically instead of being some monolithic handler that you may not even need.

Remembering the flow of the client-server model is important when developing anti-exploit. All exploit code is ran locally and takes advantage of holes in game security or otherwise to do their bidding. Your walkspeed check is therefore currently pointless. When the client changes their walkspeed, the change isn’t replicated - only the character movement physics affected by walkspeed are. Therefore, it’s important instead that the server verify the velocity/displacement of the character while moving instead of checking the walkspeed property.

Health detection is in the same boat - in fact, there’s no need to do that at all unless your game’s architecture is poorly made. The client’s change to health won’t replicate and it doesn’t have any kind of influence on the server. Health is purely server-sided so you can ditch that check altogether.

JumpPower is in the same position as WalkSpeed; the physics changes replicate but the property changes do not. You should be checking up on the character’s physics according to the Y-axis.

And then finally, my nitpicks: stop using while wait and spawn. Use ipairs instead of pairs when iterating arrays and use the proper function GetPlayers for fetching the list of players, not GetChildren.