Insights on exploit prevention

Hello! I’m fairly (not terribly) new to the roblox API, but… I have developed my own game
it’s a pvp fps shooter game that is mostly server sided (since one match would consist of less than 5 players).
The only problem that i have in mind are exploiters… I have scoured through the devforum and other forums that “may” contain roblox game exploits, so i would understand them and prevent them.

The thing is there is a lot of vague information on how to detect them, and i tried to do my own from the information i got but it lags my server (because it checks every player in the server every second or so…)
I am wondering if there are any insights to prevent exploiters ruining my game and my legit players’ experience?

***edit: i have seen what ripull has made to detect the most common exploits like no clip, fly, teleport, jump and stuff. but i haven’t gotten the grasp on how they work and what we can do to prevent them without degrading the performance that much?***


I do a lot of trickery when it comes to preventing exploits:

  1. Script Obfuscation, renames every variable and function name to a random amount of underscores, very satisfying to look at.
  2. Randomised networking keys and instances, all different each server.
  3. Function environment and ModuleScript trickery to prevent most methods of tampering with the client’s script environment.
  4. Encrypting certain parts of code in LocalScripts with my own custom Lua VM which is randomised each time I update.

This is only a few things that I do to combat exploiters, I have many other tricks that I use.
Most of the stuff I mentioned above (1,2 and 4) are all automated.


The first thing you want to think of is securing your remotes. Only run code on the server when the client requests it, when it is appropriate to.

For flying, you could try to detect the amount of time a player is not on the ground. This might not work well if you have a game that involves a lot of falling, but for an FPS, it should be fine. You could either raycast, or use the Humanoid floor material property. Also, you could listen to the Humanoid State Changed event, I believe the flying exploit just changes that to some state that allows you to fly.

For teleporting, just keep track of the position every once in a while. If a change in the magnitude of two positions is large, then that means they have teleported. Keep in mind that this will alert if you teleport players yourself, so on respawn, or just moving players via the server such as when a game begins, make an exception (on the server, obviously.)

For no clip, you could try raycasting from the character’s torso every so often, and if it hits a part, they are inside of one? Not really sure how to go about this, but I’m sure someone else can help.

As for jump, I’m not sure what you mean. Make sure JumpPower doesn’t go above a certain amount?
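
The server-side position and air-time checks suggested in the reply above, as an added Luau example that is not part of the original thread. It samples each player on one slow loop, which stays cheap for matches of a few players; every threshold, the `exempt` hook and the `flag` handler are assumptions, and only horizontal movement is compared so that falling does not trigger it.

```lua
-- Server Script. Added example; every threshold below is an assumption to tune.
local Players = game:GetService("Players")
local CHECK_INTERVAL = 0.5 -- seconds between samples
local SPEED_SLACK = 1.5    -- multiplier covering latency and physics jitter
local MAX_AIR_TIME = 4     -- seconds with no ground below before flagging
local tracked = {}         -- [Player] = { pos, airTime, exemptUntil }

-- Call before the server itself moves a character (round start, map change).
local function exempt(player, seconds)
	local state = tracked[player]
	if state then
		state.exemptUntil, state.pos, state.airTime = os.clock() + seconds, nil, 0
	end
end
local function flag(player, reason) -- hypothetical handler: log, count strikes, kick
	warn(("[movement] %s: %s"):format(player.Name, reason))
end
Players.PlayerAdded:Connect(function(player)
	tracked[player] = { airTime = 0, exemptUntil = 0 }
	player.CharacterAdded:Connect(function()
		exempt(player, 2) -- a respawn is a legitimate teleport
	end)
end)
Players.PlayerRemoving:Connect(function(player) tracked[player] = nil end)

while true do
	local dt = task.wait(CHECK_INTERVAL)
	for player, state in pairs(tracked) do
		local character = player.Character
		local root = character and character:FindFirstChild("HumanoidRootPart")
		local humanoid = character and character:FindFirstChildOfClass("Humanoid")
		if root and humanoid and humanoid.Health > 0 and os.clock() >= state.exemptUntil then
			local moved = state.pos and ((root.Position - state.pos) * Vector3.new(1, 0, 1)).Magnitude
			if moved and moved > humanoid.WalkSpeed * dt * SPEED_SLACK + 2 then
				flag(player, ("moved %.1f studs in %.2fs"):format(moved, dt))
			end
			local params = RaycastParams.new()
			params.FilterDescendantsInstances = { character }
			params.FilterType = Enum.RaycastFilterType.Exclude
			local ground = workspace:Raycast(root.Position, Vector3.new(0, -6, 0), params)
			state.airTime = ground and 0 or state.airTime + dt
			if state.airTime > MAX_AIR_TIME then
				flag(player, "airborne too long")
				state.airTime = 0
			end
			state.pos = root.Position
		end
	end
end
```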


@selfhood I have a simple anti exploit script, here’s the link. Aeroiqz V2 | Anti-Exploit | Review


Also keep in mind that for the people suggesting using client side scripts to detect exploits, that exploiters can view the source code of these scripts. You could try to obfuscate them, but an experienced and determined exploiter will always be able to get around it.


yes, i’m aware of client side anti exploit being easy to disable, also thanks @voidage and @pyrotenics for the replies.
the good rule of thumb is just not to trust client i suppose


from what i’ve seen from 3ds’ video on a guy on devforum that “supposedly” skidded the pseudo generated key to secure RE and RF’s was proven to be useless or easily bypass-able. or is there a better way to do it? since exploiters can read what the server sent to client


I don’t think you should waste your time with whatever kind of client-server “encryption” people mess with. Like you said:

exploiters can see what is sent, and they can view the code itself as well.


@pyrotenics hmm is there a way to detect esp from server-side? the thing is i might be able to scan the core gui for any changes (injected gui’s) but i can’t stop them from getting the location of any player in the game, as a result they can use aimbot


Not even close. The trace it leaves behind is not only the entire script but also a dangling variable in your _G, and everything the function uses is also vulnerable.

Hiding client code is not a solution that ever works.


Well, you could print out if a player runs a script. I recommend patching the players script.


Probably two of the biggest replies you’re going to get in the future are “don’t trust the client” and “do server-side checks on your remotes” - those are the two best ways and only real ways anyway. Anything else is fairly extraneous.

Furthermore, there are already tons of threads on the DevForum regarding exploit prevention. Have you tried reading any of those first?


i have 20 pages opened and bookmarked


exploiters could even rewrite _G and shared variables too hmm


Security through obscurity isn’t real security. The least you’re going to discourage is an exploiter who’s looking to sift through your code. You’re only shooting yourself in the foot by making your own code confusing just to “stop” a casual, who probably won’t even look much at your code in the first place.

What “trickery”? This word “trickery” has been thrown around several times in the response with no attempt to explain it. That makes bringing it up moot.

In the future, also, when you post code to the DevForum, please post it in a code block so that it’s readable to anyone looking at your code. Put your code between three backticks to accomplish that.

```
-- Your code
```


Yes, but how is the client going to view the code in this function, or disable it? I know a certain… someone who has some experience with viewing the source code of local scripts, through an in game explorer, or saving the game. I am not trying to be sarcastic, I am actually curious.

Edit: Does overwriting _G just stop any functions in it running?


No. _G is just a normal table. Any exploit can access it, and threads can easily be messed with on top of that.


i remember someone saying that something in while true do end loops can’t be hijacked, but they can delete the whole script anyways right?


All of these methods are fairly ineffective. Security through obscurity is not real security and will generally just cause your code to be slower and harder to debug (especially with the VM!) rather than actually disrupting the exploiters.

Likewise, having network keys is a terrible idea! Exploiters can read all remote traffic and instantly and automatically take your key.

@selfhood As @Voidage said in so many words, use a good client-server model. Don’t trust the client and you won’t need to waste your time trying to secure the client - it’s generally a fruitless endeavour.
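
The "secure your remotes" and "don't trust the client" advice from the replies above, as an added Luau example that is not part of the original thread. The `FireWeapon` RemoteEvent, its single-argument payload and all limits are assumptions; the client only sends an aim direction, and the server decides whether a shot is allowed, what it hits and how much damage it does.

```lua
-- Server Script. Added example; remote name, payload shape and limits are assumptions.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

local fireRemote = ReplicatedStorage:WaitForChild("FireWeapon") -- hypothetical RemoteEvent
local FIRE_COOLDOWN = 0.15 -- minimum seconds between shots
local MAX_RANGE = 500      -- studs
local DAMAGE = 25          -- chosen by the server, never sent by the client
local lastShot = {}        -- [Player] = os.clock() of the last accepted shot

fireRemote.OnServerEvent:Connect(function(player, direction)
	-- 1. Type check: the client can send anything, including nothing.
	if typeof(direction) ~= "Vector3" then return end
	local length = direction.Magnitude
	if length ~= length or length < 0.5 or length > 2 then return end -- NaN, zero or huge

	-- 2. State check: the shooter must have a living character.
	local character = player.Character
	local humanoid = character and character:FindFirstChildOfClass("Humanoid")
	local head = character and character:FindFirstChild("Head")
	if not (humanoid and head and humanoid.Health > 0) then return end

	-- 3. Rate limit: firing the remote faster than the weapon allows is ignored.
	local now = os.clock()
	if now - (lastShot[player] or 0) < FIRE_COOLDOWN then return end
	lastShot[player] = now

	-- 4. The server performs the raycast from its own copy of the character,
	--    so the origin, the target and the damage are never client-supplied.
	local params = RaycastParams.new()
	params.FilterDescendantsInstances = { character }
	params.FilterType = Enum.RaycastFilterType.Exclude
	local hit = workspace:Raycast(head.Position, direction.Unit * MAX_RANGE, params)
	local model = hit and hit.Instance:FindFirstAncestorOfClass("Model")
	local victim = model and model:FindFirstChildOfClass("Humanoid")
	if victim and Players:GetPlayerFromCharacter(model) then
		victim:TakeDamage(DAMAGE)
	end
end)

Players.PlayerRemoving:Connect(function(player) lastShot[player] = nil end)
```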