Is it better to freeze client or kick?

I was wondering if it’s better to either
Crash Client

for _, v in ipairs(game.Workspace:GetDescendants()) do
	if v:IsA("BasePart") then
		v.Anchored = false
	end
end
Players.LocalPlayer.PlayerGui:FindFirstChild("MainUI"):FindFirstChild("AntiFly2").Text = "YOUR DEVICE WILL BE CRASHED FOR ATTEMPTING TO FLY"
task.wait(5)
while true do os.clock() end

or just simply kick on client?

LocalPlayer:Kick("BodyGyro has been added to HRP, Your data has been saved.")

I am doing this because my anti-exploit is in a LocalScript instead of server-side.
Any suggestions are appreciated.

An exploiter could delete either one; they have client control and can delete the LocalScript. You should only make an anticheat on the server. I’ve been making an anticheat for the server and I might publish it, not sure when though.

Crash is better because it can’t be bypassed unless your script is going to get deleted by an exploiter.


The anti-exploit is found in a mandatory LocalScript; it handles everything client-related. If an exploiter tries to delete it, the game becomes unplayable.
I can also detect if it’s deleted on the server by using ChildRemoved.

Fire a remote that just bans the player from the game.

From what I remember, exploiters can edit anything inside of the LocalScript. However, you should probably double check that.

Edit - As for this quote below, you cannot detect something deleted on the client through the server. Think about it this way: I delete a part on my side; the server will still have the part and all other players will still have the part except for me. This is due to the FilteringEnabled update.


If I recall, using remote events for kicking is not very efficient; an exploiter could easily fire it and kick all players.

You can detect anything deleted under the character because it’ll replicate; however, that’s not the case for ChildAdded. That’s why I used a LocalScript.

I have tested this in Studio. It will replicate to the server if it’s removed, but not if it’s moved to a different place where it cannot work, such as Lighting. You might have already come up with a way to combat this, but I just wanted to include this just in case, or maybe I tested this wrong or understood it incorrectly. I hope anything I’ve said helps, good luck.


The exploiter can also block the remote to prevent them from getting kicked

Never use the client for anti-cheat. Exploiters can disable being kicked from the client, and/or delete your script.

As mentioned earlier, the script is mandatory; it handles everything including remote events and has a looping check every 10 seconds for whether it’s disabled.

The thing is that the exploiters can

  • Close any Event connection without having a direct reference to the ScriptConnection
  • Change what certain functions return, like making GetDescendants() or GetChildren() on the Character return an empty table

Which means detecting if anything suspicious is added to any Instance (on the Client) is impossible since exploiters can just bypass by doing one of the above mentioned things.

Some things to add to this, even though it’s not related to the original post

ChildRemoved may not be a reliable option, because the exploiter can still disable the script and change the contents within the script. A better idea would be to clone the local script into the player from a server script, then check if the local script’s disabled property changes, or if its parent is not equal to the player.

I still think that’s unnecessary. Your code should rely only on the client for input, not logic. I think it’s better to let them mess with stuff as they will anyway if you have the script. Instead, you should have sanity checks on the server. The client should never be able to mess with others or break the game by spoofing remotes.

Something to add to this, people can edit scripts on the client. They can change local functions and constants too.

You would have to be a very bad developer to allow the player to pass who to kick. Remote events’ OnServerEvent automatically passes player as the first parameter and this cannot be spoofed.

There was once a post where somebody in here had their game hijacked, and exploiters were easily able to kick all players due to a RemoteEvent that was supposed to be for admins only.

Probably because it wasn’t secured. They either had a backdoor or didn’t check who fired it. Spoofing the player is not possible currently.

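The check discussed in the posts above (authorize on the engine-supplied sender, never on what the client passes), as an added example that is not part of the thread: a server-side handler for an admin-only kick remote. The remote name `AdminKick`, the `ADMIN_USER_IDS` table and its placeholder id are assumptions.

```lua
-- Server Script (for example in ServerScriptService). Added example, not from the thread.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

-- Assumption: a RemoteEvent named "AdminKick" exists in ReplicatedStorage.
local adminKick = ReplicatedStorage:WaitForChild("AdminKick")

-- Assumption: admins are identified by UserId; this id is a placeholder.
local ADMIN_USER_IDS = {
	[1234567] = true,
}

local MAX_REASON_LENGTH = 100
local MIN_SECONDS_BETWEEN_CALLS = 2
local lastCall = {} -- [Player] = os.clock() of the last accepted call

Players.PlayerRemoving:Connect(function(player)
	lastCall[player] = nil
end)

adminKick.OnServerEvent:Connect(function(sender, targetUserId, reason)
	-- `sender` is filled in by the engine; every argument after it is client-controlled.
	if not ADMIN_USER_IDS[sender.UserId] then
		warn(("Rejected AdminKick from non-admin %s (%d)"):format(sender.Name, sender.UserId))
		return
	end

	-- Rate-limit even authorized senders so one session cannot empty the server at once.
	local now = os.clock()
	if lastCall[sender] and now - lastCall[sender] < MIN_SECONDS_BETWEEN_CALLS then
		return
	end
	lastCall[sender] = now

	-- Type-check the payload: a client can send any value, including NaN or a table.
	if typeof(targetUserId) ~= "number" or targetUserId % 1 ~= 0 then
		return
	end
	if typeof(reason) ~= "string" then
		reason = "No reason given"
	end
	reason = string.sub(reason, 1, MAX_REASON_LENGTH)

	-- Resolve the target on the server and refuse to kick other admins.
	local target = Players:GetPlayerByUserId(targetUserId)
	if target and not ADMIN_USER_IDS[target.UserId] then
		target:Kick("Kicked by an admin: " .. reason)
	end
end)
```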

I am aware that clients should never be trusted; however, as I mentioned, you can’t detect anything added by clients on the server (ChildAdded). That’s why I used a LocalScript, until I find a solution that combats this.
Also, I already have a server-side script that detects flying, but it’s very inefficient and not very quick.

local isNearObjects = (FindPartBeingStoodOn(nearbyParts) ~= nil)
if not isNearObjects then
	suspicious = true
	FlightHeat = math.max(0, FlightHeat + ((p2.Y - p1.Y) / Config.FlightHeatCooldownRequiredFallSpeed + deltaTime) / Config.MaxFlyingDuration)

	-- Figure out a maximum jump height
	local jumpHeightTolerance
	if Humanoid.UseJumpPower then
		-- The '* 1.1' part is in case the humanoid has slight jumpieness from Roblox's weird physics.
		jumpHeightTolerance = (Humanoid.JumpPower ^ 2) / (2 * workspace.Gravity) * 1.1
	else
		jumpHeightTolerance = Humanoid.JumpHeight * 1.1
	end

	if FlightHeat >= 1 or p2.Y > LastGroundedAltitude + jumpHeightTolerance then
		Humanoid.JumpPower = 42
		Punish("flying")
		return
	end
else
	FlightHeat = 0
	LastGroundedAltitude = p2.Y
end

Inherited from FJAnti-Exploit FJ's (Experimental) Character Anticheat
