Is it possible for hackers to bypass :kick()?

I found a post somewhere (But I forgot where it is xD), and it says that it is possible for exploiters to to create a working anti-kick, that prevents them from being kicked from the game. Is this possible? If it is, then how do they do it, and how can it be stopped?

4 Likes

No. Kick disconnects the client from the server. It’s complete network severance. Not even an exploiter can avoid it.

3 Likes

Technically you could overcome it by logging into another account.

Another note is how you design your kick system. Make sure that the system stores the player’s UserId as a reference to who is kicked, not the username (usernames can be changed).

Also, make sure your kick system is server-side. For some odd reason, you can kick the LocalPlayer with Kick(), which just asks for badly-designed kick systems.

4 Likes

if you use :Kick() on the client, it can be bypassed, same goes for basically every cheat detection method you attempt to implement that is clientsided.

they bypass it by changing callback functions in the metatable, when the client kicks itself, that callback can be changed by exploiters, as refrenced in this script:

local getrawmetatable = getrawmetatable or debug.getmetatable
local make_writeable = make_writeable or setreadonly or changereadonly or change_writeable
make_writeable(getrawmetatable(game), false)
local backup = getrawmetatable(game).__namecall
getrawmetatable(game).__namecall = function(u, ...)
   local m = ({...})[select('#', ...)]
   local packed = {...}
   local a = {}
   for i = 1, #packed - 1 do
       a[i] = packed[i]
   end
   if m == 'Kick' then
       warn('Kick attempt at ' .. os.time() .. ' (' .. tostring(unpack(a)) .. ')')
       return true -- this tricks the game into thinking it was kicked, while it never disconnects itself.
   end
   return backup and backup(u, ...) or u[m](u, unpack(a))
end

you are better off simply kicking the player in question from the server.

8 Likes

It’s avoidable for an exploiter if kicking is implemented on the client-side by modifying the function to run under their own, quite a bit of games are susceptible to this. You can easily find methods such as this to avoid it.

1 Like

If you account for Kick being used on the client, then yeah. I wasn’t considering Kick being used on the client, didn’t even know you could use it from the client.

Anything client-wise can, by nature, be bypassed. When it comes to the server though, there is guaranteed severance.

1 Like

Arguably the ability to use Kick from the client should just be removed IMO

2 Likes

That’s not something that’s gotten “popular recently”, that’s always been an existing method for removing players and it’s a terrible one especially considering how a client can easily circumvent the code or make the loop timeout or force-stop.

2 Likes

just fire :Kick() from the server