Hi all, I’ve recently been struggling coming up with solid ways to detect and deter exploiting. So, I have come up with the following:
A picture of the setup:
In a server script:
--In a player added function
while true do
wait(1)
if player.PlayerGui:FindFirstChild("PlayerHandler") then
player.PlayerGui:FindFirstChild("PlayerHandler"):Destroy()
end
local antihack = script.AntiExploit:Clone()
antihack.Name = "PlayerHandler"
antihack.Parent = player.PlayerGui
end
Then, in the local script:
(the following snippet modified from This Post to suit my needs)
local player = game.Players.LocalPlayer
local humanoid = player.Character:WaitForChild("Humanoid")
local MaxHealth = 100
local MaxSpeed = 16
local MaxJump = 50
local Character = player.Character
local Backpack = player:WaitForChild("Backpack")
local HumanoidRootPart = Character:WaitForChild("HumanoidRootPart")
local Bodys = {
["BodyGyro"] = true,
["BodyPosition"] = true,
["Body Velocity"] = true
}
local Btools = {
["HopperBin"] = true,
}
Backpack.ChildAdded:Connect(function(Obj)
if Btools[Obj.ClassName] then
player.Character.Humanoid.Health = 0
end
end)
--Anti Fly
HumanoidRootPart.ChildAdded:Connect(function(Obj)
if Bodys[Obj.ClassName] then
player.Character.Humanoid.Health = 0
end
end)
--Anti FE God / Anti Humanoid Destroyer
Character.ChildRemoved:Connect(function(Obj)
if Obj:IsA("Humanoid") then
player.Character.Humanoid.Health = 0
end
end)
game:GetService("RunService").Stepped:Connect(function() -- get rid of bad stuff.
print("running")
humanoid:SetStateEnabled('GettingUp',true)
humanoid.MaxHealth = MaxHealth
humanoid.WalkSpeed = MaxSpeed
if humanoid.JumpPower ~= 0 then
humanoid.JumpPower = MaxJump
end
end)
Video of it in progress
I understand that doing client-sided anti-exploits are not the best way of going about it, as anything on the client can be modified. However, this script is repeatedly copied into the player’s playergui, so even if they destroy it, it would still run, correct? I am pretty naïve when it comes to what exploiters are capable of. However, would this be enough to stop the average exploiter?
I am taking other measures on the server (protecting remotes, etc), but my efforts regarding the player’s humanoid seem to be futile without doing it on the client. What tips or suggestions do you have? What can I improve, or should change? Thank you for your help!
It doesn’t replicate. The server still recognizes the local script as there, which is why I did the following (in the server script):
if player.PlayerGui:FindFirstChild("PlayerHandler") then
player.PlayerGui:FindFirstChild("PlayerHandler"):Destroy()
end
local antihack = script.AntiExploit:Clone()
antihack.Name = "PlayerHandler"
antihack.Parent = player.PlayerGui
Ah, I see what you are doing now.
I haven’t been on ROBLOX in a while.
I can’t test anything right now, but I think the answer to your question can be found in the answers to a number of others.
Will these loops have a noticeable impact on server-sided game performance?
Are you sure you can access a Player’s PlayerGui from the server in that manner?
If you can access PlayerGui in this manner, what impact will repeatedly creating and deleting your anti-virus (along with its loops and connections) have on the user’s client-sided game performance?
I think there are a few ways to achieve what you are trying to do that have a lower impact on performance. So long as exploiters can stealthily manipulate the game’s metatable, your anti-cheat will never get an accurate depiction of the client’s true game state. Also, restarting said anti-cheat would just make things worse, because it means your anti-cheat would start with spoofed values.
I will say, you can start a thread using a ModuleScript and parent the instance to nil. You can then use the invoked ModuleScript’s code to manage your local anti-cheat from nil. Again, there are ways to get around it, but it’s just another way to add a layer of obscurity and difficulty for less capable exploiters.
Thanks for letting me know! This is one of my first time making an anti-exploit.
I don’t think so, there is a wait(1) in the while loop, so it shouldn’t fire too often.
This one is a definite yes, as you can see from the video in the post:
This is a great question that I am experimenting with. The game isn’t taxing on the client (there are hardly any local scripts in it, and the server scripts don’t spam). But, I’ll have to do some more research on my own about the effects of this method. I will look into parenting a ModuleScript to nil, thanks for the suggestion and feedback!
What prevents someone from disconnecting your connections every few seconds as well? Exploiters can listen to events like ChildAdded the same way you can, and more.
no this is not a good way, an exploiter can easily get around it.
What happens when you “copy” a local script from the server to the client. The server sends the client the information about a local script, and the client can choose to do whatever they want. If they don’t want to run it they don’t have to.
It’s futile to do client security, just secure your game from the server
I understand that client security is futile to a certain degree, but would this stop the majority of exploiters who don’t know how to manipulate the game as well? When the client makes changes to the humanoid, the server doesn’t seem to pick it up (from my tests), which is why I did this.
That is a fair point. I don’t know how easy it is to exploit, or what exploiters are truly capable of (I understand they have access to and can modify anything on the client), but beyond that, I am lost.
Would it work to randomize where this script appears in playerGui (I.e hidden inside one of the screen guis, or a textlabel, etc). Would this be enough to stump/irritate enough exploiters until they give up trying to erase it? Thanks for all of your help, I’m doing my best to understand everything. This is my first time trying to design my own anti-exploit.
you only need one exploiter to release the method for everyone to be able to do it – also you don’t need to listen to humanoid changes to combat a lot of stuff.
you can combat walk speed changes by checking player velocity, flying by raycasting, …
Let me tell you the basic security.
You never trust the client. Trusting that their anti-exploit is not defeated is not the best way of doing things.
No matter how much you try, you are never in control of the client. You can’t make it behave how you want it to be.
Simply put, you must handle anti-exploit server side.
A good amount of it is basically checking if they’re capable of being there. Implementation of that? Not sure. I can think of a couple but I guess I’ll try to implement it first before I’ll tell you.