MadAntiCheat V2 - A Much Needed Upgrade

MadAntiCheat

MadAntiCheat has been discontinued. However, I have made a successor anti-cheat, BitAntiCheat, which addresses many issues present in this anti-cheat, and is overall much better than this one. https://devforum.roblox.com/t/bitanticheat-a-server-sided-general-purpose-anti-cheat/

Disclaimer: This is an open-source anti-cheat, it is not a top-of-the-line industrial grade anti-cheat. I made this as a side project. This is not made to block all exploiters (ones with scripting backgrounds, etc). This IS made to block script kiddies from just using open-source exploits to ruin games. This anti-cheat is not an artificial intelligence, and can’t detect every exploit that pops up in your game.

MadAntiCheat V2 is a remake of MadAntiCheat V1, which had a lot of flaws, false positives, and unoptimized code. I created V2 in hopes of fixing that!

**Note, this is currently in alpha. Expect there to be updates posted here.**

Installation

In order to install MadAntiCheat, simply go to the GitHub and follow the instructions posted there.
MadAntiCheat (madonox.github.io)

Features

MadAntiCheat has a lot of features packed into it, from administrative utilities to preventing exploiters from using exploits in your games!
Here is a list of all current features:

  • Speed check.
  • Ping check (anti-lagswitch).
  • Administrative GUI.
  • Screenwatch ability for admins.
  • Anti hitbox expanding.
  • Anti script injection (not tested; I don’t own an exploit client).
  • Ability to import admins from external admin systems.

API

While MadAntiCheat V2 is certainly an improvement compared to V1, it can still interfere with external scripts. Because of this, I have made it so that developers can interact with the API to disable certain checks, such as speed.

Getting the API module

In order to get the API module, you can simply do:

local MadAntiCheatAPI = require(game.ReplicatedStorage:WaitForChild("MadAntiCheatAPI"):WaitForChild("MadAntiCheatAPI"))

Once you have the API required, you can begin to interact with it.
In order to interact with any server sided checks (speed, ping, etc), you must use the invoke method.
Below is an example of interacting with the speed check.

MadAntiCheatAPI.invoke("Speed","ignorePlayerNext",game.Players:WaitForChild("Madonox"))

The code above will ignore the player for one check, once that check has passed it will continue to check them.
Speed Check Documentation:

| Method | Argument(s) | Effect |
|---|---|---|
| "ignorePlayerNext" | Player | Ignores check on player once. |
| "ignorePlayer" | Player | Ignores checks on the player. |

As of now, this is all there is to the API. I will be expanding on it in the future, though!

If you have any questions, do not hesitate to post a reply about it or private message me.

33 Likes

Surely cheaters can’t bypass this 2x

15 Likes

The only thing that is client-sided is the HBE check, anti-injection, and screenwatch (all of which cannot be fully done on the server). I additionally added security to all the remotes on this anticheat.

Ok, so cheater injects into CoreGui, now what does your module do.
Cheater creates a local character, what does your speed check do.
Surely your ping check can be easily bypassed.

These are the most common exploits that make this entire module useless.

3 Likes

The ping check cannot actually be bypassed, as it is done by invoking the client with a RemoteFunction (via pcall), if the client does not respond within the allocated amount of time, the client gets kicked.
The anti-injection works by comparing memory values, as memory spikes when an exploit is injected. This check becomes active when a user minimizes their Roblox window, as you need to minimize the window / click off of it to view an exploit application. So when the user minimizes, and tries to inject, the system will detect the memory spike and kick them.

The speed check works by using a magnitude check. If the character’s primary part distance is greater than the allocated travel time for x seconds, it will teleport them back to that point.
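
The server-side magnitude check described in the reply above, as an added example that is not part of the original post and is not MadAntiCheat's code. The constants, the `lastPos` and `ignoreNext` tables and the helper name are hypothetical; `ignoreNext` mirrors the one-check skip that the API's "ignorePlayerNext" is documented to provide.

```lua
-- Server Script (e.g. in ServerScriptService). Names and constants are hypothetical.
local Players = game:GetService("Players")

local CHECK_INTERVAL = 1  -- seconds between checks (assumed value)
local TOLERANCE = 1.5     -- slack for latency and physics jitter (assumed value)
local lastPos = {}        -- [Player] = last accepted position (Vector3)
local ignoreNext = {}     -- [Player] = true: skip one check, set before a legitimate teleport

local function getRootAndHumanoid(player)
	local character = player.Character
	if not character then return nil end
	local root = character:FindFirstChild("HumanoidRootPart")
	local humanoid = character:FindFirstChildOfClass("Humanoid")
	if root and humanoid and humanoid.Health > 0 then
		return root, humanoid
	end
end

Players.PlayerAdded:Connect(function(player)
	-- A respawn moves the character legitimately, so drop the old baseline.
	player.CharacterAdded:Connect(function()
		lastPos[player] = nil
	end)
end)
Players.PlayerRemoving:Connect(function(player)
	lastPos[player] = nil
	ignoreNext[player] = nil
end)

while true do
	local dt = task.wait(CHECK_INTERVAL) -- task.wait returns the time actually elapsed
	for _, player in ipairs(Players:GetPlayers()) do
		local root, humanoid = getRootAndHumanoid(player)
		if root then
			local previous = lastPos[player]
			-- Compare horizontal travel only, so falling is not flagged.
			local moved = previous and ((root.Position - previous) * Vector3.new(1, 0, 1)).Magnitude or 0
			-- WalkSpeed is read on the server; a client-local edit does not change this value.
			local allowed = humanoid.WalkSpeed * dt * TOLERANCE
			if previous and not ignoreNext[player] and moved > allowed then
				-- Roll back to the last accepted position, keeping orientation.
				root.CFrame = root.CFrame.Rotation + previous
			else
				lastPos[player] = root.Position
			end
			ignoreNext[player] = nil
		end
	end
end
```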

There isn’t any point in creating an anti cheat to be honest, it’s gonna get bypassed within minutes. Plus the fact that the code is publicly available as well

2 Likes

Local character prevents server side magnitude checks, bypassed.

I can spoof the remote, bypassed.

Injections can occur as soon as the Roblox Player runs. Exploits can run before local scripts even execute, making this useless, bypassed. Cheaters can also just turn off the memory check code, so there is a bypass as well.

There is nothing you can do against exploiters, they can do everything that you can’t as a developer.

2 Likes

Lagswitching is when you toggle your internet connection via software. This can affect combat based games as you would lagswitch, hit a bunch of enemies, then reconnect. The ping check is made to patch that form of exploit.

1 Like
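
A server-side ping timeout of the kind discussed in this thread, as an added example that is not part of any post and is not MadAntiCheat's code. It assumes a RemoteFunction named `PingCheck` in ReplicatedStorage and a LocalScript whose `OnClientInvoke` returns the token it receives; those names and the constants are hypothetical.

```lua
-- Server Script. "PingCheck" and all constants are hypothetical.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

local pingRemote = ReplicatedStorage:WaitForChild("PingCheck")
local TIMEOUT = 5     -- seconds allowed for a reply (assumed value)
local INTERVAL = 10   -- seconds between probes (assumed value)
local MAX_MISSES = 2  -- consecutive misses tolerated before kicking (assumed value)
local misses = {}

-- InvokeClient yields until the client returns, which may be never, so it runs
-- in its own thread while the caller polls for the result against a deadline.
local function probe(player)
	local token = math.random(1, 2^31 - 1)
	local replied = false
	task.spawn(function()
		-- pcall catches the error raised if the player leaves mid-invoke.
		local ok, echoed = pcall(pingRemote.InvokeClient, pingRemote, player, token)
		replied = ok and echoed == token
	end)
	local deadline = os.clock() + TIMEOUT
	while not replied and os.clock() < deadline do
		task.wait(0.1)
	end
	return replied
end

local function watch(player)
	misses[player] = 0
	while player.Parent == Players do
		if probe(player) then
			misses[player] = 0
		else
			misses[player] += 1
			if misses[player] >= MAX_MISSES then
				player:Kick("Connection timed out")
				break
			end
		end
		task.wait(INTERVAL)
	end
	misses[player] = nil
end

Players.PlayerAdded:Connect(watch)
```

A reply shows only that the client is still connected and answering; it says nothing about whether the client is unmodified.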

Half of these checks serve little purpose, stuff like anti-injection, anti hitbox expanding, screen watch all are client sided. Not sure if it’s because I was in studio but I set my walkspeed locally to 999 and ran around for a few mins and it didn’t flag anything either

Surely you do realise even if they weren’t aware of this client sided anticheat, that they don’t have to minimize anyway? Auto-injection and auto-execution are quite common practice

3 Likes

The exploiter can easily hook and modify the InvokeClient request so it always returns true.
Any memory check can be easily bypassed as well by hooking the client-sided functions responsible for returning the values.
Server-sided magnitude checks can’t be bypassed though but they seem overcomplicated in this case.

I believe you’ve spent quite a lot of time on this anticheat but you should understand that publishing client-sided anticheat source automatically makes it absolutely useless.

Indeed, it is possible to make a good client-sided anticheat but it requires a lot of coding experience, frequent updates and maybe even obfuscation.

2 Likes

Local character does not prevent server-sided magnitude checks as the network ownership of the Character is set to the player that owns it.

1 Like

That’s not what I mean. An exploiter can create their own local character where the server still has the old one tracked, therefore completely bypassing server side checks for teleportation etc.

Actually, lag switches are often hardware-based. That means even console users can use them.

1 Like

Still, this is made to prevent those types of lagswitches. It basically lets you set a sort of ping timeout.

This is completely false. If you don’t like the post just leave, instead of spreading incorrect information.

Anything created on client will only be accessible to that specific client. Even though you have network ownership to your own character, that doesn’t mean cloning it will suddenly make it replicate.
So no, server side magnitude checks can’t be bypassed (unless they’re implemented poorly)

1 Like

I never said anything about cloning it.

How is stating facts hating the post? I’m simply pointing out that everything this module was made to prevent can easily be bypassed by almost every exploit available, this is common knowledge.

If an exploiter creates a character on the client, the server won’t see it, so how am I wrong here exactly?

Nor will other clients. The player also won’t be able to interact with anything with that fake character so it’s pointless.

In any case, this is getting off-topic. If you’re actually wondering why you’re wrong, DM me and I’ll explain in detail.

1 Like

valve pls fix

4 Likes

Open source code doesn’t mean it’s inherently less secure. A solid check is a solid check. Closed source or obfuscation isn’t inherently better. There’s a good thread on the pros of open-sourcing that you might find interesting: The magic of sharing: Why you should open source

Most people using exploits, especially movement-based ones, don’t actually write the scripts they use. Meaning that as soon as you block it, it’s not like every exploiter becomes an effective problem solver trying to break through your anti cheat. It’s still going to block a good deal, and if your system is well set-up, you may be able to effectively neutralize the cheat for the most part. At the very least, it’s better than being completely unprotected. I’m sure your players would appreciate at least some of the exploits being blocked, even if you’re not 100% successful.

2 Likes