You realize the client handles the humanoid of their own character, therefore the client fires the .Running event? So, they can just stop the event from firing or just spoof the speed argument of the event?
I have made an anti cheat using .Velocity and I already made an exploit to be able to speed hack by changing the position and not the velocity or walkspeed
I don't recommend using velocity
If this AntiCheat gets better and better maybe add a Webhook thingy to log stuff?
I've reviewed some of your code:
- Your hitbox expanding is easily bypassed using metatables
- Anti script injection is bypassable since memory can be spoofed
- Speed can also be bypassed, easily.
I didn't test ping check… though
Overall this anti exploit/cheat can easily be bypassed; please test your methods before releasing.
I am not trying to be rude with the stuff above.
What does the UI look like? Also, how does the screen watch feature work?
As a "Security expert" aka someone with common sense.
If the exploiter finds the correct amount of time you have to do to ping the server back then it can be bypassed. And yes, they will put their time to do that.
This is why you can't say "My anti-cheat is better than others" because it can't be better than others on Roblox.
Go to "Configuration" then "Admin" and add your name or ID just like this:
Then you need to publish to Roblox, and then you need to type in chat: "!anticheat" or something near that because mine is set on "!ac" and if you put a username in it that is in the game right now you can select screen watch and watch him or her where he or she looks and what he or she is doing right now. (You can't see their GUIs)
Instead of stopping all movement, like shown in your Speed check module,
```lua
char.PrimaryPart.Anchored = true
char:PivotTo(CFrame.new(currentPos))
delay(mainWaitTime/4,function()
	char.PrimaryPart.Anchored = false
end)
```
You can instead do something like this:
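```lua
-- Hand physics simulation of the character to the server
HumanoidRootPart:SetNetworkOwner(nil)
task.wait(4)
-- Return ownership to the player
HumanoidRootPart:SetNetworkOwner(Player)
```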
This way, the player will still be able to move however all the movement will be calculated on the server until you return NetworkOwnership. I don't know if executors have the power to regrant themselves ownership, if so, you can just check every frame to see if they have ownership when they aren't supposed to and then just repunish them.
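The network-ownership punishment suggested above, combined with a speed check measured from server-side position changes and the per-frame ownership re-check. This is an added example, not code from the original post or from the anti-cheat under discussion; the thresholds and the `tracked` table are assumptions.

```lua
-- Server Script. Added example: thresholds and table layout are assumptions.
local Players = game:GetService("Players")
local RunService = game:GetService("RunService")

local TOLERANCE = 1.5     -- slack over WalkSpeed for latency and physics jitter
local WINDOW = 0.5        -- seconds between position samples
local PUNISH_SECONDS = 4  -- same duration as the snippet above

local tracked = {} -- [Player] = {root, humanoid, lastPos, lastTime, punishedUntil}

local function track(player, character)
	local root = character:WaitForChild("HumanoidRootPart")
	tracked[player] = {
		root = root, humanoid = character:WaitForChild("Humanoid"),
		lastPos = root.Position, lastTime = os.clock(), punishedUntil = 0,
	}
end

Players.PlayerAdded:Connect(function(player)
	player.CharacterAdded:Connect(function(character) track(player, character) end)
end)
Players.PlayerRemoving:Connect(function(player) tracked[player] = nil end)

RunService.Heartbeat:Connect(function()
	local now = os.clock()
	for player, s in pairs(tracked) do
		-- Ownership calls error on anchored or unparented parts, so check first.
		if not s.root:IsDescendantOf(workspace) or not s.root:CanSetNetworkOwnership() then
			continue
		end
		if now < s.punishedUntil then
			-- Per-frame re-check: keep physics on the server while punished.
			if s.root:GetNetworkOwner() ~= nil then s.root:SetNetworkOwner(nil) end
		elseif s.punishedUntil > 0 then
			s.root:SetNetworkOwner(player) -- punishment over, hand control back
			s.punishedUntil, s.lastPos, s.lastTime = 0, s.root.Position, now
		elseif now - s.lastTime >= WINDOW then
			-- Horizontal distance actually covered, as the server sees it.
			local delta = (s.root.Position - s.lastPos) * Vector3.new(1, 0, 1)
			local speed = delta.Magnitude / (now - s.lastTime)
			if speed > s.humanoid.WalkSpeed * TOLERANCE then
				s.root:SetNetworkOwner(nil)
				s.punishedUntil = now + PUNISH_SECONDS
			end
			s.lastPos, s.lastTime = s.root.Position, now
		end
	end
end)
```

Server-initiated teleports, seats and vehicles move the character faster than WalkSpeed, so reset `lastPos` and `lastTime` after those to avoid false positives.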
I've always wondered about how to test anti script injection stuff without getting on an alt and getting Synapse or something and 90 cryptominers on your PC
Same here, this is why I specified I did not test anti script injection, I don't own any injectors.
One hypothetical way would be to use a VM (you won't be able to simulate everything an exploit will be able to do unfortunately though).
DO NOT USE THIS ANTI CHEAT:
All this does is use a memory check that is heavily despised by anyone who knows anything about anti cheats, it will cause false kicks!
Mhm, also ALL their detections don't work, I've tested multiple times. I really disagree with using this.
This. Exactly this. Anti-cheats that rely purely on the client never work and never have worked. Poorly made "anti-cheat" resources like this one are even the sole purpose I wrote an entire guide on how to write your own anti-cheats, the correct way, and even went over why certain things are good and why others are bad.
This is true, Network Ownership allows the character to be used by the client.
You cannot set the Network Owner to the server, because this will cause delayed movement.
However, your speed anti-hack can stop flying.
So maybe, there are benefits.
Also, ping checks are not as useful.
And you can easily get ping from a player by using Player:GetNetworkPing
Btw, do not use RemoteFunctions.
RemoteFunctions can cause the server to error or stop working.
(More info here)
You also need to focus on the "non-physical" hacks.
Which include Hat bypass (moving hats around to potentially make inappropriate images), Permanent Death Bypass (which is used for reanimation), and Humanoid Removal (which can be used for god mode).
Creating
FE++ is a good example of a "non-physical" anti-exploit.
(Also if I'm wrong with anything please notify me)
This does not rely solely on the client. Additionally, the anti-cheat memory check only activates when the window is minimized, it disables once the window is re-focused. Things such as ping and memory checks can only be done on the client, due to Roblox restrictions.
Looking at your code again, I can see the speed check doesn't rely on the client, however the memory check definitely won't work on most exploits, and the ping check relies on asking the client for information (you don't even account for the possibility the client overrides the invoke callback, with your current code, the exploiter can completely bypass it by overriding this and either never returning, causing it to stop working for all players, or return fake information)
My advice would be to stop trying to focus on preventing exploits from the client, and rather, focus on preventing exploits based on their visible effects as seen from the server's perspective. And also if you absolutely must have that ping check that asks the client for information, redesign it in such a way that the request can timeout after a certain period of time (like half a minute) to stop the check being disabled for all players as a result of the exploit.
On another note, your "screenwatch" ability won't work if the exploiter fakes information being provided to it by their client, but I don't imagine that one is as significant.
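One way to build the timeout described above, so that a client callback that never returns stalls only that player's check. This is an added example, not code from the original post or from the anti-cheat under discussion; the `PingCheck` RemoteFunction name, the limits, and the convention that the client callback returns `true` are assumptions.

```lua
-- Server Script. Added example: the RemoteFunction name and limits are assumptions.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local pingRemote = ReplicatedStorage:WaitForChild("PingCheck") -- hypothetical name

local TIMEOUT = 30     -- seconds; "half a minute" as suggested above
local INTERVAL = 10    -- seconds between checks
local MAX_MISSES = 3   -- consecutive failures before flagging

-- Invoke the client without letting a callback that never returns block the caller.
local function invokeWithTimeout(remote, player, timeout)
	local finished, ok, value = false, false, nil
	task.spawn(function()
		ok, value = pcall(function() return remote:InvokeClient(player) end)
		finished = true
	end)
	local deadline = os.clock() + timeout
	while not finished and os.clock() < deadline do task.wait() end
	if not finished then return false, "timeout" end
	return ok, value
end

local function watch(player)
	local misses = 0
	while player.Parent == Players do
		local started = os.clock()
		local ok, reply = invokeWithTimeout(pingRemote, player, TIMEOUT)
		local roundTrip = os.clock() - started -- measured here, not reported by the client
		-- Only the fact of a timely, well-formed reply is used; its content is untrusted.
		if ok and reply == true then
			misses = 0
		else
			misses += 1
			warn(("%s failed ping check (%s, %.1fs)"):format(player.Name, tostring(reply), roundTrip))
		end
		if misses >= MAX_MISSES then
			warn(player.Name .. " flagged: " .. misses .. " consecutive failed ping checks")
			misses = 0
		end
		task.wait(INTERVAL)
	end
end

-- One thread per player, so a stalled client only stalls its own check.
Players.PlayerAdded:Connect(function(player) task.spawn(watch, player) end)
```

A client that overrides the callback can still answer promptly with `true`, so this bounds the damage of a hung callback rather than making the reply trustworthy.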
The ping check is not made to stop script-based exploits, it is instead made to stop lag switching, or toggling your internet connection (this can be done via third party software or just disconnecting and reconnecting to internet). Lag switching can be done in combat games to freeze players, shoot them, reconnect, and deal damage. This is made to fix that.
Additionally, I wrapped the RemoteFunction in a pcall on the server, for error handling.