Preventing/Detecting Metatable Hooking?

Hello, what I am trying to achieve is to be able to detect or event prevent metatable hooking. I was informed that exploiters were executing scripts that would trick the game into thinking that something like walkspeed is the normal (16) while it is actually something different, like 200. Is there a way to detect/prevent this? This is not only for walkspeed, but also for all other properties. I have been trying some things, but they have not worked.

3 Likes

Even if you manage to do this, the client can always just choose to remove the detection. You should always have any anti-exploits on the server.

I know you said not specifically for walk speed, but here is a solution nonetheless. Just check if the speed is greater than your max speed + 1.

For some reason, if WalkSpeed is set locally, it can be checked server-side using Humanoid.Running

So I recommend you check their walkspeed server-side by doing this:

local Players = game:GetService"Players"

for i,v in next, Players:GetPlayers() do

    v.CharacterAppearanceLoaded:Connect(function(b)

        local Connection1 ; local Connection2

        local Humanoid = b:FindFirstChildOfClass"Humanoid"

        if Humanoid then

            Connection1 = Humanoid.Running:Connect(function(c)

                if c >= 17 then

                    b:Kick("WalkSpeed change")

                    Connection1:Disconnect() ; Connection2:Disconnect()

                end

            end)

            Connection2 = b.AncestryChanged:Connect(function(_,NewParent)

                if not NewParent then

                    Connection1:Disconnect() ; Connection2:Disconnect()

                end

            end)

        end

    end)

end

Players.PlayerAdded:Connect(function(v)

    v.CharacterAppearanceLoaded:Connect(function(b)

        local Connection1 ; local Connection2

        local Humanoid = b:FindFirstChildOfClass"Humanoid"

        if Humanoid then

            Connection1 = Humanoid.Running:Connect(function(c)

                if c >= 17 then

                    b:Kick("WalkSpeed change")

                    Connection1:Disconnect() ; Connection2:Disconnect()

                end

            end)

            Connection2 = b.AncestryChanged:Connect(function(_,NewParent)

                if not NewParent then

                    Connection1:Disconnect() ; Connection2:Disconnect()

                end

            end)

        end

    end)

end)
2 Likes

Thanks for the reply! Great code for me to test. However, what if the exploiter changes something like jump power? My game has a thing where every player may have different jump powers. Also, is I am trying to find like a universal fix to detect metatable hooking. Do you think there is one?

Unfortunately, you cannot detect these metatable hooks. The best you can do is check as many things as possible server-side.

Hm, I also have a problem with exploiting hit boxes. I cannot check it on the server because they only do it locally. Is there a possible solution for this?

What are they doing? Are they increasing the size of their own melees or what?

Exactly. I tried to do a check for hitbox size and they somehow tricked the game into thinking it is the normal size.

I’d consider it impossible to do what you’re asking. At most it would end up being a cat and mouse game where you go back and forth with exploiters patching things and them finding ways around it. You should never rely on security checks from the client.

You need to add server side checks for whatever you’re trusting the player to provide. If the player says he’s successfully shot another player in the head, you need to do some server-side checking. For example, perform a ray trace between what the player has said it’s shot and the character, and determine if it was actually possible to do.

If it’s expanding the size of a melee weapon then calculate the distance between the two characters, if it’s over something like 8 studs (I dont know how big your weapon is) then you should ignore what the player is saying.

If it is truly impossible to verify this information on the server (without client->server communication), then there is nothing you can do to prevent someone from exploiting it.

Hm. I am asking because I was shown a game where the game actually detected the hitbox, even when the exploiter attempted to trick the game using metatables. So, I believe it is something that the developer did to be able to get the un-tricked hitbox.

I have tried this, but it proves to be… somewhat useless. The exploiter can still hit people within that radius, even without swinging the weapon in that direction.

I don’t know your use-case specifically, if you’re just using a .Touched event then do it on the server?

The exploiter can still hit people within that radius, even without swinging the weapon in that direction.

What if I had my mouse sensitivity up really high and span around whilst swinging the weapon? That would have the same effect, without using exploits.

To give you any more advice you’ll need to give some more details

If you wanna combat this. I recently found a replacement Touched event that lets you do Touched stuff completely server-side. The event is called LocalSimulationTouched. Just connect the part to the event server-side and you should be good.

Unfortunately that event is deprecated :grimacing:

1 Like

They can make the hitbox into a box around their whole character. While standing still, can damage anyone around them.

Do server-side .Touched events fire if a player has locally made a part bigger? I wouldn’t have thought so, but I haven’t tested it… If that is happening that’s really weird behaviour :face_with_raised_eyebrow:

Deprecated doesn’t mean it won’t work. Plus, Roblox barely, if ever removes these deprecated things. They literally clog up the API because someone doesn’t wanna use pascal-cased XYZ function.

This is the only alternative he has or the only good one.

It is indeed inside a server side script. It’s supposed to happen apparently.