Proofing a gun system; Checking mouse details on the server, etc

Something tells me I’m way too overthinking this, so the backstory is hidden in case you need more detail, but if the ending is enough then it’s good with me too.

Details

Hello! I’m new to scripting weapons, but I made my first gun today. I want to make this core future-proof so I wouldn’t have to make another entire system if I ever need range weapons like this for my game, so I was looking for ways to exploit-proof it as much as I can currently.

I’ve stumbled upon what I consider to be a pretty game breaking one. As the RemoteEvent tasked with dealing damage to players is just put in the weapon, I find it very easy to be accessed by an exploiter. Reporting the Mouse.Target as always to be a proper target, specific or not, wherever the player is actually shooting at.

My way of trying to patch this was to send the mouse through the RemoteEvent and let the server do the thinking, even compare the target the client thinks is right to the one the server thinks about. Didn’t work, read this and we’re back at square one.

Is it enough to just send Mouse.Target through, instead of a predetermined value generated inside the LocalScript? I judge not, but I’m looking into more feedback on this.

Also some other alternatives which could help me patch up the system?

TL:DR How to check if what the client says is the mouse’s target is the actual one in a gun system, to prevent ‘aim botting’.

Your help is much appreciated!

(Edit: Solution is the general idea I went with, not exactly how I made it work but it works using Raycasting.)

1 Like

As with all exploit detections, they can be based on a statistical and behavioral analysis.

A statistical analysis for aimbots can be summed up with: “Hit/miss or headshot/bodyshot ratio, divided by a function which accepts total life-time score as its argument (if it’s not too low; otherwise, use a constant number) is above a threshold? Ask for manual verification.” Statistical analysis is nice, but is based on very generalized info and cannot accurately account for skill, so it must always be verified manually.

Behavioral analysis is much more complex and I wouldn’t bother much with it. It must be implemented on the client’s side to get 100% accurate inputs, or with thresholds if done on the server’s side. The most popular examples of these are AI anti-cheats, but those are rare and require lengthy learning processes with a large number of participants. Behavioral analysis basically collects data over time, then runs them through a function, comparing it to previous logs.

It’s your choice really, but a simple statistical anti-cheat is fairly easy to implement.

1 Like

I’m glad you decided to share this info, but it wouldn’t work in my case sadly.

My goal is to create a basic gun system which I can work from on whatever game I decide to make. I also don’t really think it would be something I am capable of scripting.

If whatever project I make do ends up being popular enough that a statistical anti cheat is required, then I will surely take my time to get something done.

Seems more like something that would be implemented into very popular games (feel free to correct me if I’m wrong here. I never knew a lot about anti-cheats, but they always seemed very interesting to me.)

First of all, you should send a part that got hit, the hit position and the origin of the shot.
Get the direction the player is looking at (LookVector of the barrel or something; on the server)

To actually detect exploits, you can create a ray and check the distance between it and the hit.

local distance = Ray.new(shotorigin,lookdirection*5000):Distance(hitposition)
local threshold = 5
if (distance*(hitposition-shotorigin).Magnitude)>thershold then
    --do additional checks
    --call moderator if too many detections
end

It’s not very accurate, but will detect simple “send the wrong position” exploits.

Also forgot to add that you can also compare the sent origin to the server’s origin and whether the part that got hit is too far from the server’s location (only need to check if a character was hit).

3 Likes