Alright, so I am in the middle of writing an Anti-Exploit script for my game. This will be the first time I’ve paid any attention to vulnerabilities to scripts. Here is a few things I’ve done so far.
Leave VERY little to the client.This includes buying items and displaying information sent by the server.
This is my current anti-exploit script that is a huge work in progress. Keep in mind I’ve never done this style of coding before, I am purely going off what I’ve read and heard.
--[[ Items to check
PlayerSpeed (DONE)
Abnormal time in air(DONE)
Gaining money extremely fast
Comparing Client and server money
Comparing Client and server XP/level
Check if the HumanoidRootPart is there(DONE)
Check if the player is invisible
Check if the player TPs
]]
local MaxSpeed = 50
function Warn(plr)
if plr:FindFistChild("Warning") then
if plr.Warning.Value == false then
plr.Warning.Value = true
elseif plr.Warning.Value == true then
plr:Kick("Anti-Exploit")
end
elseif not plr:FindFistChild("Warning") then
local warning = Instance.new("BoolValue", plr)
warning.Name = "Warning"
warning.Value = false
end
end
local Event = Instance.new("RemoteEvent")
Event.Name = "CheckEvent"
Event.Parent = game:GetService("ReplicatedStorage")
game.Players.PlayerAdded:Connect(function(plr)
plr.CharacterAdded:Connect(function(chr)
while wait(1) do
if chr.Humanoid.WalkSpeed >= MaxSpeed then
plr:Kick("Anti-Exploit")
end
-- PlayerSpeed Check
spawn(function()
local CurrentPos = chr.Head.Position
wait(1)
local NextPos = chr.Head.Position
local distance = (CurrentPos-NextPos).magnitude
if distance >= MaxSpeed then
Warn(plr)
end
end)
-- Anti-Fly
for i,v in pairs(chr.HumanoidRootPart:GetDescendants()) do
if v:IsA("BodyMover") then
v:Destroy()
Warn(plr)
end
end
-- Checking to see if HumanoidRootPart exists
if not chr:FindFirstChild("HumanoidRootPart") then
chr.Humanoid.Health = 0
Warn(plr)
end
-- Checking Stats and comparing Client to server.
end
end)
end)
As you can see, I still have about 5 items left to check, I was getting ready to start comparing Client and server stats inside of the player, and my main question I guess, is it even worth it? If the client(exploiter) goes into the player and gives himself money, it would only show on the client correct?
Meaning I could fire a remote event to return the money the client has and compare it to the money the server thinks the client has. Would that be worth doing or will the server read it as the hacked value since its the player object?
Another question, how would I go about preventing teleporting? Normally it’d be pretty easy except for the fact that this is inside of a mini-game… Meaning that the player will be teleported by the server automatically.
The WalkSpeed check and BodyMover check don’t work because neither the property nor objects replicate to the server. You also don’t need to check if the values displayed on the client are different than the server because as long as the server values are untampered, they’re only visually changing things. It’s akin to clicking Inspect Element and changing stuff around; the server doesn’t care.
I’m not sure if there are any cases where HumanoidRootPart would be missing, but the distance check seems alright although prone to false positives from laggy players. It might be better to teleport them back for something like this rather than warn/kick.
I agree with the not kicking the players for teleport detections part. Kicking players is only going to give them a bad experience. I know one game that does this, and it’s a pain in the rear. The game in question that does this is “Reason 2 Die: Awakening,” by the way. Their entire anti-cheat is just one hot mess.
It’s not worth comparing the 2 values, but in the interest of speed you want to check the values on both sides. Let the client check if the money is enough on their own, and if they think it is, check again on the server. This lets the honest clients save server resources by checking on their own whether they have enough money, and still stops the dishonest clients.
If you want to prevent teleporting, just do a basic check whether they’re supposed to teleport or not, and only do anything about it for really egregious examples. If you want extra surety, you can also check for multiple instances, check ping to make sure it’s not lag, or just make it alert a staff member to check on it.
No, don’t do that. That type of practice is called “security through obscurity” which isn’t true security in the first place. You should improve your client <-> server communication instead of applying a band-aid over poor communication.
And plus exploiters will probably know how it works based on arguments alone.
I’m pretty sure exploiters can remove the HMR and it’d work fine. Since they have ownership of their character anyway, they can just fix any mishaps that goes with removing it either way.
I like to use the head instead as trying to destroy it would instantly kill the player.
The main concept for speed anticheats is to check how fast you’ve travelled since last check, and find out whether that speed is above your allowed threshold.
As for flight anticheats, I just raycast downwards and infront (as I have climbing mechanics etc), and make sure they’re actually in the air (and not in bodies of water for instance).
From then I check how long you’ve been in the air - if you’ve been in the air for over X seconds, then you’ll get kicked. If you’ve stayed on the ground for over X seconds, the timer gets reset.
Obviously there are other methods, but this is mine