Remote Event Alternatives

I am working on an anti-exploit and I know that the namecall metamethod of game can be overwritten to alter the return of other methods such as disabling client side kick, or in this case changing the arguments to “FireServer” or just completely blocking the remote event from firing. I realise that it is important to kick from the server for this reason, but a remote event seems too obvious to bypass, even with a ping system as some other anti-exploits have included. For this reason, I’m wondering if there are any other reliable ways of transferring data from the client to the server to trigger a kick.

So far I have tried giving the player network ownership of a part inside of game.Terrain and triggering a kick by setting the position of the part. This seems like it would also be simple for an exploiter to bypass, as they could simply destroy the part.

Any help would be kindly appreciated.

P.S. (Yes, I know that you shouldn’t trust the client, etc… and I am making a server side part of it too. However, I would like to at least stop the script kiddies from bypassing the client side script)

2 Likes

I totally agree with your approach. There is a large number of exploiters that don’t have any real knowledge about the process behind the exploit programs they are using, so making things harder and implementing a simple client side anti-exploit along with main server side exploit is definitely a good idea (just be sure to update it from time to time). About remote communication? I struggle with making a good anti-exploit script myself too, but remote communication seems to be the only way. Bypassing :Kick() is possible, unless you add an additional layer of security, which makes the game unplayable for the exploiter. That way, they won’t have any other choice but to leave the game. But again: the number of cheaters that actually know the process behind their exploits is much lower.

1 Like

If it’s on the client, it can be bypassed. There is nothing you can do on/within the client that would not be bypassed by a capable exploiter committed to exploiting your game. If you want it to be foolproof, it needs to be detected on and handled by the server.

What I tend to do with my anti exploitation scripts is twofold. I utilize Remote Functions (ooo fancy) to catch exploitation. Basically I have 1 main anti exploit script that handles the remote function. If you’re unaware, a remote function allows you to specify a return parameter. What I end up doing is on the server pushing a request to all clients, and the client checks for remote events. Since it’s generally impossible to accurately tell if a client has deleted a remote event, script or whatever accurately… you sorta need to trust it in this case. I end up pushing a request every second to make it hard for exploiters to delete and pull a bait and switch on me.

So, you push a request every so often to the client asking to check for remote events, and other things. Then if any are missing, or the exploiter deleted the script/remote function, then the server ends up with no response and kicks the user.

What I also tend to add within this script is the rest of the anti exploit, such as anti auto clicking and a variety of other things. It’s a better approach, since the exploiter cannot delete the script without getting kicked.

Bear in mind even if the exploiter is kicked they can still download map geometry, and in addition to this they can access and view scripts on the client, though they will need to decipher variables seeing as no one has broken Luau yet, so your mileage with this may vary.

3 Likes

Thanks, I’ll definitely give your ideas a try.

You’re better off using a remote event to do this. Then exploits without access to getconnections wouldn’t be able to disable the pinging functionality.

As I said any exploits that try to disable the pinging functionality will get the client kicked.

They’d need to take over the connection and send fake responses instead.

1 Like

You’re missing my point. BindableFunctions and RemoteFunctions can only have one function defined on the client and one on the server. Although exploiting them both (because they’re on the client) is easy, it is significantly easier to hijack Functions as opposed to the Events.

Imagine UDP vs TCP.

1 Like

How would I go about making my ping system harder to spoof? The first thing that comes to mind for me would be a dynamic key but I don’t know how to do that.

Ik this is kinda old, but is this module still optimized and better than default Roblox events?

The most efficient way of using server - client dynamic communication in anti exploits is using Keys.

Generate Key on Server → Client Catches Key → Client Mixes Encodes / Encrypts Key → Passes Key to Server → Server Decodes / Decrypts Key checks if it’s correct → repeat

In this case you can simply have a timeout limit for the client to send a remote to the server.

If it takes longer than 5 seconds for them to send anything to the server they must’ve yielded the remote / name(index)call, there on you kick them.

If they were to get detected you can yield the remote event from firing to the server which would get detected. The only way for an exploiter to bypass this would be for them to get your encode / encrypting functions then generating key passed to client, then manually firing it from client to server to keep the dynamic communication alive.

It’s a lot more simple than what it sounds like.
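
One way to write the server side of the timed key exchange described in the last post, which also covers the "no response means kick" check from the earlier heartbeat post. This is an added example, not code from any poster in the thread. The remote name `Heartbeat`, the `transform` function and the `GRACE`/`INTERVAL` values are assumptions; it uses a RemoteEvent so the server never yields while waiting on a client.

```lua
-- Server Script (e.g. in ServerScriptService). Added example; names are hypothetical.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

local GRACE = 15    -- assumed allowance for the client to finish loading
local INTERVAL = 1  -- pause between challenges
local TIMEOUT = 5   -- reply deadline, the 5 seconds suggested above

local heartbeat = Instance.new("RemoteEvent") -- hypothetical remote, used both ways
heartbeat.Name = "Heartbeat"
heartbeat.Parent = ReplicatedStorage
local rng = Random.new()
local pending = {} -- [player] = { key = number, sentAt = number }

-- Placeholder transform. The client copy is readable by the client, so this is
-- obfuscation rather than a secret; the timeout is what the server relies on.
local function transform(key)
	return bit32.bxor(bit32.lrotate(key, 7), 0x5A5A5A5A)
end

heartbeat.OnServerEvent:Connect(function(player, answer)
	local entry = pending[player]
	if not entry then return end -- unsolicited or replayed answer: ignore
	-- The client controls every argument, so check the type before the value.
	if type(answer) ~= "number" or answer ~= transform(entry.key) then
		player:Kick("Heartbeat verification failed")
		return
	end
	pending[player] = nil -- each key is accepted once
end)

Players.PlayerAdded:Connect(function(player)
	task.wait(GRACE)
	while player.Parent do
		local entry = { key = rng:NextInteger(1, 0x7FFFFFFF), sentAt = os.clock() }
		pending[player] = entry
		heartbeat:FireClient(player, entry.key)
		while player.Parent and pending[player] == entry and os.clock() - entry.sentAt < TIMEOUT do
			task.wait(0.1)
		end
		if player.Parent and pending[player] == entry then
			player:Kick("Heartbeat timed out")
			break
		end
		task.wait(INTERVAL)
	end
	pending[player] = nil
end)
-- Client side: heartbeat.OnClientEvent:Connect(function(k) heartbeat:FireServer(transform(k)) end)
```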