Roblox Anticheats

FancyDucc · May 1, 2024, 10:25am

Hi, so recently i decided to start development of an anti cheat, I want to try detecting injection on roblox, but I have no idea where to get started. How can i detect an executor in my game?

Dev_Peashie · May 1, 2024, 11:07am

(this is just my thoughts)
Some devs claimed they were “able to achieve it”, idk, out of my league…
I prefer to trust Roblox engineers that will do the best they can to patch anything they can over time, and placing specific security/sanity checks. Taking in count specific behavior that should not go out of the limits of what I know its possible on each game/place.

I tried many weird stuff… like “injecting” remotes fires in clients for reading their client scripts, guis, and stuff, even if they delete it on childAdded, theres a chance I get a response on server to verify everything still normal on them. As usual tracking/measuring positions, looping set properties, increase level of “risk” per player the more weird stuff I find in them, like measuring weird stuff/behavior that should not happen.
Warning them if Im reading unusual behavior, to see if they stop, or increasing the risk level until they get kick.

I think, that the majority of the exploiters really dont know what they are doing, so its pretty easy to catch them. The other low percentage probably theres no way to catch them… so… rely on Roblox engineers that eventually could fix it.

TheRealANDRO · May 1, 2024, 12:27pm

FancyDucc · May 1, 2024, 12:31pm

Yes of course, I do focus on the server side of the anticheat, its just that this is an interesting topic, ive seen it done before so thats why im asking

NyrionDev · May 1, 2024, 12:58pm

The real issue is that often the low percentage creates the exploits for the high percentage and advertises them through servers outside of the platform. So it becomes a cat-and-mouse game between devs who make sneaky client-sided checks and anti-devs that reverse all their checks and find loopholes(since you can’t really trust the client). Although that doesn’t mean we can’t have our piece of fun in the process

And obviously server-sided checks are the way to go, but adding a few client-sided ones is a fun way to calculate the determination of your game exploiters by checking the time it takes for them to figure it out and counter it.

Dev_Peashie · May 1, 2024, 1:11pm

Yeah weird ideas to have some fun, just for fun.

I hope I was not misleading my suggestions. Ofc server checks are key. Experiment weird client checks its just for fun.

FancyDucc · May 1, 2024, 1:38pm

I do very weird things for fun

girl_Picies · May 1, 2024, 2:48pm

An example of anticheat
go to startercharacterscripts
create a script
and code someone like this:

local human = script.Parent:FindFirstChildWhichIsA(“Humanoid”)
if human.WalkSpeed > 16 then
–Your anticheat Metody
end

ProPlayerCookie · May 1, 2024, 2:50pm

and a cheater will just delete the script…

wf_sh · May 1, 2024, 2:50pm

If only it were that simple ‎ ‎ ‎ ‎

girl_Picies · May 1, 2024, 2:53pm

Its not a localscript but you can use the same metody in serverscriptService it just a example

ProPlayerCookie · May 1, 2024, 2:54pm

sorry that i said script even though i meant a local script, and a serversided script in this example wont work, because the walkspeed only updates on the client

girl_Picies · May 1, 2024, 2:58pm

Obviously in the serverscriptservice there are more methods but if you loop the script it works on the server

12345koip · May 1, 2024, 3:05pm

If you loop that script, it won’t work on the server because when an exploiter changes the walkspeed it does not replicate. However, you can use tick() and RunService.Heartbeat to detect changes in the character’s position and calculate how fast they are moving from that.

I’m not sure this is possible, but you can to stop the majority of the things an executor can do, including:

Flying
Speed hacking
Teleporting
Spamming remotes

girl_Picies · May 1, 2024, 3:07pm

If game use vectors of moviments the anti exploiter can kick you without exploit

girl_Picies · May 1, 2024, 3:22pm

So the exploiter does not destroy the script
can script an infinite amount
while true do
task.wait(0.6)
script:Clone()
end

local human = script.Parent:FindFirstChildWhichIsA(“Humanoid”)
if human.WalkSpeed > 16 then
–Your anticheat Metody
end

12345koip · May 1, 2024, 3:26pm

That method will make a ton of the same script and use a ton of memory.
If the exploiter has a script injector, they can just write something to destroy those scripts as soon as they are cloned (e.g. ChildAdded, DescendantAdded).
They can just destroy that script that clones and delete the clones.

By the way, I know about the other issue you mentioned to do with anti-cheat. That’s why you would need to tweak any anti-cheat to fit your game and mitigate false positives.

girl_Picies · May 1, 2024, 3:33pm

but all time is destroy make a clone

12345koip · May 1, 2024, 3:49pm

I already mentioned the ways around this. They can just use ChildAdded or DescendantAdded to detect these scripts and stop them before they have a chance to clone.

Even if they don’t stop them, making so many of the same script that do the same thing will really impact memory. Besides, you are only checking walkspeed once.

Dev_Peashie · May 1, 2024, 3:57pm

Im highly against of client-side checks. But in my experience, injecting an event into clients to fire back to server could give you a clue if they are exploiting. If you dont get back the response its for sure they are deleting the script/event.
Eventually they could notice they should respond, but, gives you some database about your players.

As I said, is just for fun, but it could give some interesting data