Securing a client sided anti-exploit to the maximum

Ah yes, the classic client sided anti exploit that can be easily bypassed. I want to change this as much as I possibly can. Is there any other way to secure a LocalScript other than changing its time to something random every minute?

Yes, I know, don’t trust the client. But how else can I make my anti exploit work to the fullest?

This is going to be open-sourced, this is not just for my game.

1 Like

You can obfuscate your code, implement sanity checks which are fired from the server and expect a response, etc. However, in Roblox you’re never going to have a true and safe local anti-exploit, and I think wasting time on it is silly.

Can’t obfuscated code be bypassed by using an un-obfuscating website?

Worse, they don’t even see that it’s been obfuscated. It won’t benefit you.

Is there any point in making a client sided exploit?

No, not really. Some client-sided anticheats work for a short period of time before exploiters find a way around it, so regular sanity checks on the server would do you much better.

How would I do this? Sorry, I am not very experienced with RemoteFunctions and all that other stuff.

An example of sanity checking in an FPS game:
Cheater sends a remote event – “I just fired a shotgun and hit a player pointblank”

no sanity checking → server says, hey! that’s a lot of damage, nice kill.

sanity checking →
Where are both players? The shooter is 1000 studs away and floating in mid-air.
Raycast from the shooter’s camera CFrame and see if they were looking at the player. Looks like they’re turned the opposite way… also the raycast indicates there’s 10 different objects in-between them and the target.
Check that they’re holding a shotgun and had enough ammo to have made the shot.
Check that they’re shooting at or above the minimum rate of fire.

Any of these reasons would be reason to say no - the server won’t damage the target, and the shooter is likely cheating.

1 Like

Bit off-topic here, but give some trust in the client to say where it took the shot from, where it hit, and what it hit. There will be some network delay between the client sending this information and the server receiving it so you need to give slight trust in the client to explain the shot to the server and then the server to allow for some wiggle room, basically checking the distance between past and present to see if the positioning is reasonable.

Red: Data client gave server
Orange: Updated locations of players
Blue: Magnitude of movement between past and present
Green: Maximum distance offset allowed.

2 Likes
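
The checks from the shotgun example and the latency tolerance described above, combined into one server-side handler. This is an added example, not code from anyone in the thread; the `FireShotgun` RemoteEvent, the `Shotgun` tool name, the ammo table and all constants are assumptions.

```lua
-- Server Script. Added example: the remote name, tool name and constants are assumptions.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local fireEvent = ReplicatedStorage:WaitForChild("FireShotgun") -- hypothetical RemoteEvent

local MAX_RANGE = 60          -- studs (assumed weapon range)
local MIN_SHOT_INTERVAL = 0.8 -- seconds between shots (assumed fire rate)
local ORIGIN_TOLERANCE = 8    -- studs of latency wiggle room for the claimed origin
local DAMAGE = 40
local ammo, lastShot = {}, {} -- server-owned state, never read from the client

Players.PlayerAdded:Connect(function(player) ammo[player] = 8 end)
Players.PlayerRemoving:Connect(function(player)
	ammo[player], lastShot[player] = nil, nil
end)

local function rootOf(player)
	local character = player.Character
	return character and character:FindFirstChild("HumanoidRootPart")
end

fireEvent.OnServerEvent:Connect(function(shooter, claimedOrigin, target)
	-- Remote arguments are client-controlled: validate types before using them.
	if typeof(claimedOrigin) ~= "Vector3" then return end
	if typeof(target) ~= "Instance" or not target:IsA("Player") or target == shooter then return end
	local shooterRoot, targetRoot = rootOf(shooter), rootOf(target)
	if not (shooterRoot and targetRoot) then return end

	-- Weapon, ammo and rate of fire come from server state only.
	if not shooter.Character:FindFirstChild("Shotgun") then return end
	local now = os.clock()
	if (ammo[shooter] or 0) <= 0 then return end
	if now - (lastShot[shooter] or -math.huge) < MIN_SHOT_INTERVAL then return end
	lastShot[shooter], ammo[shooter] = now, ammo[shooter] - 1

	-- Accept the claimed origin only near the server's view of the shooter.
	-- Written as "not (x <= limit)" so NaN coordinates are rejected too.
	if not ((claimedOrigin - shooterRoot.Position).Magnitude <= ORIGIN_TOLERANCE) then return end
	local offset = targetRoot.Position - claimedOrigin
	if not (offset.Magnitude <= MAX_RANGE) then return end

	-- Line of sight: the direction vector's length is the ray's length, so pass the full offset.
	local params = RaycastParams.new()
	params.FilterType = Enum.RaycastFilterType.Exclude
	params.FilterDescendantsInstances = { shooter.Character }
	local hit = workspace:Raycast(claimedOrigin, offset, params)
	if not hit or not hit.Instance:IsDescendantOf(target.Character) then return end

	local humanoid = target.Character:FindFirstChildOfClass("Humanoid")
	if humanoid then humanoid:TakeDamage(DAMAGE) end
end)
```

A failed check simply drops the shot; logging which check failed per player gives the server data for spotting repeat offenders without kicking on a single laggy packet.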

I don’t recommend making a client & server sided anti-exploit, they’re pointless in my opinion. Just add sanity checks, like how Phantom Forces does with their bullet hit verification. Here is how I think they did it:

(Client - Server) replication always has a delay;

--[[
Red - Victim on the client's perspective
Purple - Shooter's position on client's perspective (basically the client's position)
Black lines are walls
Light Blue - Victim/Shooter on the server's perspective
Light Green - Server raycast
Gray - Server raycast hit
Pink - Client raycast
Blue - Client raycast hit
--]]

---------------------------------------------------------------------------------(EndPosition - StartPosition)
Server ray’s origin is the Ray’s Position, and the direction is (Shooter.Position - Ray.Position).Unit
workspace:Raycast(RayPosition, (Shooter.Position-RayPosition).Unit, RayParams)

I’m making an anti-exploit model that’s open-source, not just for my game. My game isn’t a shooter either.

It’s an example, just make sanity checks dude. Sorry to discourage you, but there’s a ton of anti-exploit community resources out there