cheats require memory modifications, they’re related, anti tampers can, to a degree, be considered anticheats
I have played citadel Anticheat before and bypassed it on multiple occasions, it was one of the reasons that made me re-check script memory as back in 2021 they used to actually fluctuate and now they do not and are only correlated to script instance creation and removal, though from the code i read they barely knew how it functions as they used WindowFocus and WindowFocusRelease to check for false flags, though this Thread is made as a source to learn from and not fight over if you can bypass it or not because believe me if making it harder to bypass was my goal i would have made it a living hell to do so, The script i have posted is simply just a learning source with simple hiding and anti tampering mechanism for the detection script.
This also means that every single exploiter would need to bypass this and every single one of them will be affected unlike function specific detections for hookfunction or hookmetamethod for example, which there is a great difference.
Again, for anyone reading this before responding with “this is a memory detection and is innacurate”, please read through the entire thread and think again before making a reply.
If you do find a way to reproduce a false flag do let me know so that i can patch them.
Thank you for your time.
I understand memory detections do not have a good reputation for being innacurate, but this specifically doesn’t read place’s overall memory but script’s memory i have explained it in detail in the thread. Please read through and test it out yourself as the values are always constant unless a script is added or cleaned from memory.
You’re argument is terrible. “Just because it’s on the client doesn’t mean it’s client-sided!1!!1”
1 Like
Absolutely no exploit have bypassed hyperion.
Muting the thread because you aren’t actually capable of arguing properly? You’re still dodging that there are very effective client-sided anti-cheats. Tell me how are you gonna bypass citadel?
The classification has been made by Bitdancer himself. He has articles on Twitter if you want to give them a read.
citadel bypassed source: trust me
source 1 : https://youtu.be/6Nz7TMhw8M4
source 2 : https://youtu.be/Xv7lGQI0q1M
Again, please keep in mind that I am not here to argue about whether anticheats are bypassable or not. My sole purpose in replying to these jumped-to-conclusion responses is to prevent misleading newcomers and increase the credibility of this detection.
2 Likes
Source: trust me bro
If you don’t have knowledge nor experience do not respond to me. Simple, you do not need to be involved in any arguments that you come across.
You cannot be talking😂, you literally said “on the client ≠ client-sided” and you’re also saying there are exploits that bypassed hyperion yet you dont list any. You’re incapable of arguing properly so you instead resort to personal attacks. You are not better than anyone here.
All executors on pc (if them can successful excute their script code),that means they had bypassed hyperion in most respects.
Although they still need to deal with Hyperion’s monitor methods.
If game crashed or executors just don’t work that means bypass failed totally.
1 Like
What? The point of hyperion is to detect, not to patch, all executors still work but theyre detected, the reason roblox doesnt insta-ban or patch these is so exploit developers have very little chances to try if a method isnt detected, theyd have to wait a month to test it.
Tamper-proof is the first line of defense.
Also some executors survived several ban waves.
I‘d say there will always be a way to bypass anti-cheat no matter sever-side or client-side.
How powerful a anti-cheat can be depends on the cost to bypass.
local old
old = hookfunction(getrenv().pcall, function(callback, ...)
local consts = debug.getconstants(callback)
if table.find(consts, "Detected") or table.find(consts, 500000) then
return old(function() end, ...)
end
return old(callback, ...)
end)
local Stats = game:GetService("Stats")
local __namecall
__namecall = hookmetamethod(game, "__namecall", function(self, ...)
local args = {...}
local method = getnamecallmethod()
if self == Stats and method == "GetMemoryUsageMbForTag" then
if args[1] == "Script" then
return 4e3 -- Whatever value passes the check
end
end
return __namecall(self, ...)
end)
2 possible methods to bypass. I recommend against using checks like this, it’s very inconsistent and can’t be applied to all games.
This relies on client-sided detection, which should not be utilized. You make the argument that “the majority of exploiters have no idea how to bypass scripts,” but like you said, “script executors would need to adapt.” This means that anyone who realized that this is what you’re doing can bypass it. I understand that the role is to mitigate exploiters, but this is also done at the cost of performance - notice that you’re using an endless while true loop, which is also a bad practice.
It’s best to take a step back and remember everything that even Roblox’s official documentation states that “as much as possible, the server should cast the final verdict on what is “true” and what the current state of the world is.” Ultimately, what this means is that nothing on the Client side is safe. You can never assume that the Client “won’t figure it out” and just bypass your detection. The best and only surefire way to protect your game against exploiters is to ensure sanity checks on the Server side, and to monitor RemoteEvents & RemoteFunctions. These actions need to be taken exclusively on the Server. As soon as you move something to the Client, it’s instantly vulnerable, no matter what it is.
Additionally, I’d like to point out that many of the posts in this thread are childish in nature, and while it’s fine to debate topics like this, we should all be respectful of one another and be providing factual sources to back our logic. Saying things with the sole intent of being hurtful toward someone else is just demeaning and should be avoided just as much as an anti-exploit on the Client side should be avoided.
Please be aware that I have not requested any bypasses, and I do not want to see any bypasses in the responses to this thread. The purpose of this thread is to serve as a learning resource as i have stated multiple times. If such a script has a great impact on performance in your game, it’s simple: just don’t use it.
This detection is distinct from function-specific detections. Unlike those, this detection is not something that a casual exploiter can simply bypass when they encounter it. Instead, they would need to bypass it before even joining a game (autoexecute), otherwise running a script would get them detected regardless.
everyone just glazing anti exploits now
so true like why are they glazing over a client sided anti cheat?
Because Client sided anti cheat isn’t effective. It can work as a temporary solution to momentarily deter some script kiddies but is not helpful against programmers who know what they’re doing.