Ways to patch common exploits?

Ok, so literally I have to deal with exploiters every day, and I am looking for a permanent solution. How can I patch common exploits such as:

1] Walkspeed Exploits/JumpPower Exploits
2] Noclip Exploits

How can I patch these via Server Script? I have tried some hacky solutions, but I can’t find the best method in order to do so. Any suggestions?

Please keep in mind client scripts can just be deleted, and, I am using FilteringEnabled. So I need a good serverSide FE solution.

19 Likes

I think for noclip you could identify areas where noclip hacking is common and automatically kick/ban or at least flag any player who enters an illegal region (inside a wall, etc)–I’d make sure there’s a margin of at least a couple of studs though so that legitimate players with some slight lag don’t get flagged as hackers by mistake.

With speed hacks, you could kick or flag players who travel an unnaturally long distance in a very short amount of time–again, with a margin so that innocent players with lag don’t get flagged by mistake. If your game has teleporters or other fast transport systems, make sure those are taken into account too. With jump power, same thing but vertically. In both these cases, it shouldn’t be an automatic kick or ban unless it’s continuous over a certain period of time–I’d hate to be banned from a game because physics glitched out and I got flung across the map by a signpost.

3 Likes

For no clip raycast from their last position to their current position and see if it intersects anything solid. If so teleport them back to where they were (or to the point where the ray hit.) If your game involves teleportation add in a bindable event that lets you teleport them but not teleport themselves.

Walkspeed and jumppower are much harder to detect on the server side. They’re easy to check on the client (check if their speed is right) however this does little to deter expert exploiters. If they’re smart they can either delete the code you use to check or block the message from reaching the server. Having something in place will prevent a majority of exploiters (script kiddies) however.

4 Likes

Monitor workspace for changes and update it back from ReplicatedStorage if a property unnaturally changes.

3 Likes

While this can be applied across an entire map, it may not always be the best solution. It could cause players with some lag to get teleported back when they try to go around corners, which is not fun at all–especially when trying to escape from an enemy.

4 Likes

Pretty sure you can make it super hard to however but having all client code in one localscript in nil, and all server client traffic through one RemoteEvent and one RemoteFunction. That way, if they delete the code, the game is unplayable, and ditto for the networking elements.

4 Likes

You don’t need to monitor WalkSpeed and JumpPower serverside, you just need to initiate the kick from the server.

2 Likes

You cant monitor it serverside. If the game is FE, then values such as ws and jp don’t replicate from the client, and since clients have good old physics ownership of their character, they can ping around all they want unless you detect teleportation on the server or have some BA clientside anti exploit.

4 Likes

Just did a quick check, pretty sure Humanoid properties of character automatically replicate, thus you can in fact monitor it from the server.

Additionally, I was saying that you could monitor it from the client’s end and if something becomes odd then inform the server that it’s appropriate to kick them.

1 Like

There are ways to do speedhacks that don’t involve changing walkspeed and which are arguably a lot easier to do than most if not all “script kiddies” exploits, so even that might not be effective for all or even most exploiters.

1 Like

Pretty sure there was one that actually sped up the animation or something back in 2014.

Hey guys remember 2014, when every little motherlolno thought Cheat Engine made them a l33t hacker?

5 Likes

Not only are you then sacrificing readability for security, but this doesn’t even do that good of a job.

I don’t think I’m allowed to say why, though. Just know it doesn’t help.

2 Likes

Readability could be maintained by just putting it in a script that every other script relies on in some legitimate way. Sorta like a keystone. Depending on how it’s done, it could be made in a way that would force an exploiter to rewrite half the code to do their nasty hacker business–which would deter even professional exploiters.

1 Like

Exploiters wouldn’t have to rewrite any code. Again, I can’t talk about how or why on the public sections, but there is something clever hackers have at their disposal that you’re not thinking of and likely don’t know about.

1 Like

Hey, that’s what the other options are for. A hacker can’t make itself speedy to all clients without it being possible for the server to notice with the methods I suggested.

1 Like

For walk speed you could determine if someone is walking faster than the games currently set walk speed.

1 Like

Development support isn’t public though.

Nevermind, since when is it public?

2 Likes

To combat exploiting, all of your checks need to be on the server. Furthermore, they need to check only the position of the player, as almost everything else can be spoofed by the exploiter.

In theory, an exploiter can change everything about their client, including removing and replacing your exploit-checking code but reporting to the server that everything is OK. They can even report a Velocity of 0 while they’re moving, report a WalkSpeed of 16 while using 200, or report touching parts they aren’t touching. Fun fact: the server listens for the client to say it touched parts in some cases, so exploiters can spoof touched events! You need to do magnitude checks for those on the server.


The most reliable way to combat the listed exploits – which are all character movement exploits – is to check the HumanoidRootPart’s position on the server every frame.

Here are some checks you can do using the last frame position and current position:

  • Did they walk through a CanCollide = true part between the last frame and current frame? (use raycasts)
  • Did they move impossibly far between the last and current frame (e.g. 100 studs), such that they must have teleported?
  • Log when they’re on the ground using raycasts. Is their current position too high from their position when they were last on the ground? If so, they’re jumping higher than possible for their JumpPower.
  • You can calculate their velocity using (current pos - last pos)/frame time, then…
    • Are they hovering in the air without a negative Y velocity? Have they been doing it for a few seconds?
    • Are they walking faster than their walkspeed? Have they been doing it for a few seconds?

These checks cover…

  • Noclipping
  • Teleporting
  • JumpPower changing
  • Flying
  • WalkSpeed changing/Speed hacks

You will sometime get false-positives. This can be because the client has high ping or because the server isn’t checking often enough. You should only punish the player if they trip these checks often within a short time period. Your punishment should also not be severe: respawning or teleporting the player back to the last valid position is enough to deter exploiters and not harsh enough to deter real players in rare false-positives. Kicking or banning is too severe and not necessary. Exploiters won’t want to exploit anything if their exploits just don’t work.

99 Likes

10/10 Remember to quote this man ppl

2 Likes

While a good post, a lot of your suggested security measures can be repeatedly tripped off by laggy players, which can be extremely annoying to get constantly teleported back. A reasonable number of you players will be playing from Brazil, know that.

3 Likes