What loop to use for anticheat

Also, most remote spies are absolute trash and can be spammed with remote events in order to prevent them from seeing the code. You can exclude events but devs already have an edge on this because it’s pretty easy to flood their remote spy. So yeah, a good remote spy is probably worth a lot of money to exploiters out there.

Because Clash Royale doesn’t rely on client side for gems related stuff. Just because something is made in C doesn’t mean you can’t read it. Reverse engineering exists and is free.

4 Likes

1000% there are exploitable client sided functions in Clash Royale. Why does nobody do it? Because the people who have tried, failed. Simple as that.

I wouldn’t even think that far lol people found ways to get free stuff by turning their wifi off and on, ddos attacks on the opponent, glitch that makes it so their deck only has 1 card, etc. This is why I’m trying to tell people that exploits are not everything. They are small in the grand scheme of things

Because all gem transactions go through the server and the server does the transaction processing. You can’t do anything on the client side to stop that. Only way to exploit is with a backdoor. You don’t seem to have any idea on what you are talking about

1 Like

I do. There’s much more to a game than just a data store. I’m not going to sit here and explain detail for detail what exploiters can and can’t do lol. There have been 0 successful exploiters in that game. Do you think pulling a card out of your deck to place it into the arena is a server sided function? No.

It is server sided because it goes through the server. You don’t know how video games are made

5 Likes

This is an incredibly naive solution, and not good advice.

The system you are describing is extremely common, and extremely easy to bypass.

You seem to be forgetting; exploiters can decompile and read all of your client-sided code.
This means that they can decompile, and read your anticheat code, and figure out what algorithm the client uses to validate itself to the server.
Once an exploiter has this figured out, all they need to do is disable your anticheat, and have their injected code spoof the response the server wants.

There is also no guess-work needed, as you seem to believe.
Any message the server sends to the client, can be intercepted by exploiters.
This means that exploiters can simply hook the event that the server is firing to the client, and thus they have the exact value that is supposed to be your line of protection.

Once again, this is horrible advice, don’t do this.

7 Likes

The server knows which cards the player has in their deck and which cards they have previously placed successfully and thus it also knows which cards the player has available at the moment. The server also knows how much elixir the player has at the moment. The server can also check whether the location where the player is requesting to spawn the card is valid. So the server can easily determine whether it should accept the player’s request to place a card.

In a game like Clash Royale, I don’t see a reason why all critical game logic couldn’t be handled on the server. I mean, the player just chooses which card to spawn and where to spawn it. After that the player can’t control the troops further and thus the server can do all the movement and fighting logic without having to consider the validity of any further player input.

So the client just sends requests to the server and renders things. Any invalid client side behavior will stay on the client. I believe the requests are relatively simple to validate in a game like this.

This simple player interaction avoids problems present in some other genres like FPS-games where it can be difficult to determine whether a player is skilled or using an aimbot, whether their movement is legitimate or whether they are shooting through a wall or legitimately when they are near a corner.

It’s been years since I played Clash Royale so correct me if I’m wrong about how the gameplay works. But if it works as I remember, what kind of things can the client try to exploit in Clash Royale?

The only thing I can think of is that the exploiter could have an algorithm do the card placement decisions for them if they find an algorithm that plays better than them. But the algorithm will still only be able to do valid card placement.

3 Likes

Wow. Someone that actually has an informed response. Amazing how people liked the other responses but not yours. Well, I don’t care about that. I love your response. Thank you for explaining this to everyone. This is the kind of information that would help people.

Wow your response got 3 likes. You know how to win people’s popularity, so impressive man. Strokes your ego

Anyways, wonderful response man. It’s so good that games like Clash Royale can run optimized entirely on the server with 0 lag and my beautiful HEE HEE HEE HAW emotes can gracefully save the day from this little thing called ROBLOX. The WHOLE POINT of my message was for it to be in regards to what is possible on ROBLOX. The message you specifically replied to, I was not talking about other platforms… and I CLEARLY acknowledged that the best solution is to use an anti cheat on the server, just like other platforms do everything on the server. You could’ve saved yourself the popularity contest by just actually taking the time to read the entire forum and see all of my messages and THEN make a good response like RoBoPoJu did. He made one of the best responses here. Props to him for actually using critical thinking skills. So the bottom line is, whether or not my model is bypassable or not is completely beside the point. It’s simply an option for this little thing called Roblox. I know that’s so hard to imagine that Roblox isn’t as wonderful as other platforms in terms of server sided performance, but yeah… it definitely doesn’t perform as well yet. Eventually someday we won’t even be having this conversation and local scripts will be deprecated and everything will be on the server. When will that day come when 99% of server scripts perform perfectly well? Could take 20+ years easily.

1 Like

I already said that even without remote spy it’s incredibly easy to still access and intercept the data needed.

This anticheat model, as I’ve said before, is incredibly easy to bypass. It also provides issues like players with bad internet getting falsely flagged for cheats. In fact, this model brings more problems than solutions. It’d be worth not having a client anticheat at all at that point. Server anticheats are the point of focus.

I don’t think exploiters are “all-powerful beings”. 90% of them are just script kiddies who couldn’t code to save their lives.

This will also happen if you use the anticheat structure you suggested. It could completely ruin performance on lower-end devices depending on how frequently the server checks.

I strongly suggest you do your research before replying to this.

1 Like

I already said this

Thank you for contradicting yourself and proving my point :sunglasses: Since anti cheat is a waste of everyone’s time, you might as well use one that works to defend 90% of them.

Sending a number to the client once every 5 seconds is going to ruin performance? Clear lack of understanding how the anti cheat works.

I am genuinely convinced this forum is just bots who don’t know how to read and think their opinion is more important than the facts.

I know you already said that.

I didn’t. If you bothered to read any of what I’ve been saying, you’d know that all it takes is one experienced exploiter to create and distribute a script that bypasses your anticheat.

Keyword of what I said was ‘depending’, and it also depends on the size of the data. But yes, it actually could. I’ve had many experiences of lower-end devices freezing up with a remote’s OnClientEvent.


Why is your ego so big buddy :sob:
You’re acting like you know everything and you’ve got to ‘teach’ us

All you’ve done is told us we’re wrong and then when we contradict you you start talking about ego or some random thing

Like when you brought up Clash Royale earlier you said it was lagless and seamless, have you even tried playing it on bad internet? That’s proof it doesn’t rely on the client…

I have better things to do with my time than argue with someone uneducated on this topic like yourself. When I have free time, I’d be happy to discuss this with you further.

I appreciate your positive response, but honestly, I would say that a lot of the other replies here are valid as well. I’m not the only one here who’s right.

And while I agree that you shouldn’t sacrifice too much performance for anti cheats, I would still say that a game should have some serverside anticheats. Exploiters are quite common in some games such as Natural disaster survival and Trench war, and they can be annoying in those games. And at least the fly exploits make it seem like those games are lacking anticheats against flying.

If there aren’t many exploiters in the most popular games, that’s probably because of serverside anticheats (and possibly also some client side ones, but as mentioned, client anticheats will not work against exploiters that know what they are doing) that make exploiting useless or nearly useless, and NOT because of a large number of legitimate players.

1 Like

The most you can do is slow someone down. Client side anticheats’ best defense is complexity. But once someone solves it, then they will distribute the script that works and you will have to make a new client side anticheat. Remember I have physical access to my own device and can read and edit the memory as I please. There are certainly things that complicate this, but it is impossible to permanently stop cheating from the client alone.

This is technically true, but fundamentally misses the point.

Assuming the game is well designed (potentially might not be) the server is the one giving you cards. So the server has a table of your cards {a,b,c,d}. When you place a card, you would tell the server what card slot you used. Say we used card b. We would send a 2, because that was the index we used. It also sent the position you put it in. The server then knows you placed index 2 (b) on tile 1. It will then give you a new card (which it knows goes into table slot 2 so it updates its own table).

The server when it’s sent that 2, 1 command (card index, tilePosition) will check that 2 is either a 1,2,3 or 4 because those are the only valid cards. And then it uses the ‘b’ card it has stored to update the game state both clients draw (you already have the unit there so the update is pretty much ignored on your side). If you attempted to send a 5, the code would ignore you and tell the client to fix itself because an index of 5 makes no sense. It also checks that the position is valid. If you tried placing on the enemy side it would reject it and tell the client to undo the action.

So both the client and the server check the position. The client checks the position first and will only send it to the server if it was valid. The server then checks it was actually valid (and not just a lie from the client) and gets the final say. You can’t send an invalid message to the server if you aren’t cheating (excepting super rare edge cases)

In this case the client did place the card and handle user input and rendering, but the SERVER still did the anticheat stuff by verifying what you told it was true. You just will never see a server sided rejection if you aren’t cheating because the client scripts only allow you to take valid actions by default.

tldr; yeah, the function you described is client sided, but the anticheat for it is server sided and a non cheater will likely never see it.

Note there are places for client side anticheats, but they need frequent updates to stay relevant for games long term. They are effective, but only effective until the first person solves it.

2 Likes
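
The server-side check described in the post above (and in the earlier reply about the server knowing each player's deck and elixir), sketched in plain Lua as an added example that is not part of the original thread. The card costs, arena size, starting elixir and all function names are constructed for illustration.

```lua
-- Added example: server-authoritative card placement. All values are constructed.
local CARD_COST = { a = 3, b = 4, c = 2, d = 5, e = 3 }  -- hypothetical elixir costs
local ARENA_TILES, OWN_SIDE_MAX = 32, 16                  -- tiles 1..16 are the player's half

local function newPlayerState()
  return {
    hand = { "a", "b", "c", "d" },  -- the server's copy; the client's copy is never trusted
    queue = { "e" },                -- cards waiting to be dealt, known only to the server
    elixir = 5,
  }
end

-- Returns true and the card name on success, or false and a reason to log.
local function placeCard(state, slot, tile)
  -- Type and range checks first: the request comes from an untrusted client.
  if type(slot) ~= "number" or slot % 1 ~= 0 or slot < 1 or slot > #state.hand then
    return false, "bad_slot"
  end
  if type(tile) ~= "number" or tile % 1 ~= 0 or tile < 1 or tile > ARENA_TILES then
    return false, "bad_tile"
  end
  if tile > OWN_SIDE_MAX then
    return false, "enemy_side"
  end
  local card = state.hand[slot]     -- resolved from server state, not from the request
  local cost = CARD_COST[card]
  if state.elixir < cost then
    return false, "not_enough_elixir"
  end
  -- Commit: spend elixir, cycle the played card to the back, deal the next one.
  state.elixir = state.elixir - cost
  table.insert(state.queue, card)
  state.hand[slot] = table.remove(state.queue, 1)
  return true, card
end

local s = newPlayerState()
print(placeCard(s, 2, 1))   -- the post's example: card index 2 on tile 1
print(placeCard(s, 5, 1))   -- index outside the four hand slots
print(placeCard(s, 1, 20))  -- tile on the opponent's half
print(placeCard(s, 4, 3))   -- card that costs more than the remaining elixir
print(s.hand[2], s.elixir)  -- server-side hand slot and elixir after the one accepted play
```

The request carries only a slot index and a tile; which card that slot holds and what it costs are looked up on the server, so a modified client has nothing to lie about beyond values the server range-checks.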

Unless I’m mistaken, you can detect local scripts deletion only & only if they’re a direct child of the Character. If I remember correctly it works, and the server can detect its entire removal with AncestryChanged. However the point of other people stating that a perfect anticheat doesn’t exist remains. Exploiters have way more tools than you’ll ever have.

1 Like

Exactly. These last three replies on this forum are absolutely golden and I hope that people understand how useless protecting your game from people who use exploits actually is in the grand scheme of things. RoBoPoJu, tlr22, and Varonex, you all have a perfect understanding of this topic. There are 2 viable options everyone has. Anything else is a waste of time, energy, and limits potential for success.

  1. Working for Roblox to help them eliminate popular mobile exploits(Examples: Arceus X and Delta)

  2. Making your entire game as high quality as humanly possible and following the same method that the most popular games on Roblox follow(Leaving it to the hands of the experts to work on blocking these exploits entirely)

The more things you protect in your game… the more exploiters will try and tamper with it. That’s how it works. And exploiters are a very small percentage of the population… meaning that a game with superior quality, performance, and design, will always be on top. If you can achieve that from protected scripts, great, but otherwise it is pointless to fear having vulnerabilities in your game just because of the fact that mobile executors exist. Also bear in mind the engines that run those mobile exploits are weak. The bottom line is this is not in our hands, and that’s why I had no shame in saying the things I said above because my main point is to get people to stop trying to control something that’s not in their hands… unless you want to work for Roblox you shouldn’t be wasting your time on “protecting” your game. No such protection will ever be perfect. Not even Roblox can create perfect protection. But it’s enough that it got Synapse X developers to completely quit exploiting forever.

“Client and server are out of sync” doesn’t mean the game relies on the client in the context you were referencing. With a stable but high-latency internet connection, you will see the entire game freeze with the red wifi icon in the middle. When you try to place cards, the “placeholder” will show in the arena, wait for a couple of seconds, and then go straight back to your deck.

I’m not about to retype what someone has already said, so I’ll just quote it.

Should the actual data itself be outdated/incorrect when checked, or the client timeout when the server checks connection, then that message would show.

We’ve all answered the OP’s question (including you), and all our answers were the same: it’s impossible to make a client-sided anticheat that can’t be bypassed. All you can do is slow exploiters down and maybe pick off the ones who are clueless on what they are doing. All we’re doing now is getting off topic, there’s no real point continuing this discussion…

Sorry we had to argue.
I’ve given up trying to correct you, yes. Don’t get me wrong, I’m not agreeing with you - I still think you’re wrong.

1 Like