Why is roblox anti cheat so bad?

When it comes to games made in Unity, for example Rust, they all have really good anti-cheat, but Roblox has almost non-existent anti-cheat. Am I missing something? What is holding Roblox or developers back from having better anti-cheat?

1 Like

Roblox’s anti-cheat is about as good as it can be for what it is. It’s up to developers to implement game logic security, so you’d have to ask individual ones about the problems they have.

3 Likes

Roblox already does as much as possible to prevent cheating, and we’ve seen a big leap forward in built-in anti-cheat, as well as our personal capabilities to make our own.

For example, in the past, godmode was a common exploit in roblox. Now, to tackle the problem, the corescripts automatically respawn common godmode exploiters. These changes are happening a lot, and game developers are becoming better and better at preventing cheating.

In any multiplayer game, there will always be cheating, I don’t think it’s fair to say that unity has a better anti-cheat. The community may give you that impression, but it isn’t right.

20 Likes

Let the developers make their own anti cheat so roblox doesn’t ruin the devs games.

5 Likes

Anything on the client can be taken even on those games as you have physical access to the bits on your machine. This means you can take geometry and locally running scripts from any game as well as change them. This is what allows people to no clip through stuff as they move their character client sided.
As for the server, you should check data that the client sends it to ensure that it is correct and expected. You can do raycasts in front of the character or whatever by a short distance to detect if they are clipping then punish them as you will.
Mostly though, it relies on the developer implementing anti-exploits into their game to prevent unwanted behaviour. Client-side based anti-exploit is almost pointless as the player can just remove the script checking for exploits.
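A server-side version of the raycast check described in the post above, as an added example that is not part of the original thread or any Roblox-provided code. It assumes a Script in ServerScriptService; the tolerance constants and the rubber-band response are illustrative choices, and any legitimate server-side teleport would need to reset the stored position.

```lua
-- Server Script: validate character movement the client replicates to the server.
local Players = game:GetService("Players")
local RunService = game:GetService("RunService")

local SPEED_SLACK = 1.5   -- assumed tolerance over Humanoid.WalkSpeed (lag, jitter)
local MIN_MOVE = 0.05     -- ignore sub-stud noise
local state = {}          -- [Player] = { character = Model, pos = Vector3 }

local function checkPlayer(player, dt)
	local character = player.Character
	local root = character and character:FindFirstChild("HumanoidRootPart")
	local humanoid = character and character:FindFirstChildOfClass("Humanoid")
	if not root or not humanoid or humanoid.Health <= 0 then
		state[player] = nil
		return
	end
	local last = state[player]
	if not last or last.character ~= character then
		-- First sample or a respawn: accept the position, nothing to compare against.
		state[player] = { character = character, pos = root.Position }
		return
	end
	local move = root.Position - last.pos
	if move.Magnitude < MIN_MOVE then return end

	-- Cast from the last accepted position to the reported one, skipping the
	-- character's own parts and anything that is not collidable.
	local params = RaycastParams.new()
	params.FilterType = Enum.RaycastFilterType.Exclude
	params.FilterDescendantsInstances = { character }
	params.RespectCanCollide = true
	local clipped = workspace:Raycast(last.pos, move, params) ~= nil

	-- A wall check alone misses teleports through open air, so bound horizontal speed too.
	local horizontal = Vector3.new(move.X, 0, move.Z).Magnitude
	local tooFast = horizontal > humanoid.WalkSpeed * SPEED_SLACK * dt + 1

	if clipped or tooFast then
		root.CFrame = CFrame.new(last.pos)  -- rubber-band to the last accepted position
	else
		last.pos = root.Position
	end
end

RunService.Heartbeat:Connect(function(dt)
	for _, player in ipairs(Players:GetPlayers()) do
		checkPlayer(player, dt)
	end
end)
Players.PlayerRemoving:Connect(function(player) state[player] = nil end)
```

Because the check runs in a server Script, removing LocalScripts on the client does not disable it.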

…?

Where are you getting this from? CoreScripts don’t automatically respawn people like that. God mode exploits were simple manipulations of the character in non-FilteringEnabled environments. They’re still possible even now if you have a vulnerable code structure.

CoreScripts themselves rarely ever handle targeted exploits. They do have some implementations as well as some from the backend that do mitigate exploitation attempts but most of anti-cheat work is up to the developer.

6 Likes

Roblox already does A LOT to prevent exploiters. Like, a lot.

If you look at functions such as BadgeService:AwardBadge() you will notice it can only be used on the server. That’s just an example off the top of my head, but there are obviously more of them. For example, the reason why loadstring was disabled in LocalScripts was Roblox removing the compiler from the client. By doing that they made it way harder to achieve malicious code execution via exploits.

The Roblox client executable, aside from being obfuscated and packed, has many checks which when triggered by an exploiter will cause the game to crash. And they keep adding new ones or changing the old ones. That’s why there aren’t a lot of people who can get past all of them and successfully create an exploit. And when one manages to do that, they have to update it every time Roblox updates.

Roblox also sometimes pulls a surprise attack on exploiters: by implementing a new injected dll check, then letting exploiters exploit for a while, and then baaaam, everyone who was detected gets terminated.

The fact that all of this happens behind the scenes doesn’t mean nothing at all is done to address the exploiters issue. Besides, most games do have proper checks on the server to ensure nobody can ruin your gameplay (or at least not significantly).

6 Likes

As another example, on joining the game, if the server detects anomalous behaviour, it will kick you with the error:

Unexpected client behaviour

This is another example of checks being done behind the scenes to check for exploitation.

It’s not just disabled in LocalScripts anymore. By default, it is disabled in server scripts too. This can be changed in a property of Server Script Service. The use of loadstring is restricted too. It can’t do all the things that it can in default Lua, and all those changes were made to prevent exploitation.

@colbert2677

I’m not sure where I heard about the check for godmode exploits, but I’m pretty sure it was on a thread similar to this one a while ago (i.e. before I became a new member).

It was most likely an outdated point, as it was before the forced filtering enabled update.

Roblox doesn’t do this and hasn’t ever either. This is certainly a developer-created check.

2 Likes

You mean it not being able to run precompiled lua bytecode? That’s not because of exploits, that’s because roblox cannot really sandbox a function created that way.

I’d class “breaking out of the sandbox” as an exploit. It’s not your common client-side exploit, but it’s still an exploit in the literal sense. If I recall correctly, using bytecode allowed you to break out of the sandbox and access restricted things on the server years ago. This let you do things like, for example, give yourself place visits (and free tickets, at the time). Bytecode also let you crash the running Roblox process, if I recall correctly.

With that being said, it’s only tangentially relevant to the topic because clients can’t do any additional cheating using bytecode execution. The removal of bytecode execution is evidence to support Roblox’s dedication to preventing exploitation in general.

2 Likes

Roblox’s anti-cheat system is as good as it can get without invasive methods. Most vulnerabilities on their side get patched within a week, the real issue is that developers often don’t consider exploits when planning their code.

Yes, that’s exactly what I mean. I just couldn’t remember if it can’t run precompiled, or non-compiled code.

I would say that getting around a sandboxed environment is an exploit.

EDIT: Just realised that @Corecii already said that. Never mind

Roblox does loads to help prevent cheaters/exploiters but we just don’t hear about it much. Just because we don’t hear about something doesn’t mean Roblox is not actively looking at it. An example of this is the moderation system. These moderators ban lots of people for exploiting every day but we don’t hear about it because it is confidential between the exploiter/cheater and the moderator.

As others have said, it is up to the game developers to make their own anti cheat systems as every game is different. Each game has different game mechanics and play styles making it really hard for Roblox to make anti cheat systems. Developers know their games best, not the Roblox staff, meaning developers are the best suited people to prevent cheaters in their games.

I wouldn’t compare Roblox to Unity about anti-cheat systems. I have never used Unity but I would assume the game developers make their own anti-cheat systems and not the Unity staff for the same reasons as I said above. Lots of the games on Unity have bigger teams and full-time professional developers making games, making the games better equipped with anti-cheat systems. Lots of the Roblox developers have very small teams, don’t use Roblox as a full-time job and aren’t professional game developers yet.

Roblox does lots internally to help prevent cheaters/exploiters on things they have control over. An example of this would be keeping the games servers secure so developers can run serversided code securely. Making sure all of their other systems they provide are secure as well. Roblox also gives developers tools to help them prevent exploits like filtering enabled. This is only a couple of things that Roblox does to help prevent exploits on their part.

Developers are the people responsible for making anti cheat systems for their games and not Roblox. However Roblox does support developers by keeping their systems secure from cheaters and actively moderates games for exploiters through the report abuse system.

It’s not related that much; clients can execute bytecode regardless of the setting, it’s just Roblox removed the compiler from the client so people usually skip that step and just generate the unserialised structures instead.