Would of been nice if you actually made an anti exploit rather than saying “your anti exploit sucks”
2 Likes
I’d also like to add onto this, Just try to stay away from the client, often these big anti exploit developers use very old or broken methods to achieve stuff which isn’t normally done, Things which Roblox doesn’t intend people to abuse.
Using these methods doesn’t just protect you, but puts you at a fault as well, It takes one person to leak these methods, it takes one person to report these methods, it’s as if you’re fire trying to stop water, it honestly just wont get anywhere.
Stick to the server, It’s secure, and safe.
2 Likes
but when you forget to be specific to the title “Client” because a server anticheat doesn’t suck and never will unless your pure garbage at lua then it probably will
How is this relevant?
It is the truth, no arrogance that I can see in the title.
Yet again, why are you posting this? You don’t seem to know what you are talking about.
Seeing a few of these replies on this post is the exact reason why we keep getting multiple “Anti-Exploit” post a week that are nothing more than a speed check and a :Kick() call.
11 Likes
I do not write anti-exploits, and the point of the post wasn’t to show off any. It was to bring to light why and how some of the posted resources here can do better and not be subject to being heavily criticized.
Something I didn’t really touch on was how difficult it can be to write something which can accurately detect exploits. I gave writing one a go, just to see what it was like, and it’s not easy. There’s a lot you need to take into account when trying to detect something like speed, such as if velocities are being modified due to BodyMovers or constraints. Or if they were flung because physics.
Obviously this sort of thing just isn’t my strong suit, and I myself probably fell victim to a bad practice I was unaware of. My goal for the post wasn’t to say people suck at what they do. I completely understand that the title can lead one to believe otherwise, but I just wanted a quick, attention-grabby title so more people would see this.
Not everybody can take criticism, and I have good reason to believe that this forum has driven aspiring developers away because of shortcomings in their resources. There’s nobody to blame for this, I completely understand the demotivation from receiving any amount of backlash on a project that has taken any amount of time to finish.
I hate to see any talent go to waste because of some pretty easy-to-fix problems, so I wrote this post with the intent for anti-exploit developers to read this and learn from their mistakes.
My passable anti-exploit if you're interested
--[[
nohax
@author: jelliedbanana
@date: 1/25/2022
@updated: won't be updated lol
]]
--[[Variables]]--
--Services--
local Players = game:GetService("Players");
--Character--
local char = script.Parent;
local hum : Humanoid = char.Humanoid;
local hrp : BasePart = char.HumanoidRootPart;
--nohax--
local raycastParams = RaycastParams.new();
raycastParams.FilterType = Enum.RaycastFilterType.Blacklist;
local lastValidCF = hrp.CFrame;
local velocityModifiers : {BodyVelocity} = {};
local lastValidGroundCF = hrp.CFrame;
local flyStartVelocity = Vector3.new();
local flightTime = 0;
local FLIGHT_TIME_THRESHOLD = 0.5;
--[[Functions]]--
function getRaycastIgnoreList()
local ignoreList = {};
for _, v in next, workspace:GetDescendants() do
if v:IsA("BasePart") and not v.CanCollide or v:FindFirstChildOfClass("Humanoid") then
table.insert(ignoreList, v);
end
end
raycastParams.FilterDescendantsInstances = ignoreList;
workspace.DescendantAdded:Connect(function(desc)
if desc:IsA("BasePart") and not desc.CanCollide or desc:FindFirstChildOfClass("Humanoid") then
table.insert(ignoreList, desc);
raycastParams.FilterDescendantsInstances = ignoreList;
end
end)
end
getRaycastIgnoreList();
function detectNoclip() : boolean --Returns true if there is a part between the player's current position and last recorded position
local origin : Vector3 = lastValidCF.Position;
local hrpPos : Vector3 = hrp.Position;
local dist : number = (origin - hrpPos).Magnitude;
local direction : Vector3 = (hrpPos - origin).Unit * dist;
return workspace:Raycast(origin, direction, raycastParams) ~= nil;
end
function onDescAddedToChar(desc)
if desc:IsA("BodyVelocity") then
table.insert(velocityModifiers, desc);
end
end
char.DescendantAdded:Connect(onDescAddedToChar);
function computeVelocityModifiers() : number --Returns the magnitude of all body velocities acting on the player
local moddedVelocity = 0;
for i, v in next, velocityModifiers do
if v and v:IsDescendantOf(char) then
moddedVelocity += v.Velocity.Magnitude;
else
table.remove(velocityModifiers, i);
end
end
return moddedVelocity;
end
function detectSpeed() : boolean
local vel : Vector3 = hrp.AssemblyLinearVelocity;
local horizontalVel : Vector2 = Vector2.new(vel.X, vel.Z);
local speed : number = horizontalVel.Magnitude;
local maxAcceptableSpeed = hum.WalkSpeed + 5 + computeVelocityModifiers();
return speed > maxAcceptableSpeed;
end
function main()
local isNoclipping = detectNoclip();
local isSpeeding = detectSpeed();
--print(isNoclipping, isSpeeding);
if isNoclipping or isSpeeding then
hrp.AssemblyLinearVelocity = Vector3.new();
char:SetPrimaryPartCFrame(lastValidCF * CFrame.new(0, 2 + hum.HipHeight, 0));
--In my tests without this offset, the script would place anyone caught by this in the floor and infinitely
--flag them for no-clipping.
else
lastValidCF = hrp.CFrame;
end
task.wait(0.1);
end
while true do
main();
end
4 Likes
That isn’t the purpose of this post. The purpose of this post is not to give an open source anti-cheat free model script to everyone. The purpose of this post is to explain to the people who make inaccurate anti-cheats WHY they’re inaccurate.
Offensive or not its the brutal truth.
The purpose of this post is not to give an open source anti-cheat free model script to everyone. The purpose of this post is to explain to the people who make inaccurate anti-cheats WHY they’re inaccurate.
I suggest you actually understand why this post is here before giving criticism on it.
Use the information from this post to create a good anti-cheat instead of asking for a free model that has the anti-cheat done for you. That’s the point of this post in case you didn’t know.
7 Likes
Server anticheats suck too, a basic speed check have to take in account the user’s ping, velocity (which can cause a false positive at any point because of how much the physics engine likes to fling) last position seen by server and the magnitude between the last and current position (which can also cause a false positive if the anti-exploit can’t integrate with the game’s admin system) which can still be bypassed given you teleport back and fourth confusing the server’s lastPosition variable.
tl;dr Server anti-cheats suck even more because of how high the false positive rate on them can be.
3 Likes
It is very unfair to continue to cover the truth of this post which is to tell to all developers who create resources in this case anti exploit that are incompetent, from a person who doesn’t even know what is talking about.
It is offensive to say this to Developer that uploads Amazing resources such as anti exploit on the dev forum.
Following the post author’s reasoning and yours, Nobody should publish his resources anymore.
I’m not saying that all of the resources and anti-cheats put in the DevForum are horrible. The OP is just stating the flaws with the bad ones and how you can fix it. You should take the advice instead of being offended by it.
If you want to see an actual useless post, with most of them having useless replies, take a look at this:
A Useless Post (Make sure you read the ignored content)
https://devforum.roblox.com/t/real-reason-why-roblox-is-down/1638614
5 Likes
At this point you have to be trolling. There is no way you missed the point of the post this hard even after it being explained to you.
4 Likes
The problem is that most of the “amazing resources” are not amazing, let alone resources.
4 Likes
This post was not directed at those who don’t make these mistakes.
2 Likes
As the person who wrote the code that he used in those screenshots, I am happy he wrote this post. Just because it was my second attempt at making an Anti-Cheat doesn’t mean I shouldn’t be told it sucks. Criticism can lead to being a better coder. If no-one told me how bad ORANGECAT Anti-Cheat V1 was, I would have thought that using humanoid.Running was a good idea for speedhack detection which is not good at all. I rewrote the anti-cheat and learned a few things about ROBLOX itself so I won’t make that mistake again. If no one makes posts like these, they won’t know why people are calling their new resource bad or why cheaters are bypassing their anti-cheat.
9 Likes
Alrighty, going to leave my take on this post.
I agree with you, Anti-Exploits can be quite bad, especially if they aren’t thought about thoroughly before production. It has always been, and always will be the most practical to stay away from the client as much as possible, In fact this has been reiterated one too many times, that’s kind of getting old now.
On to my next point, this post already exists, in the form of one you just linked in your original post, as well as another one that can be found right here: A complete guide ~ How exploits work & how to best prevent them - #5 by Autterfly. I would recommend searching before making a post that already exists (just so it doesn’t end up like the AC posts)
Last point, about the whole “title is harsh thing” being said in this thread, they really aren’t wrong, but nor are they right. I do believe the title could be something more like “Why Anti-Exploits have the tendency to fail” or something less personal. The “Your” directs it at people which is, in general, not good practice. (a bit ironic…?) I personally don’t care, people can say what they want and it doesn’t really affect me personally but yeah the title is fine if you really feel like getting up in there face (and risking it)
In general the post is fine, this thread is fine, and people just need to think more about their Anti-Cheats. I do not intend on replying to anything that may have not been thought over. Just my 2 cents.
3 Likes
Haha, Valve has been made a mockery of many times for their anticheat. You can bypass it using garbage code with ease.
Some games with high-quality anticheats (that Roblox could partner with the services used/develop their own) are anticheats like Riot Vanguard (Valorant) and EasyAntiCheat (Epic Games/Fortnite).
Of course creating an anticheat is not easy, especially on a game that revolves around user generated content however Roblox has also denied developers the proper access to patch exploits themselves and has given little to no support regarding the issue. They have brushed it off time after time and it’s gotten to the point where it’s a major problem.
yeah… im not giving some chinese company my credentials.
(even if epic is chinese owned aas well and has bought kamu, the company who created easyanticheat)
2 Likes
In case anyone else believes that Roblox hasn’t done anything since FE being forced, I think that it’s fair to mention them creating a faster Lua VM which had some new security measures, as well as them usually “patching” exploits every week when there’s an update (although, usually these aren’t very effective and get unpatched after a few hours).
Also, what is this “proper access”?
Ironically, at one point it was referred to as a “rootkit” because it turned on at boot and installed a driver onto your computer without permission.
2 Likes
Valorant’s anti-cheat is very bad. It blocks random programs. It conflicts with WallpaperEngine, the program I use for my wallpaper. It is also very sketchy requiring to be started at launch and needs a restart to disable/enable. I don’t trust it and many people would quit ROBLOX if it was used.
5 Likes
I love how this topic is formatted. Anywho, this is a good topic for anyone trying to learn how to develop proper anticheats.
For users that don’t know what properties are good for serverside exploit checking, here are a few:
- HumanoidRootPart.Position (get the previous frame position and current) and get the magnitude of both of them. Something like so (PreviousPos - CurrentPos).Magnitude
- Noclip every frame between current and previous position of their HumanoidRootPart. If the raycast result returns something, they clipped through something they shouldn’t have.
For the noclipping every frame, it sounds extreme, but it works amazingly. Running it with Parallel Lua and optimizations (listed below) you can easily make an anti-noclip that scales with large player counts and relatively low script activity.
Raycast noclip optimizations:
- Parallel Lua. Use :ConnectParallel on the RunService.Hearbeat connection.
→ This ‘combines’ all threads to cut down on a lot of lag. Not entirely sure how it actually reduces lag, but it does if you check out Script Performance before and after implementing Parallel Lua. - Create a “chunk cache” system where noclippable (anchored=true, cancollide=true) parts in a 50x50x50 area are cached. This can be done with GetPartBoundsInBox. Players can then request already cached chunks instead of repeating GetPartBoundsInBox every frame.
→ The reason you’ll want to do this is because if you have a huge part count, even with Parallel Lua, running small raycasts every frame will cause a lot of lag if it has a massive FilterDescendantsInstances list. The smaller the filter list, the less script activity it’ll use up. - Don’t check for noclipping if the player hasn’t moved.
→ If the player hasn’t moved less than 0.01 studs, they’re standing still or moving at a snails pace. You shouldn’t perform raycast checks unless the player is actually moving.
If anyone has any questions or additions to my optimizations, let me know!
4 Likes
I’ll use this reply as a reply to four responses to my post.
Regarding the idea that Roblox hasn’t done anything since FE being forced, that is indeed false. I am very aware of Roblox’s “patching” and “security improvements” over the past few years however we have yet to see a patch that critically effects exploits globally (similar to one on the level of Filtering Enabled which caused many popular exploits to go offline for months if not years).
Regarding my discussion about “proper access”, I will explain exactly what I meant. By “proper access” I am talking about the access to read and/or modify instances in CoreGui, have more client state changes available, access to Roblox-locked services that would benefit the anti-exploit community if they were unlocked, etc. I forgot to add how useful it would be if developers were able to hook functions in order to block them from being used. This would be a MASSIVE step towards proper security of games.
I do understand that what I am asking for “proper access”, that it is indeed a possible security risk hence why I said it’s extremely hard to patch exploits on a game that revolves solely around user-generated content.
The last thing I’ll address is the comments about the anticheats I mentioned and China. As for Riot Vanguard and it’s false positives, I completely get that. It’s very annoying to have random programs blocked by an anti-cheat however bugs are a key step to improving a product. Let’s also not forget that Riot Vanguard is a much better anticheat compared to the weekly Roblox “patches” on exploits (fixed by every exploit within 12 hours).
As for China and it’s data laws and whatnot, I was using those anticheats as examples. I said that Roblox could partner with them, never said they had to.