(DISCONTINUED)Secure X: Anti-Cheat software for ROBLOX

DISCONTINUED
I don’t think I have enough experience to fulfill this project. Source will remain until 2021, when it will be deleted. Fork now.
https://github.com/Void-Frost/Secure-X

Cool, how did you made it? I’ve seen many popular games like:
Jailbreak, Adopt Me, Welcome to Bloxburg, etc.
That doesn’t have anticheat.

It’s really basic right now, but its just a settings module script for tweaking options, a server side script that will perform a custom disciplinary action (kick, ban, kill, respawn, anything it is programmed to), and a client side script that reports information to the server as it is seen on the client (walkspeed, other things that you’d have to see on the client to prevent/detect)

You can see the full code and everything on the GitHub repo I linked, also you can download a .rbxl of the game (empty baseplate)

Why is the anti speed hack client sided leaving it vulnerable to exploiters? it also looks like it’s relying on security through obscurity judging by some of the names and comments, which is also unsafe.
This isn’t setting a good example for contributions to this repository.

Interesting, I’ve actually never heard of the scripting part of an anticheat

Because, unless you’re using some sort of speed detection by position change (which isn’t always reliable, i don’t believe) the server value of WalkSpeed remains constant, unless they change it on the server (which they can’t without taking advantage of a vulnerable RemoteEvent that has remote code execution, which is the game developer at fault, not roblox)

You do bring up a very valid point about security by obscurity, unfortunately I’m not sure what else to do

This system is very insecure. There is a massive blatant security flaw in your system.

The way you try to detect speed hacks is by using a remote event to tell the server what walk speed the client is. This is extremely insecure! The server is completely trusting the client and as a result, this anti-cheat system can be easily bypassed.

Besides walk speed is not a good way of detecting speed hacks [which I assume you are trying to do]. The client can just use a different method of speeding up, maybe BodyMovers or just writing their own movement script.

True, didn’t put it any client authentication yet like a GUID that the remoteevent MUST detect, otherwise it doesn’t function.
Will def do that soon.
You have a point for the custom movement systems, but I really don’t think that happens often, especially as most games are insecure to the point where changing the walkspeed is enough.

Well, what I would recomend is a script that detects the name of any hack program / Cheat program and so it kickes you out of the game.

This is not realistic. I can EASILY just write my own program to edit my WalkSpeed, and this would leave literally 0 trace besides the WalkSpeed value which would be changed.

And yes, major exploits that leave traces will be identified later.

EXAMPLE: GUI’S

Yeah, you are right, but not many people would know how to script any program like that, cause those programs are made by profesionals.
(EDIT): but yeah ur right, it would be very insecure.

That’s also insecure.

A server based anti cheat using the method you described (position checking) would solve the custom movement issue without anything extra needing to be added.

Also, position checking isn’t unreliable and other anticheats have done it without any issues.

This is also false.
Literally the code is:

game.Players.LocalPlayer.Character.Humanoid.WalkSpeed=100

that single line of code will give you extra speed with the right injector.

Ok, I’m confused.
Explain how it would be insecure to have a localevent that sends a long, unguessable string of characters to a remoteevent that checks it and makes sure it’s ok, and doesn’t run the code if it’s not.

I’m confused as to how that possibly leaves any holes, unless you’re talking about a decompiler that can get the source code of the LocalScripts (I believe that is a thing that can be done)

Not trying to come off as arrogant, I’m quite literally asking you to explain that beacause I really don’t know what about that is insecure.
Thanks

Completely relying any information from the client is a bad idea. Exploiters have full control over their client. Even if you decide to encrypt your data, exploiters can figure out how to decrypt it. It’s simply easier and more secure to run your anti-cheat on the server.

Just run the entire anti-cheat on the server, it’s much more secure.

You are depending on the client. It’s like giving a murderer a knife in Murder Mystery 2 (love that game). Of course the Murderer will kill people. Same with the client, you are giving them access to bypassing any anticheat. And if the exploiters find this out, they will act on that. Your making the server lean on the client when it should be the other way around.

Ok, so, what would you guys suggest for securing a RemoteEvent in any circumstance? If using a password is unreliable (which I somewhat disagree with, don’t know of any exploits that would allow you to bypass that, especially because 99% of the authentication is on the server, but that’s neither here nor there) then how am I supposed to secure a RemoteEvent in the case that one is neccesary (which they aren’t right now, but WILL be later, in detecting GUI’s that are on the client, etc)

This is a situation where you don’t need a RemoteEvent in the first place. You should just focus your efforts on protecting the server.

But… there is?
If you want to stop clients from using admin gui’s, dex, etc. Those GUI’s are only on the client.

Also, im asking for future reference as well, in making any game, how would you PROPERLY secure a RemoteEvent, besides a password?

Also, hacked tools, hopperbins (used for noclip by spawning btools), etc, etc etc.

This is such a great idea for Roblox games defending against cheaters in game.