How to Secure your Game Against Exploiters
- Published 7 Jun 2024
- There's no such thing as the perfect anti-cheat/exploit system but this video explores how to go about patching some common vulnerabilities.
MERCH ► shop.gnome.codes/
DISCORD ► / discord
TWITCH ► / gnomecode
TWITTER ► / gnomecoderblx
WEBSITE ► gnome.codes/
TIMESTAMPS ►
0:00 Intro
1:19 Protecting Remotes
5:12 Network Ownership
8:35 Magnitude checks
10:46 Speed hacks
15:55 Fly hacks
26:22 Demo
28:02 Outro
I am a former exploiter and own synapse. Most exploiters are children so you only need to really worry about speed and fly hacks, however, there are more experienced exploiters that can manipulate remotes and network ownership which will completely ruin your game. Thanks for publishing this video because I myself did not know about the network ownership one.
s
it is true most exploiters are script kiddies
I also own a couple of exploits including Synapse X (sadly my router blocked it :sad_face:) and I know about network ownership and how it works. I don't know how an exploiter would forget about part:SetNetworkOwner(nil) because devs use that a lot.
Ye that's what I was thinking, but maybe it's better to make a strong anti-cheat because experienced exploiters will eventually get in your game.
Ur cringe 😂
Experienced coder here, great way of explaining a not all too easy subject for learners in a funny story. Keep it up
I totally agree, he turned this scenario from a big and scary thing into a simple and easy thing. I hope I start seeing less of these remote vulnerabilities in good games.
It’s kinda the most easy type of anticheat to make I’ve ever seen lmao and it never was hard to do something like that tf ?
You mean scripting?
@_Sickk scripting = coding in this case
Exploiters are easy to deal with when I am in the game, I just delete them from the game and run a script on the server that will constantly check if they are in game and delete them from it, But if I am not in the game, Those filthy exploiters can get into mischief. This tutorial was useful for child-proofing my games from the filthy darn kids who try to exploit.
It's good to note that you can actually throw in dummy args in your remotes. Catches a LOT of people. E.G. Instead of completely removing the item price argument here, we could catch exploiters by keeping it, and comparing it to the itemPrices table. If the price isn't the same, then obviously, someone messed with the remotes. Little things like this add up a LOT. In one of my games, I caught a few people just by letting them think they could manipulate the force behind knockback.
And, as the game gets more complex, the anticheat becomes easier to bypass. Be prepared to look through a lot of randomly released scripts when you make a release!
Note: Exploiters will happen. Don't spend too long fighting them, your game's release is more important!
Now im curious what you did with those exploiters.
once you catch them you can do whatever you want until you ban them...
this is a minor inconvenience for whoever is trying to exploit in your game - to be honest i dont think this is a good idea as you'd have to actively update 2 scripts and one mistake in one could cause some of your playerbase to be flagged - in my opinion its never right to kick the cheater as to restricting their access.
@yesil_hiyar7335 I mean, I'd never kick an exploiter either. Also, it may be a minor inconvenience but it has always flagged hundreds of exploiters on my end.
@LogoDev that’s fair enough but it just seems like it’d be more messy to send dummy arguments
In my experience a solid portion of exploiters are teens/adults with depressing lives who waste their disposable income gaining unfair advantages over children because it gives them some semblance of control and power in their worthless lives. The reason I know this is because I was there once when I was 18-20 and I am still in many of their communities on Discord.
NEVER underestimate the passion of greed and toxicity behind the exploit community. Imagine your defensive layers around your game are like a cheese grater, and the exploits are the cheese. No matter how small you make those holes in the defense, the exploiters will tirelessly work towards squeezing through the cracks and microscopic holes. Never stop updating your game, and always stay in the loop and keep up with exploit communities. Stay safe gamers, peace.
Wow you motivated me to secure my scripts even more now. Danke!
A majority of exploiters who do script their own stuff and know what they're doing are definitely an older audience (Older teens to adults). They also make up like 0.1% of the general roblox exploiting community as a whole. Although a huge number of them are not living depressing lives at all. Often times we just exploited because we liked trolling. Another thing to note is a lot of games player bases are entirely built upon exploiters. For example Fencing, Dollhouse Roleplay, Twisted Murderer, Jailbreak, Etc. I primarily scripted because it was a fun way to see how roblox's engine works and how to exploit that. I totally agree that exploiters will find any little thing to exploit and bring destruction to any game. I quit exploiting earlier this year due to personal reasons and of-course, the upbringing of byfron.
you have outdone yourself once again, while most "hackers" are just script kiddies there are a few you gotta worry about so this video of yours is perfect to make games safer while also teaching new coders how it happens in the first place, well done and great job, keep it up.
Yeah, as someone who has never touched roblox studio and exploiting it's interesting
Yeah all it takes is one experienced programmer to reverse engineer your game and release a script for the masses
I'm glad you made this video for people who don't really know how exploiting works. I used to not understand but once I started using exploits in my own game I realized that a lot of my games were insecure and had remotes that could manipulate datastores, spawn admin-only items, etc.
He forgot to talk about teleporting
And spawning instances on client
@flowckey well the anti speed cheat part of the script easily removes teleporting off the list, and if you do spawn instances on the client side, the server wont count it because the script is server-side. sorry that im responding after 2 weeks.
@Blade3337R I do believe that spawning instances on client would be counted as in Jail Break but I think the falling mechanism would take that in charge. No worries, I also don't check my notifications often.
These do work, but the floating check will flag on high ping players, yes you can whitelist that but then cheaters can use blink to hold network packets, another problem is if the player's game is like tower of hell, falling down will flag, vehicles will flag it. There is also a very new method that is overpowered, but I won't mention it as most regular exploiters don't have access to this method.
Simple way to check to see if someone is falling or not! VELOCITY and CFRAMES! Both on the Y axis. Check if they are floating using raycast and then time that. If they're hovering over a part longer than a couple seconds and their velocity behavior is acting off then kick them for suspicious client behavior.
@40kq hey that means i place a high down velocity and teleport boom or tween.
To fix the issue with the jumping issue for the speed hacks you could only check the distance on the x and z axis with this formula: dist = sqrt(abs(dist.X) + abs(dist.Z)) where dist is the old point minus the new point or the other way around (doesn’t matter because I used abs()).
why sqrt?
@legendarykatar Euclidean.
bookmarking for later on in my development; thank ya for pointing these things out! i had a relative grip on how speed/fly exploitation prevention worked, but never knew about Network Ownership and such. genuinely helpful, dude!
Network ownership manipulation is pretty much patched for the most part.
you make the best development content gnomecode!
there is suphi kaner too that does in depths tutorials. You should totally check it out
Hello gnomecode! Currently at tower defense serie, ur tutorials are so good! Keep it up!
Your tutorials that go over various aspects of lua scripting are the most helpful that I could find and I've learned a lot through your previous tutorials to where I am confident that I could start a little project with the knowledge I have gathered. Thank you so much.
Thank you, that's great to hear. Best of luck with your future developing!
@GnomeCode Thanks! I will keep the luck with me!
I really wish he would make a series expanding on this anti-cheat system, id love to hang around and learn more about it and also create one along the way
As someone that has been building a game, this system is absolutely amazing as a case study and something to build upon and I am highly supportive of this video except for in the case of reverse engineering.
Wouldn’t it be better to host this in a module and pass a script to the player so then if they remove it you can import it again with a small loop and a check?
Hey, I have a tip for you Gnome: when making functions and declaring variables, use a colon to set its data type. That way, the autocorrect works.
Gnomecode is the real legend that will always make us happy :)
you can create 2 new positions and ignore the y value in the speed check completely like
local v1 = Vector3.new(root.Position.X,0,root.Position.Z)
local v2 = Vector3.new(lpos.Position.X,0,lpos.Position.Z)
And get the distance with those (this will fix the spikes in speed when jumping/falling and allows for lower walkspeed detection)
Great video as normal man! 😀
Thank you this is pretty useful keep up the work.
Yessss I needed this
Thanks man this helped in my doors recreation you made a tutorial for :)
Damn excellency as always
Thanks for the tutorial keep up the good work love your vids man
As a former member of rblx modding & exploiting community with the roles of “pen tester” traditional exploits can be very dangerous but a lot of traditional exploiters that manipulate the client are “script kiddies” with either no or very little knowledge of lua and how the environment works when unloaded or loaded/running, more experienced exploiters tend to exploit things like back doors (despite back doors not being considered exploits under Roblox’s TOS we will refer to them as exploits), backdoors can’t be very harmful to a game for reasons that likely don’t need to be explained
Thanks gnome code! I'm working on a SCP horror game with acp's! I'm still working on it. I hope it's good!
I was doing an anticheat for my game today ima add some of this thx gnome!!!
Gnome code!!!@ Love your tutorials man
I develop hack clients as a way of learning (not distributing) and although I sometimes use it in some games to check if it works, I send it to the game owners once I'm done with it to get it patched.
one of the few cases where i'm okay with exploiting
It's okay to admit that you just make Ui and use public API's. We all know you don't know how to properly construct an actual executor.
I'm just commenting for the algorithm. Another great video!
Thanks for that!
interesting... thank you for your tutorials, they helped me a lot.
Cheers!
Hello GnomeCode! I really appreciate all the resources that you've provided to us, and it's definitely helping me become more of a seasoned developer, but I wanted to ask about an issue that comes with the AntiExploit. All the tutorials from this series have gone into one game I have made where I test and store these scripts for reference in future projects. In the video "The Dark Arts of Troubleshooting," you go over fixing and explaining out the process of finding and troubleshooting errors within a trampoline script. Well with that same trampoline, I am testing the AIR TIME feature and have found that I am getting rubber banded to my originalGoodPosition. If there is any way that I could overcome this, then I would greatly appreciate it as I am still learning and do not have a solution yet for on-the-spot problems. Thank you!
been subbed since 20k!
Yet again gnomecode knows just what we need at the right time, thanks gnomecode :) (I actually really needed this so thanks)
You can simplify this by just checking the humanoids floor material instead of raycasting, if it ~= air then they are touching the ground.
But what about if they are jumping
That's awesome. Thank you for informing me about the network owner stuff, didn't know that, will certainly be useful!
GnomeCode delivers!
I'll definitely use this video, but can you also make a video on console compatibility please. If not do you know any videos that would help me.
About Anti "fly". If player froze client or get lag spike, he/she will be tagged as cheater
I mean , we dont want tab glitchers
yeah. plus, roblox is not exactly notorious for having great server connections. i think the best solution would be to not serve any bans for it, but rather save the position where they last made contact with the ground and if it goes over that 3 second buffer then set them back to the ground.
I know this is a big ask but could you make a video about redoing some of the tower Defense code as I cannot get past a certain part in the tutorial as the collision group code and body gyro keeps saying it is deprecated
cool one gnome!
billy mc'mischief is a piece of work
Hey just wondering when you are gonna make part 8 of your doors series?
I clicked on the video as soon as I saw it thank you
i use a custom system called CID and CMSG.
cid just stands for client id, and cmsg is custom message.
For the speed check, surely you could just ignore the y axis when checking the distance moved. You do
DistanceMoved = (Vector3.new(lastposition.x, 0, lastposition.z) - Vector3.new(root.position.x, 0, root.position.z)).magnitude?
Curse you, Billy McMischief!
this made me laugh too much
@GnomeCode I was just wondering are you done with the doors game
I saw someone talk about this on your discord server. And you even responded. I wonder if that’s why you made the video
Gnome code, are you still doing the Doors series, if so, can you add screech
Oh, my head hurts😵💫
For npcs how would I go to manage make it smooth / not exploitable should I just make a part on the server and for every other client I render for them
9:50
"Billy *clicks* all of these *balls* and moves them towards *him* "
what is bro on about 💀
hey i've been trying to find like a video for a jump pad that changes your gravity and you can walk on ceiling but none has made a video plus i had to remove couple items from my game like a jump orb for a obby and devforum is no help bc i cant post at all
it could really help my game and which you already did with the 2d camera
a good punishment would be after u tp them back to the good pos then there will increase a value called warning and then if they have 3 warnings and do it again you ban them
I think increasing the number of warnings (to 5 or something) would be a good idea, in case there are any false positives. I've read about a genius way to punish players on the DevForum; After an exploiter sets off the anti-cheat enough times, rather than banning them (since they can easily return on an alt. account), instead mess with them. Add random delays to remote events, disable collisions at random, and make their experience frustrating. 😈
@XaneMyers i mean, delayed remote events, and collisions are client sided, unless the collisions are for a single player game, which then can still be avoided by just turning it back on constantly
So like, yeaaaaaaaaaa
also one way they can do something is through grabbing themselves and going lightspeed since they are always network ownership of themselves
amazing Video
Thanks. Not like I have players in my game for there to be hackers though.
something i always do is sorta double check, once on the server, once on the client. its a pretty efficient way to weed out basic script kiddies
thanks bro
Byfron Update seems to have made this Tutorial High-Priority
I understand the speed anticheat but what if your game has some ability which lets you go like 100 s/ps? How will the script detect exploiters in that situation?
another way you can replicate exploits with studio is using the command bar (in view tab)
can you make some sort of ai that grabs you and damages you? (comes with a animaton)
i want a ai like that for a zombie game like biting zombies or whatever
Hi thanks I will try this soon
can't I just use the x/z speed than total speed to counter-act the cheat detection when jumping or falling?
Best way to detect if someone is jumping or falling is to check the character primarypart velocity. For example when you jump your velocity on the Y axis changes, same with falling.
the doors tutorial: imma go get some milk real quick
damn you Billy McMischief!
Hey Gnome code , will you continue the Doors series?
16:25 why not use Humanoid.FloorMaterial ~= Enum.Material.Air for ground checks?
there are ways to spoof floor material, but since most exploiters are skids they most likely wont know how to bypass it.
if you want even more detection you can combine the raycast method and floor material in the video for more security, but it is slightly more tricky to do.
@Moonzyss_ As far as I am concerned, spoofing floormaterial has never been a big thing because they all got patched a long while ago.
Woah teaching people how to script and teaching people how to defend their games from scripters, never thought I’d see such luxury
Hey that game looks fun! I wanna play it
Billy McMischief is the hero I never knew I needed, lol. Too bad I'm on mobile and can't do anything he did.
If I could I would just 100% the American Girl event game because I swear some of those Doll Stars aren't even placed into the world yet so it's literally impossible to find them all to get the badge for doing so. Plus the in-game clothes are cute and I want more despite not getting to have them outside of the game.
well uhm actually there are mobile exploits 🤓
ty
*Lumber tycoon owner taking notes*
this is still exploitable since you use :getcharacter and use primary parts, the exploiter can touch it then immediately delete their humanoidrootpart (primarypart) or set the primarypart of their character to nil which will completely break your script
also you could do player:CharacterAppearanceLoaded to wait until the player character loads
AND the anti-speed can still be exploitable since there are certain exploits that detach your hmr and replace it with a fake one that still allows your character to move then it slowly brings the hmr towards it kinda like a lag-back
didn't roblox add an option where deleting any parts of your character would not register to the server? that would be useful to include in the video, since the thing you just said would not work anymore
@bolekinds no, since its your character you can control it delete any of your bodyparts and such and will replicate to the server since you own your character all of the time until you die, and no detaching your rootjoint wont kill you
@bolekinds I'm not sure what that change did, but I do know that "invis-flinging" was patched sometime recently by Roblox. Try it and the spinning brick doesn't spin and just…falls to the floor.
I have a request for a series what about a game similar to Pokémon because most games get banned so a customized theme similar to Pokémon?
hey Gnome, can you make a anti-cheat for no-clipping detection? and can you make these scripts bypass owners/admins of the game?
Hey there! For the doors tutorial when I make the for i= 1,100 it puts rooms INSIDE the rooms. How do I fix this?
you sure the primary part is entrance?
pov: u tp 2 times at 0.1 delay and u get teleported back where u actually wanted to tp or the anticheat just has an delay so u still can grab all coins XD
How to secure your game against exploiters
Make the game a “exploit simulator” with a built in “exploit” which mimics most actual exploits so everyone is always at equal starting level
are you still going to do tutorials on how to make games ?
Is the DOORS Tutorial abandoned?
thanks for the advices. i also applied the first one while spawning cars it sure fire server the car name but the server will verify if the player really also owns the cars to spawn it if the server knows that the player doesn't then it isn't gonna spawn so the player is just gonna have a lil piece of gui in front of their face but cannot spawn anything lol but i do need more help because this game uses paychecks to pay the players and i can't seem to find a way to make the paycheck relay on the server instead of firing a server even tho for now it has a little security cause it doesn't fire server any amount but the player can still set the timing for the paycheck to appear anyone here can help me please?
how can you keep the speed hack prevention in your game if you have teleports? whenever my character uses a teleporter in my game it says "cheating".
maybe make a variable that doesn’t let the speed hacking anti-exploit if statement block of code run when you’re being teleported
You`re a legend
Hello!
I have one question,
If I hide a client script in server script service, exploiters will see the script by using dark dex or orther explorer?
Also great video!
If you put a local script on the server it's no longer a local script and won't work
@horse_loyal9740 ok, tyyy
local scripts only work when: they're inside replicatedfirst/player_character/playergui/backpack and or is triggered by remoteevent.OnClientFired
@GnomeCode di you make this video because of that one guy who complained about hackers?
Imma add Billy Mischief to my game lmao
the only issue here is that you used a raycast continuously on the server which can be expensive, a much easier way is Humanoid.FloorMaterial == Enum.Material.Air
nice video
My game has a gui that if an exploiter deletes the game will be ruined
Because in my game there is a tagger that its screen is black (using a gui), how do i make it that the exploiter doesn't delete the gui. Because it would be unfair for the players
good video
Can you make a tutorial for a game similar to my supermarket?
hey gnomecode I want from you to continue the doors tutorial for ep8
Imagine writing certain code so that if some kid uses speed hack scripts, he gets a cinematic cutscene shown to the whole server that he cheated and that he's bad at cheating, blows him up and then bans him permanently. Not too good with code so dunno if it's possible.
"casually gives a descriptions for exploiters to debunk"
Can Exploiters View ModuleScripts on the client and is it secure to use them?
I have a question: if I have a teleport part in the game, will the speed/fly anti cheat kick the player falsely?
Yes obv it will kick
It would, but in the teleport script you could add another line that sets the lastGoodPosition to be the teleporter exit.
Yeah. If your game teleports players, you'll have to either set a flag on the server that temporarily disables the anti-cheat right before another server script moves them, or put the teleporting function inside of the anti-cheat script so it can update its variables to "ignore" the teleport.
it will ,but you can make the anticheat ignore the player for like 0.1 seconds while its teleporting while the anti cheat still sets the lastgoodpos,etc by using an bool value.
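The horizontal-only distance check and the server-authorised teleport that commenters above suggest, combined as an added Luau example (not the video's code or any commenter's). It is written as a ModuleScript that a server Script requires once; `CHECK_INTERVAL`, `TOLERANCE`, `state` and `authorizeTeleport` are assumed names and values, and `lastGoodPosition` follows the name used in the comments.

```lua
-- Added example: server-side ModuleScript (e.g. in ServerScriptService).
-- Assumed names/values: CHECK_INTERVAL, TOLERANCE, state, authorizeTeleport.
local Players = game:GetService("Players")
local RunService = game:GetService("RunService")

local CHECK_INTERVAL = 0.5 -- seconds between checks (assumed value)
local TOLERANCE = 1.5      -- slack for latency and physics jitter (assumed value)

local state = {}           -- [player] = { lastGoodPosition = Vector3 }

-- Horizontal distance only: jumping and falling change Y, not X/Z,
-- so they no longer look like a burst of speed.
local function horizontalDistance(a, b)
	local dx, dz = a.X - b.X, a.Z - b.Z
	return math.sqrt(dx * dx + dz * dz)
end

local Validator = {}

-- Game code that legitimately moves a player (teleporter pads, respawn
-- points) calls this instead of setting the CFrame itself, so the
-- reference position moves with the player and the check is not tripped.
function Validator.authorizeTeleport(player, destination)
	local character = player.Character
	local root = character and character:FindFirstChild("HumanoidRootPart")
	if not (root and root:IsA("BasePart")) then
		return false
	end
	root.CFrame = CFrame.new(destination)
	state[player] = { lastGoodPosition = destination }
	return true
end

local accumulated = 0
RunService.Heartbeat:Connect(function(dt)
	accumulated += dt
	if accumulated < CHECK_INTERVAL then
		return
	end
	local window = accumulated
	accumulated = 0

	for _, player in ipairs(Players:GetPlayers()) do
		local character = player.Character
		local humanoid = character and character:FindFirstChildOfClass("Humanoid")
		local root = character and character:FindFirstChild("HumanoidRootPart")
		local entry = state[player]

		if not (humanoid and root and root:IsA("BasePart")) or humanoid.Health <= 0 then
			-- No live character or no root part: nothing to measure.
			-- Skip without erroring and restart tracking on the next check.
			state[player] = nil
		elseif not entry then
			state[player] = { lastGoodPosition = root.Position }
		else
			-- WalkSpeed is read on the server, so a client-side edit of it
			-- does not raise the allowance.
			local allowed = humanoid.WalkSpeed * window * TOLERANCE
			if horizontalDistance(root.Position, entry.lastGoodPosition) > allowed then
				-- Set the player back rather than kicking, so a lag spike
				-- costs a rubber-band and not a ban.
				root.CFrame = CFrame.new(entry.lastGoodPosition)
			else
				entry.lastGoodPosition = root.Position
			end
		end
	end
end)

Players.PlayerRemoving:Connect(function(player)
	state[player] = nil
end)

return Validator
```

Vehicles, knockback and other server-driven movement need the same treatment as teleports: either route them through `authorizeTeleport` or raise the allowance while they are active.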
How do i make Team startercharacters? PLEASE
Gnomecode im new to scripting so im not that advanced but cant you store some values like speed that don't change throughout the game into a constant or add an event listener that listens if a value that isn't supposed to changes the player gets banned?
There is a function called "GetPropertyChangedSignal" that listens if the property that is assigned to it changes or not. For example, Humanoid:GetPropertyChangedSignal("WalkSpeed"):Connect(function() ... end)
exploiters are changing their values on the client. this doesnt replicate to the server, and if you use a local script to detect any changes, they will just delete the script.
@mmcode121 Why not just listen if the file exists or not on the server and on a normal game its supposed to... If not ban em (Maybe simple fix?)
@AnotherDeadChannel because when you delete a local script it doesn't replicate to the server either.
@mmcode121 No you create an instance of it and save it on the server and when the file is deleted(trigger) it will get replaced indefinitely til the exploiter gets tired of deleting