didnt even explain that being able to manipulate movement so easily is only specific to movement (because roblox doesnt do any base security checks for movement because that would very quickly interfere with ALOT of games), and trying to do the same for anything else is 100x harder unless the developer added a foolish remote function or event
@@omgdodogamer4759 "because roblox doesnt do any base security checks for movement because that would very quickly interfere with ALOT of games" Roblox gives devs an option to do it, the only game i saw having balls to enable it is Bedwars in rare cases
Exploits isn't always as straight forward to prevent as you might think. There might be cases where a combination of multiple things causes something unexpected to happen, which will allow the exploiter in question to manipulate something in a certain way. And especially, if you're a small team of developers, finding all of these edge cases is really difficult. You prevent what you can see usually, and what you have time for. Keep in mind that players expect updates almost weekly, so finding the potential weakpoints of your game and patching it, while also releasing new content isn't really that realistic. That being said, sanitizing and rate limiting remotes is something that should always be done. Prevent the obvious, but don't spend too much time looking for and fixing very small issues.
@@awesomesauce-kg9xn not always big games, but, he meant weekly cuz this is practically the norm for updates, especially for rblx devs' games. tho, half a month or a month - too, but potential games are oriented towards weekly updates, that leaves plrs inspired and entertained for such games.
To answer your question: Developers aren't actually lazy; they understand that such exploits can be fixed with just a few lines of code. However, when you implement features that continuously send messages from the client upon hitting walls or objects, it can overload the server. While it may not cause lag with just one player, if the game becomes popular and has such "anti-cheat" features, it could crash the game, making it unplayable due to severe lag. It's all about finding the right approach. Cheaters will always try to find ways to circumvent patches. Most exploits are generated unintentionally by the developers as well, due to small oversights, because they are humans too. Throwing them under the bus because "this is such an easy fix" isn't the right approach. While you might not mean that in a bad way, it is how most people will interpret it.
@@Blackfacenoob if it is a whitelist there wouldn't be a point in an anti-cheat as you would have to manually give it to people, even then that anti-cheat could be bypassed.
Exactly. I couldn't comprehence why people saying other developer being lazy for not implementing something that would exceed the server's memory and then drag down entire physics stepped and the entire game espically when it come to server-side. My best advice is to instead go and do some secure on remotes should be sufficient, that's more concerning than some body noclipping imo. I'd say Client-sided anti cheat has nothing wrong tbh, even if they can be spoofed.
I feel like people arent lazy, its just some SOME game have such complicated fighting/ability systems that code that prevents them from exploiting would interfere with the ability/fighting code.
@@TheLordirlook at stuff like deepwoken and rogue lineage, they have anticheat but people always come up with new cheats to break through it, you can never make a full proof anti cheat Like, even billion dollar companies like valve don't have full proof anticheat for CSGO, what makes you think some random dude on Roblox is gonna be able to do it?
i must inform to you that the information you have provided is false, say this, if i were to run a script that makes all parts inside the game untouchable, it will make it so the part attached to the player to not have touch either, and with that said, the best way to do it is, make a system that detects if the players humanoid root part and head and torso get detected if it goes inside a part, and if it does it teleports the player back where they were 2 seconds ago, and even if they have no collide or smth like turned off touch it will still work if you make a script / local script / module script thats not apart of the part, but as a system that detects the player inside a wall without it
Especially in games like blox fruits. For example: Try teaching system to figure out who's teleporting with in game ability and who's doing the same thing with hacks. And that's the easiest example....
A small note. EVERYTHING to do with the character is managed by the client. The server does zero validation. So, on the client, you can just... set your position anywhere. And the server accepts it. All character physics are on the client.
If you're not doing a whole lot with characters, Chickynoid might be something to consider. Its drawbacks might make it hard to integrate into an existing project, though.
As someone who used to make exploits myself, the "patch" you made is completely garbage.. you can literally counter your patch with one or two lines of code. Developers are not lazy, sometimes they just choose not to interfere with the player's experience in the sense that your anti exploit could falsely flag a normal player.
i dont think a new hitbox could 'falsely flag a player,' as every player would have it, anyway. as for everything else, i agree. however, roblox themselves are taking active steps to make cheating itself very difficult so the rest of the burden lies on games that really take skill into account, like competitive games. some games just dont require that type of treatment.
I've been a exploit/script developer for 8 years since the nofiltering era, and I'm just going to say this is extremely easy to bypass that it's not even funny. Scripts will obviously be intended for non-generalized use, such as specific pin-points. No actual script will be this easy. For instance, if you have a local script that contains gun functions and it calls the local player's camera, instead, I can use metamethod __index to return the wrong class type which would then create an error in the server script itself removing the anticheat completely, this has been done on multiple occasions on many games. Exploits are not easy to fix, all you did was spend 11 minutes trying to patch a 1 line script that can be re-bypassed with again, just 1 line.
you can also remove your character completely then re-call it on the client, and add in the humanoidrootpart (server) after classifying network ownership (if not taken by another exploiter), create a new model type, add it in as local player's character, teleport the humanoidrootpart (local) through the part, delete local humanoidrootpart, and then clone character (server) and add the server-sided humanoidrootpart back inside the local character to make it a serversided character, this is exactly how serversided fake VR worked back in 2021
that's true but you don't realize most exploiters are complete skids who use other peoples code, which most of the time can be caught by simple anti-cheat
@@toby-we3zj the modern economy of scripts used by skids are gigantic all-in-one hubs which are usually maintained actively with features taken from everywhere the owners can get them, meaning that new/better methods of doing something spread quickly into the products that little kids end up using which gives them a lot of the decently made scripts that were usually locked down to people who know what theyre doing or by people who constantly keep up with new releases on forums
As a developer of 4 years... this is just so wrong in every way. Calling developers stupid and lazy, then going on to demonstrate the absolute most basic of exploiting methods, showing a weak very avoidable patch, and refusing to respond to anyone saying how bad this is? Just sad. I hope you didn't trick anyone into buying your obviously terrible course in coding when there are way better completely free courses... P.S. Most exploits are caused by game mechanics that are unavoidable, and linked to remote abuse.
@@joeplayzgames2625 He also says it in the video, does he not? Clickbait is required to succeed nowadays for a lot of cases, I'll agree, but even if we ignore this, The things he shows aren't even a patch. I explained why.
What If You Have A Certain Key That Can Run A Remote Event Function Then People Couldent Use RemoteEvents to Exploit Fx: local script: game.ReplicatedStorage.RemoteEvent:FireServer("thisTextIsTheKey") ServerScript: game.ReplicatedStorage.RemoteEvent.OnServerEvent:Connect(Function(TheKey) if TheKey == thisTextIsTheKey then print("RemoteEvent Is Not From Exploiter") end end)
@@IsokiYT Then they delete the local script. If it is local, it is ran on their computer, meaning their computer can simply choose to not run it. They can also go into advanced things such as remote blocking, and also using remote events can allow exploiters to hack it for loopholes.
@@Sol_Aureus The problem is he doesnt even do that well. Oh, sure, he talked about a "fix" for this problem, but the fix itself is pretty easy to work around and he didnt even show how to implement. The only thing he explained was that things changed on the players client arent directly applied to the server.
@@Dr_mafario Pretty sure touch events don't get called constantly, only when it is first touched and will only be called again if u stop touching it first so quite literally not a fix in the slightest and purely just a waste of resources
It's not as simple as you think. Yes, that is a way to detect cheats, but it can also be incorrect. Many games use client-only aspects, and it is harder to differ between what should be different on the client and what shouldn't. If you have a barrier that players shouldn't be able to go through, this is indeed a way to detect and prevent exploiters from going through it, but it won't be as simple for client sided creations. An example, is a game I am working on, which allows a player to fly around in outer space. The flight system I made for that is almost fully client-sided, and it would be more difficult than this for me to detect the difference between an exploiter's flight system, and my flight system, or to detect if an exploiter edited a value or my game did it. Tbh, Idk who would ever even need flight exploits in a flight game. A better solution to a potentially flawed anti-exploit system that may detect innocents, or people who affected by a roblox bug, would be to instead implement a report system, along with action, chat and movement logging. In many cases, a human-mod system will be better than an auto-mod system as long as the humans are not corrupted or bad. Roblox's overall mod system is an example of a bad mod system, filled with corrupt/lazy human mods and poorly designed AI mods.
Exploiting or Hacking at all is impossible to stop. The hackers/exploiters will win then the game devs/anticheat devs and then it will loop around like that. That's why Roblox paid Synapse to help them instead of keep patching what Roblox tried to do.
bro forgot about firing remotes, hook functions, deleting client scripts, spoofing/metatables, exploiting is unpreventable on a bigger scale game, only roblox can fix it.
@@fitmotheyap not how it works, remote could still be manipulated through hook function, changing parameter values, constants, and upvalues, nothing can be done about it, even game with the best anti cheats like bedwars, can’t even prevent it, roblox already made a pushing step with there exploit detection, significantly reducing exploiters recently, byfron
@@fitmotheyapbypassing checks is as simple as using spoofers to pretend nothing has changed on client, metatables, and now AI program such as external AI aimbot
@@fitmotheyapfor ex: instead of increasing a player speed by humanoid.walkspeed, you can just teleport the player slightly forward based on CFrame and this value could be adjusted to increase speed and completely bypass walkspeed check
@@glyoit1506 You realize that a remote event should only be a trigger, not a activation method. For example if I have a 3d button in the workspace that gives money, and I want the player to only get money when he clicks the button (which has a cooldown), I'd use a clientside remote event to tell the server that the player pressed the button. I could calculate the distance the player is from said 3d button to accept or reject the request for the button press, as well as its cooldown which would be server calculated. Server checks can exist for remote events, so the fact that local scripts from exploiters can fire remote events is not an excuse for an unstoppable hack. For changing constants, the server should always have serverside copies of money and check it for every purchase.
ByteBlox, i must inform to you that the information you have provided is false, say this, if i were to run a script that makes all parts inside the game untouchable, it will make it so the part attached to the player to not have touch either, and another thing the expolit can do is just delete the entire part connected to them, and with that said, the best way to do it is, make a system that detects if the players humanoid root part and head and torso get detected if it goes inside a part, and if it does it teleports the player back where they were 2 seconds ago, and even if they have no collide or smth like turned off touch it will still work if you make a script / local script / module script thats not apart of the part, but as a system that detects the player inside a wall without it
That is indeed a great way but the reason games dont do that is having alot of checks for different parts and for each and every player starts to slow down the game a huge amount
That’s probably true. I just suggested the hitbox as a quick potential fix, but the better way to do it would likely just be to fire raycasts and check player position
The best anticheat is detecting client guis or smth like that and banning them. Kinda like adinos admin but better and not bypassable. It will ban Arceus x and codex users quite easily, but experienced exploiters can still bypass them.
explaining how the server knows you're exploiting movement actually helped me understand how i couldnt move for a hot minute in shard seekers, thanks for telling me that man :)
I don't have much experience developing on Roblox but I have a lot of experience when it comes to game development. As you mentioned "game developers" all throughout this video I'll take both Roblox devs and literal game devs into account. Roblox's default collision checks live in the client because (I suppose) Roblox provides you a free server. They can't afford making all these checks by default on the server. That's also why the part generated on the client didn't act the same as the generated on the server one, client had the ownership of that part and calculated everything on the client. Anything that is done on the client is insecure as you discussed on the video but it's generally not as simple as that. Doing calculations like that on the server has a cost, an actual cost, like literally you have to pay more CPU time and generally game developers don't want to increase those costs. A) They don't want a laggy game B) They can't afford it I suppose Roblox doesn't just give out free unlimited servers and those VMs also have their own limits. Doing all these checks on the server (if you don't optimize it well) will make your game laggy as server will have its CPU maxed out. Also the "exploit" you discussed on the video is literally just client-server desync. so it will be just that easy to fix. Only problem is to find out every edge case and have time to fix them all. Taking the examples you gave in the beginning into account, "exploit" also means things like aimbots to you. And these are not easy to fix at all. Lastly, fixing exploits is just a cat-mouse game. You'll succeed but just for somebody else to break your check system and the cycle goes on...
Whats funny is if you’re owned by server, it pretty much fixes a lot of stuff from this. The issue is no one does this because of the huge input delay you get. Note the part you attach could work, but make sure it doesnt make your movement be limited to what the part allows you to, and make sure it’s owned by the server.
You could have the player on the server consist of a humanoidrootpart only that is invisible and just render the other stuff by creating them locally on each client and then predict the movement of the client-side character
@@fitmotheyap it's even noticable in studio with 0 ping prob because when studio play solo ran both client and server on same thread, having the server own your own character was possible and still not affect input delay but after they made studio client accurate to the real client and seperated the client and server to run on their own seperate threads, you will notice input delays even if you didn't increase fake replication lag I don't see Roblox adding server-authoritive characters anytime soon so just add checks to the server, but also trusting the client isn't all bad and it mostly depends on the game.
Rocket League is fully server-sided, but it uses prediction to fix the input delay, Roblox could do the same, calculate server-side, compare with client, if there are big differences between server and client, interpolate to what the server calculated
@@EricPlayZ132 I will straight up say I hate rocket league's way of doing it, played it once and got hella teleported(when I used to not have a good ISP), there is no better system for it in the first place so sure but in the case of roblox I think staying client side is wise, at least 10-20% of the playerbase plays on mobile more specifically phones and tablets and even more play on a bad internet, I have experienced both being on mobile and bad internet, not an issue these days but that's only for me, SA still has no servers and resorts to using NA or even EU, asia roblox has major internet problems during rush hour already and this wouldn't help, US is the only region where they actually have good internet and servers everywhere but a large amount of the population gets throttled daily and another large amount live in not so well connected areas, EU would be by far the least and most affected, europe has servers in every rich country exception being poland having one, but even as of now the average ping hovers around 100 because roblox is roblox, I feel like roblox has to fix connection issues first, furthermore they still have NOT fixed error code 277 which is becoming more of an issue every month, swapping ISPs is not a good solution when they can fix their backend instead Also, I hate to mention it again EU servers are horrible, 100 ping EU while around 200 ping US, US seems to have no problems and ping is as expected, EU hovering around 100 makes hella no sense when other games have servers farther away with 50 ping or less TL;DR This is a bad idea cus EU servers have major problems that won't be fixed ever it seems US has way too many people behind greedy ISPs and many others not living in populated areas SA has no servers Asia has major issues during rush hour
I watched Oaklands grow from the beginning when it was a different game called Woodmill Inc. and the main developer did anticheat so well that he knows the exact exploits which people are loading in. The coolest part is, it doesn't even trigger false positives and you see NO cheaters ruining your game. The community constantly gets people saying "i got false banned", but the logs say otherwise. I don't know how he did it, but i remember some discussions on stack size and how injectors often increase your script stack size and that he was let in to work with an exploit group in order to know how the things work and how to prevent them.
Fair exploits are easy to fix but there are always alot of exploits and most people forget alot of them and alot of them can interfere with the game alot, theres a glitch where if theres a thin part infront of a thick part you can clip through it easy fix. but even more bugs come from that. its less that there lazy I would say and more unsure of all of them because there are alot of exploits that aren't in this video and will never be able to be put in one video unless extreme dedication to every glitch its more something you've gotta get use to. and small glitches can be over looked as long as they don't interfere with your gameplay then it should all be fine. And yes most of the time updates will come and people will just find more and more which is very normal.
I see alot of your videos get backlash from ignorant titles. Such as your prints are useless video that you took down, which there 100% not very useful.
A person who uses universal scripts might also work But if you use specific scripts to do that particular thing or in that particular mode you cannot stop them, the only effective way would be to see if it is executed Lua code in Local Script which would actually be what the Exploiters do and then throw them out of the experience but it doesn't always work there will always be the Exploiters And whether you are happy or not, they can never stop
By the start, title, and comments of this video, I can tell this backfired a lot. I'm not watching it anymore because of that, and I'm sure I can find another great video from his channel.
Way easier to just raycast from the last hrp position and the current one to check if they moved through a part, can also check if the part has can collide turned off on the server. And this noclip method is bypassable if you just set cantouch on that part in hrp to false?? Server sided physics anticheats are limited by the complexity of the games physics
the issue i find with the raycast method is if you were to move around a corner of an object, the ray might hit said corner. Currently looking for a way of fixing it.
The only problem with this solution is that when I want a specific player to be able to walk through a part and no one else, I set the collision to off for that client. If I put that fix, this won't work and and I'd have to use collision groups, which is annoying...
Byte the thing is exploiters are actually more difficult to prevent than you think, pretty much impossible. for the system you thought of they can just delete the part that is attached to them and it wont effect it anymore or for doing something like checks for when the player is inside an object they shouldnt be it will slow the game down for each object or each player you have. then players can also do other exploits that can manipulate their own health or other peoples health they can give themself immortality by giving themself a forcefield or change their location.
@@cclosure giving a player force field makes it so they’re incapable of taking damage with the humanoid:takedamage() function but either way they’re still able to manipulate their max health
@@GrimBeConfused dude. its not gonna slow the server by any amount. its legit also easy to do. and by the way, you're so wrong about humanoid modifications. All they can do to the humanoid is change walkspeed,jump height, platform stand, jump , sit. Im not sure but change humanoid state [if its not dead] could be possible aswell. please stop spreading misinformation without actual checks
Summary: it depends on the games code, for example if an experienced exploiter, well exploits, depending on the games code, they will have a hard time to fix the exploit without it messing up other game mechanics, think of it like this: you want to kill an exploit that is behind a strong wall, now lets say you break this wall to get rid of the exploit but breaking the walls removes / messes code that is working perfectly, you rid of the exploit but your game is broken due to the code that got messed up
No-Clip is not a problem if core systems are secure, also usually PPL prefer smoother experience than secure, soo in shooters you have a lot of exploiters that can shoot through walls, not because they have super advanced cheats, but only because devs prefer raycast on client to make shooting instant for those with bad wifi, i understand them, but still usually you don't need 10 rays but 3, maps are small in 90% of those games and 3 rays are enough
In practice preventions against exploits can often be quite faulty and cause constant issues with players who have poor connection to the game. Additionally when it comes to most Roblox games it's just not worth the time, I can speak personally as yes, I do protect my games when I intend for the game to be played competitively but when it comes to things like quick obbies and simulators, quick profit for little work is the number one goal and thus protecting the game from a minority of players is not a priority.
Absolutely, i always stick to basic rules such as having the client request things and the server checks if their request shall be granted, therefore creating a complete safety from exploits like "i bought this upgrade 1 m times for free" and it takes minimal effort to stick to those principles. You can also just not send any client things to the server like settings, except if you want the settings data to save without any checks if it's exploited or not. To an extent it's a good thing because you can allow exploiters to mod the client however they like.
It actually is, the player can change anything inside their character, so if you were to delete that hitbox (assuming it’s located inside the player character, you CAN delete the hitbox to bypass basically everything.
Theres a difference between hacks / cheats and bugs / exploits. Exploits are more like glitches in game's code that allows you to do things, without significantly modifying the games code at all. For example, glitching into walls with the camera glitch. Using stuff like JScript or Lua Script Injectors is not an exploit, but a hack, a cheat. When you exploit, you're exploiting an oversight in the game's code, when you're hacking or cheating, you are intentionally doing things that the game did not intend for you to do by measures that are invasive to the game's code (via injection etc) essentially, hacking it.
Exactly. For some reason Roblox players refer to hacks as exploits and never have I found a decent explanation as to why they insist on this rather than using the terms "hack" and "exploit" the way everyone else in the gaming space uses them.
You could also give ownership of the player to the server like black magic 2 does that prevents literally 99% of teleportation/movement exploits at the cost of slight delay because of ping every time you are moving.
@@cclosure forceibly cull everything that the player shouldent be able to see for esp and for aimbot i guess lie to the player and tell them the enemy is in like 14 diffrent places so the aimbot breaks
Worst optimization ever, I mean if you game really relies on people not noclipping go for it, but that's a lot of requests and if you have lots of players it might be really laggy, plus if a user has a bad connection, on mobile for example, they might rubber all the time.
depends from game to game some exploits are made specifically for some games, (take KAT, there was an aimbot exploit for some time) some others are just generalistic (like the noclip) while it's true that on roblox it's easy to fix a couple of exploits, for specific big games it actually starts to be hard when the client starts to manipulate stuff like aiming and if we get outside of roblox, it just gets even harder, CS:GO with their VAC, or even minecraft (yes, minecraft cheating, especially in the competitive side of the game, is a thing) it's not as easy. you can prevent the obvious yes, but eventually something will be found that the devs either won't be able to address or don't have the time to do so
Game design also plays a huge role in reducing exploiters, for fps games/competitive games more exploiters are gonna work on exploits for these games rather than a game like DOORS, but with roblox adding byfron recently, exploiting is now even harder than it was 5 years ago, so each game has their own unique way of implementing a anti cheat, and it isnt easy at all especially since depending on your type of game, exploiting can happen rarely or frequently.
Anti-noclip idea: Instead of just placing a script that places the player to their CFrame half a second ago, just make a script that sends em to a singleplayer place, as if they just noclipped out of the game's reality entirely. Backrooms? Could be, or you can put your own twists or whatever
roblox is weird, because for some reason, the server does NO security checks to player movement. the only data the server EVER checks for is the position, orientation, ETC. of all the parts of the client. this means that the client can just teleport, check their speed/jump, no-clip, etc.
exploits as the name states using weak points of your game to gain advantage on local side they have pretty much unlimited possibilities and especially with character - because it's first source of client-server replication don't try to prevent exploits - better try to lower advantage exploiters can get - just secure any way of client-server connections.
Simple fly anticheat: Detect humanoid floormaterial changes, they aren't replicated to the client anymore and are somewhat decent, you just need leeway
"SHAME ON YOU." bold statement, no matter what, anything can be exploited. And roblox games are no exception, there WILL be no game that's completely safe from exploiters, the best thing you can do is just limit the use of remotes and exploitable opportunities for the big and bad (as one of the top commenters already mentioned)
some exploits(scripts for games) use character noclip which loops through the character and checks if it is a basepart and if it is a basepart then it will set the "Can Collide" property to false
Aimbot from what i have seen in games seems to have 2 tipes depending on the weapon projectile a example would be the bow from minecraft the projectile is slow so even if the aimbot makes it so the arrow goes where the target is they can just move of the way because the projectile is slow so aimbot speed the projetile or it makes it teleport behind the enemy u are shoting (imagine a portal in the guy stomach of the guy u are shoting and the other side of the portal is your bow) If the weapon has a instant projectile or a fast one the aimbot just makes the bullet shot where the guy is. so the way to fix the teleport aimbot would be to make the game check if the projectile is acting the right way (like not going faster that normal) Edit: im do not know to code so please do not critize me if the solution i said is wrong
aimbot isnt about speed of the projectile cause the projectile is supposed to be created on the server. Its only the direction and maybe origin of the projectile that the client usually sends
9:05 and what happens if the client instead decides to delete their own hitbox? i feel like you're gonna play cat and mouse forever no matter what you do, the only solution is to prevent the client from making any changes
issue is, while you can execute local scripts, exploiters quite literally hijack the local script environment. Check if the player has .CanCollide disabled on his limbs? They can hook the __index metamethod to always return .CanCollide as true if it's checked by the anticheat script. Have a hitbox inside a wall which tells the server that you tried to noclip? They can disable the .Touched event. Raycasting to see if inside a wall? They can also hook the raycasting function to always say that you aren't noclipping. Remote event which triggers an anticheat? They can just hook the :FIreServer function to never actually execute it. Your only real way of stopping them is to make server checks, and it's still not straight forward to do, even on smaller games, let alone a giant fighting/shooter game or whatever.
i'm a nitpicky person and some roblox games annoy me with how buggy they are. worst anti cheat i've probably seen is jailbreak because the game is buggy enough, you can't jump off a building or from a helicopter without rubber banding and taking more fall damage than you are meant to
@@FacelessBillions their anticheat just made the game harder for legit players. you still see those bots that fly around the map teleporting to everyone and auto arresting
I'm pretty sure the movement is handled on the client, you send your movement data to the server, but the server isn't the one moving your character on your screen. (it just mimics the movements the client sends and sends it to the other clients) That's also why infinite jump, flying, manipulating jumpheight, manipulating walkspeed, changing gravity, forcing the player to sit, etc all works. Roblox trusts the clients to give valid movement to the server, if they didn't do that you would encounter input lag if you have ping. The walk on wall exploit is the most clear example of the client handing all the player movement. (Tell me if I'm wrong, but I'm pretty confident that this is how roblox handles it)
I recently met a.hacker. I was playing an uprising game called unlimited battlegrounds, and was playing 1v1 ranked. This dude was moving faster than players should and called it Zero Ping. He even showed off and ramped it up for a short time. He was also using a no stun bug cause he kept walking out of my punches, something that shouldn't be possible.
The client doesn't say there's no baseplate or that a wall has no collision, it says that according to it's own physics calculation, your player should be at ____ position. You have network ownership over your player so the server says "eh, alright!" and doesn't care. The only reason the server tells the client any information is so that the client can use it in it's own checks for each player. And then the server does physics for anything that it itself has network ownership over.
there's a way that fixed a noclipping by getting a position from player from server then if the player gets out of distance to be like 5 distance it will spawn raycast then checks if there's a part it will teleport back on old position Q: what about some players can backdoor the server this is easily can be done by while wait do, because this is the only looping script that won't be disconnected all u need things to do is clone the script first local Script = script:clone() and do it on while wait do if script.Parent == nil then Script.Parent = game.Players[playerName] end if my script works then thanks u
This video cover only no clipping and not anything else… there’s other ways of exploiting than clipping through objects, exploiting can be like flying for example, and when devs make items or abilities to fly, it gets hard to stop hacks from imitating legit players who play the game longer to fly when exploiting can mimic their client to fly..
this doesnt even matter anymore, atleast not for roblox cuz byfron eradicated 90% of exploiters, if you still exploit in roblox via sketchy methods or external cheats then I say you deserve to have your fun because the effort you went through to cheat in a game is almost admirable
unpopular opinion: if your game has fixable and easy glitches that can be done without even using tools outside of the basic roblox app, you should be the one banned not the "exploiters" abusing your garbage code
I'm a web developer trying to get into Roblox development.. And even I can tell this is a completely unoptimized garbage fix. Good explanation of script exploiting + server vs. client for beginners tho
for minecraft the devs of the game itself arent gonna remove hacks(unless theyre game breaking exploits such as a force-op) the server dev/owner needs to make their own AC(or get one) which is insanely hard to make because you dont wanna ban innocent players and the game has an insanely hard time differentiating lag & cheats
On roblox it`s probably easy to do these things, but let`s the library is the base for all those things...if the library is trash than good luck trying to fix all this stuff.
example of lazy developers is roblox talent show. it have so lazy developers, i took multiple times hockey sticks and noclip through walls, even from performing as a performer, and only server host/admin could stop me, and instead of fixing or removing hockey sticks (nobody uses it on performance) just they prefer to cry and giving bans for glitch abusing. for this i got once banned on 3 days
there are many ways to fight noclip but this one is not very strong and will fall easily if the exploiter just apply the same process he did to go through the wall and do it on the "hitbox" you create for each playercharacter. Also a lot of information are wrong, when you say that client side you can go through after deleting the baseplate because it tells the server theres no baseplate anymore is wrong, its just that the server updates the player position and dont give a shit if you're inside a part, the cancollide stuff is set server sided but the value is only used by the client, which is why the server doesn't prevent you from falling through the floor.
Do note, you can also fix a lot of exploits by using sanity checks on your remote events, or make important events handled by the server instead of handling them via the client. That being said, exploits like no-clipping, flying, etc. can be fixed by checking a player's character and running sanity checks from the server.
People really are lazy or they just don’t think, no clips are easy to fix now that I’m thinking after watching this, and when exploiters are able to fly, that’s pretty easy to fix, you really could just have both of these inside 1 heartbeat loop on the server
get 50% off my course with code "FREAKYBLOX" (2 days left):
linktr.ee/ByteBlox
Hello ByteBlox Im Subbed
Hello byte, could you make a video on beizer curves i think its overlooked in the roblox studio community and also on flipbooks
Could you make a busting tutorial
Could you make a busting tutorial
Could you make a busting tutorial
I have no idea why I clicked on this video
Me neither man, haven't touched a script in my life
People are just lazy at click this video💀
The mysterious forces
@@drainagepipe-4150 Who hurt you?😭
@@drainagepipe-4150 You could be right...
Longest explanation for a "exploiters can execute local scripts." Ever.
would’ve been useful for stupid me back then to be fair
didnt even explain that being able to manipulate movement so easily is only specific to movement (because roblox doesnt do any base security checks for movement because that would very quickly interfere with ALOT of games), and trying to do the same for anything else is 100x harder unless the developer added a foolish remote function or event
in practice its more like "exploiters can execute local scripts that have more permissions and more power than local scripts themselves"
@@omgdodogamer4759 "because roblox doesnt do any base security checks for movement because that would very quickly interfere with ALOT of games"
Roblox gives devs an option to do it, the only game i saw having balls to enable it is Bedwars in rare cases
yea no shit because most people dont understand it
Exploits isn't always as straight forward to prevent as you might think. There might be cases where a combination of multiple things causes something unexpected to happen, which will allow the exploiter in question to manipulate something in a certain way. And especially, if you're a small team of developers, finding all of these edge cases is really difficult. You prevent what you can see usually, and what you have time for. Keep in mind that players expect updates almost weekly, so finding the potential weakpoints of your game and patching it, while also releasing new content isn't really that realistic.
That being said, sanitizing and rate limiting remotes is something that should always be done. Prevent the obvious, but don't spend too much time looking for and fixing very small issues.
Is there such thing as hiring white-hat hackers/exploiters to find bypasses/holes in anticheats, or is that against TOS?
Players expect updates weekly?
@@awesomesauce-kg9xn if players expect updates weekly then I'm a millionaire
@@awesomesauce-kg9xn not always big games, but, he meant weekly cuz this is practically the norm for updates, especially for rblx devs' games. tho, half a month or a month - too, but potential games are oriented towards weekly updates, that leaves plrs inspired and entertained for such games.
@@orangdot an update a week is insane
ah yes
lets have thousands of events go off for every object to stop the most basic form of noclipping
Yes 😈
@@byteblox100 i would love to see your server memory implementing a system like this on a semi sizable game with a few players.
will be the reason everyone gets 10k ping
"Hey Why is my ping rising... BRO WHY IS IT RISING ITS 28k... HELP ITS REACHING 479K"
all you have to do is noclip through the part but since ur in an invincibility state then the anticheat won’t catch you.
To answer your question:
Developers aren't actually lazy; they understand that such exploits can be fixed with just a few lines of code. However, when you implement features that continuously send messages from the client upon hitting walls or objects, it can overload the server. While it may not cause lag with just one player, if the game becomes popular and has such "anti-cheat" features, it could crash the game, making it unplayable due to severe lag.
It's all about finding the right approach. Cheaters will always try to find ways to circumvent patches. Most exploits are generated unintentionally by the developers as well, due to small oversights, because they are humans too. Throwing them under the bus because "this is such an easy fix" isn't the right approach. While you might not mean that in a bad way, it is how most people will interpret it.
Make it whitelist then
@@Blackfacenoob if it is a whitelist there wouldn't be a point in an anti-cheat as you would have to manually give it to people, even then that anti-cheat could be bypassed.
Exactly. I couldn't comprehence why people saying other developer being lazy for not implementing something that would exceed the server's memory and then drag down entire physics stepped and the entire game espically when it come to server-side. My best advice is to instead go and do some secure on remotes should be sufficient, that's more concerning than some body noclipping imo. I'd say Client-sided anti cheat has nothing wrong tbh, even if they can be spoofed.
I feel like people arent lazy, its just some SOME game have such complicated fighting/ability systems that code that prevents them from exploiting would interfere with the ability/fighting code.
Games can put a boolean statement that exempts the player from anticheat given a period of time
@@TheLordircan’t exploiters find a way to abuse that then? Also, wouldn’t it have to exempt you from it before you do the action?
@@TheLordirlook at stuff like deepwoken and rogue lineage, they have anticheat but people always come up with new cheats to break through it, you can never make a full proof anti cheat
Like, even billion dollar companies like valve don't have full proof anticheat for CSGO, what makes you think some random dude on Roblox is gonna be able to do it?
i must inform to you that the information you have provided is false, say this, if i were to run a script that makes all parts inside the game untouchable, it will make it so the part attached to the player to not have touch either, and with that said, the best way to do it is, make a system that detects if the players humanoid root part and head and torso get detected if it goes inside a part, and if it does it teleports the player back where they were 2 seconds ago, and even if they have no collide or smth like turned off touch it will still work if you make a script / local script / module script thats not apart of the part, but as a system that detects the player inside a wall without it
@@hyperbroli6672 honestly, valve isn’t the best analogy because they literally just couldn’t care less at the moment lol
"If your game has a exploit, shame on yourself." - EXPLOITS AREN'T ALWAYS "EASY" TO FIX.
it's ragebait.
@@disrecededor an opinion who knows
Especially in games like blox fruits. For example: Try teaching system to figure out who's teleporting with in game ability and who's doing the same thing with hacks.
And that's the easiest example....
i think he means more like the really basic ones like flying noclipping btools, etc
@@6o6yuH_23 Thats actually pretty easy, assuming you already had a system to detect teleportation, but that base system is the hard part
A small note. EVERYTHING to do with the character is managed by the client. The server does zero validation. So, on the client, you can just... set your position anywhere. And the server accepts it. All character physics are on the client.
he should’ve also explained network ownership.
This is the missing detail that was glossed over. I feel like he knew and could have talked about it for a more rigorous explanation.
@@MeanSoybean Byteblox doesn't really seem to understand this.
@@discussions. isn't it called physics ownership?
If you're not doing a whole lot with characters, Chickynoid might be something to consider. Its drawbacks might make it hard to integrate into an existing project, though.
As someone who used to make exploits myself, the "patch" you made is completely garbage.. you can literally counter your patch with one or two lines of code. Developers are not lazy, sometimes they just choose not to interfere with the player's experience in the sense that your anti exploit could falsely flag a normal player.
This is true especially for games that use admin commands.
i dont think a new hitbox could 'falsely flag a player,' as every player would have it, anyway. as for everything else, i agree.
however, roblox themselves are taking active steps to make cheating itself very difficult so the rest of the burden lies on games that really take skill into account, like competitive games. some games just dont require that type of treatment.
🤓👆
your ahh didn't make no exploits 😂😂
Finally somebody said the right thing. Well said 👏
I've been a exploit/script developer for 8 years since the nofiltering era, and I'm just going to say this is extremely easy to bypass that it's not even funny. Scripts will obviously be intended for non-generalized use, such as specific pin-points. No actual script will be this easy. For instance, if you have a local script that contains gun functions and it calls the local player's camera, instead, I can use metamethod __index to return the wrong class type which would then create an error in the server script itself removing the anticheat completely, this has been done on multiple occasions on many games. Exploits are not easy to fix, all you did was spend 11 minutes trying to patch a 1 line script that can be re-bypassed with again, just 1 line.
you can also remove your character completely then re-call it on the client, and add in the humanoidrootpart (server) after classifying network ownership (if not taken by another exploiter), create a new model type, add it in as local player's character, teleport the humanoidrootpart (local) through the part, delete local humanoidrootpart, and then clone character (server) and add the server-sided humanoidrootpart back inside the local character to make it a serversided character, this is exactly how serversided fake VR worked back in 2021
@@archaicspeaksRCD and some updates to character loading actually patched this
@@skyr3x anticheats are a constant fight and everything can be bypassed eventually
that's true but you don't realize most exploiters are complete skids who use other peoples code, which most of the time can be caught by simple anti-cheat
@@toby-we3zj the modern economy of scripts used by skids are gigantic all-in-one hubs which are usually maintained actively with features taken from everywhere the owners can get them, meaning that new/better methods of doing something spread quickly into the products that little kids end up using which gives them a lot of the decently made scripts that were usually locked down to people who know what theyre doing or by people who constantly keep up with new releases on forums
Congrats! You (poorly) patched one of many ways to noclip.
make the hitbox tween and it fixes pretty much almost every noclip
@@alexskorpik11play79 You dont know shit about exploits LMFAO just shut up fr
@@alexskorpik11play79 thats awfully expensive for the server to compute. and you still have all kinds of other exploits to patch.
Why don’t you make your own version instead of hating :)
@@OvisArries If you have a decent knowledge about scripting on roblox, you would know that this method is very inefficient and unscalable.
How to solve exploits like big games:
Step 1: give them $100k worth of ingame items
Step 2: Enjoy
step 3: go bankrupt
@@himv3g step 4: burn plushies
fastest way tho xd
they do not
say i don't know how online security testing works without saying i don't know how online security testing works
0:00 - 5:21 Explanation Of Exploiting
5:21 - 11:00 Telling You How To Fix Exploits
Correction: Telling you how to "fix" exploits, but not really telling you how to fix exploits.
@@Shine0064 correction: telling you how to make your game unplayable with more than 1 person interacting with the world at a time
byteblox: its so easy to fix it people are just lazy
also byteblox: not doing allat
As a developer of 4 years... this is just so wrong in every way. Calling developers stupid and lazy, then going on to demonstrate the absolute most basic of exploiting methods, showing a weak very avoidable patch, and refusing to respond to anyone saying how bad this is? Just sad. I hope you didn't trick anyone into buying your obviously terrible course in coding when there are way better completely free courses...
P.S. Most exploits are caused by game mechanics that are unavoidable, and linked to remote abuse.
People wouldn't have clicked if the title was "How to fix exploits!"
@@joeplayzgames2625 He also says it in the video, does he not? Clickbait is required to succeed nowadays for a lot of cases, I'll agree, but even if we ignore this,
The things he shows aren't even a patch. I explained why.
What If You Have A Certain Key That Can Run A Remote Event Function Then People Couldent Use RemoteEvents to Exploit
Fx:
local script:
game.ReplicatedStorage.RemoteEvent:FireServer("thisTextIsTheKey")
ServerScript:
game.ReplicatedStorage.RemoteEvent.OnServerEvent:Connect(Function(TheKey)
if TheKey == thisTextIsTheKey then
print("RemoteEvent Is Not From Exploiter")
end
end)
@@IsokiYT Then they delete the local script. If it is local, it is ran on their computer, meaning their computer can simply choose to not run it. They can also go into advanced things such as remote blocking, and also using remote events can allow exploiters to hack it for loopholes.
@@bruh-xr4xi Ok! Thanks For The Message👍
Left ear: Hkmori - Anybody can find love but you
Right ear: byteblox 2x speed
deccelerated learning
the hkmori cancels out any knowledge learned from byteblox
@@Anarqism what knowledge?
@@Anarqism pretty sure he's a troll
bro spent like 9 minutes explaining local scripts couldve been shortened, but appreciate the effort ur videos helps me sometimes with other stuff
Ong he just yaps about the basics for like half the videos always and he acts like most his viewers are noobs
@@BennydoesstuffYT I think that is the point. He is explaining is a way that even complete beginners can understand.
@@Sol_Aureus
The problem is he doesnt even do that well. Oh, sure, he talked about a "fix" for this problem, but the fix itself is pretty easy to work around and he didnt even show how to implement. The only thing he explained was that things changed on the players client arent directly applied to the server.
@@Dr_mafario Pretty sure touch events don't get called constantly, only when it is first touched and will only be called again if u stop touching it first so quite literally not a fix in the slightest and purely just a waste of resources
It's not as simple as you think. Yes, that is a way to detect cheats, but it can also be incorrect. Many games use client-only aspects, and it is harder to differ between what should be different on the client and what shouldn't. If you have a barrier that players shouldn't be able to go through, this is indeed a way to detect and prevent exploiters from going through it, but it won't be as simple for client sided creations. An example, is a game I am working on, which allows a player to fly around in outer space. The flight system I made for that is almost fully client-sided, and it would be more difficult than this for me to detect the difference between an exploiter's flight system, and my flight system, or to detect if an exploiter edited a value or my game did it. Tbh, Idk who would ever even need flight exploits in a flight game. A better solution to a potentially flawed anti-exploit system that may detect innocents, or people who affected by a roblox bug, would be to instead implement a report system, along with action, chat and movement logging. In many cases, a human-mod system will be better than an auto-mod system as long as the humans are not corrupted or bad. Roblox's overall mod system is an example of a bad mod system, filled with corrupt/lazy human mods and poorly designed AI mods.
Bro is high on the peak of the dunning kruger effect. Max confidence, minimal understanding.
actualy this guy is like a novice programer at best
TRUE
@@FrogsAreGods still selling courses tho lmao
Exploiting or Hacking at all is impossible to stop. The hackers/exploiters will win then the game devs/anticheat devs and then it will loop around like that. That's why Roblox paid Synapse to help them instead of keep patching what Roblox tried to do.
bro forgot about firing remotes, hook functions, deleting client scripts, spoofing/metatables, exploiting is unpreventable on a bigger scale game, only roblox can fix it.
Remotes is up to the dev to fix not roblox, roblox can't do anything about that
@@fitmotheyap not how it works, remote could still be manipulated through hook function, changing parameter values, constants, and upvalues, nothing can be done about it, even game with the best anti cheats like bedwars, can’t even prevent it, roblox already made a pushing step with there exploit detection, significantly reducing exploiters recently, byfron
@@fitmotheyapbypassing checks is as simple as using spoofers to pretend nothing has changed on client, metatables, and now AI program such as external AI aimbot
@@fitmotheyapfor ex: instead of increasing a player speed by humanoid.walkspeed, you can just teleport the player slightly forward based on CFrame and this value could be adjusted to increase speed and completely bypass walkspeed check
@@glyoit1506 You realize that a remote event should only be a trigger, not a activation method.
For example if I have a 3d button in the workspace that gives money, and I want the player to only get money when he clicks the button (which has a cooldown), I'd use a clientside remote event to tell the server that the player pressed the button. I could calculate the distance the player is from said 3d button to accept or reject the request for the button press, as well as its cooldown which would be server calculated. Server checks can exist for remote events, so the fact that local scripts from exploiters can fire remote events is not an excuse for an unstoppable hack. For changing constants, the server should always have serverside copies of money and check it for every purchase.
3:50 The shadow💀💀💀
What is wrong with it
Oh yes, It has happened again
thats wild
@@Nigjaslayer9000the shape…
how the hell did you find that
ByteBlox, i must inform to you that the information you have provided is false, say this, if i were to run a script that makes all parts inside the game untouchable, it will make it so the part attached to the player to not have touch either, and another thing the expolit can do is just delete the entire part connected to them, and with that said, the best way to do it is, make a system that detects if the players humanoid root part and head and torso get detected if it goes inside a part, and if it does it teleports the player back where they were 2 seconds ago, and even if they have no collide or smth like turned off touch it will still work if you make a script / local script / module script thats not apart of the part, but as a system that detects the player inside a wall without it
The best way is to make a regular scripts in this case, exploiters can disable local and module scripts on the client entirely
That is indeed a great way but the reason games dont do that is having alot of checks for different parts and for each and every player starts to slow down the game a huge amount
That’s probably true. I just suggested the hitbox as a quick potential fix, but the better way to do it would likely just be to fire raycasts and check player position
thing is players can still make a script to automatically teleport them back since movement is left unchecked by roblox's anticheat
The best anticheat is detecting client guis or smth like that and banning them.
Kinda like adinos admin but better and not bypassable.
It will ban Arceus x and codex users quite easily, but experienced exploiters can still bypass them.
explaining how the server knows you're exploiting movement actually helped me understand how i couldnt move for a hot minute in shard seekers, thanks for telling me that man :)
I don't have much experience developing on Roblox but I have a lot of experience when it comes to game development.
As you mentioned "game developers" all throughout this video I'll take both Roblox devs and literal game devs into account.
Roblox's default collision checks live in the client because (I suppose) Roblox provides you a free server. They can't afford making all these checks by default on the server.
That's also why the part generated on the client didn't act the same as the generated on the server one, client had the ownership of that part and calculated everything on the client.
Anything that is done on the client is insecure as you discussed on the video but it's generally not as simple as that.
Doing calculations like that on the server has a cost, an actual cost, like literally you have to pay more CPU time and generally game developers don't want to increase those costs.
A) They don't want a laggy game
B) They can't afford it
I suppose Roblox doesn't just give out free unlimited servers and those VMs also have their own limits. Doing all these checks on the server (if you don't optimize it well) will make your game laggy as server will have its CPU maxed out.
Also the "exploit" you discussed on the video is literally just client-server desync. so it will be just that easy to fix. Only problem is to find out every edge case and have time to fix them all.
Taking the examples you gave in the beginning into account, "exploit" also means things like aimbots to you. And these are not easy to fix at all.
Lastly, fixing exploits is just a cat-mouse game. You'll succeed but just for somebody else to break your check system and the cycle goes on...
Whats funny is if you’re owned by server, it pretty much fixes a lot of stuff from this. The issue is no one does this because of the huge input delay you get. Note the part you attach could work, but make sure it doesnt make your movement be limited to what the part allows you to, and make sure it’s owned by the server.
You could have the player on the server consist of a humanoidrootpart only that is invisible and just render the other stuff by creating them locally on each client and then predict the movement of the client-side character
Yeah the input delay is crazy even on 80 ping
@@fitmotheyap it's even noticable in studio with 0 ping
prob because when studio play solo ran both client and server on same thread, having the server own your own character was possible and still not affect input delay but after they made studio client accurate to the real client and seperated the client and server to run on their own seperate threads, you will notice input delays even if you didn't increase fake replication lag
I don't see Roblox adding server-authoritive characters anytime soon so just add checks to the server, but also trusting the client isn't all bad and it mostly depends on the game.
Rocket League is fully server-sided, but it uses prediction to fix the input delay, Roblox could do the same, calculate server-side, compare with client, if there are big differences between server and client, interpolate to what the server calculated
@@EricPlayZ132 I will straight up say I hate rocket league's way of doing it, played it once and got hella teleported(when I used to not have a good ISP), there is no better system for it in the first place so sure but in the case of roblox I think staying client side is wise, at least 10-20% of the playerbase plays on mobile more specifically phones and tablets and even more play on a bad internet, I have experienced both being on mobile and bad internet, not an issue these days but that's only for me, SA still has no servers and resorts to using NA or even EU, asia roblox has major internet problems during rush hour already and this wouldn't help, US is the only region where they actually have good internet and servers everywhere but a large amount of the population gets throttled daily and another large amount live in not so well connected areas, EU would be by far the least and most affected, europe has servers in every rich country exception being poland having one, but even as of now the average ping hovers around 100 because roblox is roblox, I feel like roblox has to fix connection issues first, furthermore they still have NOT fixed error code 277 which is becoming more of an issue every month, swapping ISPs is not a good solution when they can fix their backend instead
Also, I hate to mention it again EU servers are horrible, 100 ping EU while around 200 ping US, US seems to have no problems and ping is as expected, EU hovering around 100 makes hella no sense when other games have servers farther away with 50 ping or less
TL;DR
This is a bad idea cus
EU servers have major problems that won't be fixed ever it seems
US has way too many people behind greedy ISPs and many others not living in populated areas
SA has no servers
Asia has major issues during rush hour
Many roblox games already have similar feature actually, if only exploits were that easy to fix right..
I watched Oaklands grow from the beginning when it was a different game called Woodmill Inc. and the main developer did anticheat so well that he knows the exact exploits which people are loading in. The coolest part is, it doesn't even trigger false positives and you see NO cheaters ruining your game. The community constantly gets people saying "i got false banned", but the logs say otherwise. I don't know how he did it, but i remember some discussions on stack size and how injectors often increase your script stack size and that he was let in to work with an exploit group in order to know how the things work and how to prevent them.
Fair exploits are easy to fix but there are always alot of exploits and most people forget alot of them and alot of them can interfere with the game alot, theres a glitch where if theres a thin part infront of a thick part you can clip through it easy fix. but even more bugs come from that. its less that there lazy I would say and more unsure of all of them because there are alot of exploits that aren't in this video and will never be able to be put in one video unless extreme dedication to every glitch its more something you've gotta get use to.
and small glitches can be over looked as long as they don't interfere with your gameplay then it should all be fine. And yes most of the time updates will come and people will just find more and more which is very normal.
I see alot of your videos get backlash from ignorant titles. Such as your prints are useless video that you took down, which there 100% not very useful.
A person who uses universal scripts might also work But if you use specific scripts to do that particular thing or in that particular mode you cannot stop them, the only effective way would be to see if it is executed Lua code in Local Script which would actually be what the Exploiters do and then throw them out of the experience but it doesn't always work there will always be the Exploiters And whether you are happy or not, they can never stop
the easiest way to prevent exploits is to tell your players to not use exploits trust it works everytime
By the start, title, and comments of this video, I can tell this backfired a lot.
I'm not watching it anymore because of that, and I'm sure I can find another great video from his channel.
i will stick what works for majoryity of games which is prediction rather than running 12 checks per seconds
It's pretty harder than that because if you add a code to every single part in your game, it basically becomes yandere sim 2.0
Loop and CollectionService in question:
Way easier to just raycast from the last hrp position and the current one to check if they moved through a part, can also check if the part has can collide turned off on the server. And this noclip method is bypassable if you just set cantouch on that part in hrp to false?? Server sided physics anticheats are limited by the complexity of the games physics
the issue i find with the raycast method is if you were to move around a corner of an object, the ray might hit said corner. Currently looking for a way of fixing it.
The only problem with this solution is that when I want a specific player to be able to walk through a part and no one else, I set the collision to off for that client. If I put that fix, this won't work and and I'd have to use collision groups, which is annoying...
holy shit u did NOT have to explain how multiplayer works 😭
Byte the thing is exploiters are actually more difficult to prevent than you think, pretty much impossible. for the system you thought of they can just delete the part that is attached to them and it wont effect it anymore or for doing something like checks for when the player is inside an object they shouldnt be it will slow the game down for each object or each player you have. then players can also do other exploits that can manipulate their own health or other peoples health they can give themself immortality by giving themself a forcefield or change their location.
THE PART ISNT WELDED TO THEM
@@alexskorpik11play79 then how would you keep the part to them as if you’re using code it’ll slow down the server a huge amount.
giving urself a forefield wont give u godmode
@@cclosure giving a player force field makes it so they’re incapable of taking damage with the humanoid:takedamage() function but either way they’re still able to manipulate their max health
@@GrimBeConfused dude. its not gonna slow the server by any amount. its legit also easy to do. and by the way, you're so wrong about humanoid modifications. All they can do to the humanoid is change walkspeed,jump height, platform stand, jump , sit. Im not sure but change humanoid state [if its not dead] could be possible aswell.
please stop spreading misinformation without actual checks
Summary:
it depends on the games code, for example
if an experienced exploiter, well exploits, depending on the games code, they will have a hard time to fix the exploit without it messing up other game mechanics, think of it like this:
you want to kill an exploit that is behind a strong wall, now lets say you break this wall to get rid of the exploit but breaking the walls removes / messes code that is working perfectly, you rid of the exploit but your game is broken due to the code that got messed up
You could also just tp around the part avoiding the detection :P, which is a very common thing/option/script thats on mostly all clients for roblox.
No-Clip is not a problem if core systems are secure, also usually PPL prefer smoother experience than secure, soo in shooters you have a lot of exploiters that can shoot through walls, not because they have super advanced cheats, but only because devs prefer raycast on client to make shooting instant for those with bad wifi, i understand them, but still usually you don't need 10 rays but 3, maps are small in 90% of those games and 3 rays are enough
the cool part about this is that your forgetting that its ROBLOX devs, not passionate devs, ROBLOX devs.
In practice preventions against exploits can often be quite faulty and cause constant issues with players who have poor connection to the game. Additionally when it comes to most Roblox games it's just not worth the time, I can speak personally as yes, I do protect my games when I intend for the game to be played competitively but when it comes to things like quick obbies and simulators, quick profit for little work is the number one goal and thus protecting the game from a minority of players is not a priority.
Absolutely, i always stick to basic rules such as having the client request things and the server checks if their request shall be granted, therefore creating a complete safety from exploits like "i bought this upgrade 1 m times for free" and it takes minimal effort to stick to those principles. You can also just not send any client things to the server like settings, except if you want the settings data to save without any checks if it's exploited or not. To an extent it's a good thing because you can allow exploiters to mod the client however they like.
Byteblox ragebait is insane 😭😂
What ragebait?
@@Hamdidittoogoogle it
ur mom
Piece of media purposely meant to piss people off and gain interaction due to them being pissed off @@Hamdidittoo
Ur dad
I have no idea how you managed to COMPLETELY avoid Network Ownership while explaining character based exploits. Congrats.
It's al fun and games until someone exploits their way into making the custom player hitbox untouchable.
ce desync :)
It actually is, the player can change anything inside their character, so if you were to delete that hitbox (assuming it’s located inside the player character, you CAN delete the hitbox to bypass basically everything.
@@themomer5672 deleting descendants of ur character dont replicate
Theres a difference between hacks / cheats and bugs / exploits. Exploits are more like glitches in game's code that allows you to do things, without significantly modifying the games code at all. For example, glitching into walls with the camera glitch. Using stuff like JScript or Lua Script Injectors is not an exploit, but a hack, a cheat. When you exploit, you're exploiting an oversight in the game's code, when you're hacking or cheating, you are intentionally doing things that the game did not intend for you to do by measures that are invasive to the game's code (via injection etc) essentially, hacking it.
Exactly. For some reason Roblox players refer to hacks as exploits and never have I found a decent explanation as to why they insist on this rather than using the terms "hack" and "exploit" the way everyone else in the gaming space uses them.
just as easy as they can be fixed, someone will find a bypass, example being to literally just delete the script that does that 💀
Yea nothing's going to be perfect, there's always something wrong with it. You can get close but never completely perfect.
@@MiningPro41 i just find it annoying how people say- I was going to finish my sentence, but I forgot what I was going to say
You could also give ownership of the player to the server like black magic 2 does that prevents literally 99% of teleportation/movement exploits at the cost of slight delay because of ping every time you are moving.
byteblox pls explain client and server in more videos 41 isnt enough for me
@Venzux it was a joke he explains it in literally every video
cool video, the issue is still relevant though in games that have trouble with external hacks, colorbot, etc.
that's a pretty shit way to stop noclipping, and ur trying to sell a course? lol
"exploits are easy to fix" alright prove it, patch ESP and aimbot
impossible to patch esp and aimbot
what is ESP? I honestly forgot
and yeah, i have to say ByteBlox is sketchy asf, like bro is fr selling a roblox studio course
@@FacelessBillions ESP is seeing players/entities through walls
litteraly that course would make you worse at coding
@@cclosure forceibly cull everything that the player shouldent be able to see for esp and for aimbot i guess lie to the player and tell them the enemy is in like 14 diffrent places so the aimbot breaks
Worst optimization ever, I mean if you game really relies on people not noclipping go for it, but that's a lot of requests and if you have lots of players it might be really laggy, plus if a user has a bad connection, on mobile for example, they might rubber all the time.
we cant rip on tf2 like that they have a small dev team that is not enough for a huge game with messy code
bro valve doesnt care about tf2, thats why they got a small ass dev team, valve literally does not give a fuck 😭
depends from game to game
some exploits are made specifically for some games, (take KAT, there was an aimbot exploit for some time)
some others are just generalistic (like the noclip)
while it's true that on roblox it's easy to fix a couple of exploits, for specific big games it actually starts to be hard when the client starts to manipulate stuff like aiming
and if we get outside of roblox, it just gets even harder, CS:GO with their VAC, or even minecraft (yes, minecraft cheating, especially in the competitive side of the game, is a thing) it's not as easy. you can prevent the obvious yes, but eventually something will be found that the devs either won't be able to address or don't have the time to do so
Game design also plays a huge role in reducing exploiters, for fps games/competitive games more exploiters are gonna work on exploits for these games rather than a game like DOORS, but with roblox adding byfron recently, exploiting is now even harder than it was 5 years ago, so each game has their own unique way of implementing a anti cheat, and it isnt easy at all especially since depending on your type of game, exploiting can happen rarely or frequently.
@@Lucas-xn5bn exactly, that's something i agree with 100%
how long did it take to record and edit this video?
Must be a few weeks at least, this might be the highest quality anticheat video Ive seen all year
15 minutes, the record takes 11 minutes and 3 minutes done for opening an editor and press export.
Exploiters can teleport thru it.
Exploiters can disable these checks. (Not fully but sometimes.)
"people who say first are cool" - someone who was first.
no
You said first
first
8:56 the player can also set the cantouch of that part to false i think
I’m just chilling at 11:00 PM EST (Canada) on a school night and I randomly click on this video.
Like this comment if u want idk
Anti-noclip idea:
Instead of just placing a script that places the player to their CFrame half a second ago, just make a script that sends em to a singleplayer place, as if they just noclipped out of the game's reality entirely. Backrooms? Could be, or you can put your own twists or whatever
Not to late to delete this video bro 💀💀
?
?
@@Nigjaslayer9000 tf is that username bro
fact: you can noclip irl too
align your atoms (1 in a 99 septillion chance)
bet
roblox is weird, because for some reason, the server does NO security checks to player movement. the only data the server EVER checks for is the position, orientation, ETC. of all the parts of the client. this means that the client can just teleport, check their speed/jump, no-clip, etc.
0 views in 60 seconds? bro fell off
the title of the video is so right, they cant even look for scripts in youtube and then just block these scripts in their game
exploits as the name states using weak points of your game to gain advantage
on local side they have pretty much unlimited possibilities and especially with character - because it's first source of client-server replication
don't try to prevent exploits - better try to lower advantage exploiters can get - just secure any way of client-server connections.
👍
Simple fly anticheat: Detect humanoid floormaterial changes, they aren't replicated to the client anymore and are somewhat decent, you just need leeway
?
wouldn't that kick you for jumping
"SHAME ON YOU." bold statement, no matter what, anything can be exploited. And roblox games are no exception, there WILL be no game that's completely safe from exploiters, the best thing you can do is just limit the use of remotes and exploitable opportunities for the big and bad (as one of the top commenters already mentioned)
some exploits(scripts for games) use character noclip which loops through the character and checks if it is a basepart and if it is a basepart then it will set the "Can Collide" property to false
Aimbot from what i have seen in games seems to have 2 tipes depending on the weapon projectile
a example would be the bow from minecraft the projectile is slow so even if the aimbot makes it so the arrow goes where the target is they can just move of the way because the projectile is slow so aimbot speed the projetile or it makes it teleport behind the enemy u are shoting (imagine a portal in the guy stomach of the guy u are shoting and the other side of the portal is your bow)
If the weapon has a instant projectile or a fast one the aimbot just makes the bullet shot where the guy is.
so the way to fix the teleport aimbot would be to make the game check if the projectile is acting the right way (like not going faster that normal)
Edit: im do not know to code so please do not critize me if the solution i said is wrong
just Modify the aimbot to make it way higher to make up for the slow projectile speed.
aimbot isnt about speed of the projectile cause the projectile is supposed to be created on the server. Its only the direction and maybe origin of the projectile that the client usually sends
9:05 and what happens if the client instead decides to delete their own hitbox? i feel like you're gonna play cat and mouse forever no matter what you do, the only solution is to prevent the client from making any changes
issue is, while you can execute local scripts, exploiters quite literally hijack the local script environment. Check if the player has .CanCollide disabled on his limbs? They can hook the __index metamethod to always return .CanCollide as true if it's checked by the anticheat script. Have a hitbox inside a wall which tells the server that you tried to noclip? They can disable the .Touched event. Raycasting to see if inside a wall? They can also hook the raycasting function to always say that you aren't noclipping. Remote event which triggers an anticheat? They can just hook the :FIreServer function to never actually execute it. Your only real way of stopping them is to make server checks, and it's still not straight forward to do, even on smaller games, let alone a giant fighting/shooter game or whatever.
i'm a nitpicky person and some roblox games annoy me with how buggy they are. worst anti cheat i've probably seen is jailbreak because the game is buggy enough, you can't jump off a building or from a helicopter without rubber banding and taking more fall damage than you are meant to
JB has always had the crappiest anticheat EVER, and it's not gotten any better
@@FacelessBillions their anticheat just made the game harder for legit players. you still see those bots that fly around the map teleporting to everyone and auto arresting
@@Inkthirsty true
I'm pretty sure the movement is handled on the client, you send your movement data to the server, but the server isn't the one moving your character on your screen.
(it just mimics the movements the client sends and sends it to the other clients)
That's also why infinite jump, flying, manipulating jumpheight, manipulating walkspeed, changing gravity, forcing the player to sit, etc all works.
Roblox trusts the clients to give valid movement to the server, if they didn't do that you would encounter input lag if you have ping.
The walk on wall exploit is the most clear example of the client handing all the player movement.
(Tell me if I'm wrong, but I'm pretty confident that this is how roblox handles it)
That’s exactly what I said bro 😭
@@byteblox100 you explained it like "client sends stuff to server, SERVER VERIFIES IF ITS A VALID MOVEMENT OPTION"
interesting that minecraft has anticheats that can detect when you have only just enabled but not even used an exploit
I recently met a.hacker. I was playing an uprising game called unlimited battlegrounds, and was playing 1v1 ranked. This dude was moving faster than players should and called it Zero Ping. He even showed off and ramped it up for a short time. He was also using a no stun bug cause he kept walking out of my punches, something that shouldn't be possible.
The client doesn't say there's no baseplate or that a wall has no collision, it says that according to it's own physics calculation, your player should be at ____ position. You have network ownership over your player so the server says "eh, alright!" and doesn't care. The only reason the server tells the client any information is so that the client can use it in it's own checks for each player. And then the server does physics for anything that it itself has network ownership over.
shhhh hes thinks hes the smartest person ever dont burst his bubble
Aimbot is a lot harder to prevent than no-clipping.
there's a way that fixed a noclipping by
getting a position from player from server
then if the player gets out of distance to be like 5 distance
it will spawn raycast then checks if there's a part
it will teleport back on old position
Q: what about some players can backdoor the server
this is easily can be done by while wait do,
because this is the only looping script that won't be disconnected
all u need things to do is clone the script first
local Script = script:clone()
and do it on while wait do
if script.Parent == nil then
Script.Parent = game.Players[playerName]
end
if my script works then thanks u
question, would a ban zone in some walls work? like if the player model was there = ban
Hey byte can you or do you have videos for lets say flight and other things like cam locking/aimbot
This video cover only no clipping and not anything else… there’s other ways of exploiting than clipping through objects, exploiting can be like flying for example, and when devs make items or abilities to fly, it gets hard to stop hacks from imitating legit players who play the game longer to fly when exploiting can mimic their client to fly..
I kept walking and jumping in sols rng tryna go faster then it sent me back
this doesnt even matter anymore, atleast not for roblox cuz byfron eradicated 90% of exploiters, if you still exploit in roblox via sketchy methods or external cheats then I say you deserve to have your fun because the effort you went through to cheat in a game is almost admirable
unpopular opinion: if your game has fixable and easy glitches that can be done without even using tools outside of the basic roblox app, you should be the one banned not the "exploiters" abusing your garbage code
Bro
What about flying exploits/scripts that allow users to use admin flight which allows no-clipping via said flight? How would that be prevented?
The "My heads are so shiny"got me laughing 😂😂😂3:42
I'm a web developer trying to get into Roblox development.. And even I can tell this is a completely unoptimized garbage fix.
Good explanation of script exploiting + server vs. client for beginners tho
for minecraft the devs of the game itself arent gonna remove hacks(unless theyre game breaking exploits such as a force-op) the server dev/owner needs to make their own AC(or get one) which is insanely hard to make because you dont wanna ban innocent players and the game has an insanely hard time differentiating lag & cheats
On roblox it`s probably easy to do these things, but let`s the library is the base for all those things...if the library is trash than good luck trying to fix all this stuff.
example of lazy developers is roblox talent show. it have so lazy developers, i took multiple times hockey sticks and noclip through walls, even from performing as a performer, and only server host/admin could stop me, and instead of fixing or removing hockey sticks (nobody uses it on performance) just they prefer to cry and giving bans for glitch abusing. for this i got once banned on 3 days
They're not lazy, they just think exploiters are so rare.
there are many ways to fight noclip but this one is not very strong and will fall easily if the exploiter just apply the same process he did to go through the wall and do it on the "hitbox" you create for each playercharacter. Also a lot of information are wrong, when you say that client side you can go through after deleting the baseplate because it tells the server theres no baseplate anymore is wrong, its just that the server updates the player position and dont give a shit if you're inside a part, the cancollide stuff is set server sided but the value is only used by the client, which is why the server doesn't prevent you from falling through the floor.
Do note, you can also fix a lot of exploits by using sanity checks on your remote events, or make important events handled by the server instead of handling them via the client. That being said, exploits like no-clipping, flying, etc. can be fixed by checking a player's character and running sanity checks from the server.
u can spoof positions,
Good idea but make the part parent to a folder in the workspace because anything that gets deleted in character is also serversided.
the only base security checks in this game is the byfron thing that detects exploit programs. there isn't any security checks in game.
People really are lazy or they just don’t think, no clips are easy to fix now that I’m thinking after watching this, and when exploiters are able to fly, that’s pretty easy to fix, you really could just have both of these inside 1 heartbeat loop on the server
Bloxfruits devs needs to see this.