Need help block Lua injector cheaters

[MohammedX]

hi i have a problem on my mtasa server. some players are using cheats or lua injectors to bypass client-side protection. they trigger server events or modify scripts and just mess up the game for other players.

i already enabled anti-cheat in mtaserver.conf but it doesn’t seem to stop them.

is there a way to detect or auto-ban players if they use lua injectors?
also, any good anti-cheat scripts or something that helps block this?
and maybe a way to log strange/suspicious client activity?

any help would be great, thanks.

[FernandoMTA]

hello, you need to focus on securing the server side scripts: add verifications to server events, create detections and automatic bans/punishments for unwanted activity, etc.

read this article https://wiki.multitheftauto.com/wiki/Script_security

[MohammedX]

On 07/06/2025 at 10:51, FernandoMTA said:

hello, you need to focus on securing the server side scripts: add verifications to server events, create detections and automatic bans/punishments for unwanted activity, etc.

read this article https://wiki.multitheftauto.com/wiki/Script_security

What about client side? like if no players in srv and hackers join, they can control speed, explode cars of other players, change handling etc. any way to block this or auto ban?

[DiSaMe]

There's no way to block client-side changes that can't be circumvented, but script security should not rely on that in the first place. The server-side script should not blindly accept whatever events it receives from the client.

With physics, it gets tricky. The server doesn't have physics so it has to rely on players to tell their own positions and positions of other elements that they're syncing. Usually the solution to speed hacks is to track the player position to detect if they're moving in a way that's impossible with the game's physics. But distinguishing that is not always easy so this won't fully solve the problem. The foolproof solution is to implement physics on the server, but that's a lot of work and the server will have to do much more processing.

But I'm not sure what you mean by "explode cars of other players". The vehicle is synced by its driver, if there's any, so other players should not be able to control the damage (probably, I'm not certain about how it works).

[MohammedX]

4 hours ago, DiSaMe said:

There's no way to block client-side changes that can't be circumvented, but script security should not rely on that in the first place. The server-side script should not blindly accept whatever events it receives from the client.

With physics, it gets tricky. The server doesn't have physics so it has to rely on players to tell their own positions and positions of other elements that they're syncing. Usually the solution to speed hacks is to track the player position to detect if they're moving in a way that's impossible with the game's physics. But distinguishing that is not always easy so this won't fully solve the problem. The foolproof solution is to implement physics on the server, but that's a lot of work and the server will have to do much more processing.

But I'm not sure what you mean by "explode cars of other players". The vehicle is synced by its driver, if there's any, so other players should not be able to control the damage (probably, I'm not certain about how it works).

 

but i just want to clarify something currently there are lua injector hacks that allow players to explode other players vehicles fly with cars increase vehicle or player speed and more even if theyre not the driver of the vehicle i think theyre doing this using client side functions like setelementvelocity or other tricks that somehow affect synced elements so even if the server side is protected once no admins are online or the server is empty these cheaters can mess up everything im talking specifically about race or dm or mgm servers i know full server side physics is hard to implement but is there at least a way to log suspicious velocity changes or detect if someone is abusing setelementvelocity maybe comparing it to expected speeds or limits

Edited June 8 by MohammedX

[DiSaMe]

If they manage to bypass the client-side anti-cheat, I don't think it makes a difference whether they do those things by calling Lua functions or without using Lua at all. All that matters is that they manipulate some data that the server relies on clients to tell.

To detect suspicious movement - yes, as I said, you can track player position, by calling getElementPosition repeatedly and checking how much the value has changed since the last time you checked. Or velocity too, for that matter. The thing is that if you only check velocity but not position, they'll still be able to evade detection by teleporting (since teleporting only changes the position) or by faking the velocity values they send to the server.

When a cheater is the syncer of a vehicle, they can manipulate that vehicle, regardless if they're driving it or not. So they'll be able to make some driverless vehicles fly around, which you can detect on the server using getElementPosition and getElementVelocity and find the player syncing it using getElementSyncer. Understandably, it's going to be less evident when no one's in the car that's flying around. But they shouldn't be able to affect vehicles that are being synced by other players, which includes all vehicles driven by other players.

Whether the same applies to vehicle damage - I'm not sure. I remember shooting the fuel tank of a vehicle driven by another player, and it exploded. That was a lucky shot, it was moving quite fast, and I hit the fuel tank from my point of view, but I doubt it was the same from their point of view. It's as if there's some "fuel tank explosion" signal that the server accepts regardless of who's the syncer. But it happened long ago (2008 or 2009 I think).