Mod Name: Moon Slide
Author: huanyue
Version: 1.2
Type: Client‑only mod (client_only_mod = true)
For: DST (Don’t Starve Together)
1. Core Principle Overview
This is a client‑only mod, yet it achieves movement speed far beyond normal client limits.
Under normal circumstances, the client only controls the local display of the character; actual movement validation is handled by the server.
Moon Slide exploits DST’s Client‑Side Prediction mechanism to convince the server that the player is walking normally, thereby bypassing most server‑side checks.
2. Detailed Technical Implementation
1. Forged Walking RPC Requests
Normal walking flow:
Client presses W → sends WALK action → server calculates path → server broadcasts movement → client displays
Moon Slide flow:
The client sends the following two RPCs every frame (0‑interval DoPeriodicTask) directly to the server:
RPC.PredictWalking (predict walking)
RPC.LeftClick + ACTIONS.WALKTO.code (simulate walk‑to click)
Upon receiving these, the server believes the player is performing a WALKTO action and moves the character to the target coordinates.
Sending these every frame (dozens of times per second) allows the player to slide at extreme speeds.
Key code (modmain.lua lines 64–65):
lua
SendRPCToServer(RPC.PredictWalking, track_x, track_z, false, false, nil, false, nil)
SendRPCToServer(RPC.LeftClick, WALKTO_CODE, track_x, track_z, nil, nil, 0, nil, nil, nil, false)
2. Hijacking PlayerController Methods
The mod hijacks four critical functions via AddClassPostConstruct or direct overriding:
RemoteDirectWalking – disables server checks for direct walking
RemotePredictWalking – removes client prediction limits
RemoteStopWalking – blocks server‑forced stop (except mod‑internal stop)
CanLocomote – deceives the game that the player can move
While sliding, all these methods skip original validation, allowing unrestricted RPC spamming.
Key code (modmain.lua lines 234–253):
lua
function PlayerController:RemotePredictWalking(x, z, ...)
if IsSliding() then return end
return orig_RemotePredictWalking(self, x, z, ...)
end
3. Force‑enable Movement Prediction
Lines 20–22:
lua
function EnsurePrediction()
SendRPCToServer(RPC.SetMovementPredictionEnabled, true)
end
DST disables client prediction for non‑walking actions (e.g., attacking) by default.
The mod forcibly enables prediction, making the server more trusting of client position data.
4. Track Position Synchronization
The mod maintains local coordinates track_x, track_z, accumulating frame‑by‑frame deltas before sending to the server.
If the player’s animation switches to running/walking (IsSlideBroken), it immediately calls ForceStopWalking to reset state and avoid detection.
5. Terrain Collision Check (Prevent Wallhack)
Lines 59–61:
lua
if TheWorld.Map:IsPassableAtPoint(new_x, 0, new_z) then
track_x = new_x
track_z = new_z
end
The mod verifies passability (ground/water/walls) before moving to avoid obvious wall penetration, reducing detection risk.
3. Why a Client‑only Mod Can Do This
DST client‑server communication relies on RPCs.
Normally, the client only sends intents (e.g., “attack A”), validated by the server.
However, certain RPCs (PredictWalking, LeftClick) accept raw coordinates from the client without full server revalidation.
The core vulnerability:
RPC.SetMovementPredictionEnabled + RPC.PredictWalking + RPC.LeftClick(WALKTO)
The server does not sufficiently limit send frequency or movement distance,
allowing the client to spam small, frequent displacements to achieve extreme speed.
4. Comparison with Other Speed Hacks
Server mod modifying TUNING.MOVE_SPEED
Direct and stable, but easily detected server‑side
Requires server installation
Client‑side animation speed editing
Visual only; does not change real position
Moon Slide (RPC forging)
No server mod required
Actually changes character position (recognized by server)
Risk: obvious high‑frequency RPC pattern, detectable via server logs
5. Server Fix Recommendations
To block such client mods:
Limit RPC.PredictWalking frequency
In scripts/components/playercontroller.lua, record timestamps. Reject or kick if interval < threshold (e.g., 50ms).
Validate displacement distance
Reject single movement exceeding normal walk speed (e.g., >2 units per RPC).
Server‑side path validation for LeftClick(WALKTO)
Currently, servers often only check if the target point exists, not path validity.
Add pathfinding checks to prevent fast movement through obstacles.
Detect high‑frequency RPC patterns
Monitor RPC count per player per second in scripts/networking.lua or custom scripts. Flag and act on repeated spam.
Use third‑party anti‑cheat plugins
Community anticheats for dedicated servers already include RPC frequency and abnormal movement detection.
mod.manifest modicon.tex modicon.xml modinfo.lua modmain.lua ACTIONS_util.lua ENT_util.lua EQUIP_util.lua GAME_util.lua HACKER_util.lua HUD_util.lua INV_util.lua KEY_util.lua MAP_util.lua MOD_util.lua m_utils.lua PLAYER_util.lua POS_util.lua RW_util.lua
Summary
Moon Slide fundamentally abuses DST’s client prediction design boundary:
It spams large numbers of legitimate, small‑distance RPCs to bypass server speed limits,
achieving extreme movement without server mods.
This is not traditional “wall hacking” but improper use of client permissions.
Servers can effectively defend against it by limiting RPC frequency and validating displacement.
This analysis is for technical research and server administration only.
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now