Are there any anti-exploit for map stealing plug-in or ways to prevent such?

Sorry if this isn’t the right place for this post, but is there an anti-exploit for map stealing or ways to prevent such?

3 Likes

Yes there is…! Sorta.

It more slows them down. Do you know Region3?

One method I’ve heard of trying to slow down map thieves is by using Region3, only load parts of the map to the client when they are in a certain Region3!

Example:
Load the “rain forest” map into the client when the character enters the “rain forest” Region3!

This means they’ll have to copy the map piece by piece.

Additionally, you may want to perform a memory check to try to see if the client is mass copying, but be warned, this could trigger false-positives!

At the end of the day, trying to stop all forms of exploiting is near impossible. Eventually a smart enough exploiter will crack your code with enough time and effort.

If you’re new to scripting, imagine anti-exploit like an arm wrestling competition where you have to arm wrestle not one, but all the exploiters trying to steal your map. In general though, you and most other developers will want to keep most of their anti-exploit systems secret, because you never know, perhaps an exploiter is looking at us right now trying to get code to look at to find vulnerabilities.

6 Likes

Have a look at Exploiting Explained

Map Stealing

There’s nothing you can do about this. Just be proactive and submit DMCA Takedown notices to leaks

Streaming/Region3

This limits how much of the map can be taken, but a skilled exploiter can likely get around this. (See Archivable about skills)

Archivable

99% of exploiters (very accurate statistic) don’t know much about what they’re doing and are just using scripts made by others.

You can use a script to make every part archivable = false, but this can still be bypassed

Code Theft

Ditto. With the new Luau VM, stolen scripts will be harder for humans to read— it’s important to note only client stuff (localscripts, replicated storage, etc) can be stolen.

Conclusion

There’s no way to stop theft, but you can use tactics to slow them down. Anything on the client can be taken by the client

If your game gets big, it’ll be targeted.

General Exploiting

(won’t be very specific here, read exploiting explained for more info)
To prevent general exploits

  • Do sanity checks
    • someone fires a remote, double check the details
    • check variables and character stats that they’re “legal”
  • have some sort of way for users to report exploits

Obviously this changes based on your game, but there’s some more general advice.

11 Likes
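
The remote checks listed in the post above, as an added Luau example that is not from the thread or from Exploiting Explained: a server Script that type-checks what the client sent, rate-limits on the server clock, and recomputes range itself instead of trusting the client. The `SwingSword` remote, the constants and the damage value are hypothetical.

```lua
-- Server Script (e.g. in ServerScriptService). Added example; all names are hypothetical.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

local MAX_REACH = 12     -- studs; assumed weapon range
local MIN_INTERVAL = 0.4 -- seconds between accepted swings (assumed)
local DAMAGE = 10        -- decided by the server, never sent by the client

local swingRemote = Instance.new("RemoteEvent")
swingRemote.Name = "SwingSword"
swingRemote.Parent = ReplicatedStorage

local lastSwing = {} -- [Player] = os.clock() of the last accepted swing

-- Returns the root part and humanoid of a living character model, or nil.
local function rootOf(model)
	local humanoid = model and model:FindFirstChildOfClass("Humanoid")
	if humanoid and humanoid.Health > 0 then
		return model:FindFirstChild("HumanoidRootPart"), humanoid
	end
end

swingRemote.OnServerEvent:Connect(function(player, target)
	-- 1. Every argument after `player` is client-controlled: check its type first.
	if typeof(target) ~= "Instance" or not target:IsA("Model") then return end
	if not target:IsDescendantOf(workspace) then return end

	-- 2. Rate-limit using the server's clock, not a timestamp from the client.
	local now = os.clock()
	if now - (lastSwing[player] or 0) < MIN_INTERVAL then return end

	-- 3. Re-derive the facts on the server: both characters alive and in range.
	local myRoot = rootOf(player.Character)
	local theirRoot, theirHumanoid = rootOf(target)
	if not myRoot or not theirRoot or target == player.Character then return end
	if (myRoot.Position - theirRoot.Position).Magnitude > MAX_REACH then return end

	lastSwing[player] = now
	theirHumanoid:TakeDamage(DAMAGE)
end)

-- Drop per-player state so the table does not grow for the server's lifetime.
Players.PlayerRemoving:Connect(function(player)
	lastSwing[player] = nil
end)
```

Rejected requests are dropped silently here; logging them per player gives the report-handling side something to review before any kick or ban decision.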

I wouldn’t worry too much about map stealers anyway. They typically can’t do much without the scripts and their game will never gain much traction until you report them for copyright.

2 Likes

I really should’ve linked that now that I think about it. You explained it a lot better than I did.

However I will say that there are ways to patch map stealing like I said, but you’d get false positives so you’d have to manually unban anyone who was banned for having high memory usage at a constant pace.

There are two extremes:

  1. Not trusting the client at all which basically makes your game essentially UNBREAKABLE outside of exploits Roblox doesn’t want you fixing (example being CoreGui and ESP) but causes a lot of innocent people to get banned needlessly as well as damaging performance (constant checks start to add up when doing them every single frame) and finally, these security systems take a long time to make.

Example:
Any descendants added into the game will be thoroughly searched through a whitelist, if it doesn’t match the naming conventions BAN! This can still be worked around, but only if the exploiter finds out the naming convention. Only time I’ve seen this fail is when someone on the team create was paid to leak it.

Me: “whoops, forgot to add that object name to the whitelist… Now I get to decide who was falsely banned and who was really banned so I can attempt to unban people… Looks like I done kotojoked myself.”

If you want to keep a local script from being edited, you can either use LoadString to try to hide it, or if you really want to reduce performance as much as possible, make it fire a series of events every single frame and if anything is different in a SINGLE FRAME, then ban the client.

If that’s not good enough for you and you want to hurt your game EVEN MORE for the sake of security, then make your game paid access for over 500 robux, this will make exploiters think twice before exploiting on an alt.

  2. Completely trusting the client which massively helps performance and makes the game easier to make but causes exploits to run rampant in your game. If you can even call it your game anymore since everyone will have a copy of it if it gets big if you decide to go this route.

Example:
Yeah we already know what this leads down to. DON’T DO THIS.

Both of these extremes kinda make your game unplayable, at the very least, it will severely hurt your game. The idea is to find a healthy balance between the two.

tl;dr

You explained this really well, but there are ways to beat up map thieves.

As to the original post, I listed some ways to lean more towards security>everything, feel free to investigate them more!

This post was made by the client & server security gang.
^ This part is a joke please don’t hurt me.

Good luck and happy deving!

EDIT: Just came back to this, Roblox has recently patched #1, as of now, you cannot detect objects that are descendants of locked objects, even by using things like tostring(), so that boat is sunk. Streaming/Custom Replication is really your only solution.

2 Likes

As of now, no. Most AAA games have had their maps stolen. Making maps unstealable would have significant effects on game performance, so nobody does it. It’s much easier to load the game’s geometry and other physical assets on the client.

Exploiters will also be able to steal your local scripts, and everything they see in replicated storage.

However, exploiters will not be able to access server only assets, like the ones stored in serverstorage/serverscriptstorage, so it will be difficult to replicate your game, especially if it is a larger game.

In my case, for my game Sworge the maps aren’t the most important asset — the gameplay is. So I’m not too worried about this exploit.

But if you have really good maps you might want to sell/showcase I recommend you be very careful, as anyone can enter your game and steal it.

P.S. That’s why some people selling maps on this forum only give screenshots, because if they made their places public people could walk in and steal em

2 Likes
3 Likes

You can easily make a rollback system if you’re that worried (e.g. unban all players banned on versions 1.4 and 1.5 because of this one object)

And you don’t necessarily need to ban. You can easily just kick and that’d stop the exploiter dead in their tracks. It can be annoying but doesn’t harm users in the unlikely event of false positive.

1 Like