Best ways to stop people leaking your game client side

Most games take time to build up the momentum to hit the front page. Many games never reach it due to them having niche audiences or if they are community games. And even front page games can have assets stolen and sold to unwitting clients who don’t know better.

Let’s say you have sensitive information in a module script you keep at rep storage. People will be able to take this if you don’t make sure that it’s mostly in the server side unless needed.

1 Like

I for one believe in quality games, with little exposure, a good game would naturally hit front page. There are plenty of games that are front page from the spread of word. Now I’d have to say that while it’s true that those stealing assets and reselling are obviously up to no good, it’s partially that clients fault for not confirming where the asset came from.


As an example, today I was looking forward to purchase 6 models from an individual from a project that gave up, I went through the efforts to gather everyone on that development team to ensure that they are aware that assets are being sold, the original creator has given consent and nothing is free modeled or stolen. To those who are making larger deals should be signing contracts for potential court cases.


Sensitive information should not be exposed to the client? Can you give an example where sensitive information is exposed?

2 Likes

Again, this post isn’t about reasons why you need to hide assets from the client side to stop them taking it with exploits, but rather it’s about a discussion on ways that you can use to prevent asset theft, whatever the reason might be.

I for one believe in quality games, with little exposure, a good game would naturally hit front page. There are plenty of games that are front page from the spread of word. Now I’d have to say that while it’s true that those stealing assets and reselling are obviously up to no good, it’s partially that clients fault for not confirming where the asset came from.

Statistically, most games don’t reach the front page, no matter what their quality is. Some of the best games I know are from the nichest communities. Good quality, but too little exposure/ unappealing to the wider audience, example could be CoderQwerty’s Blood and Iron which targets a very small part of the roblox Napoleonic Community.

As an example, today I was looking forward to purchase 6 models from an individual from a project that gave up, I went through the efforts to gather everyone on that development team to ensure that they are aware that assets are being sold, the original creator has given consent and nothing is free modeled or stolen. To those who are making larger deals should be signing contracts for potential court cases.

There is always a danger that the models sold might be stolen, it’s very hard to find out. Majority of cases, people buying models just don’t. Either due to ignorance or they just don’t have the time. Again, I’m talking about the majority of cases, with this post being just a few ways of limiting asset theft.

Examples of stuff you don’t want stolen include, but not exlusively: what remote events you have, so they could make exploits to fire them. The data kept in module scripts. Models that can be stolen and sold, stealing the entire map to sell to someone else, leaking your game and making it public just to spite you, taking your game and uploading it into a free model.

It doesn’t really matter what reason you have of wanting to keep your assets private, the point of this post is to give a few suggestions and ways to do so.

1 Like

I understand the discussion topic, however I’m arguing that you shouldn’t use these methods that are un-natural (excluding point 4 and 5).


A quality of a game isn’t dependent on a singular person’s perspective, while you may find it good in quality, some people may be expecting more from it. A quality game isn’t just visual aspects of a game either, it’s how the game is designed and meant to be played. Now I’m not arguing it’s not a good game in general, but I’m arguing that it’s not a good game specifically on the platform. (I’ve tried the game once and it’s not really visually appealing either which loses the interest of a lot of players as soon as they join). To clarify, when I said quality game, I meant for the Roblox Platform.


These are exposed regardless (without stealing the place, they can be exposed in-game live), proper sanity checks on the server side would easily prevent this. I’m not sure what “data” refers to but if it’s somewhere the client can access, I’m assuming the client needs it.


I’m going to make my concluding statement since I have to go now. Your points 4 and 5 are natural processes in the game development industry and are used from day to day and these are good points. Points 1 and 3 to me sounds redundant, it’d be as bad as obfuscating your local scripts. Point 2 is more reasonable and should be done in practice if possible. I will not longer be replying, I’ll just watch from now since I’ve already flooded the thread.

3 Likes

Lol, thank you for your input regardless.

Now I look at it, I think the first few points I posted are in relation to sanity checks. But I still think it is needed to educate devs on the distinction between client side and server side.

2 Likes

None of your points are in “relation” to sanity checks.

Neither do they prevent exploiting, injection can still happen and so can interception.

The advice/education you should be giving is not how to prevent “leaking” but how to remove what’s been leaked (contacting support/staff, DMCA - as you have covered, and other outlets).

As someone who has had to deal with security in a game with high potential security risk these are the issues with your points:

  1. You are effectively ruining User Experience at a loss. This does not prevent interception through an injector and neither does it hinder it effectively. Your “RunService:IsStudio()” suggestion does not work either as this would not run during a studio session and if someone were to inspect your game within the game itself it would do no good either. Naming does nothing either as you can simply search for contents; but, what I mentioned earlier would make this useless anyways.
  2. This also damages User Experience. The less reliance on the server you can have for the client the better. This should never be done and most things if used on the client should be in a container that replicates to the client. The more reliance you have on the server means the more likely that users with higher latencies will be stuck waiting for the assets to load for them.
  3. This is terrible for User Experience and here’s the situation in reality: If most exploiters won’t be able to steal the game because of the amount of instances, it’s not because they can’t download it but it’s because they can’t load it in the first place. If the exploiters can’t load the place than neither can your users. This is the best way to look at this point.
  4. Exploiters don’t publish the games they steal and when they do they don’t do it to make their own game. Plenty of exploiters steal off popular games because they contain contents that are valuable and that can be repurposed for other instances. Triple A Games also do NOT do this at all. Their security is just as good as Roblox’s. Also what you mentioned about Triple A Games being Open Sourced is for the most part to my knowledge - completely FALSE. They are not Open Sourced and if they were people would be taking valuable technologies from them left and right.
  5. This is by far the only valuable and reasonable listing here. You can submit a DMCA to an individual given that there is enough legal evidence that this infringes on some property. Now, I am not a lawyer so I cannot go further than what I am legally educated of - this applies to you as well. You can raise the option and its existence but do not go further as to act as if you are fully aware of the workings and meanings that define this.

All of these ideas besides the last one (which isn’t even related to the other four) are terrible for User Experience and don’t resemble good advice; they resemble brilliant ways to destroy your Game and the User Experience of it.

When I see posts like this I am only left to assume that most developers are not aware of the potential and functionality of software used by exploiters (those that produce not copy and paste) and what do to achieve certain goals.

I myself can only speak to a certain extent and can only go so far. However, here is something to note for the future. Don’t attempt to prevent people from leaking your games: It is futile. When you see something of yours stolen immediately contact Roblox Support or a Roblox Staff Member on the DevForums - they are your best bet at resolving the problem.

8 Likes

You cannot stop the client from leaking the existing material. Game design prevents most of the stolen content. If you really had to secure that information, the client has to see the content. Memory dumps is one simple step of stealing games. This however is not immediately unnoticed and is very easy to tell if the game was stolen. DMCA takedowns should resolve the case.

3 Likes

or just dont bother and dmca everyone that’s using your assets and game for profit

1 Like

I believe that in order to be good at defending your game against exploiters, you need to have good knowledge on how the exploits work also.

The majority of the exploits devs are currently dealing with in roblox are injector based, and the actual client stealing is done from the client side. Ie, all the stuff the game puts inside the local client.

Therefore, from my experience, by only putting the bare minimum (stuff which the client is ACTUALLY running at the time) into the client, you reduce the amount of stuff stolen. As exploiters cannot steal anything (at least to my knowledge) in the server. With this prerequisite in mind, I’ll evaluate your points.

  1. You are effectively ruining User Experience at a loss. This does not prevent interception through an injector and neither does it hinder it effectively. Your “RunService:IsStudio()” suggestion does not work either as this would not run during a studio session and if someone were to inspect your game within the game itself it would do no good either. Naming does nothing either as you can simply search for contents; but, what I mentioned earlier would make this useless anyways.

You’re not affecting user experience at all by having a script which checks the owner of the game. Since, if the owner is the right owner, then the script does nothing, meaning the user is not affected at all. “RunService:IsStudio()” is just a way for the script to make sure it doesn’t act up when bug testing during studio sessions, making it an extra hurdle for hackers to go past. This is similar to renaming.
Now I understand that good scripters will be able to find these immediately if they were to look for it, it still filters out a chunk of potential hackers. Again, this is a suggestion for how to REDUCE exploiting, not to completely prevent it.

  1. This also damages User Experience. The less reliance on the server you can have for the client the better. This should never be done and most things if used on the client should be in a container that replicates to the client. The more reliance you have on the server means the more likely that users with higher latencies will be stuck waiting for the assets to load for them.

Again, you miss the point of the post, that you ONLY spawn the models in when the players need them. Not that you keep spawning things in and out to lag the game. I am not saying you should completely ignore client side and have all coding done on the global. I am simply saying to not keep everything inside the client at all times, especially the things which the client does not need. I am suggesting to only put the bare minimum. For example, if a player is in a game, they don’t need to have access to a model 5000 studs away, so that model could be safely stored in serverstorage, replicated into rep storage when needed, and then cloned to client when the player gets close. This actually REDUCES lag as you reduce parts being rendered, though I have also acknowledged it could cause lag spikes as the player gets close.

  1. This is terrible for User Experience and here’s the situation in reality: If most exploiters won’t be able to steal the game because of the amount of instances, it’s not because they can’t download it but it’s because they can’t load it in the first place. If the exploiters can’t load the place than neither can your users. This is the best way to look at this point.

I did acknowledge in the original post the implications of lag, but it is a balancing act. I did also say that the instances would be loaded in after the player joins via scripts on the client. If they were put inside the replicated storage, they would not affect the playing of the game much, as they aren’t being rendered anyways. However, the moment that the game is about to be stolen, they would all cause the exploiter to lag trying to download it, increasing the filesize they need to download.

  1. Exploiters don’t publish the games they steal and when they do they don’t do it to make their own game. Plenty of exploiters steal off popular games because they contain contents that are valuable and that can be repurposed for other instances. Triple A Games also do NOT do this at all. Their security is just as good as Roblox’s. Also what you mentioned about Triple A Games being Open Sourced is for the most part to my knowledge - completely FALSE. They are not Open Sourced and if they were people would be taking valuable technologies from them left and right.

Again, this has been acknowledge in other points. The majority of devs facing this problem is exploiters stealing their models/ scripts, and selling it off as their own. If you’re untrusting of companies having open sourced projects, just take a scroll at Unreal where you could literally take any code and edit it as your own.

  1. This is by far the only valuable and reasonable listing here. You can submit a DMCA to an individual given that there is enough legal evidence that this infringes on some property. Now, I am not a lawyer so I cannot go further than what I am legally educated of - this applies to you as well. You can raise the option and its existence but do not go further as to act as if you are fully aware of the workings and meanings that define this.

I am assuming you’ve never filed a DMCA. DMCAs cause so much hassle, and they cost money that many developers simply don’t have or unwilling to afford. As well as this, the legal repercussions cause so much strife too. I acknowledge that Roblox does a great job at answering emails and taking these down. And that is why this last point is put last, because it is a last ditch if the exploiter did publish your full game. If they are just selling models, roblox can’t do anything.

Overall, I thank you for your reply, but such things aren’t as easy sometimes. DMCA’s are often advised by lawyers to only be used as a worst case scenario, due to the hassle they cause. Going against exploiters is very useful, and not useless. Just because there will always be that one person who can hack your game, it doesn’t mean you should do absolutely nothing to protect your game from hackers.

Similarly, just because exploiters can leak your game, it doesn’t mean you should make it easier for them to do so. Of course I am against protecting your game at your user’s expensive. However it is important to take an objective view to balance out the pros and cons of each method, and doing what suits your game.

2 Likes

the code of localscripts doesn’t actually matter they can save the map without them you can always file a dmca if it’s stolen also getting lawyer for that is Exaggerated

1 Like

There is no way that makes it impossible for exploiters to steal assets, at last they will somehow find a way around it even if you make a lot of preventions, so why need to waste your time securing that, just file a DMCA on them if you find someone using your stolen assets.

1 Like

DMCAs are a hassle to do and not as easy as people put it.
Even if you can’t stop all exploiters, the point of this post is to make it as hard for exploiters as possible. Just like how you can’t stop all hackers, but you can’ stop the bad hackers, ie the majority of them.

1 Like

you can also obfuscate the client side scripts

2 Likes

I won’t be responding to this thread at all after this because I’ve come to the realization that you have very little experience in a field such as this and most (if not all) the claims you are making are completely baseless with no evidence to back them up whatsoever.

I will reiterate once again for those who see this thread: If your game does get stolen and republished and you come across it – report it to a Roblox Staff Member (Developer Relations specifically) or the Support Team. None of the things suggested here (other than taking some form of “legal” action) will aid you (and will in fact make it more difficult for you to develop your own game).

Changing the way you load assets will not prevent exploiters from stealing your game, adding scripts or renaming instances will do nothing, and these aren’t “hackers” they are exploiters.

Take this from somebody who has been paid to look into security flaws and managing them.

My final points to reiterate:

Additional points:

  • Obfuscating your scripts will do nothing, exploiters don’t see the code you see when you publish it as a game. The version they see is like if you translate another language to english: You don’t get the exact meaning but you get something pretty close. (Just imagine your code being turned into hieroglyphics when your game is ran and then being translated into English when you decompile the code, it’s going to be dodgy but close.) Obfuscating your scripts will make debugging in live games impossible, if you are suggesting this I can presume you have never released a game where you needed to debug before.

  • If Front Page Games aren’t using strategies like this to prevent their games from being stolen (the most valuable ones that exploiters will target) than it’s safe to say that your methods might not be as good as you think.

6 Likes

Player’s experience is a much higher priority than preventing exploiters from leaking your game. Exploiters don’t steal from random games, they steal from popular games, obviously. So, even if they steal from your game, it has very less impact on your user base which is the main source of your earnings. Huge efforts which you’ll put in preventing exploiters leak will go to waste along with ruining normal players’ experience and your game.

When you make games which require user interaction, you’ve to give them access to certain things so it happens smoothly.

Just had an idea - if you use video frames instead of models themselves, it might still look the same and also it will prevent exploiters from getting your models. I don’t know if they can steal your videos too…
:grin:

2 Likes

Not sure if anyone else has said this but personally I would update the game regularly so when they leak the game it will be an outdated version.

1 Like

The best way to deal with the prospect of people leaking your client side game is to expect it to be leaked and not worry. If your game gets popular it will happen, and you can’t stop it. However a client side copy of your game should not be playable. If it is then you need to rethink how you structure your games because you will have bigger issues than maps being leaked.

Funny enough, a lot of synapse users got some punishment. Supposedly five days ago there was a massive ban wave going on where Roblox was able to detect if you were using synapse. Anybody that was using synapse got a single day ban.

As of right now, the entire community is in shambles and trying to lay low for a while.

The by far best way you can prevent this is by listening for local console output for exploit outputs. If you can confirm the output is malicious, kick the user. Any other method than this will not work

Use LogService. LogService | Documentation - Roblox Creator Hub

Example:

game:GetService("LogService").MessageOut:Connect(function(Message, Type)
    if Type == string then
        if Message == "exploit output" then
           game.ReplicatedStorage.ExploitRemoteEvent:FireServer() --put code on server that kicks player
        end
    end
end)

Another way you can do the above is by obfuscating your services and using ScriptContext.Error to detect if a player tries to fire a RemoteEvent through an obfuscated service and fails.

2 Likes

I’ve had my game stolen and get players so I filed a DMCA request and got and email back from ROBLOX claiming it was a human, that “human” never did anything, currently the exploiters have gotten away with it.

1 Like