Best ways to stop people leaking your game client side

I believe that in order to be good at defending your game against exploiters, you need to have good knowledge on how the exploits work also.

The majority of the exploits devs are currently dealing with in roblox are injector based, and the actual client stealing is done from the client side. Ie, all the stuff the game puts inside the local client.

Therefore, from my experience, by only putting the bare minimum (stuff which the client is ACTUALLY running at the time) into the client, you reduce the amount of stuff stolen. As exploiters cannot steal anything (at least to my knowledge) in the server. With this prerequisite in mind, I’ll evaluate your points.

1. You are effectively ruining User Experience at a loss. This does not prevent interception through an injector and neither does it hinder it effectively. Your “RunService:IsStudio()” suggestion does not work either as this would not run during a studio session and if someone were to inspect your game within the game itself it would do no good either. Naming does nothing either as you can simply search for contents; but, what I mentioned earlier would make this useless anyways.

You’re not affecting user experience at all by having a script which checks the owner of the game. Since, if the owner is the right owner, then the script does nothing, meaning the user is not affected at all. “RunService:IsStudio()” is just a way for the script to make sure it doesn’t act up when bug testing during studio sessions, making it an extra hurdle for hackers to go past. This is similar to renaming.
Now I understand that good scripters will be able to find these immediately if they were to look for it, it still filters out a chunk of potential hackers. Again, this is a suggestion for how to REDUCE exploiting, not to completely prevent it.

2. This also damages User Experience. The less reliance on the server you can have for the client the better. This should never be done and most things if used on the client should be in a container that replicates to the client. The more reliance you have on the server means the more likely that users with higher latencies will be stuck waiting for the assets to load for them.

Again, you miss the point of the post, that you ONLY spawn the models in when the players need them. Not that you keep spawning things in and out to lag the game. I am not saying you should completely ignore client side and have all coding done on the global. I am simply saying to not keep everything inside the client at all times, especially the things which the client does not need. I am suggesting to only put the bare minimum. For example, if a player is in a game, they don’t need to have access to a model 5000 studs away, so that model could be safely stored in serverstorage, replicated into rep storage when needed, and then cloned to client when the player gets close. This actually REDUCES lag as you reduce parts being rendered, though I have also acknowledged it could cause lag spikes as the player gets close.

3. This is terrible for User Experience and here’s the situation in reality: If most exploiters won’t be able to steal the game because of the amount of instances, it’s not because they can’t download it but it’s because they can’t load it in the first place. If the exploiters can’t load the place than neither can your users. This is the best way to look at this point.

I did acknowledge in the original post the implications of lag, but it is a balancing act. I did also say that the instances would be loaded in after the player joins via scripts on the client. If they were put inside the replicated storage, they would not affect the playing of the game much, as they aren’t being rendered anyways. However, the moment that the game is about to be stolen, they would all cause the exploiter to lag trying to download it, increasing the filesize they need to download.

4. Exploiters don’t publish the games they steal and when they do they don’t do it to make their own game. Plenty of exploiters steal off popular games because they contain contents that are valuable and that can be repurposed for other instances. Triple A Games also do NOT do this at all. Their security is just as good as Roblox’s. Also what you mentioned about Triple A Games being Open Sourced is for the most part to my knowledge - completely FALSE. They are not Open Sourced and if they were people would be taking valuable technologies from them left and right.

Again, this has been acknowledge in other points. The majority of devs facing this problem is exploiters stealing their models/ scripts, and selling it off as their own. If you’re untrusting of companies having open sourced projects, just take a scroll at Unreal where you could literally take any code and edit it as your own.

5. This is by far the only valuable and reasonable listing here. You can submit a DMCA to an individual given that there is enough legal evidence that this infringes on some property. Now, I am not a lawyer so I cannot go further than what I am legally educated of - this applies to you as well. You can raise the option and its existence but do not go further as to act as if you are fully aware of the workings and meanings that define this.

I am assuming you’ve never filed a DMCA. DMCAs cause so much hassle, and they cost money that many developers simply don’t have or unwilling to afford. As well as this, the legal repercussions cause so much strife too. I acknowledge that Roblox does a great job at answering emails and taking these down. And that is why this last point is put last, because it is a last ditch if the exploiter did publish your full game. If they are just selling models, roblox can’t do anything.

Overall, I thank you for your reply, but such things aren’t as easy sometimes. DMCA’s are often advised by lawyers to only be used as a worst case scenario, due to the hassle they cause. Going against exploiters is very useful, and not useless. Just because there will always be that one person who can hack your game, it doesn’t mean you should do absolutely nothing to protect your game from hackers.

Similarly, just because exploiters can leak your game, it doesn’t mean you should make it easier for them to do so. Of course I am against protecting your game at your user’s expensive. However it is important to take an objective view to balance out the pros and cons of each method, and doing what suits your game.

the code of localscripts doesn’t actually matter they can save the map without them you can always file a dmca if it’s stolen also getting lawyer for that is Exaggerated

There is no way that makes it impossible for exploiters to steal assets, at last they will somehow find a way around it even if you make a lot of preventions, so why need to waste your time securing that, just file a DMCA on them if you find someone using your stolen assets.

DMCAs are a hassle to do and not as easy as people put it.
Even if you can’t stop all exploiters, the point of this post is to make it as hard for exploiters as possible. Just like how you can’t stop all hackers, but you can’ stop the bad hackers, ie the majority of them.

you can also obfuscate the client side scripts

I won’t be responding to this thread at all after this because I’ve come to the realization that you have very little experience in a field such as this and most (if not all) the claims you are making are completely baseless with no evidence to back them up whatsoever.

I will reiterate once again for those who see this thread: If your game does get stolen and republished and you come across it – report it to a Roblox Staff Member (Developer Relations specifically) or the Support Team. None of the things suggested here (other than taking some form of “legal” action) will aid you (and will in fact make it more difficult for you to develop your own game).

Changing the way you load assets will not prevent exploiters from stealing your game, adding scripts or renaming instances will do nothing, and these aren’t “hackers” they are exploiters.

Take this from somebody who has been paid to look into security flaws and managing them.

My final points to reiterate:

Additional points:

• Obfuscating your scripts will do nothing, exploiters don’t see the code you see when you publish it as a game. The version they see is like if you translate another language to english: You don’t get the exact meaning but you get something pretty close. (Just imagine your code being turned into hieroglyphics when your game is ran and then being translated into English when you decompile the code, it’s going to be dodgy but close.) Obfuscating your scripts will make debugging in live games impossible, if you are suggesting this I can presume you have never released a game where you needed to debug before.

• If Front Page Games aren’t using strategies like this to prevent their games from being stolen (the most valuable ones that exploiters will target) than it’s safe to say that your methods might not be as good as you think.

Player’s experience is a much higher priority than preventing exploiters from leaking your game. Exploiters don’t steal from random games, they steal from popular games, obviously. So, even if they steal from your game, it has very less impact on your user base which is the main source of your earnings. Huge efforts which you’ll put in preventing exploiters leak will go to waste along with ruining normal players’ experience and your game.

When you make games which require user interaction, you’ve to give them access to certain things so it happens smoothly.

Just had an idea - if you use video frames instead of models themselves, it might still look the same and also it will prevent exploiters from getting your models. I don’t know if they can steal your videos too…

Not sure if anyone else has said this but personally I would update the game regularly so when they leak the game it will be an outdated version.

The best way to deal with the prospect of people leaking your client side game is to expect it to be leaked and not worry. If your game gets popular it will happen, and you can’t stop it. However a client side copy of your game should not be playable. If it is then you need to rethink how you structure your games because you will have bigger issues than maps being leaked.

Funny enough, a lot of synapse users got some punishment. Supposedly five days ago there was a massive ban wave going on where Roblox was able to detect if you were using synapse. Anybody that was using synapse got a single day ban.

As of right now, the entire community is in shambles and trying to lay low for a while.

The by far best way you can prevent this is by listening for local console output for exploit outputs. If you can confirm the output is malicious, kick the user. Any other method than this will not work

Use LogService. LogService | Documentation - Roblox Creator Hub

Example:

game:GetService("LogService").MessageOut:Connect(function(Message, Type)
    if Type == string then
        if Message == "exploit output" then
           game.ReplicatedStorage.ExploitRemoteEvent:FireServer() --put code on server that kicks player
        end
    end
end)

Another way you can do the above is by obfuscating your services and using ScriptContext.Error to detect if a player tries to fire a RemoteEvent through an obfuscated service and fails.

I’ve had my game stolen and get players so I filed a DMCA request and got and email back from ROBLOX claiming it was a human, that “human” never did anything, currently the exploiters have gotten away with it.

Just make your game heavily rely on server script storage and other things people cannot steal. I think that will help a lot.

I think you should enable the Lock property on anything you don’t want to be leaked, but I don’t know if it will actually prevent the exploiter from interacting with it.
From my experience with exploits, you can’t interact with anything that is locked.

We’re referring to assets in workspace mostly. You still need to have the GUI and other local scripts on the client.

Yes but any exploiter can unlock the workspace using a simple script

Well, you could copyright your game’s everything.
Piggy did it and removed piggy clash for copyright infringement

Please keep us updated if anything on it happens.

I’ve had a few games stolen, but since the exploiters didn’t publish it, instead selling it on. I had no way of tracking who did it, and therefore reporting that person.

If you can, see if you could follow a few of the above suggestions on reducing game theft, and see if you can tell us if it helped.

It works, but keeping things on client side reduces lag since there’s less server- client interactions.

However what I proposed above is to have a secondary script which monitors which scripts/ models are needed immediately by the client, and they are placed into the client. While the ones which aren’t needed by the client are kept in serverstorage so they aren’t stolen.

I understand that people try to copy your game. But here reasons threy might do so. Number one they want to know how it works and what was the process behind it which is probably why you hardly see any copyunlocked games on Roblox. Number 2 they are trolls and what to try to make a replica of your game so they can profit which is probably the worst choice.