Best ways to stop people leaking your game client side

There is no point in doing this. Any half-decent exploiter will understand what’s going on since they could easily track hierarchical changes. It doesn’t lag your game any more than more common methods. The amount of information sent when replicating newly created instances is minimal compared to the stuff most games send through remotes. Clients download assets from servers that are separate from the ones running your games.

All you are doing with this is preventing people with slow computers/connections from playing your game. This can be easily countered on any machine with 512MB of RAM and a Pentium 4 by saving the place as an XML file and deleting those parts in Notepad. The actual bottleneck mostly comes from explorer trying to display all of the instances.

The point of my methods is not to stop all exploiters from leaking your game. It’s there to raise the bar of skill level which exploiters have to be at to be able to leak it.

The vast majority of exploiters cannot code themselves, nor do they understand server/client interactions. They just download a free exploit and use an injector to get into your game and download what they can.

Therefore, our job as game owners is just to be able to stop the lowest tier of hackers since those are the majority.

Just like how a trained professional assassin is able to get into your house no matter what you do. But you could still buy a lock on the front door to stop 99% of randoms coming in.

All of these methods are very basic and would require 30 minutes for a skilled exploiter or a few hours for a beginner to counter. The only reliable way of handling this issue is by offloading as much logic to the server, leaving only basic checks and performance demanding stuff to the client.

What you don’t understand is that anyone who wants to make a name for themselves will take this on. It doesn’t matter if your game is hard or easy to reverse-engineer, it will appear on that red site in a few months if anyone is interested. Once that happens, everyone else will be able to download the complete version, no matter how skillful they are.

I haven’t got to the point of being that famous yet to be competing with the best and most skilled exploiters. XD

Since I run community games, the most we’ve had to deal with are a few trolls with free downloaded exploits. And so far, these methods described above are working.

Again, the door lock illustration. There are definitely going to be the best lock pickers out there who can get into your house. That doesn’t mean you shouldn’t have a padlock at your door just to stop the lesser skilled majority.

It also doesn’t mean you need 5 digital num locks, 10 fingerprint scanners, 2 retinal scanners, 10 cylindrical locks and a corkscrew padlock. The methods above will slow down development in many situations, especially the one with the excessive parts. Some of your co-devs might not be able to open the game on their laptop/tablet. Maintain a good client-server barrier and keep watch for stolen assets in other games and you should mostly be good.

Since we can’t do anything to stop people leaking your game client side, why not focus on after they leak their stolen games, like just contacting Roblox and saying “hey roblox some dude stole my game take it down or whatever”? And even then, the majority of the hackers don’t even understand enough coding to replicate server-sided action in the original game.

But for people who make showcases and even making good builds. It’s so easy for someone to steal your map that you’ve poured your heart and soul into, only for them to sell it to some unknowing client for cash.

Anyone have a current summary on what they are doing to at least just slow down the leak?

Probably someone already ranted about this, but this is clearly false. Please do not imply that the DMCA costs money. Whether it’s difficult or not, that’s subjective, but it primarily consists of filling in one form/email (and using common sense).

Indeed, you submit a legal document under penalty of perjury, but that doesn’t require a lawyer. The following information is requested:

You must provide the following information in writing (see 17 U.S.C 512(c)(3) for further detail):

  1. An electronic or physical signature of the person authorized to act on behalf of the owner of the copyright or other right being infringed;
  2. A description of the copyright-protected work or other intellectual property right that you claim has been infringed;
  3. A description of the material that you claim is infringing and where it is located;
  4. Your address, telephone number, and email address;
  5. A statement by you that you have a good faith belief that the use of those materials is not authorized by the copyright owner, its agent, or the law; and
  6. A statement by you that the above information in your notice is accurate and that, under penalty of perjury, you are the copyright or intellectual property owner or authorized to act on the copyright or intellectual property owner’s behalf.
    [source]

Even members on the DevForum have written posts about how to file a claim. Your post had some nice tips, but your last statement ruins it.

1 Like

nah instead make an extremely hidden script that checks if the placeid is correct, if not just kick all players

Though, if an exploiter puts a lot of effort into finding the script, the best you can do is file a DMCA.

To be honest, the best best best way to stop people from leaking your game or builds is… Instancing everything in your game (too hard to do in fact). Make a server script that instances all your builds with the sizes and positions (pre-built stuff just transforming them into script form). You can’t instance local scripts but you can also instance remote events and name them. Do all this through a server script and the exploiter would have nothing but a few pieces of confusing client code.

You want to protect client code?

Check for game.CreatorId in a server script, check if it’s you who did it and store all client scripts inside server storage. If you are the creator, it clones the local scripts and parents them to the required service.

Your server scripts won’t copy onto the copy of the game, so nothing will load.

It might be really hard to instance your whole game but it will leave hackers and exploiters with nothing in the end. More than this, the effective way is to file a DMCA, but I just shared this for people who want to go another mile for game safety.
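One way to write the server-side gate described in this post, as an added example that is not code from the thread: a Script checks game.CreatorId, game.CreatorType and game.PlaceId, and only then clones LocalScripts out of ServerStorage to each joining player. The ids, the ClientScripts folder and the ScreenGui container are assumptions; once cloned, the scripts exist on that player’s client like any other LocalScript.

```lua
-- Script placed in ServerScriptService (added example; names below are assumptions).
local Players = game:GetService("Players")
local ServerStorage = game:GetService("ServerStorage")

-- Placeholders: replace with your own creator id and the place ids you publish to.
local EXPECTED_CREATOR_ID = 0
local EXPECTED_CREATOR_TYPE = Enum.CreatorType.User -- or Enum.CreatorType.Group
local ALLOWED_PLACE_IDS = { [0] = true }

-- Hypothetical folder in ServerStorage holding the LocalScripts. ServerStorage is
-- not replicated, so its contents are not in what a client downloads on join.
local clientScripts = ServerStorage:WaitForChild("ClientScripts")

local function isGenuinePlace()
	return game.CreatorId == EXPECTED_CREATOR_ID
		and game.CreatorType == EXPECTED_CREATOR_TYPE
		and ALLOWED_PLACE_IDS[game.PlaceId] == true
end

local function deliverClientScripts(player)
	-- LocalScripts run when they are descendants of the player's PlayerGui.
	local playerGui = player:WaitForChild("PlayerGui")
	local container = Instance.new("ScreenGui")
	container.Name = "ClientScripts"
	container.ResetOnSpawn = false -- keep the scripts across respawns
	for _, source in ipairs(clientScripts:GetChildren()) do
		if source:IsA("LocalScript") then
			source:Clone().Parent = container
		end
	end
	container.Parent = playerGui
end

local function onPlayerAdded(player)
	if isGenuinePlace() then
		deliverClientScripts(player)
	else
		-- Only reached if this server Script itself ended up in a republished copy.
		player:Kick("This copy of the experience is not authorised.")
	end
end

Players.PlayerAdded:Connect(onPlayerAdded)
-- Handle players who joined before this script connected the event.
for _, player in ipairs(Players:GetPlayers()) do
	task.spawn(onPlayerAdded, player)
end
```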

This doesn’t help. When a game is stolen it’s stolen in whatever state the player is seeing it as. This would be after everything has already been instanced and things are in place. The server script wouldn’t help either because once again the local instances would be the only things present and stolen.

2 Likes

If Roblox wanted to protect our assets, they could, and it wouldn’t be that hard.

If you’ve ever used a GUI image by location and name, those images are not downloaded when a place file is downloaded.

A good reference for this if you don’t understand, download the open-source game tribe sim.

The images in the gui are referenced as /images/image name, instead of by asset ID.

So instead of an asset ID, say you had an image named “frame” uploaded locally to that place. You could put /images/frame and that would work just like having the asset ID. However, if someone steals your place, they get nothing, because there is no “frame” located in /images/ for them.

Because of this, they exist and load locally based on their name and location, never giving access to the asset ID to begin with. The thief won’t know the asset ID of the item. More so, you can use an alias that won’t even give them the real file name.

There used to be times when more worked this way, but now it is pushing more towards depending on asset ID.

Currently, you can protect your GUI and normal textures this way. Sadly, PBR textures do not work with this method. Something that bothers me since they moved transparency to PBR, anything like a tree that used to be protectable even with textured leaves, now no longer is protectable.

I can’t make suggestions or I would have suggested long ago they fix this so it works with more, not less.

What I would like to see is the option on everything from meshes to textures that when you upload, you can use the local path instead of the asset ID.

This would solve place theft for everything but parts and terrain really.

FYI, ModuleScript bytecode is never loaded to the client until a client script requires it.

And why would you put sensitive information/keys on a place replicated to the client? That’s shooting yourself in the foot.

Place copying is mostly ever done to reverse engineer a game with better context, not to just republish it. Having a “good enough” look at how it works is all people need to write scripts targeting the game itself.

If anyone really cared to steal it exactly as is including images with local paths, they could. Those images are still uploaded to the website and Roblox still stores their actual IDs internally.

2 Likes

Clearly you know nothing about how programs like synapse work and what their limitations are. Asset IDs are server sided associations that are associated internally and used or not. How they are referenced are exactly that. The only thing that allows place stealing as it is now is that asset IDs work essentially as a hyperlink. There is no means to force that hyperlink to exist when it does not outside of through the server.

If you wanted to steal an item this way, you “could”, but programs like synapse would have to be specifically written for that purpose. While I have no desire to put this out there, I will say that developers like those making synapse didn’t put place copying in so people could steal assets, thieves are not their demographic. They put it in there to facilitate writing hacks, which is their market. Even if they did though, it wouldn’t be easy.

If you think you know something in this field, try it. I know many who have and to be quite blunt, anyone who knows anything about how file paths are used and the limitations of programs like synapse would tell you this isn’t doable. At best, if the developers of programs like synapse re-wrote their programs in a way to facilitate this, it would just give them raw data copies of models and images. These people would have to figure out what every one is and attempt to piece it back together themselves.

This has a few impacts that are very important.

  1. It wouldn’t work without the nature of Synapse or other programs like it being re-written.

  2. Doing so for programs like Synapse greatly complicates the scope of how the program operates and would make updating it specifically for that purpose more work than I think they would care for. Also it would make their program much easier to detect.

  3. Even if the things above both happened, the process would become difficult enough as to eliminate 99.9% of the people doing it. It would turn it from something skill-less, to an actually time consuming skilled task.

This isn’t some “no big deal” issue. Switching an asset from using a universal Roblox hyperlink to using a local file path is a huge deal as far as someone outside trying to access that data. These hack tools can’t access server data. How it is loaded to the client matters because now we’re no longer talking about accessing a function within Roblox, we’re moving to things like accessing local cache and memory addresses, which is an entirely different animal.

Even with the place file uncopylocked, you can’t download those files.

If you want to see this in action, make a place file in studio, link some images by their local path, and try to even download those images yourself without changing the path to an asset ID. Or just go to tribe sim and try to download that GUI from that place file.

The only way to access them would be to go into your “images”, find the file, and copy the ID. This information is not used when it’s not entered, so there’s no way to steal something that isn’t used.

For the record. Security is never about absolute protection, there’s no such thing.
It’s about making it difficult enough to deter people from it.

Nearly every game out there is possible to be exploited and have its assets stolen.
Right now, the Roblox asset ID linking system just makes it exceptionally easy.

Using local addresses comes with its own issues, but for securing assets, it’s worth it 100%
For one, you have to upload the assets by the same name to every place you intend to use them.
This means keeping a local directory structure that is a duplicate of your game’s with every raw file.
To any developer that cares about theft, this is a small cost.

But no, just because data exists on Roblox’s side doesn’t mean 3rd party programs access it.
The whole reason they “reverse engineer” games they steal is because they don’t have the server scripts or anything server-sided that isn’t copied to the client.

Currently, the asset ID or file path is copied to the client. If you don’t enter the asset ID, it’s not copied to the client, so they don’t have it. Sure, there are other ways they “could” obtain the models or images, in theory, but the odds are they won’t, and when they do it would be rare. Compare that to right now when every kid with any copy of synapse can steal your place with the click of a button vs. a solution that doesn’t yet exist that would be much more work no matter what… this is a no-brainer.

You don’t ignore security because in theory one day someone can do something to bypass it. If that was the case, the internet would have no security at all.

Edit: For the record, I’m not even saying they should switch it entirely. For many developers, this isn’t even worth the effort. I’m just saying that the option is already there. There are just changes that they have made that break a lot of them. They could just give us a button “use local path” that puts the local path in instead of the asset ID (if the file is local) or give us correct information to know the paths and make sure asset loading works with local paths for everything.

A really good way is to make all of your local script variables local.

And make all of your functions local too with local function.

This makes it so that exploiters can’t decode your variable name and function names.


Also make sure that you keep ModuleScripts that only the server uses in ServerStorage or ServerScriptService to prevent the client from decompiling them.


A DMCA costs no money


That’s a very bad design choice and makes your game lag a lot.

An exploit could easily just download the relative images. Sure it needs some extra code but there are very talented exploit devs who can do that.

Besides even if they didn’t they’d still get everything else except remotely downloaded assets.

It won’t lag if you let the server handle as many tasks as necessary, but you obviously shouldn’t literally dump everything on the server. You should never trust anything that comes from clients anyways.