Best ways to stop people leaking your game client side

Bro what about Rolling Thunder…

In your example, //Images/DeerImage, you are not given the asset ID you show in the web link from the link used. Even if you scripted it this way, you do not get the asset ID you highlighted from the library. It’s simply not given and doesn’t exist within the script.

That address, as I said, is used locally. I’m not sure if you are misunderstanding the word locally, but I’ll make it quite clear in case you are struggling.

When you upload, in your example “DeerImage”.
You are uploading that to a specific place.
It does not exist in any other place.
If you want to use it in another place, you have to reference the asset ID, like what’s used in the library.
It does not exist in any other place.
If you have say a group and you upload “DeerImage” to say “Place 1”, you can not reference /Images/DeerImage from any other place.

When you use /Images/DeerImage, Roblox isn’t going “hmm… I wonder what this is”, translating that to an asset ID, then fetching the ID. No, that’s ridiculous, it’s loading it from the place file it exists within and it’s using the same path that was used, not making up a new one. Yes, it’s sending an HTTP request, but not for an asset ID. Why on earth would Roblox or anyone for that matter put in an ability to reference locally, which contrary to what you believe, yes, it is locally (to that place), just to have it need to convert that to an asset ID to look for it by asset ID somewhere else? What you are saying makes literally no sense.

If I’m running a server locally off my computer and during the execution of a file on my server, that file accesses another part of my server that’s also local, but that file isn’t shared, you don’t suddenly gain access to that file independently because you have access to the local file.

If you could fetch an asset ID from a local image, which I’m not entirely certain you can (I have one way I could test that I know of but I don’t know or even think it would work), that still doesn’t give you the asset ID on a place file download.

Just because you can, in studio, go to your assets, click on images, see a list of all the images uploaded to that place, click on that image and get the asset ID so you can find it in the library, doesn’t mean that anyone else accessing it can do that. I know if I give someone permission to edit a game but I don’t give them permission to edit group games, they can’t access what I upload. They can’t even play my animations in that place. So if someone with game edit permissions can’t access what another person uploads to a group because they don’t have group edit permissions, why would a player locally be able to access that same information?

rbxgameasset is not the same as assetid.
Even IF you could access the asset ID this way, which once again, I highly doubt you can, Roblox could EASILY change that and make that a permission-level access. It would not be hard on their end to rectify this at all.

So I double checked, and my theory of Roblox pre-fetching the IDs and storing them somewhere in memory was wrong. When the client sends the HTTP request, Roblox returns the asset ID with it in the headers. This is still of course in complete contradiction to your claim.

You may click the link below and see exactly that.

https://assetdelivery.roblox.com/v2/asset?universeId=242708590&assetName=Images%2FDeerImage
image

Breaking API backwards compatibility almost never happens on Roblox, not to mention that this sort of information has genuine use cases in tooling and such.

Lastly, I don’t see why they would try to do anything about it when in the worst case you can still automatically download all the images and bulk upload them for the place copy. In reality though, no one will care, because once again most people download places to see the context of scripts so that they may write better exploits, not to reupload.

I will no longer reply to random uninformed rants with interspersed insults.

Is this tested using an image that was added via asset ID or was it tested using an image that was only referenced in the place using nothing more than /Images/ImageName (i.e /Images/DeerImage)?

How exactly would you automatically download all the images in bulk?

The entire premise of this thread is written by and for people that very clearly care. Even if the bulk of these people are doing it for exploit purposes, enough of them do it strictly for theft that the number of people selling stolen assets is vastly greater than the number of people making legitimate assets. As the OP pointed out, beyond places like Hidden Devs, HD, and countless others, you can literally find professional sites with gig workers advertising things like they will steal you any place on Roblox for $5. There is more than enough reason to care enough to do something. Even if someone making scripts found a way to do this, they would most likely use it for their own gain. This would be a huge improvement over anyone and everyone who downloads even a hacked version of synapse being able to steal any place and all of its assets with a couple of mouse clicks that even an 8-year-old kid with no developing knowledge can do effortlessly.

I don’t know if it’s relevant or matters to you, but this post/thread is literally “Best ways to stop people leaking your game client side”. There’s not a single flawless proposal here. That doesn’t mean we should all give up and determine we’ll never stop people from stealing our games.

Most people on Roblox wouldn’t even do it, which is fine, because the less people using features like this, the less there will be people out there with an incentive to try to bypass it. I have yet to see a single person able to steal the images from a place like tribe sim, which is open source. I would take those odds over the current theft rate for everything else any day.

The image was brand new and added through the asset manager in that specific place.

The link I sent, which is what the client calls out to when loading the image, returns a CDN link from where you can directly download the raw data.

My point was never giving up; rather it’s about finding permanent solutions. This issue is an industry one anyways, since AAA games haven’t stopped asset ripping either.

1 Like