Can exploiters see scripts in workspace?

Wizertex · September 22, 2019, 12:08pm

Hello!

I’m wondering if Exploiters can see scripts in-game (for Local scripts, I know they can), but for “server” scripts, can they see and change them?

Thank you,

tradeArray · September 22, 2019, 12:13pm

Hello,
server scripts can’t be decompiled its only local scripts.

Wizertex · September 22, 2019, 12:13pm

So basically, they can’t even see them, nor edit?

tradeArray · September 22, 2019, 12:14pm

no i do not believe so my friend tried just to see if it works and he couldn’t edit them.

Wizertex · September 22, 2019, 12:16pm

So, they also can’t see them, then?

tradeArray · September 22, 2019, 12:16pm

yeah, they cant as of right now.

WisdomClock · September 22, 2019, 12:18pm

Exploiter is nothing but a client. He can see everything you let the client see, he can read local scripts, invoke remote functions, remote events and edit properties. Is part has networkownership set to the client then those changes will replicate to the server, otherwise everything has to be done through a server (server script)

Wizertex · September 22, 2019, 12:24pm

Okay, thank you for your help.

colbert2677 · September 22, 2019, 7:20pm

Exploiters can see scripts in the Workspace but if they aren’t LocalScripts, then they can’t see their contents or anything. Server scripts don’t have their bytecode (what’s necessary to interpret and run the code) sent to the client, so likewise they can’t access any of it’s content.

Be wary that ModuleScripts can be accessed regardless unless you put them into a server container (ServerStorage or ServerScriptService). The code is sent to the client as both the server and client can require them.

ScottSpiritWalker · May 1, 2020, 3:03am

Why does server Script replicate to the client? Server Script seems to be perfectly legible on the client. It can’t run on the client, but it can be stolen by exploiters. Tools, vehicles and NPC Models frequently have server Script inside them. When I clone these models from ServerStorage to the server’s workspace, the server script is cloned too, which is correct, since the script must run on the server. Once in the server’s workspace, the model gets replicated to the client, including the server Script. Now that it is on the client, exploiters can steal our server script. We can’t stop them from stealing the model, but now they have the script that makes it work. And why spend the bandwidth pushing it out to the clients when it doesn’t run there.

Repro: Easy to demonstrate. Start Studio with an empty baseplate. Start a test local server and client (click Test, then Start). In the client window, in Explorer, expand Workspace, expand Player1, you will see a Health server script on the client. It can’t run there, but it is legible, so why did it replicate? Another example: In the server window of this same test, right-click Workspace, Insert Object, Script. Now back to the client window, you will see it replicated to the client’s Workspace. And it is perfectly legible.

Yes, I could put my server Script in ServerScriptServices to protect it from exploiters and save some bandwidth. But it is somewhat awkward to control several NPC models and vehicles from Script in ServerScriptServices since the script needs access to the seats and other parts of the model which can be cloned to workspace and removed from workspace at any time. It is more customary to keep the Script inside the model so it is self-contained.

My preferred solution to this would be for Roblox to create a new checkbox on all parts called Replicate (similar to Archivable). If set to True, the object (and its children) replicate to all client. If false, it does not replicate. Plus add a new API that will allow us to force a replication to a specific client. Then we can control what goes to the client and when.

The easier solution is for Roblox to stop replicating server Scripts from Workspace to the clients.

byc14 · May 1, 2020, 3:45am

You’re most likely seeing the source in a studio play solo session. It’s completely different behaviour from a live game. As mentioned above, the bytecode isn’t sent to the client. It’ll just be a blank instance in workspace.

MallocByte · May 1, 2020, 3:49am

Additionally, tools and GUIs use localscripts, which is not compiled to bytecode and thus can be seen. However, no sensitive code should ever be on the client so if someone steals it, you shouldn’t worry. As long as any remotes you have are secured, you are fine.

byc14 · May 1, 2020, 4:52am

The source in localscripts is compiled into bytecode and sent to the client where it’s run. It can then be decompiled into readable Lua.

It doesn’t work the same way with server scripts because the bytecode is never actually sent to the client, therefore there’s nothing to decompile in the first place.

MallocByte · May 1, 2020, 12:56pm

Ah my bad. Thanks for the correction.

xynekko · August 7, 2020, 11:04pm

To protect my games i just do the following:

ServerScripts: I do nothing to them since they cant be seen by the local, only backdoors can copy these kind of scripts but thats only when you use free models.

ModuleScripts: Some exploiters figured out how to get those, but all i just do is putting them on ServerScriptService and they are protected.

LocalScripts: These ones unfortunately can be copied but if you dont want them to be copied just obfuscate them with “IronBrew, Synapse Xen, etc.” .