Incorrect. My thread asked whether exploiters could access or modify the ModuleScripts in any way. Not only whether they can be used or not.
Exploiters can tamper with ModuleScripts, but the changes will only be replicated to the client. (In other words, the exploiter is the only who can see the changes. No one else can).
If you continue reading the article, you will notice Experimnetal Mode basically means FilteringEnabled is disabled.
This has changed and FilteringEnabled is now forced by roblox, which means you cannot disable it anymore and you cannot go into Experimental Mode
The simplest answer to this is the client and server receive different copies of the module they require. The copy the server has of the module is different from the client, any changes the server makes inside the module for example changing a value in a dictionary in the module will not replicate to the client, you will need to use a RemoteEvent for this.
Similarly, if the client edits the ModuleScriptâs bytecode or whatever it returned, it will be editing the copy it received, which is different from what the server has, and from what every other player has.
Note: This only applies to the code of the module and the values it returns. If the server edits the name of the modulescript for example, it will replicate to the client, but not vice versa, just like every other instance.
âReplicatedStorageâ just simply means a place where you want to put objects which are visible to both the server and the client. If you place a script in ServerScriptService, it will not be visible to the client, but in ReplicatedStorage, it will (but it will only be visible, the bytecode of the script will still not be shared with the client, because there is no reason to), but it doesnât mean that if you put a module there any changes the client makes will be replicated, as this is not what ReplicatedStorage does.
Thatâs an excellent chart made by @colbert2677, however from what I could understand, after the diamond (require), a copy is made (for the Server and for the Client), which leads to the belief that the code can be tampered with BEFORE that, generating tampering that will also be imported to the Server, right?
Yes, a client can modify a ModuleScriptâs source, fortunately this will not replicate to the server. ModuleScripts that are required by both the client and the server will return a unique value for each, this can be verified by running the following scripts.
--MODULE
local module = {}
return module
--SERVER
local Game = game
local ReplicatedStorage = Game:GetService("ReplicatedStorage")
local Module = require(ReplicatedStorage.ModuleScript)
print(Module)
--CLIENT
local Game = game
local ReplicatedStorage = Game:GetService("ReplicatedStorage")
local Module = require(ReplicatedStorage:WaitForChild("ModuleScript"))
print(Module)
I think an important mindset to approach this conversation with should be divorced from the type of script being used - to us, the difference is mostly only eager versus lazy. The process changes for how exploiters modify the client but the result at the end of the day is the same.
Once code is compiled it canât be tampered with. Exploits generally donât focus on manipulating the actual execution of code which in itself is nigh or completely impossible; what it focuses on is memory and arbitrary execution. That is, either changing what certain variables point to or running something on their own end that is passable (and understood by the engine) as genuine code.
The chart in question is to show that interactions between the server and client between the same ModuleScript do not propagate to each other. Every VM (server, client, command bar, actor server and actor client) receives a different instance of the ModuleScript. For this you are correct.
When it comes to any form of tampering however, the client-server model is still applicable. Even if hypothetically it was possible to change the execution content (source) of a script, client changes cannot replicate to the server. The server cannot see anything a client does except in the case of the client having authority over replication (e.g. network ownership).
My explanation for this chart was on another developerâs worry that ModuleScript content could be changed by an exploiter. That is true, so the chart and accompanying explanation are showing that it is still fine to use ModuleScripts in lieu of this but to use a different approach when incorporating them into game-critical systems. The developer originally intended to store mission progress on the clientâs instance of the ModuleScript but an exploiter could change that so I simply recommended tracking it from the server instead.