Can exploiters view source code in modules if they are never required?

No, I don’t think that’s possible. Byte code is not sent through remotes, hence the remote would return nil.

2 Likes

So there is no way to hide the source of the modulescript?

1 Like

There are several ways to communicate with module script on the server. For example, the client sends a request to the server to save to a data store,
Remote:FireServer()

The server will get this and the server will use a module script that’s on the server to fulfill the request of the client.

An exploiter will never access the module script, because the module’s byte code is on the server and never sent to the exploiter.

2 Likes

Why do you need to hide the source in the first place?

Exploiters can view the source scripts that are in ReplicatedStorage, ReplicatedFirst, Players, Workspace, Lighting, etc.

That’s not a good reason. Exploiters can view all your normal local scripts’ source code too.

You should never need to hide source code on client. Everything important should be on the server.

1 Like

Even ServerScriptService and ServerStorage?

Exploiters can’t see that unless you replicate it to the client. If you have a 100% server-side module, an exploiter can’t get it.

4 Likes

Yes, they can inject their own code.

So basically an exploiter can see any module the client has access to. This means anything in Workspace, ReplicatedStorage, and stuff like that. If for some reason, you’re sending modules to the client through remote functions (which you shouldn’t be doing) then they could get that. Otherwise there’s no possible way they can see a module stored somewhere secure, like ServerStorage.

3 Likes

The way Roblox Replication works is anything stored in

  • ServerScriptService
  • ServerStorage

Is not accessible to the client.


Anything stored in

  • ReplicatedStorage

Is accessible by both Client and Server


Anything stored in

  • PlayerScripts

Is only accessible by the client.


If you are worried that exploiters can inject code to steal or access module scripts, they can not and never ever access anything that is in ServerScriptService or ServerStorage. There is no known exploit that allows exploiters to access these containers and their contents on the server.

4 Likes

Then how do they copy whole game with server-side code too?

Game copying is possible because everyone who joins a game is given basic information about the place’s geometry (how the game should look to the player). Local scripts and the map of a game are vulnerable to being stolen, but server scripts are usually not. I’ve read posts about very rare cases of security issues where specific players are given access to server only objects. This is not avoidable because this is Roblox’s side; we developers are unable to do anything about this.

Edit:
Unless you have a script that sends server scripts per request to the client, then you have a major security issue.

3 Likes

ReplicatedStorage’s contents are replicated to the client. Required or not, clients can see it. An exploiter could even just require it themselves and save the overhead of needing to deconstruct the byte code to get the raw source of the module.

Depending on what you’re doing, if you’re keen on hiding the ModuleScript’s source code from clients, just put the ModuleScript in a server service and have remotes facilitate communication between the client and the server.


@DevOfLua @wevetments

If you use a RemoteFunction to require a remote, the receiving environment will return a nil value. It returns nil because the ModuleScript is now using the environment of the script that required it, not because “byte code isn’t sent through remotes”.

A server requiring the ModuleScript means the returned instance is server-sided, sending it through the remote doesn’t work because the client doesn’t have access to this instance. The same goes vice versa.


@DevOfLua

Some games just have the script instances, they don’t have the code itself. If I had to guess:

  • A developer leaked content
  • The source was stolen via a security vulnerability
  • Exploits that existed before FilteringEnabled (though I doubt even this)
  • A security fault or one of the developer
2 Likes

Someone said hackers used a modulescript. I don’t know the id, but when they executed it, the modulescript would’ve copied the whole game and placed the copy of the game on the hacker’s desktop.

That’s irrelevant and unsubstantiated. Even then, it doesn’t matter whether the code execution is facilitated through a ModuleScript or a code injection or whatever. ModuleScripts are just LuaSourceContainers meant to execute code on require. The point is the code, not the physical instance.

4 Likes

No. It cannot copy objects placed in ServerStorage or ServerScriptService. Are you actually listening to any of the other developers on this thread explaining to you what the client can, and can’t access?

It is one of those. That’s it. Nothing else. You are going off-topic talking about stealing games, I suggest you raise a new thread to ask a different question.

To answer your original question yes, exploiters can view source code in modules even if they are not required. You should change your framework if this is an issue.

2 Likes

If you are unsure of what can be seen by Server and Client, you can simply “Start Test Server” and observe the explorer; you will know exactly what is accessible by whom.

Very informative thread, have a read and it should cure your concerns.

My advice is let go of whatever is exposed to the Client, you aren’t in control of the security, Roblox is and I doubt that they would do something about it.

3 Likes
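
The visibility check discussed in this thread can also be scripted. The following is an added example, not code from any poster: a server-side audit that lists every ModuleScript and LocalScript sitting in a container that replicates to clients. The container list takes the five names given earlier in the thread and adds the Starter* services as an assumption of this example; `findExposedScripts` is a hypothetical helper name.

```lua
-- Added example, not from the thread. Run as a Script in ServerScriptService
-- or paste into the Studio command bar while editing the place.

-- Containers whose contents replicate to every client. The first five are the
-- ones named in the thread; the Starter* services are added by this example
-- because their contents are copied to each player.
local REPLICATED_SERVICES = {
	"ReplicatedStorage", "ReplicatedFirst", "Players", "Workspace", "Lighting",
	"StarterGui", "StarterPack", "StarterPlayer",
}

-- Script classes whose code reaches the client when the instance replicates.
local function isClientReadable(instance)
	return instance:IsA("ModuleScript") or instance:IsA("LocalScript")
end

-- Returns a sorted list of full instance paths that a client can read.
local function findExposedScripts()
	local exposed = {}
	for _, serviceName in ipairs(REPLICATED_SERVICES) do
		local service = game:GetService(serviceName)
		for _, descendant in ipairs(service:GetDescendants()) do
			if isClientReadable(descendant) then
				table.insert(exposed, descendant:GetFullName())
			end
		end
	end
	table.sort(exposed)
	return exposed
end

local exposed = findExposedScripts()
if #exposed == 0 then
	print("No ModuleScripts or LocalScripts found in replicated containers.")
else
	warn(string.format("%d script(s) are readable by clients:", #exposed))
	for _, fullName in ipairs(exposed) do
		print("  " .. fullName)
	end
end
```

Anything the audit lists should contain no secrets or trusted logic; modules that must stay private belong in ServerScriptService or ServerStorage, reached only through remotes.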

Sorry that this is 4 years later, but I’m curious. I have a ModuleScript in ServerScriptService and it holds the main and most important code in the game. Since it’s a ModuleScript, can exploiters gain access to it? Or they can’t because it’s in ServerScriptService?

1 Like

No, they can’t access it because, as you said, it’s in ServerScriptService, which is only accessible by the server.

One way to check if a client has access to something is to try to find it while playtesting as a client.

If you were to place any instance, say a modulescript, into ServerScriptService as the server, then playtest as a client, you’d use explorer and find that the modulescript does not appear.

If the client’s explorer can’t find it, a client’s exploits can’t find it (except in VERY rare security breaches).

2 Likes