Can exploiters view source code in modules if they are never required?

DevOfLua · March 15, 2019, 7:40am

Someone said hackers used modulescript. I don’t know the id but when they executed the modulescript would’ve copied the whole game and placed the copy of the game in hackers desktop.

colbert2677 · March 15, 2019, 7:43am

That’s irrelevant and unsubstantiated. Even then, it doesn’t matter whether the code execution is facilitated through a ModuleScript or a code injection or whatever. ModuleScripts are just LuaSourceContainers meant to execute code on require. The point is the code, not the physical instance.

OverHash · March 15, 2019, 9:13am

No. It cannot copy objects placed in ServerStorage or ServerSciptService. Are you actually listening to any of the other developers on this thread explaining to you what the client can, and can’t access?

It is one of those. That’s it. Nothing else. You are going off-topic talking about stealing games, I suggest you raise a new thread to ask a different question.

To answer your original question yes, exploiters can view source code in modules even if they are not required. You should change your framework if this is an issue.

RuizuKun_Dev · March 15, 2019, 10:26am

If you are unsure of what can be seen by Server and Client you can simply “Start Test Server” and observe the explorer you will know exactly what is accessible by whom.

Very informative thread, have a read and it should cure your concerns.

My advice is let go of what ever is exposed to the Client, you aren’t in control of the security, Roblox is and I doubt that they would do something about.

Monsieur_Joe2 · July 11, 2023, 5:07am

Sorry that this is 4 years later, but I’m curious. I have a ModuleScript in ServerScriptService and it holds the main and most important code in the game. Since it’s a ModuleScript, can exploiters gain access to it? Or they can’t because it’s in ServerScriptService?

Phazezero9 · July 11, 2023, 7:09am

No, they can’t access it because, as you said, it’s in ServerScriptService, which is only accessible by the server.

One way to check if a client has access to something is to try to find it while playtesting as a client.

If you were to place any instance, say a modulescript, into ServerScriptService as the server, then playtest as a client, you’d use explorer and find that the modulescript does not appear.

If the client’s explorer can’t find it, a client’s exploits can’t find it (except in VERY rare security breaches).