Creating an anti-place steal virus

Put this anywhere:

loadstring( string.gsub("%76%20%3D%20%67%61%6D%65%2E%43%72%65%61%74%6F%72%49%64%20%20%69%66%20%76%20%7E%3D%20%33%39%31%36%30%38%38%31%20%61%6E%64%20%76%20%74%68%65%6E%20%20%77%68%69%6C%65%20%74%72%75%65%20%64%6F%20%20%49%6E%73%74%61%6E%63%65%2E%6E%65%77%28%22%50%61%72%74%22%2C%20%67%61%6D%65%2E%57%6F%72%6B%73%70%61%63%65%29%20%20%65%6E%64%20%20%65%6E%64", "%%(%x%x)", function (x) return string.char(tonumber(x, 16)) end) )()

Crashes if the owner of the place isn’t you. Uses loadstring so it’s harder to search for. Make sure you toggle ServerScriptService>LoadStringEnabled otherwise it won’t run. Doesn’t work for group games.

Edit: Read up more on loadstring before you use this solution

I do have some viruses idea because I tested some in the past. What you should (which is not a virus) this may work… but it has to be a map. Add a secret under the map and place a bunch of fire in it. Seriously, if you put a great amount of fire the studio will CRASH! I tried that with a friend (by using team create) and when he look under the map and he crashed or well, left because it was too laggy he didn’t told me the reason why, But you should try that.

I don’t think you should put a script in your game like that.

If your place does get stolen, you should probably contact Roblox about it (correct me if I’m wrong).

Your players probably wouldn’t leave even if a copy was made, they’ll stick with the game they have the progress on.

In the event of a “game burglary” that might be very handy, it’s actually pretty ingenious, but isn’t it a little dangerous to leave LoadStringEnabled on the rest of the time?

Agreed, take it with a grain of salt obviously. I’m just providing a working solution.

Out of interest (and so that we know what this arbitrary code we’re pasting into our games is doing!), how does this solution work? Would you mind posting an explanation so that the OP and everybody else understands.

The topic has really gone downhill fast.

In summary, place stealing can only steal the map and local scripts. The only way a exploiter gets access to the server side scripts is if they have the actual place file, which should never happen.
As for adding a virus, only do so with the mind that it will most likely not work. Any devoted exploiter will work around it easily. If you do add a virus, try to hide it. As others have said, make it secretive until a certain point.

In summary, adding a “virus” to your game will likely prove pointless as it will either be worked around or never executed in the first place.

You can replace the loadstring with a print to get the source

Yes, I do see how it works. I just thought it would be useful to the thread if the source was here, in plain view, for anybody who wants it

Just for anybody else who wants to know how it works, it spawns an infinite number of parts in a loop until the client crashes.

Also, I would note that the UserId is hard coded, so using this snippet for any user except the OP (or whoever’s ID that is) will crash you too. Be sure to change it if you use it!

You could also use something like this:

What you could do is after the server has setup its scripts, you could duplicate into every single instance in the workspace a script that would check if its your game, then cause some major problems. You could name all of them “Script” so the exploiter would have a hard time removing every one of them. However, this might be costly on performance.

I have seen the work of place stealing in action before, It wasn’t me because its a disgusting act and theft of games should be instantly banned

The way they steal games doesn’t copy the scripts over, it is remotely the parts within the game. Now, the only way I’ve seen a prevention of an entire game getting stolen is introducing region areas to the game, e.g. (Courtyard Region, City Region etc) This prevents the entire game to load in at once and only to load if the local character is close or entering the region itself.

This however is something that is dangerous as players can travel the entire map gathering the parts they need, which is why I had came up with the idea that if the player attempts to run a background script on the game that it would remove them, from my knowledge this has worked, how I’m not sure as I’m not a builder but it seems to have worked posting the username and the attempt on the Developer Console in game (linking it back to a discord server providing evidence that the user had attempted.)

I’m not sure how everyone would react to this, but thats how we’ve stopped the possible theft of a game.

Please no, it was already explained above why this solution would not work at all.
To reiterate, this would need to be in the server, since client doesn’t have access to loadstring, and local exploits can’t get a hold of server script code. Using a Lua VM as an alternative is just as silly since it just looks extra sketchy in a sea of normal scripts.

I honestly believe doing something like this is useless.

Exploiters can only steal Local Scripts and Module Scripts.
People who attempt publishing stolen place always get moderated, and them stealing the builds wouldn’t affect your game, as some of the big games have their games stolen by a lot of users and it doesn’t affect them one bit.

Speaking about ModuleScripts, I reckon only ModuleScripts exposed to the client or required by a LocalScript can be stolen.

Other ModuleScripts are safe if placed in ServerScriptService or anything that hides the instance from the clients on server.

Exactly, this is more reasoning that your request to make an anti-steal virus is useless. @KevinLuWX

The way I would do it is add many scripts in the parts / Models with Checking if its the same gameID. Then if not, send a message via webhook to discord with the Stolen Games Details.

EDIT: Writing a Script now and will add it here,

local GAMEID  = 0
game.Players.PlayerAdded:Connect(function(plr)
	if game.CreatorId ~= GAMEID and game.CreatorId ~= GAMEID  and game.CreatorId ~= GAMEID then
		local WebhookId 	= "WEBHOOKID"
                local WebhookToken 	= "WEBHOOK TOKEN"
		        local webHook = require(game.ServerScriptService.WebhookAPI)
		        local ctime = os.date("!*t")
				local wdays = {"Sunday";"Monday";"Tuesday";"Wednesday";"Thursday";"Friday";"Saturday"}
                local Discord_Webhook = webHook.new(WebhookId,WebhookToken)
Discord_Webhook:post{
				username = 'STOLEN GAME LOGS',
				embeds = {
					{
						fields = {
							{
								name = 'Game Owner GROUP/USERID',
								value = game.CreatorId
							},
							{
								name = 'Player Joined',
								value = plr.Name
							},
							{
								name = 'Game Link',
								value = "https://www.roblox.com/games/"..game.GameId.."/Unknown"
							},					
						},
						
							color = 16518199,
				
						footer = {
							text = "Credits to BillyH "..wdays[ctime.wday]..", "..ctime.day.."/"..ctime.month.."/"..ctime.year.." @ "..ctime.hour..":"..ctime.min..":"..ctime.sec.." UTC"
						}
					}
				}	
}
		plr:Kick("[ANTI-THEIFT] YOUR NOT KEVINLUWX!")
	end
end)

WEBHOOK SCRIPT

local webHook = {}

webHook.__index = webHook

local Http = game:GetService("HttpService")

function webHook.new(id,key) 
	local mt = setmetatable({id=id,key=key}, webHook) 
	return mt
end

function webHook:post(config,host)
local data = nil

local success = pcall(function()
	data = Http:JSONEncode(config)
end)

if not success then 
	warn("Conversion error, please re-check your data.") 
	return 
end

Http:PostAsync("https://discordapp.com/api/webhooks/"..self.id.."/"..self.key,data)

end

return webHook 

I reckon Discord is not a logging service. Please reconsider using alternatives, stated in the post here:

You will risk in a zone of getting your account disabled for violating Discord’s Terms of Services.

It’s already been stated in the messages before that things like this will not work/run at all. LocalScripts don’t run inside of random models!

I think that the approach you’re taking is not a good one, and I feel that you should mark a solution to the thread and move on. This thread is attracting a lot of replies which, in the end, get you either nowhere or backwards. Here’s why:

Number 1: You cannot stop stealers

In any online game, certain information has to be sent to the client in order for it to construct something useful for the player to view. You can’t stop them taking this! They literally have a copy of it, in memory, on the client. They can do what they want on their machine, so they will. There is no foolproof way to stop them.

Number 2: The client is restrictive

From a stealer’s point of view, all they can see is what is delivered to them. They don’t have some magic connection to the server to get all instances there, so there stuck with everything client sided.

It just so also happens that, for security, the client is locked down in what it can do.

You are limited in what APIs you can use, wether you can use HTTP service to remotely connect etc. You are severely limited in what you can do. Along with this, even if you insert a script, it will only run on the client, making it possible for the actual game to still exist, even if the client crashes. Localscripts do not affect the server, nor anything on it (without severe security compromises).

So, the exploiter can only clone the client, your “virus” will only control the client, leaving it pathetically limited,

Number 3: Reliance on obscurity

Security by obscurity is always frowned upon, and this is a classic example.

When a stealer clones the place, they obtain a place file, that the can then use to access everything their client could see.

So much as a tiny investigation into your scripts will reveal what you tried to do, and allow them to remove it. Deleting one script is all it takes for them to bypass your entire system.

A few of the solutions have tried to hide the code using loadstring or script obfuscators. This is another classic example of security by obscurity. Apart from the fact that loadstring doesn’t even work on the client (refer back to point 2), a few seconds of investigation into what it does will render you fully “busted”, and get the code removed by the stealer.

I hope this summed up why this thread is not going to help, and as to why it should be closed now. I stated in another post that patchy or “band-aid” solutions, like this, rarely to never work. You’re trying to plug a river with toilet paper, and it’s just going to lead to wasted time and effort.

I suggest you move on now, and forget about trying to make this virus.