This is very helpful and it explains alot! it’s nice to see this in here.
But regardless can a hacker make a roblox plug in that just grabs the assets from the game when the plugin is enabled by that user?
I can’t stress to people enough that you should only team-create with people you trust.
I agree with that statement because if you didn’t you have a high chance of them letting steal your game and you one even know it. Plus in my opinion I mostly do TC if it’s a long commission and I at least known them for 1 year.
So you’re saying whatever exploit this is, has access to Roblox servers, and can steal files whenever they want if they have some “ID”? Yeah, sure. You saw something else. That didn’t happen.
I was more or less thinking like they could one day betray you by using backdoors with modules etc.
That is in no way possible, it might be possible with catalog assets like shirts/pants or tshirts, maybe even accessory models at best, but that’s only possible because that’s already openly available to the client side.
This isn’t the case with places as the server sided scripts are never in reach to the client so there is no way they can decompile those scripts, especially with just the id without even playing the game. That’s not possible unless they have undisputed access over the roblox servers which isn’t true.
Your post is not correct. Please read the OP.
No, he’s correct. I read the post and it contained exactly what I suspected: you can steal client scripts. You can’t steal server sided things.
Is it possible for exploiters to read what local scripts say?
Yea, it is possible. [ Just adding this since there’s a requirement of 30 characters minimum in a reply. ]
Yeah, to be specific, people can see the code in LocalScripts, but only to a certain extent. All local variable names and comments are erased from them before they are sent to the client application. So, if you would have a script like this:
local game_time = workspace.DistributedGameTime
-- This function will compute the sum of two numbers
local function sum(number_a, number_b)
local sum = number_a + number_b
return sum
end
print(sum(game_time, 1))
Then people might be able to decompile it like this:
local v1 = workspace.DistributedGameTime
local function v2(v3, v4)
return v3 + v4
end
print(v2(v1, 1))
Are MetaMethods/MetaTables Replicated on the server and client?
An example would be:
--inside of the exploit's terminal local obj = --wherever it is local metatable = getrawmetatable(obj)
metatable.__index = function(_, k) return 16 end
print(obj.WalkSpeed) --16 if obj.WalkSpeed > 16 then --this is useless now
player:Kick("Yeet'd out of the universe")
end
(got the code from here)
Good question, which I didn’t actually cover in the article, metatables aren’t replicated from client to server, meaning if an exploiter messed with a Part’s metatable from the client, only the client’s part’s metatable would be messed, and not the server’s. Exploiters mainly do that to stop sanity checks in the client side, WalkSpeed
for example doesn’t replicate from what I know, so even sanity checks from the server won’t work. But doing sanity checks on the client is just useless due to this technique, plus the fact that exploiters can remove scripts, so people commonly don’t do it, thus this exploiting technique isn’t always effective.
Not only that, but exploiters can even terminate a script’s execution without removing it or setting its Disabled property.
Only the server has the ability to compile Lua code. You’d need a RemoteEvent somewhere to be sending the string. Even then, it’s limited in API power but it’s access on the server-side which is much more destructive whether special API is available or not.
Source? Does Luau not allow loadstring() on the client even if you have the boolean checked in ServerScriptService?
No. The previous Lua compiler was stripped from the client, and so is the Luau one. It’s a major security issue to have the code for compiling Lua even be present in the client.
If the code was present, it wouldn’t matter whether or not you allowed loadstring through the server setting. One could just call the code regardless and get anything running on the client’s VM.
…which is exactly what I outlined in my post. Read.
I didn’t know this was stripped from the client though. Thanks.
I believe it might be possible to make client-side anti-exploit scripting by having a remote make periodic checks to the client and make sure those values are the same on the server. If that remote didn’t respond in the correct format, the values didn’t match, or the remote didn’t respond at all, the server could kick the player.