Exploiting Question

Hello everybody! I just have a simple question about exploiting: is there a way to steal scripts from a game?

I am not an exploiter, I am wondering about the security of my game.

Yes. Everything that is replicated to the client (like local scripts) can be stolen by an exploiter.

1 Like

I believe scripts stored on the server (like in ServerScriptService) are safe. But scripts that can be seen on the client, like LocalScripts or scripts in ReplicatedStorage, can all be stolen.

1 Like

is there a way to steal scripts from a game?

Yes. That’s the most simple answer. If you don’t want it to be stolen, don’t put it on the client.

1 Like

I know, I don’t use free models.

As they said, anything replicated to the client can be stolen. However, when managing exploits, your major concerns should be doing all important stuff, such as cash records and transactions, on the server, as well as securing your remote events with sanity checks in order to prevent them from being fired by exploiters. For example:

-- Let's say you have a remote event to buy an item.
-- On the client, you first check whether the player has enough money:
if client.Money > itemCost then
    remoteEvent:FireServer()
end

-- Then on the server, you check again in case the player doesn't have enough money:
remoteEvent.OnServerEvent:Connect(function(player)
    -- Check whether the player has enough money; if they don't, kick them because they exploited.
end)

This is just a simple illustration. For more information regarding this topic, you can read this thread:

1 Like
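The server-side sanity checks described in the post above, as an added example that is not part of any post in this thread: a server Script that treats every RemoteEvent argument as untrusted and looks up the price itself. The RemoteEvent name `BuyItem`, the `leaderstats`/`Money` layout and the `ITEMS` catalogue are assumptions made for illustration.

```lua
-- Added example: server Script (e.g. in ServerScriptService). Assumed names: RemoteEvent
-- "BuyItem" in ReplicatedStorage, leaderstats IntValue "Money". ITEMS is constructed sample data.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local buyItem = ReplicatedStorage:WaitForChild("BuyItem")

-- Prices exist only on the server; the client sends an item id, never a price.
local ITEMS = { Sword = { cost = 100 }, Shield = { cost = 250 } }
local MIN_INTERVAL = 0.5 -- seconds between requests accepted from one player
local lastRequest = {} -- [UserId] = os.clock() of the last well-formed request

-- Returns (item, moneyValue) when the request is valid, or (nil, reason).
local function validatePurchase(player, itemId)
	-- Everything after `player` is client-controlled: check the type first.
	if typeof(itemId) ~= "string" then
		return nil, "bad argument type"
	end
	local item = ITEMS[itemId]
	if not item then
		return nil, "unknown item"
	end
	local now = os.clock()
	local last = lastRequest[player.UserId]
	if last and now - last < MIN_INTERVAL then
		return nil, "rate limited"
	end
	lastRequest[player.UserId] = now
	-- Read the balance from server-owned state, not from anything the client sent.
	local stats = player:FindFirstChild("leaderstats")
	local money = stats and stats:FindFirstChild("Money")
	if not money or money.Value < item.cost then
		return nil, "insufficient funds"
	end
	return item, money
end

buyItem.OnServerEvent:Connect(function(player, itemId)
	local item, moneyOrReason = validatePurchase(player, itemId)
	if not item then
		warn(("Rejected BuyItem from %s: %s"):format(player.Name, moneyOrReason))
		return
	end
	moneyOrReason.Value = moneyOrReason.Value - item.cost
	-- Grant the item here, on the server.
end)

Players.PlayerRemoving:Connect(function(player)
	lastRequest[player.UserId] = nil
end)
```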

This is not factual. Scripts can’t access their .Source property in-game.

1 Like

Short answer: Yes and no

Long answer:
LocalScripts can be stolen. However, with the new Lua VM, which is live, a lot of debug information is missing from the bytecode (the compiled version of a Lua script) which is sent to the client, meaning that if this bytecode is decompiled, variable and function argument names will have to be replaced with things like var1, var2, arg1, arg2, etc. Previously the names of these were stored in the script’s bytecode, meaning the script could be reconstructed without comments.

This is also not a reason to believe that anything your scripts do is safe. Most likely the method names used on Instances, tables, etc. will be available, since these are determined by strings and can be accessed with strings. Strings, numbers, etc. are also stored in the bytecode, since they can be sent over the network and can affect the functionality of scripts.

The rule that you should never trust a client is still true. The client can be controlled in any way. When I say any way I literally mean any way. At the most basic level the stuff that makes up Minecraft is the same stuff that makes up Roblox. This stuff can be modified in any way and is not bound by any limits Roblox places on the client.

1 Like

Yes, there is: it’s by using saveinstance().
But some certain scripts cannot be decompiled.