How can I stop exploiters from yoinking my scripts?

:GetDescendants() and a small for loop would solve that issue immediately.

then manage your wonderful scripts in server, thats the only place your systems are safe

Exploiters have full access to the environment, setting it to nil would do absolutely nothing as it’s not hard for them to parent it back to the workspace from nil.

All instances replicated to the client will always be visible to the exploiters. There’s no way for you to stop this, unfortunately. This means the bytecode of the scripts will also replicate to the client, meaning exploiters can decompile the scripts and see everything inside them. (Aside from comments)

What you can do to prevent at least a little bit of this, is to put the most important scripts, like scripts that handle the important data and game mechanics to the Server. (ServerScriptService or ServerStorage) As instances on the server do not replicate to the client.

Yup, I like using modules a whole lot so having to break the server part of the module script into another one wasnt exactly wanted for me but seems to be my best bet

Yes, but the use of an actor might be a key component to that.

Repeating this again, exploiters have full access to the environment and the client. Whatever you do, they can find ways to bypass it. Before a script even begins to parent the Actor to nil, they can hook or stop it from doing so.

I understand that it is currently impossible, I was thinking of potential ways to make things harder or extremely difficult. I think it’s good to have an open mind to those sort of ideas.

I am not complaining about that, I am too open to these ideas, however after you try these things over and over again, you get a sudden realization that all it takes for your patch to be completely useless is one experienced exploiter bypassing it and spreading the bypass on exploiting forums where skids frequently visit.

There’s also a post I think made by the creator of the post that you sent, that me, them, and additionally, one other person had a heated argument on the reliability of the client-sided anti-cheats.

Anti-Cheats are stupid, unless you’re some hazem nobody is stealing you’re scripts, and rather if you’ve done it right they wouldn’t even work without the server, nil effect is the best you got to avoid such issues and that’s really it.

Whenever doing weapon systems just do it all on the server. All ya need for a weapon to even work in the first place is the time when the player needs it (Which would be a remote event firing the server) in this case.

A projectile system all ya need is the remote event of course, and the coordinates of where the player’s mouse is pointing or the 3D coordinates of the mouse depending on what you’re doin.

Just use the client to get your simple stuff then have the server do the important stuff for ya.

The exploiters won’t find any need for scripts grabbing the mouse position because that’s already all over the internet.

Im aware, again I like modules so I put everything in modules, any client functions for weapons would also go in said module so Id leave it in rstorage. But anyhow any server modules will not be exclusive to the server, as thats what I am doing now

What part of your weapon system are you needing to replicate to the client? If you don’t mind me asking, you can be vague, but then again there’s a lot of systems out there.

Mainly just getting the information for the weapon, which I store in a module, I also have a setup weapon function in the module so those things.

I hope ya know if the module is in replicatedstorage the exploiter can change the information on the weapon, given that the information contains the damage and whatnot. Just store the module in serverstorage then just have ur weapon system (Inside serverscriptservice) reference it. The client does not need that since serverscriptservice will be the one dealing the damage to the player.

You kinda got the spirit, however, you should give both of these posts a good read.

Dont worry, they can change the info on the client, but not on the server so its not an issue how im doing it

I think exploiters yoinking your scripts should be the least of your concerns