If an exploiter has your bytecode, they can decompile it. You can put hurdles in the way, but if the code executes, it can be decompiled. Never assume it can’t be.
Edit: Actually let me expand on this more.
There have always been a few open source Lua decompilers out there, and generally when an exploiter is decompiling scripts, they’re using one of those decompilers but repurposed for Roblox bytecode. Decompilers like this are usually known to have bugs and edge cases where putting certain things in your scripts will outright break or confuse the decompiler.
However now in 2018/2019, more and more cheaters are writing their own decompilers. That or the cheats they’re using are growing more advanced. They tend to have decompilers built into them that were written specifically for Roblox. They get updated when something doesn’t work correctly. Vulnerabilities in the decompiler don’t stay like they did before this became more common.
Always assume the people cheating on your game have access to tools that surpass anything you can do to slow them down. It is possible to make a game that’s exploit-proof with proper client/server code. You don’t need to prevent decompilation or write a good anti-cheat. There are no secrets. Just trust the server foremost and validate everything coming from the client.
Even if it doesn’t actually affect the gameplay if they have the localscript, it would still be nice if all the work you put into making the UIs aswell as camera manipulation and other client-sided things wouldn’t be instantly stolen by someone.
As far as I know, the script sources are sent to the client where they are compiled, meaning it should be readable. Although it’s possible that it’s the bytecode which is sent, which would align with @bmcq_12 's explanation.
Also, if I was him, I wouldn’t release either.
It’s like calling for exploiters.
Byte code obfuscation (with debug data removed) would prevent someone from getting the direct source code of a script, but a determined exploiter could still just re-assemble the source from viewing an assembler of the byte code. (ie reverse engineering)
There’s lots of projects that do this kind of thing, the most notable one I can think of is LBI:
Its sad that localscripts can be stolen so easily and there is literally no way to fully block it, there is some amazing client-sided stuff I’ve seen that just really doesn’t deserve to be stolen at all
If you really want to prevent your localscripts from being stolen do some research on what luadec and unluac is and learn how they work. If you can learn how they work then you can find flaws in how they work. Find the flaws and abuse them to the fullest extent possible
Sort of adding on to other responses, don’t focus on anti exploits. What I think really matters is that you have good remote communication. Say you have a remote event that lets a player buy a weapon. On the server (and NOT the client), you can do checks such as
I wouldn’t say its difficult, I would say its more different then difficult as you just have to get into the habit of making your scripts less vulnerable to exploits just by habit, rather then having to go back and edit them later on.
if you’re right, that’s why I always do a test of my scripts in studio but going back to the topic is difficult to create scripts for anti-exploits since the creators of exploits always find a way to cheat that system and what I still do not understand is there people make scripts for their exploits
Exploits control anything on the client, including your anti-exploit scripts.
Some exploits have specific functions to combat anti-exploits.
Making a client anti-exploit is a waste of time, it’ll catch the few cheaters who don’t know how to bypass, but all it takes is one exploiter releasing a bypass for everyone to start using it.
It’s a cat and mouse game, and a waste of time. Keep your remotes sanitized and you’ll have no problems, (mostly).
I made an edit earlier talking about this in more detail further up in the thread, but exploiters have their own decompilers now. Open source tools like luadec aren’t used the way they used to be. It’s now proprietary decompilers built into cheats that exploiters pay for.
All the exploits currently use unluac / luadec. They’re changed a bit to support Roblox scripts, that’s it. There are still many flaws in them that people can use to stop decompiling, however the issue can be fixed and your “anti-decompile” is no more.
