How does hacking work exactly?

I’ve never really understood how hacking works, are hackers able to open up the explorer and mess around with the scripts, or is it much different? Are they able to see server scripts, even though editing them won’t do anything?

4 Likes

In short,

Not necessarily. However “Dex” is an in-game studio-like explorer which is inserted into CoreGui via a script executor such as Synapse X.

No. Never. It is impossible for exploiters to decompile server scripts. Roblox does not send the bytecode of server scripts to the client at all. There is no reason for Roblox to, and plus there is usually sensitive information inside them (like API keys).

7 Likes

Yes, they can open up the explorer and do anything there, but they can’t do anything to server scripts.

They can’t see ServerStorage and ServerScriptStorage, not even what’s inside them.

Note that they can mess up with Local Scripts and Module Scripts.

To prevent them messing up with modules you should put them in ServerScriptStorage.

No, they can’t. But as I said above, they can see module scripts that are outside any of the server storages and can see local scripts.

2 Likes

No they can’t see server scripts. To find what exploiters can and can’t see, press Play in Roblox Studio. If you look at the Explorer, you’ll notice that some services, such as ServerScriptService and ServerStorage, are empty, even though you have things in there. That’s because you are on the client. If you switch to server view in Test, you can now see the things in ServerScriptService and ServerStorage. That’s because Roblox doesn’t send the data contained in those services to the client, ever. But they can see LocalScripts and scripts in other locations, like the Workspace.

If they would mess with a module script would the server also see the change?

So you’re telling me they can see server scripts? I thought they couldn’t.

Just a note that you can’t actually fully prevent exploiters; the most you can do is make your game more secure.

To do so, you should rely more on the Server and when there are things you NEED to use local scripts then you use remote events or remote functions.

So you can just do the most important things on the server.

Well, I don’t really know if the server would see it or not, but they can mess up with module scripts.

They can’t see server scripts though, and if they do, they won’t be able to do any changes to it.

Not if they are in ServerScriptService.

What the server sees:
[image]
What the client sees: (notice that ServerScriptService is empty)
[image]

So if you keep your scripts in ServerScriptService, the client can’t see them.

1 Like

This is inaccurate. It doesn’t matter where the server scripts are, exploiters are unable to see the actual contents in the script. Since Roblox doesn’t send server script bytecodes to the client there is nothing for exploiters to decompile.

LocalScripts and ModuleScripts that are accessible to the client, e.g. in PlayerScripts, are able to be decompiled because clients need something to compile.

cc @AstralBlu_e

4 Likes

Actually when I said the location of the script I was saying about module script (If you look at my message again you can notice it.)

I figured. But you showed some uncertainty here:

So I wanted to clarify

1 Like

If a hacker would make changes to a module script, the change would be made on the client and the server won’t see the change, right? So if a server script is using that module, even if the hacker messed with that module, it wouldn’t really do anything. So module scripts would still be safe anywhere in the explorer.

Yes

On each machine there are different scripts. So exploiters would just be changing their own copy

3 Likes

Oh ok thank you for clarifying!

Oh, I see. So the client can see the name, parent, etc. of the script, but not the actual code? Because it shows up in the explorer, even on the client. That’s good to know.

Correct

Roblox hiding the server code on the client in studio is pointless because it’s literally just a playtest. Server outputs are also shown in the console in studio from the client window.

I wasn’t sure if it’s okay to link videos here. Search YT for “How to Prevent Exploits in Roblox Studio,” by TheDevKing. It is pretty educational overall, covering off on some of the tools these folks use and offering suggestions on how to mitigate.

Exploiters can manipulate client sided things: localscripts and modules required by a localscript.
They can also mess with some physics-related things, like flinging players off the map.
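
The advice in the thread to keep important logic on the server and reach it through remote events, shown as an added example that is not from any poster. It is a Script meant for ServerScriptService; the `BuyItem` RemoteEvent, the `ITEM_PRICES` table and the `leaderstats.Coins` IntValue are assumed names for illustration.

```lua
-- Added example: Script placed in ServerScriptService (not sent to clients).
-- Assumed names: "BuyItem" RemoteEvent, ITEM_PRICES, leaderstats.Coins.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

local buyItem = ReplicatedStorage:FindFirstChild("BuyItem")
if not buyItem then
	buyItem = Instance.new("RemoteEvent")
	buyItem.Name = "BuyItem"
	buyItem.Parent = ReplicatedStorage
end

-- Prices live on the server only; a price sent by the client is never used.
local ITEM_PRICES = { Sword = 100, Shield = 250 }
local MIN_INTERVAL = 0.5 -- seconds between accepted requests per player
local lastRequest = {}

buyItem.OnServerEvent:Connect(function(player, itemName)
	-- "player" is supplied by the engine; every argument after it is
	-- client-controlled and must be validated before use.
	if typeof(itemName) ~= "string" then
		return
	end
	local price = ITEM_PRICES[itemName]
	if not price then
		return -- unknown item name
	end

	-- Simple per-player rate limit against remote spam.
	local now = os.clock()
	if lastRequest[player] and now - lastRequest[player] < MIN_INTERVAL then
		return
	end
	lastRequest[player] = now

	-- Check the balance on the server's copy, not a value the client reports.
	local stats = player:FindFirstChild("leaderstats")
	local coins = stats and stats:FindFirstChild("Coins")
	if not coins or not coins:IsA("IntValue") or coins.Value < price then
		return
	end

	coins.Value -= price
	-- Grant the item here, e.g. clone a tool kept in ServerStorage.
end)

Players.PlayerRemoving:Connect(function(player)
	lastRequest[player] = nil -- drop rate-limit state for players who leave
end)
```

A LocalScript would call `buyItem:FireServer("Sword")`; editing that LocalScript or a client-visible ModuleScript only changes what the client sends, and every request still passes through the checks above.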