How to make it difficult for exploiters to get upvalues and constants in my scripts, also how to defend against them hooking onto your functions

It’s not too hard for an exploiter to go through the environment of your game, then retrieve the function they want from either a local or module script, and then get the upvalues and constants on it.

I know to never trust the client, but is there any way to prevent them from being able to do this?

For example, they can easily get the constant, which is the 1, and change it to something like zero, and I’ve heard that they can also hook different methods from your game and replace something like task.wait with nil.

```lua
local debounce = false

if not debounce then
  debounce = true
  print("debug")
  task.wait(1)
  debounce = false
end
```

There are several methods.

  1. Write your game logic in server scripts, and everything visual will be processed by the clients alone. (the easiest and also common sense)
  2. Obfuscate your code. This requires some skill in development workflow. If you make your game in vanilla Lua, the process is super difficult; however, for people like me who write games in TypeScript and then transpile them to Lua in the background, it’s a lot easier since we don’t have to care about the final code at all.
  3. Hide your constants in the server files and then send them to the clients when they’re needed. This will not exactly defeat all exploiters, but the ones who are not very experienced and are there only to steal the content. You could change it a little bit, and instead of sending constants you could replicate client scripts only when they’re needed.

You should always remember that there is never a way to fully defeat an exploiter. It’s not only Roblox’s issue, but also an issue of other games around you. Sometimes you need to give up on some things which could potentially destroy a good gaming experience at some point.

For debounce you can do a sanity check on the server.

You don’t. Exploiters have higher contextual access, including up to VM access, that developer code can’t match. Client-side code is being interpreted and executed on their machine, so likewise they can also gain full control over the environment of code executing in their environment.

If you have experience-critical elements where your variables are important or affect other users’ gameplay, then you need to have the server serve as the point of truth for data in your experience as well as a security layer. If it’s not critical to gameplay, then there’s no particular need to prevent it since they’re only butchering the part that matters only to them.

2 Likes

Hey there, it’s very difficult to stop the exploiters from annoying you. Mostly they download exploit software to get what they need, to make it easier for them. Murder Mystery 2 is a good example lol. Every single hacker who hacks or exploits the game uses the same software, but a bit different, because the Roblox code is so old, and that doesn’t help as well.
Maybe try to work out and code an exploiter tracker in your game so it automatically bans the exploiters, that will help a lot!

2 Likes

The most you can do for the client is rename stuff and hide it as best you can. But even with that, exploiters can still get services with game:GetService(). Still, you can’t rename remote events to random stuff either, ’cause then your local scripts won’t be able to find them. The best you can do is make everything on the server AS MUCH AS YOU POSSIBLY CAN (example: move the cooldown to the server) and pray that Roblox gets better anti-cheat. Also add checks that auto-ban the player, ’cause chances are if they exploit once and get kicked, they’ll just rejoin. Also add a minimum account age. Hope this helped-
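
The server-side cooldown that several replies above recommend, written out as an added Luau example (not code from any poster in the thread). The RemoteEvent name `ActionRequest` and the `performAction` function are assumptions made for illustration; the one-second value mirrors `task.wait(1)` in the question.

```lua
-- Server Script (for example in ServerScriptService).
-- Assumed names: "ActionRequest" and performAction() are hypothetical.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

local COOLDOWN = 1 -- seconds; same value as task.wait(1) in the client snippet
local actionRequest = ReplicatedStorage:WaitForChild("ActionRequest")

-- Time of the last accepted request per player. This table exists only on
-- the server, so editing client upvalues or constants, or hooking task.wait
-- on the client, has no effect on it.
local lastAccepted = {}
-- Count of requests that arrived too early, kept for logging or review.
local rejected = {}

local function performAction(player)
	print(("%s performed the action"):format(player.Name))
end

-- The engine supplies `player`; any further arguments come from the client
-- and are untrusted. This action takes none, so extras are ignored.
actionRequest.OnServerEvent:Connect(function(player)
	local now = os.clock()
	local last = lastAccepted[player]

	if last and (now - last) < COOLDOWN then
		-- Fired faster than the cooldown allows: drop it and record it.
		rejected[player] = (rejected[player] or 0) + 1
		return
	end

	lastAccepted[player] = now
	performAction(player)
end)

-- Release per-player state so the tables do not grow without bound.
Players.PlayerRemoving:Connect(function(player)
	lastAccepted[player] = nil
	rejected[player] = nil
end)
```

The client can keep its own debounce for responsiveness; the server check is the one that decides whether the action happens.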