Luadec steal exploit

Bug Reports Engine Bugs
#1

Since nobody posts about it here, for unknown reasons, I decided to post what I know.

“There is a new exploit that is going to be released sometime within the next 2 days (by July 7th). It can steal scripts, steal models, steal unions, steal anything. All in game items can be stolen, it is called luadec (short for lua decompiler). The client it can be used on is not stoppable by filtering enabled (the client is rc7) and many games are going to / have shut down (strife, black magic, monster islands, deadzone remake, over soul, and many more). A lot of games will be shutting down, this is going to be very bad for roblox.”

It’s rumours going around, not sure if it’s true tho. Luadec isn’t anything new but the adaptation to roblox games might be a new hax. Some claim it can steal anything and some claim it only works on models. Strife has shutdown according to their group (Strife! Fan Group [Official] - Roblox)

Just thought I’d post this here since I dont see any other threads on the subject.

#2

How’d you hear about this?

#3

Got some PM’s but here is the thread i got the text from:
https://forum.roblox.com/Forum/ShowPost.aspx?PostID=192930724

#4

How credible is the source? Seems a bit… imaginative to me.

Surely, anyone capable of stealing places (as this would effectively do) would much prefer a $2500 payout and Boss White Hat (which they’re guaranteed to get at this point, apparently) than, well, a few weeks of being an ass.

1 Like
#5

Yeah, I agree however, this does sound somewhat possible due to the fact there are filtering bypasses out there and since filtering is only done on the client. Once you’ve bypassed filtering on the client, you can then run server-side code to get the contents of things such as ServerScriptService, etc

Edit: Going to tag @ConvexHero since he would know a lot more about this than I would.

#6

This has been done before, now they just do it again but with marketing.
For the scripts part:
Does it work? Yes
Is it perfect? No, but good enough
Should we worry? We should, but we can’t do anything about it
Can ROBLOX do something? Heavily change the Lua bytecode format, other stuff… not sure
For the other assets:
They probably just log the HTTP requests, nothing special really…

1 Like
#7

I don’t think it’s a good idea to post rumours in this category though.

2 Likes
#8

1 person’s sending PM’s all around
Must be a rumour

Roblox is really not the place where you should be all concerned about other people stealing your stuff. Neither is any place at all.

#9

Um quite the opposite anyone wishing to make a great game shouldn’t need to worry about it being copied especially if its on Roblox. I could understand developing a game from scratch but because Roblox’s whole platform is based on user creation and trust, it seems that game security and account security should be #1 priority.

1 Like
Place theft - Why ROBLOX places are already as secure as it's possible to get them
#10

cough devexing thousands of dollars each month, yet no 2FA end_cough

2 Likes
#11

Filtering is done on both client and server. On the server, it is for the intended security purpose. On the client it is an optimization.

Replicating scripts to a game server is also filtered in several places, and should be impossible. The exception being dev console.

1 Like
#12
#13

Thread seems to be largely based on rumor rather than credible information and isn’t really an exploit report.

1 Like