Mocha - Barebones module loader and protector

Hey everyone! I would like to start with telling you guys that this was originally meant for my personal projects. Mocha allows you to create services that are freely accessible on the server, but the client requires a controller. A max on these controllers can be set, and if it goes over, it will kick the localplayer. What this does it basically ensures that hackers cannot create a controller and therefore only YOUR scripts can access modules on the client.

I don’t recommend using this for anything but learning as it is pretty barebones and there are surely other methods for securing your modules. Lastly, I would like to give thanks to Dynamic Tables and Warp for powering this module. As a result of this not being intended for use on most projects, there is no documentation (as of right now). Feel free to build off of this module. That’s all thanks!

Download

1 Like

I think this would definitely scare off any novice/intermediate exploiters, due to the lack of modules visible to the client, but any exploiter determined enough can still read through your modules through however many methods(upvalues, gc, func hooking, etc)
Overall, this is something that other module loaders and such should probably implement the same!
Put some work in and polish this up, it has great potential

Basically creating a module in ServerStorage and setting up a service with it using Mocha will clone the module on the server and parent it to ReplicatedStorage, sending it to the client Mocha where it is deleted. I haven’t done thorough testing, but ChildAdded and WaitForChild do not work because the module is renamed to " " and it is done before even loading in. If I’m not wrong, wouldn’t this protect against most of those risks? I’ll definitely polish the module, and thanks for your knowledge!

if the client ever requires a module, exploiters can interfere with it’s workings in many ways:
they can block/edit incoming event connections(like .touched etc)
they can view any functions environment and upvalues, and change them(every function & table is visible to them thru lua’s garbage collector)

& also the basic art of firing remoteevents/functions with whatever they want

Everything on the client is visible, you can’t protect anything.
maybe just don’t create vulnerabilities in the first place?

2 Likes

Great idea, but can’t they just hook require() or use gc?

1 Like