Place theft - Why ROBLOX places are already as secure as it's possible to get them

There have been some concerns expressed about how easy it is to steal places on ROBLOX:

among numerous discussions on the main site.

In general, users feel that it’s too easy to steal places. It is not possible for Roblox to prevent place stealing. You can’t play a Roblox game, or any game for that matter, if your client doesn’t know what the game/level should look like – you’d just be seeing a blank screen, so Roblox has to send clients information about the game. This information can be used to recreate the level geometry (building) and potentially anything else clientside in your game. This is nothing new. Every game can have its assets ripped or extracted. Why do we only hear of this being a problem on Roblox then? One DMCA request from the original owner and the uploader has to take it down or suffer heavy legal consequences. Unfortunately that is not the case on Roblox, and someone can release a stolen game with little repercussion through anonymity, assuming they don’t plan on ever DevExing.

If you want the situation on Roblox regarding place theft to get better, you need to request better handling of taking down stolen copies and/or suggest approval processes (e.g. like the one for XBox Featured) that would prevent stolen games from ever getting popular. Roblox can break place stealing tools as they come out by making slight changes, but someone will always find a way around and start stealing places again. The only way to permanently deal with the issue is approval processes or better handling of takedown requests for stolen assets.

160 Likes

I run a plugin before uploading that scrambles my 1.5k variables into nonsense text like print(“Hello World”)->aD4rg(“Hello World”). Takes two seconds and it makes a huge game with 20k lines in two scripts and no comments nearly impossible to interpret, take advantage of, and modify. I recommend this to worried people whose biggest asset in their game is the script rather than the geometry.

31 Likes

What’s the plugin?

4 Likes

Made it myself. I’m not 100% sure if you can run a script to gather all variable names from every scope and local/global, so I just typed out all my variables by hand (that was a pain) that I approve to be swapped out and use simple string manipulation to replace all localscripts/modulescripts/script’s sources.

6 Likes

Interesting discussion. :)

The formal process for this is a DMCA request. Your game is your intellectual property, and you are fully protected under copyright law. Laws protect content creators on ROBLOX too.

My two cents.

23 Likes

Then instead of emailing info@roblox.com I should submit a DMCA for them to tell me they own the place that was stolen and nothing will be done?

9 Likes

I want to add that for most AAA video games you should be able to find an “unpacker” that can extract models, textures, sometimes levels and animations, sounds, etc.

In addition to that there are 3D geometry ripping tools that try to be compatible with every game; depending on the complexity of the game’s shading pipeline they are more or less effective.

As a result, unfortunately stealing “geometry” is not preventable.

Stealing server scripts should not be possible (we used to pay out 1M R$ for exploits that can steal server scripts; I’m not sure what’s the status on that policy but we haven’t had new server script stealing exploits in a while).

Finally, client scripts are very non-trivial to steal, but unfortunately there do exist ROBLOX-specific Lua bytecode decompilers. Usually for FE-based games stealing local scripts is not critical - meaning, it’ll take you a while to replicate the game even if you had the original source code. Finally, we’ve been talking before about obfuscating client-side scripts even more, to the point where local variable names, line data, etc. are unavailable at the expense of losing legibility of client-side stack traces - we can implement this if the community wants us to.

82 Likes

Interesting. That was Bethesda’s opinion on mod theft as well on their site. Nexusmods had a different view of it that I think applies very accurately to ROBLOX as well. You can read the full article here, but I’ll paste the relevant bits since the article is rather long.

But before that, here’s a tl;dr: Bethesda told mod authors to file DMCA requests for stolen mods, and eventually they would get taken down, but the issue is a precedent. Bethesda’s forum community didn’t set a precedent for not stealing other people’s work, to the point where people feel free to upload stolen stuff (sound familiar?) – compare that to Nexusmods where the site staff feel strongly against stolen content, passed that along to users, people who steal mods feel very unwelcome (unlike on Bethesda.net and ROBLOX where you’re rewarded with popularity), and stolen content is taken down at a breakneck pace.

5 Likes

I was actually going to create a post about this on here. Wasn’t sure if this was scrapped or not already, figured it wasn’t since you can get stack traces online.

Honestly, I think this should be looked at the same way an executable is: you can optionally bundle an exe with a pdb in the case you feel it’s necessary. Obviously, you wouldn’t just be giving out a pdb for a closed-source application, so I feel like roblox games are the same.

The only case where debugging info is good is when a creator of a game is testing it online. Outside of that, there’s maybe the rare case where a user encounters an error ingame and you want the stack trace to figure out what the issue is, but people solve issues like this all the time without traces. So, at most, maybe make it optional (per-local/module script? option of some service? having the debugging for testing is useful so it should still be possible to have) but I would definitely enjoy having debug info removed online for a live game.

4 Likes

What would they end up looking like?

1 Like

I’m assuming this would make modifying values using exploits a whole lot harder?

If so, this’d be fantastic to have as an option, that way once we’ve got all the bugs in our games squashed, we can enable it to further stop exploiters.

You should probably start a poll on this, but either way, would it be possible to be optional? What is needed for it to work, not work?

People exploit by searching for the memory they want to modify. So if you have a boolean as a cooldown, they can figure out what this value will be and search for it. The variable name doesn’t matter in this case. This applies to money etc.

In terms of people reading your code to figure out vulnerabilities etc, yes variable names matter.

1 Like

I think that a code obfuscation option would be nice. Should be an option though; that way you can have a “production” game and a private “development” game.

In my opinion, you have to look at basically… all games. Client-side stuff is always prone to being stolen. There’s not much you can do about it.

2 Likes

I like to see this problem from the perspective of any web page:

On any modern web browser, you can view tons of info on the current page you’re on, including all the pages and scripts loaded. All the client-side info is free to take and view. People who write web apps know this. That’s why sensitive business logic never exists client-side, but is all done server-side. Many people do obfuscate and minify their client code for websites, but usually that’s for the purpose of how much bandwidth is being used.

My point is: It’s silly to ever consider your client-side stuff secure. However, server-side stuff should be seen as secure.

9 Likes
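
(Added example, not written by anyone in this thread.) The cooldown and money cases raised above, handled the way the web-app comparison suggests: the server keeps the only authoritative copy of both values, so changing a client-side boolean or balance has no effect. The RemoteEvent name `CollectCoins`, the constants and the table names are assumptions made for illustration.

```lua
-- Added example: a server Script (e.g. placed in ServerScriptService).
-- All names and values below are hypothetical.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

local COOLDOWN_SECONDS = 2 -- assumed game rule
local REWARD = 10          -- assumed coins granted per accepted request

-- RemoteEvent the client fires when the player triggers the action.
local collectEvent = Instance.new("RemoteEvent")
collectEvent.Name = "CollectCoins"
collectEvent.Parent = ReplicatedStorage

-- Authoritative state exists only in server memory, keyed by Player.
local lastCollect = {} -- [Player] = os.clock() of the last accepted request
local coins = {}       -- [Player] = current balance

Players.PlayerRemoving:Connect(function(player)
	-- Drop per-player state so the tables do not grow without bound.
	lastCollect[player] = nil
	coins[player] = nil
end)

-- `player` is supplied by the engine and identifies the sender.
-- No other arguments are read: the client never tells the server
-- how much to award or whether its cooldown has expired.
collectEvent.OnServerEvent:Connect(function(player)
	local now = os.clock()
	local last = lastCollect[player]
	if last and (now - last) < COOLDOWN_SECONDS then
		return -- request arrived too early; ignore it
	end

	lastCollect[player] = now
	coins[player] = (coins[player] or 0) + REWARD

	-- Send the new balance back for display only. The client copy is
	-- a cache; edits to it never reach the `coins` table above.
	collectEvent:FireClient(player, coins[player])
end)
```

A LocalScript may still keep its own cooldown flag to grey out a button, but that flag is cosmetic: the check that decides the outcome is the one in `OnServerEvent`.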

Exactly. I couldn’t care less if somebody is stealing my local code. Without my server they can’t do anything.

And if they’re crazy and spend months rewriting your server by interpreting the client (people have done this for MMORPGs to make private servers) your game should be miles ahead in terms of updates by then.

14 Likes

Oops, it looks like I omitted the bit about only clientside stuff being stolen like this when I was trying to shorten the OP. Fixed.

1 Like

BTW, I have a plugin that does that in a semantically correct way automatically so that you don’t have to do anything by hand. It finds the minimal construction of variables and syntax to crunch the script down to a pretty unreadable minimal form:

The internal code is pretty clean, so you could probably modify it to do a whole place pretty easily.

Though, it’s a double-edged sword… it also beautifies scrambled code for those trying to reverse engineer stuff.

8 Likes

Merge some of the pull requests for the github version + update the plugin please :)

If I’m not incorrect, does Roblox not own all content produced on the site?