Thats… odd, for sure.
Its more likely something wrong with your game code rather than exploiters then.
You should double check every script you got
I can say with confidence it is an exploiter, when In testing alone or with just members of senior management its fine. We were messing around with btools for a good few hours and no issues.
Well i haven’t seen anything as what you’ve showed me before.
All i can think of is some security issue with a script or a backdoor
Here Is what is happening for example:
NOTE: I have blured the text it was making everyone say as it is very inappropriate.
Is the gravity going to 0 for every player in the game? If so, it sounds like you have a backdoor or some kind of server-sided security flaw which allows for that.
Also, what do you mean by “extracting the game file while in game”?
Its making everyone say things? 100% backdoor/crappy coding
I’m not sure if it is gravity related after playing around with gravity in a seperate server, but yes it is everyone.
And I have seen cause someone was streaming in a VC, they were able to basically get the game and all its assets into a downloadable file, and they then leaked it online.
Ah. Could It potentially be a product i have installed into the game?
i suppose.
press ctrl + shift + F
now search for “require”
If you see anything that’s requiring numbers - its probably a backdoor
ctrl+shift+f doesn’t do anything?
are you pressing it in studio?
Nope. I am trying it in Roblox Itself.
Well… how do i tell you this…
You should try it in studio
You are the owner of the game correct? You don’t work on the game development side yourself right? You have another person programming your game? Maybe they installed a backdoor intentionally or by accident? How many people work on your game?
its just me working on the game, there is one thing:
Loadstrings are enabled in SSS for a cafe product I purchased from a well known developer, I have heard they can lead to issues somtimes.
Could that be why its happening?
I dont get the appeal with purchasing encrypted code
Ok, there’s a few ways backdoors can be made.
- Check your plugins for malicious code. This includes requiring by asset IDs and making HTTP requests.
- Ensure
loadstringis disabled in the properties ofServerScriptService. - Search for scripts requiring asset IDs. Like @Hzodx said, you can use ctrl + shift + f to do this but it may be easier to run a command in the command bar to get a list of only scripts requiring by ID:
local reqById = {}; for _, script in next, game:GetDescendants(), nil do if (script:IsA("BaseScript") or script:IsA("ModuleScript")) and string.match(script.Source, "require%s*%(%s*(%d+)%s*%)") then table.insert(reqById, script) end end; for _, scr in next, reqById, nil do print(scr:GetFullName()) end --outputs ancestry of all scripts
- Check for HTTP requests, you can use a similar structure I did before to check. Just replace the string pattern with this:
":[(Get)(Request)(Post)]Async" --may also flag for datastores
Yep, could well be the issue. Can be used to load a backdoor from a HTTP request. Is the code obfuscated? If not, check it carefully.
correct me if im wrong but your string pattern seems to only be searching for numbers?
Its common to hide the numbers with encoding so your search script could not find everything
Never enable loadstring unless you intentionally know what you’re doing and you have safeguards in place.
Please do not buy scripts from developers who encrypt their work or use third party requires (requiring by ID). You need to know what you pay for and how it works.
Good developers will give you the source code with no encryptions/obfuscations for the reason above and will make sure you know how to use it (answer your questions, etc). If the developer is “well known” with good commissions they would be as transparent as possible.
If you want to check for backdoors I’m going to do a shameless plug and send my plugin here 
: BeeScan | 1.0.0 | Studio Script Scanner for Backdoor Detection. I recommend you install it and run it, then paste the output log here. It performs a script keyword search similar to what @12345koip provides but with a couple more layers of checking