Is there anyway to use script.source in a localscript / script without the use of a plugin or command line. If so / or there are other ways to approach this let me know by replying.
Only plugin commands do that Sadly.
Is there a way to create an instance and change the source?
Sadly, you can’t if you try to do that it will error this
The current identity (2) cannot Source (lacking permission 1)
Hm, would it be possibly to have code as a string run, say when you use a function?
As I’ve said you can’t do that the script doesn’t have enough permission only plugins do because they have full access to most things.
Also, what do you mean by this? could you be more clear
I could use loadstring, although that does risk a few possibility’s of bad things.
You can use
loadstring in scripts by setting
LoadStringEnabled to true in
ServerScriptService properties, this doesn’t work for localscripts though and it disables some Luau specific optimizations.
It only becomes risky when you don’t filter what’s running inside it. For example, a valid Luau code passed by a player.
How would I protect the game from a user exploiting loadstring?
Depends, why do you need user to run Luau code with
loadstring in the first place?
Ironically it is to protect scripts.
I don’t follow. How
loadstring is supposed to protect scripts?
That was used by exploiter.
Especially embedding backdoor activation from foreign site.
loadstring, you could use a Lua(u) VM / “custom loadstring” module which would work on both the client and server.
Could you elaborate on how exactly that happened? What does “embedding backdoor” mean?
Especially this line.
Search backdoor.exe if you are okay to go to dark side.
Disclaimer for stuff: URL reported to @Exploit_Reports
There isn’t much Roblox can do about it since it’s an external site; you’d be better off reporting the repository to GitHub.
Sorry for the late reply but this seems interesting can you show examples of this? I am thinking of using rerumi for the custom loadstring, although a few examples would be nice!