Securing Game Scripts

I know Kohl’s Admin does this.

People can only use the admin commands and edit some things but they can’t see how the main code works.

I would like to note that I could be wrong but here’s my assumption:

If your game is stolen by someone saving your Game place to their PC but all of your script is requiring a module, you shouldn’t have anything to worry about.

Exploiters can’t steal Server Side stuff; they can’t see Server Side stuff.
In other words, “You can’t steal what you can’t see.”


Yes and no, you can still do getfenv() and you can do something with Script.Code but I’m not sure how it works because I never explored this.


I would like to know a method so that people can’t steal our scripts too, my fellow Dev.

I know phantom forces got leaked, and that was their whole game.

I can’t risk it, lol.

By which method?

Trojan horse? (Leaked by someone who has access to edit the game)

or

Exploiter?

And when did this happen? Was it recently?

The only way your game scripts (server-side) can be stolen is if you let random people edit the place, your account gets compromised or someone finds a way to steal place files.

If you’re so worried about stuff like private keys or just code in general, put it in a private module and/or don’t let other people you don’t trust edit your game (if that’s what you’re doing).

Keep in mind, making it a private module means if your account gets compromised then it’s basically useless, and you’ll also need to make the module in such a way that only “runs” the code if it’s the right place.

If a user can download place files (including server scripts etc.) then there’s a good chance they can download model files too, meaning no matter what there’s no way to 100% secure your code.

1 Like
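A sketch of the "only runs in the right place" gate mentioned in the post above, added here as an illustration and not part of the original thread. The place IDs, creator ID and the `rollLoot` function are placeholders.

```lua
-- MainModule of a private model, loaded from a server Script with require(<asset id>).
-- Added example: every ID below is a placeholder, not a value from the thread.
local RunService = game:GetService("RunService")

local ALLOWED_PLACE_IDS = {
	[1111111111] = true, -- placeholder: live game
	[2222222222] = true, -- placeholder: private test place
}
local EXPECTED_CREATOR_ID = 3333333333 -- placeholder: owning user or group ID

local function isAuthorized()
	-- Refuse to run anywhere but on a game server.
	if not RunService:IsServer() then
		return false
	end
	-- Both the place and its owner must match the allowlist.
	return ALLOWED_PLACE_IDS[game.PlaceId] == true
		and game.CreatorId == EXPECTED_CREATOR_ID
end

if not isAuthorized() then
	warn("Module refused to load in place " .. tostring(game.PlaceId))
	-- Hand back an inert, read-only table so a foreign place gets no usable API.
	return table.freeze({})
end

-- The real logic is only defined past the gate.
local Core = {}

-- Hypothetical server-side function: deterministic loot roll from a seed.
function Core.rollLoot(seed)
	local rng = Random.new(seed)
	return rng:NextInteger(1, 100)
end

return Core
```

The gate only stops another place from loading the asset by ID. As the post says, it does nothing once someone has the module's source or the owning account.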

It happened a couple years ago, I believe.

So to sum it up,

the method requiring a module asset id to run is useful after all?

I’ll mention a few Experts on this subject so they can shed some light on this topic.

@crossStarCross @Corecii @ANSI_C

Exploiting Explained

Understanding method hooking and keeping your game protected

1 Like

To an extent, but are you trying to simply hide the code or stuff like private keys for things? If it’s just code then you shouldn’t bother with stuff to hide your code. Just obfuscate it and call it a day at the most.

1 Like

I’m really just trying to hide my code.

It will be harder for them to read it if I’m using the require asset module way, right?

They can’t analyze it 100%

You should obfuscate it.

An Exploiter will give up (even I will) when seeing code like this

local Accsf = 5;local Bahsfdgjuy = 'STRING';local Chsstadhsjd = true;local DtASJDYEDK = print

local function HATAHSJHYAHJSYHA_LOLFASDHGGHDOLOLOL()
	do
		DtASJDYEDK('try reading me bro, you mad?')
	end
end
1 Like

Another thing,

Requiring module asset IDs doesn’t work in Studio mode, only online.

Then you will have to upload it as a Module when you are done editing it.

I would have separate places;

1 for my Actual game

1 for Editing/Building/Testing (or more places)

One of my projects is a paid pathfinding service. Since it needs to be secure, even while providing functionality to developers who have complete access to game servers, I am hosting it on a cloud service. Now, pathfinding is a bit of a heavy operation so I’m actually writing it in C and hosting it on a cloud that can scale easily and be positioned physically close to Roblox servers, but most uses won’t require this much effort. Just grab a free trial of some cloud server, set up an image with Lua and start sending requests to it!

#NowThatIsSecurity

2 Likes
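What the game-server side of such an externally hosted service could look like, added here as an illustration and not the poster's code. The URL, header name, key and JSON field names are hypothetical, and HTTP requests must be enabled for the experience.

```lua
-- Script in ServerScriptService, so it is never replicated to clients.
-- Added example: URL, header name and JSON fields are hypothetical.
local HttpService = game:GetService("HttpService")

local SERVICE_URL = "https://pathfinder.example.com/v1/path" -- placeholder
local API_KEY = "REPLACE_ME" -- placeholder per-customer key

local function requestPath(startPos, goalPos)
	local body = HttpService:JSONEncode({
		start = { startPos.X, startPos.Y, startPos.Z },
		goal = { goalPos.X, goalPos.Y, goalPos.Z },
	})
	-- RequestAsync throws on connection errors, so wrap it in pcall.
	local ok, response = pcall(function()
		return HttpService:RequestAsync({
			Url = SERVICE_URL,
			Method = "POST",
			Headers = {
				["Content-Type"] = "application/json",
				["X-Api-Key"] = API_KEY,
			},
			Body = body,
		})
	end)
	if not ok then
		warn("Path service unreachable: " .. tostring(response))
		return nil
	end
	if not response.Success then
		warn("Path service returned status " .. tostring(response.StatusCode))
		return nil
	end
	-- Treat the reply as untrusted input: decode defensively and check its shape.
	local decoded, data = pcall(HttpService.JSONDecode, HttpService, response.Body)
	if not decoded or type(data) ~= "table" or type(data.waypoints) ~= "table" then
		return nil
	end
	local waypoints = {}
	for _, p in ipairs(data.waypoints) do
		if type(p) ~= "table" or type(p[1]) ~= "number"
			or type(p[2]) ~= "number" or type(p[3]) ~= "number" then
			return nil
		end
		table.insert(waypoints, Vector3.new(p[1], p[2], p[3]))
	end
	return waypoints
end

return requestPath
```

Only the request and the resulting waypoints ever exist on the Roblox side. The algorithm stays on the external host, which is the point the post makes.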

Yea, thought so

Seems like a real pain tho every time you update, lol.

1 Like

Oh, it is great! You only need to update the code on the external server, and all of a sudden even your currently running games are up to date. Now, you do need to be careful when performing the update. I’m envisioning something like an update script that sets a flag to hang pending requests, swaps out the installation, then the installation flips the flag once it’s ready.

1 Like

Or, you know, have two installations, and just swap which one requests go to when there is an update.

3 Likes

Yes and no, you can still do getfenv() and you can do something with Script.Code but I’m not sure how it works because I never explored this.

Not anymore. When you do this nowadays you get a blank module, but all of the children are there, so you can get access to the whole client-side part, but the module itself will be blank (I tried it out myself).

Doesn’t ropp obfuscate some of your code?

Might be what you’re looking for

An exploiter won’t ever see code like that. do end blocks don’t naturally compile, and decompilers usually ignore lineinfo debug data so code will turn out beautified anyways. Ctrl + h can then be used to solve variable naming.

Regarding the stealing issue, just worry about your local code doing things properly. If there is ever a bug allowing for stealing of server side code somehow, then it’s safe to assume none will be safe or damage diminished anyhow.

3 Likes