Hear Me Out…

If we can require asset IDs and whitelist the universes they can be required from, then why aren’t big games gatekeeping their main modules behind this?

Why not just make your main module—or whatever your game is using—an asset that’s private under your account?

Once these skids with decompilers come in, even if they get the game, it won’t work if the main code running the game is gatekept. Roblox won’t let you require an asset you don’t have permission to.

Another thing

It would make it more easy for the developer of the game to update it as all they’d have to do is update the model and any new server will instantly get the update, So minor changes can be made without major losses. And yes it may be a burdon but really you can make it more simple on yourself by doing this:

local Devmode = false
return if Devmode == true then require(script.Parent.Parent:FindFirstChild("MainModule")) else require(835659254447452)

correct me.

If im wrong and its not really this simple, Bring it down on me below. Let me know.

because:

getfenv can bypass
performance
not foolproof. hackers can still frick it and get code.

plus, the module is still going to be loaded in the clients memory. it won’t do crap.

yea just took a look at it, Roblox’s security really sucks.

What “security” could they possibly add that would… prevent the client from being able to access data that has been provided to the client? it doesn’t matter how many fancy layers of encryption and w/e you try to add to it because at the end of the day that code is still gonna be somewhere in the client’s memory unencrypted and ready for access.

This isn’t a matter of security, it’s a matter of you can’t stop someone from using their device how they please.

its the server not the client, im talking about the server. Nowdays decompilers can somehow access the server and download the entire game.

Could you provide sources for this information?

GitHub - atrexus/unluau: A decompiler for Luau (Roblox’s Lua based programming language: https://luau-lang.org/).

STOLEN ROBLOX GAMES
GitHub - gaps510dev/Decompiled-Roblox-Games: Decompiled using Medal & Oracle. This does NOT violate Roblox’s terms of usage.

No way… Do you really believe this?
If that was true then every roblox game would be compromised right now.

It is only possible to decompile client code, and the links you have sent are for a decompiler which does exactly that, and a list of games with decompiled client code. (some with recreated server code, with their own logic)

no you need a file before you do it. For example Criminality, you can decompile it with a older version to get the full current.

image386×240 24.1 KB

This tells me all I need to know. Keep living in your fantasies.
How about doing some research before posting?

i did do my research thats why im supplying you with this reply.

i found the perfect decompiler : r/Krnl

image1295×907 23.4 KB

not to mention

client exploits/decompiles don’t have ANY access to server code unless you downloaded a backdoor in your game or if you hacked the Roblox servers which is really hard since they are protected and also is illegal I think

because server scripts don’t exist on the clients so clients cannot see them

What does this prove? This isn’t a decompiled server script.
How can you not comprehend the fact that there is no way to access the server and steal server scripts?

sounds like the dev team has a malicious actor within them that leak their game, or the main dev(s) decided to share the older versions and people just misuse that and try to recreate the newer versions (latter is rare but if your game code doesn’t change all that often, this can happen)

in any shape or form, this type of leaking IS NOT exploiting as it doesn’t involve actually messing with Roblox and the scripts themselves will be the actual source (1:1 lets say), this is more Social Engineering (holy crap Operators reference??)

personal attack fallacy, you’re going to brazil

counter personal attack, you’re going now too

but before you go, to answer your questions:

Why can’t we prevent leaks by making private modules under our account, and using require() in our code?

Because private modules only work on the server, not on the client (the player’s device).

If they did work on the client, anyone could just open them up and steal the code, which would make them not private at all!

To run code on a player’s device, the game has to send that code to the device. That means that anyone dedicated enough can find the source code at some point. There’s no magic way to make a player run code without giving them the code first.

But what about leaked server scripts?

Server scripts can’t be seen by exploiters, because their code is never sent to the client. Only the server runs them.

When server scripts do get leaked, it’s usually because a developer with access shared them, not because an exploiter decompiled them. This is a trust issue, not a technical one.

Using things like private modules doesn’t help here, because developers with access can still view those modules and leak them just the same.

Can you turn a leaked file into a newer version?

If you’re asking whether an old version of a game can somehow give you the latest version of the place file, then no, that’s not possible.

Think of place files like text documents: once you save a version and later make changes, the old version doesn’t magically update. You can’t figure out the newest content just by looking at an outdated copy.

Stop diverting. You weren’t speaking about this previously.
This is what you were talking about, and it is what I replied to.

IMG_24991170×2023 724 KB

Devforum community is too easy to ragebait with the most stupid claims ever

Even then a backdoor cannot do this because it would only have normal level script access, not the level of access required to read script sources. Those games had their server-side stolen either by a malicious plugin or by someone gaining access to oan account which could access the original place file.

we knew this. You’re just stating what was already mentioned, also really wish the part where he asked when i was diognosed was in this screenshot anyways.

Lets break this down

A: I say why not use Require()

B: Somone tells me about GetFenv()

C: This should already be over

D: I mention im talking about server side as somone talks about client

E: I provide a list of stolen roblox games that have had their files leaked via a client side script like dex, etc.

F: Random person yet again mentions what i already know, Server cant be seen

G: I mention people experienced enough have managed to update games themselves via reading the client scripts in the update then on the file they stole cross refrencing it to make their own update from scratch (Criminality)

H; Random person pulls the “I’ve got more knowledge” card and triggers the harsher side of the argument.

I: I respond…

Yet again i don’t understand what everyone is… Wish i could say it but i cant. Arguing over right now. There should be no argument here and i don’t want to there to be, No this is not rage bait this is just a curious new developer wondering how they can secure their game, No attacks should have been pointed at anyone its a shame this happened. I will keep my questions and opinions with the hiddendevs support channel instead of this for now. as people are sensitive here.

Edit: I opened this topic looking for answers, and i’ve recived none.

Yes i at first assumed that there was some sort of security issue where decompliers could get to the server, Why did i think this? I was told this by somon else. This is just false information that spread to me and had me questioning how, As i belived the person that told me.

Please do not reply any more im tired of coming back to this. I think its best we let this topic age.