If I had a LocalScript that require()d its code from a ModuleScript, and if an exploiter that was capable of stealing the game were to steal it, would that LocalScript contain the source from the ModuleScript or would it still appear empty apart from the require()? Where exactly does the code that was required exist? I am aware that if a ModuleScript exists anywhere on the client it and its code is still liable to be stolen, however that is beside the point.
1 Like
Hey there!
I think exploiters can just decompile the script leading into them knowing the AssetId of your module script and I think from that point it would be pretty easy to view the ModuleScript code.
Unfortunately, yes. You can only use require(id) from server scripts, and any modules placed in ReplicatedStorage automatically replicate their bytecode to the client. Some exploits contain script decompilers, through which they can get a “stripped” version of your source code.
The decompiled code won’t contain your variable names or comments, or even formatting, but will generally show them how your code works. This can give them enough information to fire your RemoteEvents with seemingly accurate data. How much damage this can do depends on how well your server is coded.
TL;DR: None of the code running on the client is safe from being decompiled, and you shouldn’t rely on this for security.
4 Likes