Written by DeveloperNes
Straight to the point: there is no public way to directly combat SaveInstance(). Private methods exist, but those won't be shared anywhere public (nor will they be shared here), because once they are public they can be bypassed by adjusting the exploit to remain undetected. However, there are ways to limit the damage caused by SaveInstance.
Pre-SaveInstance Methods:
Limiting Access
You can limit access to your game to specific people through a server script, or use Roblox's group system to restrict access to members of the group. This only applies to games that are meant to be used by a specific group (like most milsims). This method is quite weak, however, since someone with the slightest knowledge of social engineering can join as opfor or just join the group normally anyway.
Content Streaming/Blocking
This method is powerful but requires a lot of careful setup and doesn't work everywhere. You can use a server script to control what parts of a game are given to a client. For example, you can make a script that stops group members of a specific role (like opfor) from receiving certain parts of the map. This could be anything from custom kits to the unit building, but it has the downside that non-malicious opfor cannot see or interact with these parts of the map.
This also has a sub-method: locking opfor (or new members of the unit) to rendering only a certain radius around the character. If they use SaveInstance, they only save that area of the map, which makes it difficult to connect the several rbxl files generated from the SaveInstances. This can be countered by making the script save new objects as the character walks around the map, so really all this does is block script kiddies.
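One way to implement the role-based blocking described above, as an added example (not the author's code). It relies on PlayerGui replicating only to its owning client; the group id, rank threshold and the `RestrictedMap` folder name are placeholders and assumptions.

```lua
-- Server Script in ServerScriptService (added example, not the author's code).
local Players = game:GetService("Players")
local ServerStorage = game:GetService("ServerStorage")

local GROUP_ID = 0           -- placeholder: replace with your group's id
local MIN_TRUSTED_RANK = 10  -- assumption: ranks below this are opfor/new members
local RESTRICTED_NAME = "RestrictedMap" -- hypothetical Folder kept in ServerStorage

-- Fail closed: if the group lookup errors, treat the player as untrusted.
local function isTrusted(player)
	local ok, rank = pcall(function()
		return player:GetRankInGroup(GROUP_ID)
	end)
	return ok and rank >= MIN_TRUSTED_RANK
end

local function deliverRestricted(player)
	local source = ServerStorage:FindFirstChild(RESTRICTED_NAME)
	if not source then
		warn("Missing ServerStorage." .. RESTRICTED_NAME)
		return
	end
	-- PlayerGui replicates only to its owning client. A ScreenGui with
	-- ResetOnSpawn disabled is used as the container so it survives respawns.
	local container = Instance.new("ScreenGui")
	container.Name = "RestrictedContent"
	container.ResetOnSpawn = false
	source:Clone().Parent = container
	container.Parent = player:WaitForChild("PlayerGui")
end

local function onPlayerAdded(player)
	if isTrusted(player) then
		deliverRestricted(player)
	end
end

Players.PlayerAdded:Connect(onPlayerAdded)
for _, player in ipairs(Players:GetPlayers()) do
	task.spawn(onPlayerAdded, player) -- players who joined before this script ran
end
```

A LocalScript on the trusted client then clones `RestrictedContent.RestrictedMap` into Workspace. The copy exists only on that client, so anything the server must simulate or validate cannot live in it.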
LocalScript Obfuscation
It's not ideal, but if you have a very valuable system based mostly on the client side (which you shouldn't), you can include a line that only allows the script to function if it's running under a specific game id or creator, and obfuscate it to make it harder (but not impossible) to steal. Exploiters don't actually have access to the full source code on the client. They can only reconstruct it based on the bytecode that Roblox gives each client. You can try to crash this reconstruction process, but this is dependent on the exploit the client is using. The general guideline is that you shouldn't have anything important in there to begin with. Luraph is the industry standard obfuscator if you need it.
Combatting Specific GUIs
Since this is a well-known method (and I'm releasing it here), most custom saveinstance scripts will not be caught by this, but the script kiddies using the well-known ones probably will. You can use ContentProvider:PreloadAsync({game:GetService("CoreGui")}, function(assetId) ... end) to give you some insight into what assets are being loaded in the CoreGui (normally you can't access it). Look at common SaveInstance methods and see if they load any assets into CoreGui with a specific AssetID, then use the method above to detect if that asset is ever loaded. I'm not going to say more on this topic because of the script kiddies and skidders reading this, but with enough research you can come up with a finished solution on your own.
Post-SaveInstance Methods
DMCA
This may seem obvious, but if you know what to say and who to contact, a DMCA can work very well. This is why it's important to save hidden watermarks, screenshot chat messages, and NOT say anything stupid that will end up working against you. This only works if the person stole your map/game and then uploaded it to Roblox as their own. If they just share the rbxl file around and don't upload it in full as their own, you aren't going to get anywhere with this. Here are some of the key things to know when going down the DMCA route:
- Send a clear, concise, and emotionless email to [email protected]
- Add as much information from these categories as you can:
  - Original content URL/location
  - Infringing content URL
  - Infringer's username and profile URL
  - Clear evidence list with dates/times
  - Any blackmail attempts (if applicable)
Notes & How SaveInstance Works
When most people say SaveInstance or Synapse, they don't actually mean either of those. SaveInstance is an old (and no longer existing) function for actual game scripts to use; it has sort of been replaced by :SavePlace(). Synapse hasn't existed since shortly after the Hyperion implementation. What they are actually referring to is the method built into most executors that simply serializes (saves) the assets already given to their client. There is no way to detect this in itself, since it's similar to pressing ctrl-c on a folder in file explorer: it doesn't do much within the game itself, since everything it's saving is already on the client, and it just has to copy and paste it elsewhere. An incredibly skilled programmer could write kernel code to literally rip the assets from the GPU command line as the client is processing them, and not even touch the Roblox game itself. This also means that exploiters can't access server scripts or server-sided assets (unless you have a backdoor in your game, in which case they can steal literally everything, so don't insert free models unless you know 100% that they don't contain malicious scripts).
Here's a cheat sheet type thing for what parts of a game can/can't be taken by the client:
Services exploiters typically can access/save:
- CoreGui
- StarterGui
- StarterPack
- Players
- Lighting
- ReplicatedStorage
- ReplicatedFirst
- Workspace
- SoundService
- Terrain
Services protected:
- ServerStorage
- ServerScriptService
- DataStoreService
- AnalyticsService
- PolicyService
- MarketplaceService (partial access)
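An audit built on the cheat sheet above, as an added example that is not part of the original page: it walks the client-visible services from the first list and reports how much of the place replicates, plus every ModuleScript and LocalScript whose bytecode the client receives. CoreGui and Players are left out because ordinary scripts cannot enumerate CoreGui and Players holds no authored assets; Terrain is covered as a child of Workspace.

```lua
-- Added example: run from Studio's command bar or as a server Script.
-- Service names are taken from the "can access/save" list above.
local CLIENT_VISIBLE = {
	"StarterGui", "StarterPack", "Lighting", "ReplicatedStorage",
	"ReplicatedFirst", "Workspace", "SoundService",
}

-- Count replicated instances and collect scripts whose bytecode reaches clients.
local function auditService(serviceName)
	local service = game:GetService(serviceName)
	local report = { total = 0, scripts = {} }
	for _, inst in ipairs(service:GetDescendants()) do
		report.total += 1
		if inst:IsA("ModuleScript") or inst:IsA("LocalScript") then
			table.insert(report.scripts, inst:GetFullName())
		end
	end
	return report
end

for _, name in ipairs(CLIENT_VISIBLE) do
	local report = auditService(name)
	print(string.format(
		"%s: %d replicated instances, %d client-readable scripts",
		name, report.total, #report.scripts
	))
	for _, path in ipairs(report.scripts) do
		-- Anything listed here that only the server needs belongs in
		-- ServerScriptService or ServerStorage instead.
		print("  review: " .. path)
	end
end
```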