Created a new thread : LuaVM::load scanning
I use eyestep to scan roblox addies. Only two of my functions are broken:
update_getstate
update_lvml
Here is my code:
#include "Eyestep/eyestep_utility.cpp"
#include "Globals.h"
namespace Updater
{
// Each update_* routine locates one routine with an EyeStep scan (a string
// xref walked to a neighbouring call, or a byte pattern walked back to its
// prologue), rebases the hit onto the loaded module with `base` and
// EyeStep::util::raslr, and stores it in the matching Addresses::r_* slot.
// `base` and the Addresses::* names come from Globals.h. Every scan takes the
// first hit (`[0]`) without checking that the scan returned anything.

static void update_print()
{
    // Forward from the xref to the string literal to the next call site.
    const int call_site = EyeStep::util::nextCall(
        EyeStep::scanner::scan_xrefs("Video recording stopped")[0], false, false);
    const uintptr_t resolved = base + EyeStep::util::raslr(call_site - 0x400000);
    Addresses::r_print = reinterpret_cast<Addresses::r_print_t>(resolved);
}

static void update_lvml()
{
    // Backward from the xref to the previous call site.
    const int call_site = EyeStep::util::prevCall(
        EyeStep::scanner::scan_xrefs("oldResult, moduleRef = ...")[0]);
    const uintptr_t resolved = base + EyeStep::util::raslr(call_site - 0x400000);
    Addresses::r_luavm_load = reinterpret_cast<Addresses::r_luavm_load_t>(resolved);
}

static void update_taskdefer()
{
    // Forward from the xref to the string literal to the next call site.
    const int call_site = EyeStep::util::nextCall(
        EyeStep::scanner::scan_xrefs("Maximum re-entrancy depth (\%i) exceeded calling task.defer")[0], false, false);
    const uintptr_t resolved = base + EyeStep::util::raslr(call_site - 0x400000);
    Addresses::r_taskdefer = reinterpret_cast<Addresses::r_taskdefer_t>(resolved);
}

static void update_getscheduler()
{
    // Byte-pattern scan, then walk back to the function prologue.
    const auto prologue = EyeStep::util::getPrologue(EyeStep::scanner::scan(
        "55 8B EC 64 A1 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC ?? 64 A1 ?? ?? ?? ?? 8B 08 A1 ?? ?? ?? ?? 3B 81 08 00 00 00 7F ?? A1 ?? ?? ?? ?? 8B 4D F4 64 89 0D ?? ?? ?? ?? 8B E5 5D C3 8D 4D E4 E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 45 E4 50 E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 83 3D ?? ?? ?? ?? ?? 75 ?? 68 ?? ?? ?? ??")[0]);
    const uintptr_t resolved = base + EyeStep::util::raslr(prologue - 0x400000);
    Addresses::r_getscheduler = reinterpret_cast<Addresses::r_getscheduler_t>(resolved);
}

// Reported by the author as not working.
static void update_getstate()
{
    // Byte-pattern scan, then walk back to the function prologue.
    const auto prologue = EyeStep::util::getPrologue(EyeStep::scanner::scan(
        "55 8B EC 8B 45 08 8B 00 83 F8 ?? 77 ?? FF 24 85 ?? ?? ?? ?? B8 ?? ?? ?? ?? 03 C8")[0]);
    const uintptr_t resolved = base + EyeStep::util::raslr(prologue - 0x400000);
    Addresses::r_getstate = reinterpret_cast<Addresses::r_getstate_t>(resolved);
}

// Runs every resolver above, in declaration order.
static void update_all()
{
    update_print();
    update_lvml();
    update_taskdefer();
    update_getscheduler();
    update_getstate();
}
}
Created a new thread : Need xrefs for roblox
Does anyone know xrefs for luavm::load? Or know how to find it in IDA pro?
Replied to thread : I need help making an execution method
Yeah, the addies work and all but execution is the problem. I'm making an external exploit, I think that's the problem. Should I just make it a DLL?
Replied to thread : I need help making an execution method
BTW, ignore getls() — that is very old, idk, it makes no sense, ik
Created a new thread : I need help making an execution method
I have auto updating addresses, but my issue is actually making an execution method. Here is my code:
// Scanner.hpp - scans roblox addies, with the help of EyeStep reborn by MelonMRTS on github
#include "eyestep/eyestep.cpp"
#include "eyestep/eyestep_utility.cpp"
#include "scheduler.cpp"
#include "zstd/xxhash.h"
#include "zstd/zstd.h"
#include "luau/Luau/Compiler.h"
#include "luau/Luau/BytecodeBuilder.h"
/// Adds the running module's base address to `addy`. The `- 0x000000` term
/// is a no-op kept from the original; the sum is narrowed to int on return.
int ASLR(uintptr_t addy)
{
    const auto module_base = reinterpret_cast<uintptr_t>(GetModuleHandleA(nullptr));
    return static_cast<int>(addy - 0x000000 + module_base);
}
/// Adds the 0x400000 preferred image base back onto `addy`; the result is
/// narrowed to int on return.
int RASLR(uintptr_t addy)
{
    constexpr uintptr_t kPreferredBase = 0x400000;
    return static_cast<int>(addy + kPreferredBase);
}
// 55 8B EC 8B 45 08 8B 00 83 F8 ?? 77 ?? FF 24 85 ?? ?? ?? ?? B8 ?? ?? ?? ?? 03 C8
// Base address of the running module, captured once at static-init time and
// used by the scanner resolvers below to rebase scan hits.
uintptr_t base = reinterpret_cast<uintptr_t>(GetModuleHandleA(nullptr));
// Bytecode encoder that remaps every opcode by multiplying it by 227; the
// product is truncated to uint8_t (i.e. taken mod 256) on return.
class roblox_encoder : public Luau::BytecodeEncoder {
    std::uint8_t encodeOp(const std::uint8_t opcode) {
        return static_cast<std::uint8_t>(opcode * 227);
    }
};
// Function-pointer aliases for the routines resolved by the scanner. Calling
// conventions are those the original author determined; the parameter names
// are documentation only.
using load = UINT(__fastcall*)(UINT rL, std::string* source, const char* chunkname, int env);
using rbx_printf = void(__cdecl*)(int type, const char* format, ...);
using r_taskdefer_t = uintptr_t(__cdecl*)(uintptr_t rl);
using rbx_getscheduler = int(__cdecl*)();
using _getstate = int(__thiscall*)(int scheduler_scriptcontext, int* type);
namespace Deobfuscation
{
// Both helpers decode a pointer stored at a fixed offset, where the stored
// word is combined with the address of the field that holds it. They read
// through the raw address they are given, so the caller must pass a mapped
// object of sufficient size.

// Decodes the field at sc + 236 by subtraction (offset taken from getstate).
uintptr_t luastate(uintptr_t sc)
{
    const uintptr_t field = sc + 236;
    return field - *reinterpret_cast<uintptr_t*>(field);
}

// Decodes the field at rl + 24 by XOR.
uintptr_t global(uintptr_t rl)
{
    const uintptr_t field = rl + 24;
    return field ^ *reinterpret_cast<uintptr_t*>(field);
}
}
// Wraps `data` in the frame the rest of this file expects: the "RSB1" tag,
// the raw size as native bytes, the zstd payload, then the whole buffer XORed
// with a 4-byte key derived from an XXH32 (seed 42) of the unmasked frame plus
// a per-index term. The ZSTD_compress return value is used as a length without
// an error check.
std::string compress(const std::string& data)
{
    const std::size_t raw_size = data.size();
    const std::size_t bound = ZSTD_compressBound(raw_size);
    std::vector<char> payload(bound);
    const std::size_t packed = ZSTD_compress(payload.data(), bound, data.data(), raw_size, ZSTD_maxCLevel());

    std::string frame{"RSB1"};
    frame.append(reinterpret_cast<const char*>(&raw_size), sizeof raw_size);
    frame.append(payload.data(), packed);

    const std::uint32_t digest = XXH32(frame.data(), frame.size(), 42U);
    std::uint8_t key[4];
    std::memcpy(key, &digest, sizeof digest);
    for (std::size_t i = 0; i < frame.size(); ++i)
        frame[i] ^= key[i % 4] + i * 41U;
    return frame;
}
namespace scanner
{
// Address resolvers. Each scans the loaded module with EyeStep (a string xref
// walked to the next call, or a byte pattern walked back to its prologue) and
// rebases the hit with `base` and EyeStep::util::raslr. Every scan takes the
// first hit (`[0]`) without checking that anything was found.

static uintptr_t getprint()
{
    const int call_site = EyeStep::util::nextCall(
        EyeStep::scanner::scan_xrefs("Video recording stopped")[0], false, false);
    // The rebased value is computed but the original returns ASLR(call_site);
    // kept so the call sequence is unchanged.
    [[maybe_unused]] const uintptr_t rebased = base + EyeStep::util::raslr(call_site - 0x400000);
    return ASLR(call_site);
}

static uintptr_t getluau_load()
{
    const int call_site = EyeStep::util::nextCall(
        EyeStep::scanner::scan_xrefs("oldResult, moduleRef = ...")[0], false, false);
    return base + EyeStep::util::raslr(call_site - 0x400000);
}

static uintptr_t gettaskdefer()
{
    const int call_site = EyeStep::util::nextCall(
        EyeStep::scanner::scan_xrefs("Maximum re-entrancy depth (\%i) exceeded calling task.defer")[0], false, false);
    return base + EyeStep::util::raslr(call_site - 0x400000);
}

static uintptr_t gettasksched()
{
    const auto prologue = EyeStep::util::getPrologue(EyeStep::scanner::scan(
        "55 8B EC 64 A1 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC ?? 64 A1 ?? ?? ?? ?? 8B 08 A1 ?? ?? ?? ?? 3B 81 08 00 00 00 7F ?? A1 ?? ?? ?? ?? 8B 4D F4 64 89 0D ?? ?? ?? ?? 8B E5 5D C3 8D 4D E4 E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 45 E4 50 E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 83 3D ?? ?? ?? ?? ?? 75 ?? 68 ?? ?? ?? ??")[0]);
    return base + EyeStep::util::raslr(prologue - 0x400000);
}

// Older lookup through a hard-coded scheduler address; the author says it is
// obsolete. The null check that followed the return in the original was
// unreachable and is omitted.
static uintptr_t getls()
{
    const scheduler_t sched{ 0xF969E0 };
    const uintptr_t sc = sched.get_script_context();
    const uintptr_t field = sc + 308;
    return field + *reinterpret_cast<DWORD*>(field);
}

static uintptr_t getstate()
{
    const auto prologue = EyeStep::util::getPrologue(EyeStep::scanner::scan(
        "55 8B EC 8B 45 08 8B 00 83 F8 ?? 77 ?? FF 24 85 ?? ?? ?? ?? B8 ?? ?? ?? ?? 03 C8")[0]);
    return base + EyeStep::util::raslr(prologue - 0x400000);
}
}
I use this for getting the addys, so these are the addies I have. What can I do to run scripts?
Replied to thread : How do I execute addresses?
Got print working, but how do I run luavm_load? 0x72A2A0 is the addy right?
Created a new thread : How do I execute addresses?
So I know how to get the addies, but I don't know how to exec them. I know this sounds weird.
When I run this code, it fails with a memory access violation.
Code:
// Fragment from the thread: casts previously scanned addresses to the typed
// function pointers declared earlier, then calls them in order. lvm_loada,
// tdefera, getstatea and comp are defined elsewhere in the author's code and
// are not shown here.
const auto rbx_load = reinterpret_cast<load>(lvm_loada);
const auto rbx_defer = reinterpret_cast<r_taskdefer_t>(tdefera);
const auto rbx_getstate = reinterpret_cast<_getstate>(getstatea);
const auto rbx_getsched = reinterpret_cast<rbx_getscheduler>(scanner::gettasksched());
const auto rbx_print = reinterpret_cast<void(__fastcall*)(std::uint8_t, const char*, ...)>(
    reinterpret_cast<std::uintptr_t>(GetModuleHandle(nullptr)) + scanner::getprint());
rbx_print(0, "hey");
scheduler_t sched(rbx_getsched());
[[maybe_unused]] int idk = 0;
auto* state = reinterpret_cast<lua_State*>(Deobfuscation::luastate(sched.get_script_context()));
rbx_load(reinterpret_cast<UINT>(state), &comp, "", 0);
rbx_defer(reinterpret_cast<UINT>(state));
Replied to thread : ROBLOX Reverse Engineering Wiki (With example dumper, OPEN SOURCE!)
u right im gonna use smth like zydis next
Created a new thread : ROBLOX Reverse Engineering Wiki (With example dumper, OPEN SOURCE!)
I think this is the biggest release for WRD this month. I'm talking about full updated addy methods for roblox, EyeStep examples, and an example dumper.
Credits go to:
Links:
Wiki: https://github.com/LLethul/ROBLOX/wiki
Example Dumper: https://github.com/LLethul/ExampleDumper
Please make a PR, or message me if you want to add something.