Profile Picture

Darkn (Darkn | Resigned)

Reputation: 19 [rate]

Joined: Oct, 2020

Last online:

Bio

Hello! I'm a person on WeAreDevs that basically does nothing really, I just made an account on here for no reason, so expect me to pop up on random forums.

Badges

badge badge badge badge

Etc

Send Message

Threads List
Possible Alts

Activity Feed

Created a new thread : Wave Concerns: Fake Drawing Lib, Plaintext Passwords, etc..


ello' again, even more concerns regarding Wave.. may that be improper drawing libraries or storing passwords in plaintext, there are many things about Wave that are just.. sketchy.

 

also if Rexi see's this: i don't hate you man, i just don't like how this exploit has been going so far, even from the start. management, vulnerabilities, lack of care regarding user security, etc.

 

original thread: https://new.reddit.com/r/robloxhackers/comments/1drn5z4/wave_concerns/


Some of you may have seen my previous thread about vulnerabilities in the debug library in Wave, and I decided to look further into Wave, to find out what else I would uncover. What I discovered means that multiple of Wave's marketing claims are outright lies, potentially causing people to buy premium who otherwise would not have if they knew the truth.

 

1.  UNC percentage for premium vs free

 

I won't go into too much detail on this, as others have already discussed it, however Wave was originally claiming 100% UNC for both free and paid (visible in the screenshot from just 2 days ago), before backtracking and dropping the free version to 80% UNC. In addition, many users have been reporting that some functions are either broken or fake, and nobody (that I've seen), has been able to validate the 100% UNC claim at this time.

 

Image of 1

 

2. Wave's console library

 

This is not an area tested by the UNC script, as it cannot confirm anything that happens with them. It does confirm that aliases for the functions exist, but that does not count towards the UNC percentage. However, Wave has registered these functions, however if you decompile the DLL, you will uncover that the functions are simply defined as return 0;, meaning they are not implemented at all, and are practically just placeholders designed to stop the missing aliases warnings from showing up when the UNC script is ran. (screenshot is of one of the console functions, when I look at Wave DLL in IDA, they are all the same)

 

Image of 2

 

3. Wave's drawing library

 

Wave has not implemented a proper drawing library, and is instead using a lua drawing library that creates a roblox GUI from drawing library commands. This is was likely done to get around Hyperion's protections around DirectX, however this method will have worse performance than native DirectX rendering, and many Wave users have been asking for a "real drawing lib" in the discord server. (screenshot is a portion of Wave's drawing lib, the whole version has been posted on V3rm already)

 

Image of 3

 

4. Luarmor support

 

On release, Wave lacked support for luarmor, due to an issue in their readfile function. This has since been fixed, however had Wave developers bothered to test a luarmor script prior to release, this oversight would have been avoided.

 

Image of 4

 

5. Wave's hookfunction

 

Wave has an incomplete hookfunction implementation, so while it is complete enough to pass the UNC test, it will fail in some circumstances. When argument 1 is an lclosure, and argument 2 is a cclosure, hookfunction will error with the message "Hooking Lua Closures with C Closures is not yet supported". (screenshot is from hookfunction in Wave DLL in IDA)


Image of 5

 

6. Wave's debug library vulnerabilities

 

Read my previous thread for more details on this, but Wave contains vulnerabilities in it's debug library that can lead to arbitrary code execution. Since releasing my thread, Rexi has replied, practically waving it off as not an issue, and Wave has since updated, with none of the vulnerabilities fixed, and no public acknowledgement about their existence in the Discord server to warn users. 

(https://new.reddit.com/r/robloxhackers/comments/1dqjnvj/vulnerabilities_in_wave/) or (https://forum.wearedevs.net/t/36147)

 

7. Wave registration issues

 

Many users have been encountering issues installing Wave and or registering for a Wave account. The common fixes listed in the discord server has not worked for many people (381 people said it worked, whereas 1433 people said they never worked). While some issues are going to be expected with a just released exploit, the registration issues at minimum could of been avoided by getting a small group of people to test prior to release.

 

Image of 7

 

8. Passwords sent in plaintext

 

Wave UI sends your password in plaintext to Wave's API, meaning that Wave developers could see your password in plaintext if they wish to. The obvious solution to this (which should have already been implemented), would be to hash passwords prior to sending. We also do not know how Wave is storing logins, and what hashing algorithm they are using for this (if any), meaning there is a chance that if somebody managed to compromise Wave's servers and access the database, they could see everybody's Wave logins, including passwords if they are stored in plaintext (or an easily crackable hash), which could let them access other accounts if you reused the same password as another website/service. While Wave's API does use HTTPS, so the password is encrypted during transit, the passwords should be securely hashed before they are sent to Wave's servers. There is no reason for them to be able to have the plaintext password, as they can compare the hashes to ensure someone has the right password to login. This is even more concerning due to Rexi's links with Arceus X, an exploit known for stealing user data back in 2021.

 

Image of 8

 

9. Weird registry keys location

 

Wave stores it's registry keys under HKEY_CURRENT_USER\Software\KasperskyLab. This obviously matches the registry key location for Kaspersky Antivirus, and will increase the rate of false positives that Wave gets. It is unclear why they made the decision to do this, however it could of been done to try to prevent Roblox checking for Wave registry keys (even if Roblox could just look for obviously not Kaspersky related subkeys in that registry key). It would of been easy for wave developers to check if Roblox started checking the registry using a tool like Process Monitor after an update anyway, if they were checking for anticheat changes like they should be. This is even more concerning due to Rexi's links with Arceus X, an exploit known for stealing user data back in 2021.

 

Image of 9

 

While I wish Wave the best as it would be great for this community to return to it's former glory, in it's current state full of security concerns, bugs, and outright lies when it comes to marketing, it should not be available to the public, until such issues are resolved.

Commented to thread : Wave Vulnerabilities


Hello!! You can try adding me but I won't guarantee if I'll accept your friend request or not or if I unfriend you in the future since I've been purging my friends list really often :v

It got way too bloated when I was staff for Coco Z and Fluxus so... that's mainly why..

Created a new thread : Wave Vulnerabilities


Hey guys, it's been a while since I last used WeAreDevs forums but Roblox exploiting is back..? Despite that though, I had heard that Wave released again, and I had just saw another thread on Reddit mentioning that Wave has the Debug Lib Vulnerabilities found in Synapse back at the end of 2021. Just wanted to ensure people were aware about this as it's kind of concerning the lack of care in user security that they have for a second time in a row..

Vulnerabilities in Wave by u/Objective_Highway424 (Original post if anyone was curious)


 

Posting this on a throwaway, but I recently purchased Wave, and due to the vulnerabilities previously known in the beta, the first thing I did was look for vulnerabilities. It was very public knowledge back in 2021/2022 about the vulnerabilities that were present in the debug library in Synapse X, which were later patched and a test script for them published. These vulnerabilities can lead to arbitrary code execution, as shown in the reddit thread about them (https://www.reddit.com/r/robloxhackers/comments/rkuga2/most_executors_affected_by_debug_lib_ace/).

Wave is vulnerable to these same vulnerabilities, an oversight I feel should of been corrected prior to release. Wave's claim of 100% UNC also appears to be false, as setscriptable failed, resulting in 99% UNC.

These claims can be validated easily by trying the test script available in the reddit post above (the screenshot is of a slightly modified version doing a warn for each failed test instead of asserts, so they will all be tested)

Image Showing Vulnerabilities (I was planning to use an image, but WRD was breaking for me..)

 



If anyone was curious, yes Rexi did reply to this.

Rexi's reply:

Stop using old scripts UNC exists for a reason, and also theres UNC but for vulns
loadstring(game:HttpGet("https://raw.githubusercontent.com/fissurectomy/test/main/executor_vuln_test.lua"))()

other than that its not really a vuln but ill check it out.

OP's reply to Rexi:

Just because there is a vulnerability test script (which I did try, and Wave did pass that), does not mean it contains every vulnerability possible. Your blatant denial of this, despite the same lack of checks in the debug library leading to people using synapse being infected with malware before is concerning, and shows that your priorities clearly do not include user security.

Image of Reply (Same thing happened again.. Can't use an image cause WRD was being broken..)

Replied to thread : Delete my WeAreDevs account


this should be an option in settings and not require a full email to WRD

Replied to thread : WHAT THE FVCK SYNAPSE?


oh well lol, i don't really care tbh

Commented to thread : Synapse Caught Switching Sides


i have the dox saved but i'm not gonna share it here nor anywhere

Replied to thread : Synapse Caught Switching Sides


lol no more exploiting then

Commented to thread : [Cw] RealChronics/Haruka Scamming/Alting


eh well this is the first one i've seen from you so that's that lol

Replied to thread : [Cw] RealChronics/Haruka Scamming/Alting


i take a quick sneak peak at the exploiting community CWs and i see immunelion of all people making a CW on a person i know

well then that caught me by surprise lmao

Created a new thread : Hi, Coco Z is discontinued. (Has been for a few months)


I completely forgot about WeAreDevs and forgot to post a thread here along side my Discord post.

 

So yeah, if you joined the Discord Server and checked Coco Z announcements, you will realize that Coco Z has now been discontinued. Over 2-3 years of being an exploit, all gone.

Reasons for this can include:

1. Lack of motivation from the developers.
2. The developers were constantly busy, having to do school, Coco development, developing other exploits, etc.
3. The new Roblox anticheat (Byfron) being annoying to bypass now, still bypassable, but takes long.
4. Inactivity from MCGamin1738, Laxion busy with schoolwork, Rexi having his own exploit, etc

If you all want an archive of the entirety of Coco, you can check my GitHub:
https://github.com/NotDarkn/Archives/tree/main/Coco

Anyways yeah, Coco Z has been discontinued and has been for a few months now. I was told it was going to be removed off the WeAreDevs website soon after but it doesn't seem like it, so I'll put this out now.

yes, I say Coco Z, not Coco. Coco will most likely still exist, but the exploit (Coco Z) will not.
+ Coco Z will still work just only with the WRD API.

 

https://media.discordapp.net/attachments/892067098728230963/1050890490108727337/1.png

https://media.discordapp.net/attachments/892067098728230963/1050890490435874816/2.png

Replied to thread : Tell about your First Exploit you used.


My first Roblox executor (on Windows) was:
JJSploit

My friend redirected me to an exploiting website called "WeAreDevs" back in like 2019, and once I installed Windows I decided to try exploiting for the first time. Best thing I could have done during 2019 and 2020.

(Timeline, probably accurate)
JJSploit -> Proxo -> Skisploit -> Cheatsploit -> sk8r -> Proxo -> Krnl -> Sentinel -> Synapse X

Replied to thread : Fluxus Staff when there is nothing to do:


@SirWeeb
Fluxus tickets used to be like that before we had good support 💀

Replied to thread : I have 1000 posts!


congrats you made it to 1000 posts!
now comes the activity decline