
I need help making an execution method

Posts: 10

Threads: 5

Joined: Feb, 2023

Reputation: 0

Posted

I have auto updating addresses, but my issue is actually making an execution method. Here is my code:

```cpp
// Scanner.hpp - scans roblox addies, with the help of EyeStep reborn by MelonMRTS on github
#include "eyestep/eyestep.cpp"
#include "eyestep/eyestep_utility.cpp"
#include "scheduler.cpp"
#include "zstd/xxhash.h"
#include "zstd/zstd.h"
#include "luau/Luau/Compiler.h"
#include "luau/Luau/BytecodeBuilder.h"

int ASLR(uintptr_t addy) { return addy - 0x000000 + reinterpret_cast<uintptr_t>(GetModuleHandleA(NULL)); }
int RASLR(uintptr_t addy) { return addy + 0x400000; }

// 55 8B EC 8B 45 08 8B 00 83 F8 ?? 77 ?? FF 24 85 ?? ?? ?? ?? B8 ?? ?? ?? ?? 03 C8

uintptr_t base = reinterpret_cast<uintptr_t>(GetModuleHandleA(NULL));

class roblox_encoder : public Luau::BytecodeEncoder {
	std::uint8_t encodeOp(const std::uint8_t opcode) {
		return opcode * 227;
	}
};

typedef UINT(__fastcall* load)(UINT rL, std::string* source, const char* chunkname, int env);
typedef void(__cdecl* rbx_printf)(int type, const char* format, ...);
using r_taskdefer_t = uintptr_t(__cdecl*)(uintptr_t rl);
typedef int(__cdecl* rbx_getscheduler)();
typedef int(__thiscall* _getstate)(int scheduler_scriptcontext, int* type);

namespace Deobfuscation
{
	uintptr_t luastate(uintptr_t sc)
	{
		return (sc + 236) - *(uintptr_t*)(sc + 236); //u can find it in getstate
	}


	uintptr_t global(uintptr_t rl)
	{
		return (rl + 24) ^ *(uintptr_t*)(rl + 24);
	}
}

std::string compress(const std::string& data)
{
	std::string output = "RSB1";
	std::size_t dataSize = data.size();
	std::size_t maxSize = ZSTD_compressBound(dataSize);
	std::vector<char> compressed(maxSize);
	std::size_t compSize = ZSTD_compress(&compressed[0], maxSize, data.c_str(), dataSize, ZSTD_maxCLevel());
	output.append(reinterpret_cast<char*>(&dataSize), sizeof(dataSize));
	output.append(&compressed[0], compSize);
	std::uint32_t firstHash = XXH32(&output[0], output.size(), 42U);
	std::uint8_t hashedBytes[4];
	std::memcpy(hashedBytes, &firstHash, sizeof(firstHash));
	for (std::size_t i = 0; i < output.size(); ++i)
		output[i] ^= hashedBytes[i % 4] + i * 41U;
	return output;
}

namespace scanner
{
	static uintptr_t getprint()
	{
		int print_call = EyeStep::util::nextCall(EyeStep::scanner::scan_xrefs("Video recording stopped")[0], false, false);
		uintptr_t print_address = base + EyeStep::util::raslr(print_call - 0x400000);

		return ASLR(print_call);
	}

	static uintptr_t getluau_load()
	{
		int lvm_call_maybe = EyeStep::util::nextCall(EyeStep::scanner::scan_xrefs("oldResult, moduleRef  = ...")[0], false, false);
		uintptr_t lvm_addy = base + EyeStep::util::raslr(lvm_call_maybe - 0x400000);

		return lvm_addy;
	}

	static uintptr_t gettaskdefer()
	{
		int tdefer_maybe = EyeStep::util::nextCall(EyeStep::scanner::scan_xrefs("Maximum re-entrancy depth (\%i) exceeded calling task.defer")[0], false, false);
		uintptr_t tdefer_addy = base + EyeStep::util::raslr(tdefer_maybe - 0x400000);

		return tdefer_addy;
	}

	static uintptr_t gettasksched()
	{
		auto taskschedulera = EyeStep::util::getPrologue(EyeStep::scanner::scan("55 8B EC 64 A1 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC ?? 64 A1 ?? ?? ?? ?? 8B 08 A1 ?? ?? ?? ?? 3B 81 08 00 00 00 7F ?? A1 ?? ?? ?? ?? 8B 4D F4 64 89 0D ?? ?? ?? ?? 8B E5 5D C3 8D 4D E4 E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 45 E4 50 E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 83 3D ?? ?? ?? ?? ?? 75 ?? 68 ?? ?? ?? ??")[0]);
		uintptr_t taskscheduler = base + EyeStep::util::raslr(taskschedulera - 0x400000);

		return taskscheduler;
	}

	// get luastate
	static uintptr_t getls()
	{
		const scheduler_t sched{ 0xF969E0 };
		uintptr_t sc = sched.get_script_context();
		return (sc + 308) + *(DWORD*)(sc + 308);
		if (sc == 0x0) { return 0x0; }
	}

	static uintptr_t getstate()
	{
		auto getstate_siggy = EyeStep::util::getPrologue(EyeStep::scanner::scan("55 8B EC 8B 45 08 8B 00 83 F8 ?? 77 ?? FF 24 85 ?? ?? ?? ?? B8 ?? ?? ?? ?? 03 C8")[0]);
		uintptr_t getstate = base + EyeStep::util::raslr(getstate_siggy - 0x400000);

		return getstate;
	}
};
```


I use this for getting the addys, so these are the addies I have. What can I do to run scripts?


Added

BTW, ignore getls(); that is very old, idk, it makes no sense, ik.

Posts: 1479

Threads: 95

Joined: Oct, 2019

Reputation: 103

Replied

Call LuaVM Load, pass it your compressed bytecode and state and stuff, then after that call task defer. Should work.

Posts: 24

Threads: 0

Joined: Dec, 2022

Reputation: 5

Replied

What's wrong with it? Does it crash? Does it do nothing? From looking at it, I think your compression is wrong, but I could make a better prediction if you can elaborate on where in your code the error occurred. Also, I highly recommend not relying on dumpers when you're starting out as they will limit your learning and experimentation and you'll always be sticking to the same functions.


Posts: 10

Threads: 5

Joined: Feb, 2023

Reputation: 0

Replied

Yeah, the addies work and all but execution is the problem. I'm making an external exploit, I think that's the problem. Should I just make it a DLL?

heckerdude

Posts: 129

Threads: 16

Joined: Aug, 2022

Reputation: 6

Replied

You must know that anything done externally must catch the target information, such as module handle, base, process id, process name, hwnd, handles. You have to make it internal if you are a starter. To correct your mistake, the luau_load string is incorrect. It returns a random function with 2 arguments.

In context, make it internal. As I see it, that is your issue.

hecker dude ngl i hecked 5 ips in 1 second also luaU_loadbiglongjuicythingy(rL);

Posts: 10

Threads: 5

Joined: Feb, 2023

Reputation: 0

Replied

Thanks, I'll look into that.