EXPOSING THE RUMORS | THE GREATEST HYPERION REVERSAL

HELLO ALL I AM BACK AGAIN!

Hello all, I am back again! For those who don't know I was the internal developer behind the scenes of MANY big exploits. For those who don't know me I am KnowledgeKING. I am here to drop the greatest Hyperion reversals. If you guys thought Gogo's releases were good, wait until you read mine. To start off I shall be giving you ALL a complimentary Hyperion bypass you can use at home.

Intimidated? Don't be. We'll walk you through a simple step by step process to becoming undetected on the modern anti-cheat.

To start, let's analyze their active process scanning. Hyperion scans for things such as Cheat Engine, Ollydbg, IDA Pro, Ghidra, Cutter, Binja & a few others.

The initialization of these scans is quite simple. Hyperion has a special secret laying for us. It may not seem like anything at first, for those with the untrained eye but here it hides, the KILLSWITCH. 

For those who are unaware, Hyperion doesn't always release with complete stability. They add killswitches which trigger upon if they detect you with incompatible hardware for some checks. These killswitches are served in the form of FFlags but these are special flags. They aren't the ones you can insert into ClientSettings json file. We'll go more into depth with that later, but for now keep this in mind while you read this reversal as we will be leveraging this vulnerability to take it down from the inside out. We will go over their entire deployment system, and show how to find these undocumented flags. You cannot simply set them due to a blacklist at runtime which only allows Roblox to control such flags. 

https://imgur.com/n87u4d5

To set these hidden flags we will be using a tool called Physmeme. This is a reversing tool which lets us directly access the physical memory of a computer without having to write a kernel driver. It simply leverages an existing signed driver to map physical memory into the calling process of the ioctl stack. We'll get more into that on a later series, but physical memory is like the real memory on your computer. Some memory is paged out for not being used, when memory gets used it causes a PAGE_FAULT (you've heard of this before likely) and this will tell the memory manager to page in memory, into any virtual address it desires (which doesn't have to be the same as a physical address). If you've ever BSOD with the error PAGE_FAULT_IN_NONPAGED_AREA this is why. You have tried to access a virtual address which isn't actually mapped to anything, and therefore it was a nonpaged area.

Now to get into the real meat of the reversal here. Let's start by analyzing their updator which uses these secret flags in practice to prevent version reverts. If you've ever tried to revert your Roblox version you'll notice that it doesn't completely revert. Instead it seemingly knows it's been reverted and updates. This is their updating mechanism in play here, seeing that it's running an older version and needs to update. 

Here are a couple SECRET FFlags that you have never heard of:

"WinSkipLuaUpdateForBackgroundDownload", "DebugDisableAppUpdateChecks2", "WinBackgroundDownloadUpdates", "WindowsMinimumClientVersion"

These FFlags are used inside the internal protected FFlag system that Hyperion also uses. Fear not, for we will reverse this in and out in a later series, but for now let's actually see what's going on here. 

Inside of Roblox, we know they are a multiplatform game, so they obviously have abstractions from their platform APIs, here's a couple of classes they use: RBX::WindowsUpdateController

RBX::WindowsUpdateAdapter

These are the main classes responsible, and hold the hidden FFlags. The update controller is the main controller which is called from the outer APIs. The Adapter holds the code which actually preforms the update checks and updating if needed.

Roblox has 2 kinds of flags in place for updating. Forced updates (2), and background updates (1). Anything else is counted as a skip.

Going into the update adapter we can see the following killswitch in place ("DebugDisableAppUpdateChecks2"):

https://cdn.discordapp.com/attachments/980743461059825684/1309059156061192232/image.png?ex=674033d7&is=673ee257&hm=79cc331f09aeeabc8e4dbf056e7513d1c690eb8a59e930a4374eabefd3f9d733&

If disable app updates is checked then it simply calls a couple vtable funcs to preform de-initialization and then returns. Similar Hyperion functionalities such as Window scans, Thread iterations, TLS context checks, & Lua environment checks can be disabled too!

You might think you can be clever and find all these flags by simply going to the FFlag deployer site and looking for these flags, but you'd be mistaken. As I've said these are NOT the same as normal FFlags and therefore won't accept any input from a file (they'll be ignored). Here we can see their ENUMS:

https://cdn.discordapp.com/attachments/980743461059825684/1309059010388824096/image.png?ex=674033b5&is=673ee235&hm=05b5c6b55e24ac4ba1fb41069f81b5dfe23e434135dc2f825f10452993a62d5e&

Here is the official FFlags deployed to the client when you load the game: https://clientsettingscdn.roblox.com/v2/settings/application/PCDesktopClient

Again, some of the FFlags we talk about here are NOT included in this list. 

For example, the background download is in this list. https://media.discordapp.net/attachments/980743461059825684/1309060712857075722/image.png?ex=6740354b&is=673ee3cb&hm=a8d4a434a7fddf7ddd706235a8014f41d419eacc92d2dc24853c739227616616&=&format=webp&quality=lossless

The disables are not though.

They also offer these flags in a compressed version using ZSTD at: https://clientsettingscdn.roblox.com/v2/settings/application/PCDesktopClient.zst

For helpful reasons I will provide the URLs to check your current channel and version. These vary depending on the currently logged in Roblox ACCOUNT, not PC.

Channel: https://clientsettingscdn.roblox.com/v2/user-channel?binaryType=WindowsPlayer

Version: https://clientsettingscdn.roblox.com/v2/client-version/WindowsPlayer

Version with channel: https://clientsettingscdn.roblox.com/v2/client-version/WindowsPlayer/channel/LIVE

With the provided information you can now look further into the secret FFlag deployment system, and yourself discover the true secrets of the Roblox engine. If you need any help just DM me on WRD. Together We Are Devs! I will assist you in bypassing all of Hyperions secret mechanisms, with EASE! Stay looking forward to the second thread where we will analyze deeper in their secret deployment system, and ways to circumvent and tamper with it. As always, good luck, and I'll see you later! ;)