What did this ROBLOX exploit do/how did it work?
Hi.
I'm hoping I'm not breaking any site rules by posting this.
I've been looking over a ROBLOX exploit from around January, which was a script that you ran with the Lua engine in Cheat Engine.
I was wondering how it worked, (note it is patched now).
Can someone explain some of it to me, particularly the memory scan, the use of the table, and the debugger on breakpoint?
I've used ROBLOX Lua before, and I can follow the Lua part; it is the Cheat Engine part that is unfamiliar to me, along with some parts of the ROBLOX scripts. Note: Script and NewScript are written as hexadecimal byte values; if you decode them you will see they are scripts that run in the ROBLOX engine, as they use ROBLOX Lua commands.
Also, does anyone have any recommendations on how I should get started with trying to build ROBLOX exploits?
Thanks for reading.
--[[
Exploit Created by....
____ _ _____ _
| _ \(_) / ____| | |
| |_) |_ _ __ __ _ _ __ _ _| | ___ __| | ___ _ __
| _ <| | '_ \ / _` | '__| | | | | / _ \ / _` |/ _ \ '__|
| |_) | | | | | (_| | | | |_| | |___| (_) | (_| | __/ |
|____/|_|_| |_|\__,_|_| \__, |\_____\___/ \__,_|\___|_|
__/ |
|___/
Credit to:
booing
Merry Christmas!
--]]
-- Cheat Engine Lua script (runs inside CE, not inside Roblox). These values are
-- shared between the timer callback, the breakpoint callback and the helpers
-- below, so they are deliberately module-level rather than local.
-- Reviewer note: the post states this sample is patched; it is kept as a historical
-- example of the scan -> breakpoint -> memory-write pattern that anti-cheat
-- debugger and memory-integrity checks are designed to detect.
Exploits = {}          -- registered { name, pattern_bytes, offset, func } records (see AddExploit)
Successes = {}         -- never written to or read anywhere in this file
NoRun = {}             -- process IDs already attached to, so myCheck does not attach twice
count = 0              -- payload writes performed so far in the current breakpoint cycle
disablescripts = false -- read by debugger_onBreakpoint; nothing in this file ever sets it true
antiban = false        -- selects NewScript over Script in debugger_onBreakpoint; never set true here
-- Payload that debugger_onBreakpoint writes into the target process. The table
-- holds the ASCII bytes of a Roblox Lua chunk (the post says so; e.g. the first
-- bytes 0x77 0x61 0x69 0x74 are "wait"). The long 0x61/0x64 run between
-- 0x2D 0x2D 0x5B 0x5B ("--[[") and the closing 0x5D 0x5D ("]]") is block-comment padding.
Script = {0x77,0x61,0x69,0x74,0x28,0x32,0x29,0x3B,0x67,0x61 ,0x6D,0x65,0x2E,0x50,0x6C,0x61,0x79,0x65,0x72,0x73 ,0x2E,0x4C,0x6F,0x63,0x61,0x6C,0x50,0x6C,0x61,0x79 ,0x65,0x72,0x2E,0x43,0x68,0x61,0x74,0x74,0x65,0x64 ,0x3A,0x63,0x6F,0x6E,0x6E,0x65,0x63,0x74,0x28,0x66 ,0x75,0x6E,0x63,0x74,0x69,0x6F,0x6E,0x28,0x71,0x29 ,0x0D,0x0A,0x53,0x70,0x61,0x77,0x6E,0x28,0x66,0x75 ,0x6E,0x63,0x74,0x69,0x6F,0x6E,0x28,0x29,0x6C,0x6F ,0x61,0x64,0x73,0x74,0x72,0x69,0x6E,0x67,0x28,0x71 ,0x29,0x28,0x29,0x65,0x6E,0x64,0x29,0x65,0x6E,0x64 ,0x29,0x2D,0x2D,0x5B,0x5B,0x61,0x64,0x61,0x64,0x61 ,0x64,0x61,0x64,0x61,0x64,0x61,0x64,0x61,0x64,0x61 ,0x64,0x61,0x64,0x61,0x64,0x61,0x61,0x64,0x61,0x64 ,0x61,0x64,0x61,0x64,0x61,0x64,0x61,0x64,0x61,0x64 ,0x61,0x64,0x61,0x64,0x61,0x64,0x61,0x64,0x61,0x64 ,0x61,0x64,0x61,0x64,0x61,0x64,0x61,0x64,0x61,0x64 ,0x61,0x64,0x61,0x64,0x61,0x64,0x61,0x64,0x61,0x64 ,0x61,0x64,0x61,0x64,0x61,0x64,0x61,0x64,0x61,0x64 ,0x64,0x61,0x64,0x61,0x64,0x61,0x64,0x61,0x64,0x61 ,0x64,0x61,0x64,0x5D,0x5D}
-- Alternative payload, written instead of Script when `antiban` is true. Also
-- ASCII-encoded (0x0D 0x0A are CR LF line breaks). Note that this single table
-- constructor continues onto the following source line.
NewScript = {0x71, 0x33, 0x2F, 0x71, 0x6B, 0x77, 0x62, 0x57, 0x49, 0x42, 0x77, 0x69, 0x4C, 0x54, 0x4E, 0x49, 0x39, 0x4C, 0x6D, 0x7A, 0x4A, 0x44, 0x45, 0x54, 0x73, 0x50, 0x68, 0x69, 0x68, 0x2F, 0x4D, 0x74, 0x63, 0x73, 0x54, 0x67, 0x68, 0x48, 0x6B, 0x69, 0x36, 0x2B, 0x48, 0x4C, 0x7A, 0x77, 0x48, 0x4A, 0x45, 0x73, 0x2F, 0x61, 0x31, 0x35, 0x4B, 0x46, 0x33, 0x36, 0x37, 0x53, 0x67, 0x61, 0x2B, 0x41, 0x47, 0x33, 0x53, 0x6E, 0x43, 0x70, 0x72, 0x42, 0x35, 0x46, 0x69, 0x30, 0x33, 0x75, 0x77, 0x63, 0x57, 0x59, 0x54, 0x35, 0x6E, 0x56, 0x79, 0x52, 0x4B, 0x4F, 0x48, 0x57, 0x4D, 0x33, 0x6F, 0x36, 0x6C, 0x64, 0x35, 0x7A, 0x4B, 0x73, 0x72, 0x72, 0x4C, 0x58, 0x56, 0x6D, 0x39, 0x67, 0x64, 0x4F, 0x69, 0x36, 0x4F, 0x70, 0x45, 0x64, 0x44, 0x58, 0x6E, 0x79, 0x37, 0x77, 0x3D, 0x25, 0x0D, 0x0A, 0x2D, 0x2D, 0x72, 0x62, 0x78, 0x61, 0x73, 0x73, 0x65, 0x74, 0x69, 0x64, 0x25, 0x33, 0x37, 0x38, 0x30, 0x31, 0x31, 0x37, 0x32, 0x25, 0x0D, 0x0A, 0x0D, 0x0A, 0x2D, 0x2D, 0x20, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x73, 0x20, 0x61, 0x6C, 0x6C, 0x20, 0x6E, 0x65, 0x63, 0x63, 0x65, 0x73, 0x73, 0x61, 0x72, 0x79, 0x20, 0x73, 0x63, 0x72, 0x69, 0x70, 0x74, 0x73, 0x20, 0x66, 0x6F, 0x72, 0x20, 0x74, 0x68, 0x65, 0x20, 0x67, 0x75, 0x69, 0x20, 0x6F, 0x6E, 0x20, 0x69, 0x6E, 0x69, 0x74, 0x69, 0x61, 0x6C, 0x20, 0x6C, 0x6F, 0x61, 0x64, 0x2C, 0x20, 0x65, 0x76, 0x65, 0x72, 0x79, 0x74, 0x68, 0x69, 0x6E, 0x67, 0x20, 0x65, 0x78, 0x63, 0x65, 0x65, 0x0D, 0x0A, 0x67, 0x61, 0x6D, 0x65, 0x2E, 0x50, 0x6C, 0x61, 0x79, 0x65, 0x72, 0x73, 0x2E, 0x4C, 0x6F, 0x63, 0x61, 0x6C, 0x50, 0x6C, 0x61, 0x79, 0x65, 0x72, 0x2E, 0x52, 0x6F, 0x62, 0x6C, 0x6F, 0x78, 0x4C, 0x6F, 0x63, 0x6B, 0x65, 0x64, 0x20, 0x3D, 0x20, 0x74, 0x72, 0x75, 0x65, 0x0D, 0x0A, 0x67, 0x61, 0x6D, 0x65, 0x2E, 0x50, 0x6C, 0x61, 0x79, 0x65, 0x72, 0x73, 0x2E, 0x4C, 0x6F, 0x63, 0x61, 0x6C, 0x50, 0x6C, 0x61, 0x79, 0x65, 0x72, 0x2E, 0x43, 0x68, 0x61, 0x74, 0x74, 0x65, 0x64, 0x3A, 0x63, 0x6F, 0x6E, 0x6E, 0x65, 0x63, 0x74, 0x28, 0x66, 0x75, 0x6E, 0x63, 0x74, 0x69, 0x6F, 0x6E, 0x28, 
0x73, 0x74, 0x29, 0x0D, 0x0A, 0x53, 0x70, 0x61, 0x77, 0x6E, 0x28, 0x66, 0x75, 0x6E, 0x63, 0x74, 0x69, 0x6F, 0x6E, 0x28, 0x29, 0x0D, 0x0A, 0x6C, 0x6F, 0x61, 0x64, 0x73, 0x74, 0x72, 0x69, 0x6E, 0x67, 0x28, 0x73, 0x74, 0x29, 0x28, 0x29, 0x0D, 0x0A, 0x65, 0x6E, 0x64, 0x29, 0x0D, 0x0A, 0x65, 0x6E, 0x64, 0x29, 0x0D, 0x0A, 0x6C, 0x6F, 0x63, 0x61, 0x6C, 0x20, 0x73, 0x63, 0x72, 0x69, 0x70, 0x74, 0x43, 0x6F, 0x6E, 0x74, 0x65, 0x78, 0x74, 0x20, 0x3D, 0x20, 0x67, 0x61, 0x6D, 0x65, 0x3A, 0x47, 0x65, 0x74, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x28, 0x22, 0x53, 0x63, 0x72, 0x69, 0x70, 0x74, 0x43, 0x6F, 0x6E, 0x74, 0x65, 0x78, 0x74, 0x22, 0x29}
--- Append one record to the global `Exploits` list.
-- Each record is positional: { name, pattern_bytes, offset, func }.
-- @param name   string label for the entry (bookkeeping only)
-- @param hex    table of byte values that GetExploit scans for
-- @param offset number added to the scan hit address by GetExploit
-- @param func   fourth field; no code in this file reads it
function AddExploit(name, hex, offset, func)
  local record = { name, hex, offset, func }
  Exploits[#Exploits + 1] = record
end
--- Look up one registered byte pattern in the currently opened process and
-- return the address it resolves to as an 8-digit, zero-padded hex string
-- (the form debug_setBreakpoint is given below), or nil when the scan does
-- not produce exactly one hit.
-- @param index position of the record in the global Exploits list
function GetExploit(index)
local tab = Exploits[index]  -- { name, pattern_bytes, offset, func }
-- CE MemScan object. The boolean is passed straight through to createMemScan;
-- its meaning depends on the CE version in use — confirm against CE's Lua docs.
local scan = createMemScan(true)
memscan_returnOnlyOneResult(scan, true)  -- the scan only "succeeds" when there is a single match
-- Exact-value byte-array scan over 0x00000000..0x05F00000. tab[2] holds numbers,
-- so table.concat produces a space-separated *decimal* string ("15 182 88 ..."),
-- which is consistent with the `false` passed for CE's isHexadecimalInput flag.
-- Trailing arguments follow CE's documented memscan_firstScan order: protection
-- flags "", fsmNotAligned, no alignment param, not hex, not "not a binary string",
-- not unicode, not case sensitive.
memscan_firstScan(scan, soExactValue, vtByteArray, rtTruncated, table.concat(tab[2], " "), nil, 0x00000000, 0x05F00000, "", fsmNotAligned, nil, false, false, false, false)
memscan_waitTillDone(scan)  -- the scan runs asynchronously; block until it completes
local result = memscan_getOnlyResult(scan)
if (result == nil) then return nil end  -- zero matches, or more than one
result = result + tab[3]  -- apply the per-pattern offset from the matched bytes
result = string.format("%x", result)
result = string.rep("0", 8-#result) .. result  -- left-pad to 8 hex digits (32-bit address)
return result
end
-- Exploit definitions here
-- Two byte patterns to locate in the client, each with an offset added to the hit
-- address. The fourth field is never read by GetExploit or gethax, and
-- `ContextChanger` is not defined anywhere in this file, so the second entry's
-- fourth field evaluates to nil.
AddExploit("Heh",{0x0F, 0xB6, 0x58, 0x01, 0xC1, 0xE2, 0x08, 0x0B, 0xD3, 0x0F, 0xB6, 0x18},9,"yolo")
AddExploit("level", { 0x89, 0x74, 0x24, 0x0C, 0x89, 0x06, 0xe8}, 4, ContextChanger)
--- Scan for every registered pattern and set a CE breakpoint on each hit.
-- Called from myCheck after the debugger has been attached. A pattern that is
-- not found (or not unique) pops a message box, but the loop carries on, so one
-- missing pattern does not prevent the remaining breakpoints from being set.
function gethax()
for i,v in pairs(Exploits) do  -- v (the record) is unused; GetExploit re-reads it by index
local xploit = GetExploit(i)
if xploit == nil then
showMessage("NO EXPLOITS!")  -- shown once per pattern that did not resolve
else
debug_setBreakpoint(xploit)  -- hits are delivered to debugger_onBreakpoint below
--print(xploit)
end
end
end
--- CE callback invoked when one of the breakpoints set by gethax is hit.
-- CE exposes the target's registers as globals (EAX, EIP, ...) for the duration
-- of the call; per CE's documented behaviour, assignments to them are applied
-- when the target resumes, and a non-zero return tells CE to continue without
-- breaking into its UI — confirm both against the CE version in use.
-- The handler assumes a 32-bit target (EAX/EIP, 8-digit addresses).
function debugger_onBreakpoint()
-- Small EAX values are presumably a state code rather than a pointer and are
-- rewritten in place.
if EAX > 0x02 and EAX < 0x7 then
EAX = 0x7
return 1
elseif EAX == 0x2 and disablescripts and count > 1 then  -- unreachable unless disablescripts is set elsewhere
EAX = 0x0
return 1
end
-- Otherwise EAX is treated as an address: read its first five bytes.
local b1,b2,b3,b4,b5 = readBytes(EAX,5,false)
-- 67,102,100,120,122 are the ASCII codes of "Cfdxz", used as a marker for the buffer of interest.
if b1 == 67 and b2 == 102 and b3 == 100 and b4 == 120 and b5 == 122 then
if count <= 1 then
-- First two hits: overwrite memory 64 bytes past the marker with a payload.
local killit = EAX+64
--print(string.format("%x",killit))
count = count+1
if not antiban then
writeBytes(killit,Script)
return 1  -- returns here, so the sleep below only runs on the antiban path
else
writeBytes(killit,NewScript)
end
sleep(10)
else
-- Third hit: reset the counter and remove the breakpoint at the current instruction.
count=0
debug_removeBreakpoint(EIP)
return 1
end
end
return 1
end
--- Timer callback (fired every 500 ms by the timer set up below): attach CE to
-- the Roblox client process once and arm the breakpoints.
-- @param _ the timer object passed by CE; unused
function myCheck(_)
local id = getProcessIDFromProcessName("RobloxPlayerBeta.exe" );
if id ~= nil then
-- NoRun remembers PIDs already handled, so a running client is attached to only once.
for i, v in pairs(NoRun) do
if v == id then
return
end
end
table.insert(NoRun, id);
openProcess(id);
-- 3 selects one of CE's debugger interfaces; which one depends on the CE
-- version's numbering — confirm against its Lua docs. The result is not checked.
debugProcess(3);
gethax();
end
end
-- Poll for the client process every 500 ms; the timer is kept in a global so
-- it stays reachable for the lifetime of the script.
t = createTimer(nil)       -- nil: presumably no owning form/control — confirm against CE docs
timer_setInterval(t, 500)  -- milliseconds
timer_onTimer(t, myCheck)
timer_setEnabled(t, true)
--[[
]]--