Hi.
I'm hoping I'm not breaking any site rules by posting this.
I've been looking over a ROBLOX exploit from around January, which was a script that you ran through the Lua engine in Cheat Engine.
I was wondering how it worked (note that it is patched now).
Can someone explain some of it to me, particularly the memory scan, the use of the table, and the debugger on breakpoint?
I've used ROBLOX Lua before, and I can get the Lua part; it's the Cheat Engine part, and some parts of the ROBLOX scripts, that are unfamiliar to me. Note that Script and NewScript are written in Lua hexadecimal; if you decode them you will see they appear to be scripts that run in the ROBLOX engine, as they use ROBLOX Lua commands.
Also, does anyone have any recommendations on how I should get started with trying to build ROBLOX exploits?
Thanks for reading.
--[[
Exploit Created by....
____ _ _____ _
| _ \(_) / ____| | |
| |_) |_ _ __ __ _ _ __ _ _| | ___ __| | ___ _ __
| _ <| | '_ \ / _` | '__| | | | | / _ \ / _` |/ _ \ '__|
| |_) | | | | | (_| | | | |_| | |___| (_) | (_| | __/ |
|____/|_|_| |_|\__,_|_| \__, |\_____\___/ \__,_|\___|_|
__/ |
|___/
Credit to:
booing
Merry Christmas!
--]]
Exploits = {}
Successes = {}
NoRun = {}
count = 0
disablescripts = false
antiban = false
Script = {0x77,0x61,0x69,0x74,0x28,0x32,0x29,0x3B,0x67,0x61 ,0x6D,0x65,0x2E,0x50,0x6C,0x61,0x79,0x65,0x72,0x73 ,0x2E,0x4C,0x6F,0x63,0x61,0x6C,0x50,0x6C,0x61,0x79 ,0x65,0x72,0x2E,0x43,0x68,0x61,0x74,0x74,0x65,0x64 ,0x3A,0x63,0x6F,0x6E,0x6E,0x65,0x63,0x74,0x28,0x66 ,0x75,0x6E,0x63,0x74,0x69,0x6F,0x6E,0x28,0x71,0x29 ,0x0D,0x0A,0x53,0x70,0x61,0x77,0x6E,0x28,0x66,0x75 ,0x6E,0x63,0x74,0x69,0x6F,0x6E,0x28,0x29,0x6C,0x6F ,0x61,0x64,0x73,0x74,0x72,0x69,0x6E,0x67,0x28,0x71 ,0x29,0x28,0x29,0x65,0x6E,0x64,0x29,0x65,0x6E,0x64 ,0x29,0x2D,0x2D,0x5B,0x5B,0x61,0x64,0x61,0x64,0x61 ,0x64,0x61,0x64,0x61,0x64,0x61,0x64,0x61,0x64,0x61 ,0x64,0x61,0x64,0x61,0x64,0x61,0x61,0x64,0x61,0x64 ,0x61,0x64,0x61,0x64,0x61,0x64,0x61,0x64,0x61,0x64 ,0x61,0x64,0x61,0x64,0x61,0x64,0x61,0x64,0x61,0x64 ,0x61,0x64,0x61,0x64,0x61,0x64,0x61,0x64,0x61,0x64 ,0x61,0x64,0x61,0x64,0x61,0x64,0x61,0x64,0x61,0x64 ,0x61,0x64,0x61,0x64,0x61,0x64,0x61,0x64,0x61,0x64 ,0x64,0x61,0x64,0x61,0x64,0x61,0x64,0x61,0x64,0x61 ,0x64,0x61,0x64,0x5D,0x5D}
NewScript = {0x71, 0x33, 0x2F, 0x71, 0x6B, 0x77, 0x62, 0x57, 0x49, 0x42, 0x77, 0x69, 0x4C, 0x54, 0x4E, 0x49, 0x39, 0x4C, 0x6D, 0x7A, 0x4A, 0x44, 0x45, 0x54, 0x73, 0x50, 0x68, 0x69, 0x68, 0x2F, 0x4D, 0x74, 0x63, 0x73, 0x54, 0x67, 0x68, 0x48, 0x6B, 0x69, 0x36, 0x2B, 0x48, 0x4C, 0x7A, 0x77, 0x48, 0x4A, 0x45, 0x73, 0x2F, 0x61, 0x31, 0x35, 0x4B, 0x46, 0x33, 0x36, 0x37, 0x53, 0x67, 0x61, 0x2B, 0x41, 0x47, 0x33, 0x53, 0x6E, 0x43, 0x70, 0x72, 0x42, 0x35, 0x46, 0x69, 0x30, 0x33, 0x75, 0x77, 0x63, 0x57, 0x59, 0x54, 0x35, 0x6E, 0x56, 0x79, 0x52, 0x4B, 0x4F, 0x48, 0x57, 0x4D, 0x33, 0x6F, 0x36, 0x6C, 0x64, 0x35, 0x7A, 0x4B, 0x73, 0x72, 0x72, 0x4C, 0x58, 0x56, 0x6D, 0x39, 0x67, 0x64, 0x4F, 0x69, 0x36, 0x4F, 0x70, 0x45, 0x64, 0x44, 0x58, 0x6E, 0x79, 0x37, 0x77, 0x3D, 0x25, 0x0D, 0x0A, 0x2D, 0x2D, 0x72, 0x62, 0x78, 0x61, 0x73, 0x73, 0x65, 0x74, 0x69, 0x64, 0x25, 0x33, 0x37, 0x38, 0x30, 0x31, 0x31, 0x37, 0x32, 0x25, 0x0D, 0x0A, 0x0D, 0x0A, 0x2D, 0x2D, 0x20, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x73, 0x20, 0x61, 0x6C, 0x6C, 0x20, 0x6E, 0x65, 0x63, 0x63, 0x65, 0x73, 0x73, 0x61, 0x72, 0x79, 0x20, 0x73, 0x63, 0x72, 0x69, 0x70, 0x74, 0x73, 0x20, 0x66, 0x6F, 0x72, 0x20, 0x74, 0x68, 0x65, 0x20, 0x67, 0x75, 0x69, 0x20, 0x6F, 0x6E, 0x20, 0x69, 0x6E, 0x69, 0x74, 0x69, 0x61, 0x6C, 0x20, 0x6C, 0x6F, 0x61, 0x64, 0x2C, 0x20, 0x65, 0x76, 0x65, 0x72, 0x79, 0x74, 0x68, 0x69, 0x6E, 0x67, 0x20, 0x65, 0x78, 0x63, 0x65, 0x65, 0x0D, 0x0A, 0x67, 0x61, 0x6D, 0x65, 0x2E, 0x50, 0x6C, 0x61, 0x79, 0x65, 0x72, 0x73, 0x2E, 0x4C, 0x6F, 0x63, 0x61, 0x6C, 0x50, 0x6C, 0x61, 0x79, 0x65, 0x72, 0x2E, 0x52, 0x6F, 0x62, 0x6C, 0x6F, 0x78, 0x4C, 0x6F, 0x63, 0x6B, 0x65, 0x64, 0x20, 0x3D, 0x20, 0x74, 0x72, 0x75, 0x65, 0x0D, 0x0A, 0x67, 0x61, 0x6D, 0x65, 0x2E, 0x50, 0x6C, 0x61, 0x79, 0x65, 0x72, 0x73, 0x2E, 0x4C, 0x6F, 0x63, 0x61, 0x6C, 0x50, 0x6C, 0x61, 0x79, 0x65, 0x72, 0x2E, 0x43, 0x68, 0x61, 0x74, 0x74, 0x65, 0x64, 0x3A, 0x63, 0x6F, 0x6E, 0x6E, 0x65, 0x63, 0x74, 0x28, 0x66, 0x75, 0x6E, 0x63, 0x74, 0x69, 0x6F, 0x6E, 0x28, 
0x73, 0x74, 0x29, 0x0D, 0x0A, 0x53, 0x70, 0x61, 0x77, 0x6E, 0x28, 0x66, 0x75, 0x6E, 0x63, 0x74, 0x69, 0x6F, 0x6E, 0x28, 0x29, 0x0D, 0x0A, 0x6C, 0x6F, 0x61, 0x64, 0x73, 0x74, 0x72, 0x69, 0x6E, 0x67, 0x28, 0x73, 0x74, 0x29, 0x28, 0x29, 0x0D, 0x0A, 0x65, 0x6E, 0x64, 0x29, 0x0D, 0x0A, 0x65, 0x6E, 0x64, 0x29, 0x0D, 0x0A, 0x6C, 0x6F, 0x63, 0x61, 0x6C, 0x20, 0x73, 0x63, 0x72, 0x69, 0x70, 0x74, 0x43, 0x6F, 0x6E, 0x74, 0x65, 0x78, 0x74, 0x20, 0x3D, 0x20, 0x67, 0x61, 0x6D, 0x65, 0x3A, 0x47, 0x65, 0x74, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x28, 0x22, 0x53, 0x63, 0x72, 0x69, 0x70, 0x74, 0x43, 0x6F, 0x6E, 0x74, 0x65, 0x78, 0x74, 0x22, 0x29}
function AddExploit(name, hex, offset, func)
table.insert(Exploits, { name, hex, offset, func })
end
function GetExploit(index)
local tab = Exploits[index]
local scan = createMemScan(true)
memscan_returnOnlyOneResult(scan, true)
memscan_firstScan(scan, soExactValue, vtByteArray, rtTruncated, table.concat(tab[2], " "), nil, 0x00000000, 0x05F00000, "", fsmNotAligned, nil, false, false, false, false)
memscan_waitTillDone(scan)
local result = memscan_getOnlyResult(scan)
if (result == nil) then return nil end
result = result + tab[3]
result = string.format("%x", result)
result = string.rep("0", 8-#result) .. result
return result
end
-- Exploit definitions here
AddExploit("Heh",{0x0F, 0xB6, 0x58, 0x01, 0xC1, 0xE2, 0x08, 0x0B, 0xD3, 0x0F, 0xB6, 0x18},9,"yolo")
AddExploit("level", { 0x89, 0x74, 0x24, 0x0C, 0x89, 0x06, 0xe8}, 4, ContextChanger)
function gethax()
for i,v in pairs(Exploits) do
local xploit = GetExploit(i)
if xploit == nil then
showMessage("NO EXPLOITS!")
else
debug_setBreakpoint(xploit)
--print(xploit)
end
end
end
function debugger_onBreakpoint()
if EAX > 0x02 and EAX < 0x7 then
EAX = 0x7
return 1
elseif EAX == 0x2 and disablescripts and count > 1 then
EAX = 0x0
return 1
end
local b1,b2,b3,b4,b5 = readBytes(EAX,5,false)
if b1 == 67 and b2 == 102 and b3 == 100 and b4 == 120 and b5 == 122 then
if count <= 1 then
local killit = EAX+64
--print(string.format("%x",killit))
count = count+1
if not antiban then
writeBytes(killit,Script)
return 1
else
writeBytes(killit,NewScript)
end
sleep(10)
else
count=0
debug_removeBreakpoint(EIP)
return 1
end
end
return 1
end
function myCheck(_)
local id = getProcessIDFromProcessName("RobloxPlayerBeta.exe" );
if id ~= nil then
for i, v in pairs(NoRun) do
if v == id then
return
end
end
table.insert(NoRun, id);
openProcess(id);
debugProcess(3);
gethax();
end
end
t = createTimer(nil)
timer_setInterval(t, 500)
timer_onTimer(t, myCheck)
timer_setEnabled(t, true)
--[[
]]--
I've been trying to build some exploits too, with not much luck, but if I find something I'll let you know.
Thanks, I'll do the same for you.
Let me convert the hexadecimal to a string and remove all the stupid ? characters that the tool I use leaves. Done.
Here's the script in a more readable form. Maybe someone else can make more sense out of it, like the part in Script where it has --[[adadadadadadadadadadaadadadadadadadadadadadadadada dadadadadadadadadadadadaddadadadadadad]]
--[[
Exploit Created by....
____ _ _____ _
| _ \(_) / ____| | |
| |_) |_ _ __ __ _ _ __ _ _| | ___ __| | ___ _ __
| _ <| | '_ \ / _` | '__| | | | | / _ \ / _` |/ _ \ '__|
| |_) | | | | | (_| | | | |_| | |___| (_) | (_| | __/ |
|____/|_|_| |_|\__,_|_| \__, |\_____\___/ \__,_|\___|_|
__/ |
|___/
Credit to:
booing
Merry Christmas!
--]]
Exploits = {}
Successes = {}
NoRun = {}
count = 0
disablescripts = false
antiban = false
Script = {
wait(2);game.Players.LocalPlayer.Chatted:connect(function(q)
Spawn(function()loadstring(q)()end)end)--[[adadadadadadadadadadaadadadadadadadadadadadadadadadadadadadadadadadadadadaddadadadadadad]]}
NewScript = {q3/qkwbWIBwiLTNI9LmzJDETsPhih/MtcsTghHki6+HLzwHJEs/a15KF367Sga+AG3SnCprB5Fi03uwcWYT5nVyRKOHWM3o6ld5zKsrrLXVm9gdOi6OpEdDXny7w=%
--rbxassetid%37801172%
-- Creates all neccessary scripts for the gui on initial load, everything excee
game.Players.LocalPlayer.RobloxLocked = true
game.Players.LocalPlayer.Chatted:connect(function(st)
Spawn(function()
loadstring(st)()
end)
end)}
function AddExploit(name, hex, offset, func)
table.insert(Exploits, { name, hex, offset, func })
end
function GetExploit(index)
local tab = Exploits[index]
local scan = createMemScan(true)
memscan_returnOnlyOneResult(scan, true)
memscan_firstScan(scan, soExactValue, vtByteArray, rtTruncated, table.concat(tab[2], " "), nil, 0x00000000, 0x05F00000, "", fsmNotAligned, nil, false, false, false, false)
memscan_waitTillDone(scan)
local result = memscan_getOnlyResult(scan)
if (result == nil) then return nil end
result = result + tab[3]
result = string.format("%x", result)
result = string.rep("0", 8-#result) .. result
return result
end
-- Exploit definitions here
AddExploit("Heh",{0x0F, 0xB6, 0x58, 0x01, 0xC1, 0xE2, 0x08, 0x0B, 0xD3, 0x0F, 0xB6, 0x18},9,"yolo")
AddExploit("level", { 0x89, 0x74, 0x24, 0x0C, 0x89, 0x06, 0xe8}, 4, ContextChanger)
function gethax()
for i,v in pairs(Exploits) do
local xploit = GetExploit(i)
if xploit == nil then
showMessage("NO EXPLOITS!")
else
debug_setBreakpoint(xploit)
--print(xploit)
end
end
end
function debugger_onBreakpoint()
if EAX > 0x02 and EAX < 0x7 then
EAX = 0x7
return 1
elseif EAX == 0x2 and disablescripts and count > 1 then
EAX = 0x0
return 1
end
local b1,b2,b3,b4,b5 = readBytes(EAX,5,false)
if b1 == 67 and b2 == 102 and b3 == 100 and b4 == 120 and b5 == 122 then
if count <= 1 then
local killit = EAX+64
--print(string.format("%x",killit))
count = count+1
if not antiban then
writeBytes(killit,Script)
return 1
else
writeBytes(killit,NewScript)
end
sleep(10)
else
count=0
debug_removeBreakpoint(EIP)
return 1
end
end
return 1
end
function myCheck(_)
local id = getProcessIDFromProcessName("RobloxPlayerBeta.exe" );
if id ~= nil then
for i, v in pairs(NoRun) do
if v == id then
return
end
end
table.insert(NoRun, id);
openProcess(id);
debugProcess(3);
gethax();
end
end
t = createTimer(nil)
timer_setInterval(t, 500)
timer_onTimer(t, myCheck)
timer_setEnabled(t, true)
--[[
]]--
Last edited by end360; 04-05-2014 at 01:19 PM. Reason: Spoilers didn't work, and some comments
What website/tool did you use though? I think I know how to bypass the patch.
I entered it into the Lua engine on CE and executed it while the game was running. You needed to have DBVM switched on also.
I meant, what tool did you use to decode the
{0x77,0x61,0x69,0x74,0x28,0x32,0x29,0x3B,0x67,0x61 ,0x6D,0x65,0x2E,0x50,0x6C,0x61,0x79,0x65,0x72,0x73 ,0x2E,0x4C,0x6F,0x63,0x61,0x6C,0x50,0x6C,0x61,0x79 ,0x65,0x72,0x2E,0x43,0x68,0x61,0x74,0x74,0x65,0x64 ,0x3A,0x63,0x6F,0x6E,0x6E,0x65,0x63,0x74,0x28,0x66 ,0x75,0x6E,0x63,0x74,0x69,0x6F,0x6E,0x28,0x71,0x29 ,0x0D,0x0A,0x53,0x70,0x61,0x77,0x6E,0x28,0x66,0x75 ,0x6E,0x63,0x74,0x69,0x6F,0x6E,0x28,0x29,0x6C,0x6F ,0x61,0x64,0x73,0x74,0x72,0x69,0x6E,0x67,0x28,0x71 ,0x29,0x28,0x29,0x65,0x6E,0x64,0x29,0x65,0x6E,0x64 ,0x29,0x2D,0x2D,0x5B,0x5B,0x61,0x64,0x61,0x64,0x61 ,0x64,0x61,0x64,0x61,0x64,0x61,0x64,0x61,0x64,0x61 ,0x64,0x61,0x64,0x61,0x64,0x61,0x61,0x64,0x61,0x64 ,0x61,0x64,0x61,0x64,0x61,0x64,0x61,0x64,0x61,0x64 ,0x61,0x64,0x61,0x64,0x61,0x64,0x61,0x64,0x61,0x64 ,0x61,0x64,0x61,0x64,0x61,0x64,0x61,0x64,0x61,0x64 ,0x61,0x64,0x61,0x64,0x61,0x64,0x61,0x64,0x61,0x64 ,0x61,0x64,0x61,0x64,0x61,0x64,0x61,0x64,0x61,0x64 ,0x64,0x61,0x64,0x61,0x64,0x61,0x64,0x61,0x64,0x61 ,0x64,0x61,0x64,0x5D,0x5D}
part?
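Since the question above asks what tool decodes the hex part, here is a small decoder added as an example (it is not code from this thread, from Cheat Engine, or from the exploit's author). It parses a Lua byte-table literal of the kind Script and NewScript are written in, turns it into text, and splits off a trailing --[[ ... ]] block comment like the one the thread asks about so the live code can be read on its own. The sample input is constructed from the first twenty bytes of the thread's Script table, including the stray spaces that forum line wrapping inserts.

```python
import re
from typing import Tuple

# Constructed sample: the first 20 bytes of the thread's "Script" table,
# in the same Lua notation (hex values, with forum line-wrap spaces).
SAMPLE_TABLE = (
    "{0x77,0x61,0x69,0x74,0x28,0x32,0x29,0x3B,0x67,0x61 "
    ",0x6D,0x65,0x2E,0x50,0x6C,0x61,0x79,0x65,0x72,0x73}"
)


def lua_byte_table_to_bytes(text: str) -> bytes:
    """Parse a Lua table literal of numeric byte values ({0x77, 0x61, 65, ...})
    into bytes. Whitespace from line wrapping is ignored, and a value outside
    0..255 is reported instead of being silently truncated."""
    body = text.strip()
    if body.startswith("{") and body.endswith("}"):
        body = body[1:-1]
    out = bytearray()
    for tok in body.split(","):
        tok = tok.strip()
        if not tok:
            continue
        value = int(tok, 0)  # base 0 accepts 0x.. hex as well as plain decimal
        if not 0 <= value <= 255:
            raise ValueError(f"byte value out of range: {tok}")
        out.append(value)
    return bytes(out)


def decode_script(text: str) -> str:
    """Decode the table to text. The tables in the thread use CRLF (0x0D 0x0A)
    line endings, which are normalized so the result reads as plain lines."""
    return lua_byte_table_to_bytes(text).decode("latin-1").replace("\r\n", "\n")


def split_trailing_comment(script: str) -> Tuple[str, str]:
    """Split off a trailing Lua block comment (--[[ ... ]]) and return
    (code, comment_body). If there is no such comment, the comment body is ''."""
    m = re.search(r"--\[\[(.*?)\]\]\s*$", script, re.S)
    if not m:
        return script, ""
    return script[: m.start()], m.group(1)


if __name__ == "__main__":
    decoded = decode_script(SAMPLE_TABLE)
    code, comment = split_trailing_comment(decoded)
    print("decoded:", decoded)
    print("code   :", code)
    print("comment:", comment or "(none)")
```

Paste the full Script or NewScript table in place of SAMPLE_TABLE to decode the whole thing; for the page's Script table, split_trailing_comment separates the two lines of Lua from the repeated "adad..." comment body.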
Yeah, me too! I've been looking into how to do that too...
Memory reading is something you'd have to learn to do.