08 Nov 2011 07:32 PM
What ways of crashing ROBLOX do you know of? I am trying to find fast ones that work as often as possible and that actually crash the game, not just break some things.
I'm trying to improve my basic library and its crash function:

    function crash() -- This function uses flaws in ROBLOX to try to crash the game.
        for i = 1, 50 do -- Might need to be repeated some times to actually crash the game.
            a = {}
            a.__newindex = function(a) print(a) end
            b = {}
            b.__newindex = b
            setmetatable(b, a)
            c = setmetatable({}, b)
            c._ = true
        end
        Instance.new 'ManualSurfaceJointInstance' -- When a ManualSurfaceJointInstance is instanced, the game usually crashes.
    end

Slizerd (Joined: 15 Jun 2011, Total Posts: 113)
08 Nov 2011 08:14 PM
"game.Lighting:Remove()"
No, duh, the lighting is locked.

Slizerd (Joined: 15 Jun 2011, Total Posts: 113)
08 Nov 2011 08:17 PM
No it isn't. Last I checked it would crash the game if you tried to remove it.

Slizerd (Joined: 15 Jun 2011, Total Posts: 113)
08 Nov 2011 08:19 PM
    local a; a = Instance.new("ManualSurfaceJointInstance", a)
:D?
btw, I'm thinking maybe someone should put it on the wiki that instancing a ManualSurfaceJointInstance can crash your game :l

XlegoX (Joined: 16 Jun 2008, Total Posts: 14955)
08 Nov 2011 08:21 PM
Or more directly: crash__()
Why do it like that when you can use the proper documented solution to (un)gracefully crash?

08 Nov 2011 08:22 PM
@xlegox try to run that in a script :l 'cause I'm pretty sure that's what julien is using this for

08 Nov 2011 08:23 PM
    loadstring(('').dump(function()X''end):gsub('\2%z%z%zX','\0\0\0'))()
segfaults, segfaults everywhere.

08 Nov 2011 08:24 PM
@necrobumpist: how does that even work anyway? :U

XlegoX (Joined: 16 Jun 2008, Total Posts: 14955)
08 Nov 2011 08:25 PM
@Necro If you can do that it's due to a bug. The current version of Lua has a byte-code verifier to make sure that you don't do anything illegal in a binary chunk.

Legend26 (Joined: 08 Sep 2008, Total Posts: 10586)
08 Nov 2011 08:28 PM
@xLEGOx,
Yea, the byte-code verifier has a few bugs, so they apparently just decided to remove it in 5.2.

08 Nov 2011 08:29 PM
xLEGOx, Lua 5.1's verifier isn't perfect (as Peter Crawley has demonstrated numerous times), and if you go to 5.2 the severity of potential exploits is staggering.
Yes, it's due to a bug with the way loadstring() parses bytecode. I've reported this and one other bytecode manipulation bug to ROBLOX. They don't really care.

XlegoX (Joined: 16 Jun 2008, Total Posts: 14955)
08 Nov 2011 08:42 PM
"and if you go to 5.2 the severity of potential exploits is staggering."
The idea is that anyone who values security shouldn't be relying on the default byte-code verifier because it's too hard to get it fully secure.
I guess Roblox find it sufficiently unlikely that anyone will be able to manufacture a real exploit using the bugs in the byte-code verifier. After all, if someone could there'd be a lot better things to do with those skills than exploit on Roblox.

08 Nov 2011 09:04 PM
"The idea is that anyone who values security shouldn't be relying on the default byte-code verifier because it's too hard to get it fully secure."
Yes, I think Peter Crawley himself actually wrote up a bytecode verifier for this reason, but now Lua lacks any security at all in this sense. So say a random game developer adds in Lua 5.2 scripting capabilities, well now users can read/write to any arbitrary address in the Lua state. Hmm, what havoc could this bring?
But back to the ROBLOX aspect of things. I'll go write up a quick function to exploit a flaw in the Lua calling method that allows me to gather the locals a function uses when it is called. If someone happens to find a C function that yields some useful secret object, this might open the doors to new exploits.
For example, I found the real metatable of a ROBLOX object using getmetatable() in this manner (of course I didn't receive the metatable as a returned value of the function, but it was instead left on the stack, which I stole it from).
We just need someone to find the right C function, and the fun begins!

08 Nov 2011 09:07 PM
"Yes, I think Peter Crawley himself actually wrote up a bytecode verifier for this reason, but now Lua lacks any security at all in this sense. So say a random game developer adds in Lua 5.2 scripting capabilities, well now users can read/write to any arbitrary address in the Lua state. Hmm, what havoc could this bring?"
What I forgot to make clear in this paragraph is that this 'new developer' might be unaware of the vast potential for exploitation loadstring() wreaks.

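The defensive counterpart to the loadstring() discussion in the last few posts, added here as an example and not code from the thread or from ROBLOX: a wrapper that refuses precompiled chunks outright, so the byte-code verifier is never the only thing standing between a script and the interpreter. It assumes stock Lua 5.1 or 5.2; the `safe_loadstring` name, the `_VERSION` branch and the self-check inputs are mine.

```lua
-- Added example, not from the thread: a loadstring replacement that only accepts
-- textual source. Every Lua 5.x binary chunk starts with ESC (0x1B) followed by
-- "Lua", so rejecting that header keeps hand-edited bytecode away from the loader
-- regardless of how thorough the verifier is.
local function safe_loadstring(source, chunkname)
  chunkname = chunkname or "=sandboxed"
  if type(source) ~= "string" then
    return nil, "source must be a string"
  end
  -- Header check, valid on 5.1 and 5.2 alike (an empty string gives byte() == nil).
  if source:byte(1) == 27 then
    return nil, "binary chunks are not allowed"
  end
  if _VERSION == "Lua 5.1" then
    -- 5.1's loadstring has no mode argument, so the header check above is the gate.
    return loadstring(source, chunkname)
  end
  -- 5.2 and later: mode "t" makes load() itself refuse bytecode, a second layer.
  return load(source, chunkname, "t")
end

-- Constructed inputs for a quick self-check.
local f = assert(safe_loadstring("return 1 + 1"))
assert(f() == 2)

-- string.dump produces a binary chunk; it must be refused before any parsing happens.
local bytecode = string.dump(function() return 1 end)
local g, err = safe_loadstring(bytecode)
assert(g == nil and err == "binary chunks are not allowed")

return safe_loadstring
```

Installing it as `loadstring = safe_loadstring` (and `load` likewise) in the environment handed to untrusted scripts closes the binary-chunk path entirely; the verifier then only matters for chunks you compiled yourself.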
Sorcus (Joined: 29 Nov 2010, Total Posts: 3775)
08 Nov 2011 09:27 PM
loadstring() nuke incoming
~Sorcus

SDuke524 (Joined: 29 Jul 2008, Total Posts: 6267)
08 Nov 2011 09:29 PM
@sorcus Or you could update to Lua 5.2? Maybe even fix the wiki?

08 Nov 2011 09:31 PM
The game crashes if you set someone's character to the Workspace, then you kick the person.

Sorcus (Joined: 29 Nov 2010, Total Posts: 3775)
08 Nov 2011 09:35 PM
Or I could, you know, climb Mt Everest.
~Sorcus

08 Nov 2011 09:35 PM
Or you could dive to the bottom of the Marianas Trench.

Slizerd (Joined: 15 Jun 2011, Total Posts: 113)
08 Nov 2011 09:37 PM
Or you could, you know, do things we want to get our money to fund your hike

08 Nov 2011 09:38 PM
@sorcus: if the wiki is fixed by the time I log on tomorrow I will buy 6 months of BC

Sorcus (Joined: 29 Nov 2010, Total Posts: 3775)
08 Nov 2011 09:39 PM
Not in my hands. And I am not a PHP person. What I do know is that we have a person on it and it will be fixed.
~Sorcus