ROBLOX Forum » Game Creation and Development » Scripters

Re: To explain the bytecode exploit...

en6
Joined: 24 Jul 2012
Total Posts: 14
02 Aug 2012 06:04 PM
This thread explains everything about the new exploit. It is aimed at scripters. If you're not a scripter, you won't understand anything here and that's not my problem.

First, you need to know that, about 8 months ago, NecroBumpist found a Lua bytecode exploit that used a flaw in the Lua bytecode verifier. It was able to access any upvalue of any Lua or C function. He used bytecode for this. He was able to do this by breaking the Lua calling conventions and making a function that was put at the end of the stack, making it possible for that function to steal the values of any other function.

He reported it about a year ago to ROBLOX, but the ROBLOX team seemingly didn't care much, so he decided to release it to all of us.

Please read this thread before continuing (note: an explanation of the bytecode is included in it on the second page):

http://www.roblox.com/Forum/ShowPost.aspx?PostID=57817090

As you obviously know if you are a scripter, the default environment doesn't contain the global functions; instead, its metatable does. However, that metatable is locked, meaning you can't usually access these. Because of this, ROBLOX decided to make that metatable be the same for all scripts, to save memory.

However, with NecroBumpist's magical bytecode exploit, you can steal values from the getmetatable function, meaning you can actually get the metatable of the environment... and edit it.

This means you can, for example, edit the 'print' function or the 'script' variable in every script. And by "every script", I mean EVERY script, including the CoreScripts...

Then, some user (apparently, it was RenderSettings, though I can't confirm this) found out that some CoreScript used the print function when a player leaves (judging by the fact that it runs when a player leaves, I'd say it's the player list CoreScript).

This means that, by using NecroBumpist's exploit, you can edit the print function to make CoreScripts run anything. And, as you should know, CoreScripts can do much more than normal scripts...

If you know how to script, then I do not need to explain anything else, and I will not give you the code because you can obviously re-create it yourself easily, since you have read that other thread I gave you a link to and since you have read my explanation.

Of course, 95% of the credit for this exploit goes to NecroBumpist. The rest of it goes to the user who thought about using it to modify the print function.
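Added illustration for the post above (editor's example, not code from en6, NecroBumpist or ROBLOX): a stand-alone Lua 5.1 model of the shared locked metatable, the print() hook that fires inside a privileged script, and the two fixes that follow from it. The verifier bug itself is not reproduced; the "stolen" metatable reference is simply handed to the attacker function. The names award_badge, privileged_threads, new_env, hook_print, load_text_only and new_isolated_env, and the per-thread privilege check, are assumptions made for the example.

```lua
-- Stand-alone Lua 5.1 model (setfenv/loadstring), not ROBLOX code.
-- Every script environment is an empty table with ONE shared, locked
-- metatable whose __index is the real globals table.
-- The bytecode verifier bug is NOT reproduced: hook_print() below is
-- given shared_mt directly to stand in for the stolen upvalue.

-- Privilege model (assumption, modelled on per-thread security identities):
-- the privileged API checks which Lua thread is calling, so code that runs
-- on a core script's thread inherits that script's rights.
local privileged_threads = setmetatable({}, { __mode = "k" })

local function award_badge(who)
  if not privileged_threads[coroutine.running()] then
    error("award_badge: permission denied")
  end
  return "badge awarded to " .. who
end

-- The single real globals table and the single shared, locked metatable.
local real_globals = { print = print, award_badge = award_badge }
local shared_mt = {
  __index = real_globals,
  __metatable = "The metatable is locked",  -- what getmetatable() returns
}
local function new_env() return setmetatable({}, shared_mt) end

-- A core script: privileged code that happens to call print().
local function run_core_script()
  local chunk = assert(loadstring('print("player left")'))
  setfenv(chunk, new_env())
  local co = coroutine.create(chunk)
  privileged_threads[co] = true
  assert(coroutine.resume(co))
end

-- Ordinary sandboxed code can neither call the API nor see the metatable.
assert(getmetatable(new_env()) == "The metatable is locked")
assert(not pcall(award_badge, "attacker"))

-- Attacker holding a leaked shared_mt replaces print() for every script.
local captured
local function hook_print(leaked_mt)
  local globals = leaked_mt.__index        -- where every script resolves print
  local real_print, api = globals.print, globals.award_badge
  globals.print = function(...)
    -- Runs on whichever thread called print(), including a core script's.
    local ok, result = pcall(api, "attacker")
    if ok then captured = result end
    return real_print(...)
  end
end

hook_print(shared_mt)
run_core_script()                           -- the hook fires inside the core script
assert(captured == "badge awarded to attacker")
assert(not pcall(award_badge, "attacker"))  -- still denied from an ordinary thread

-- Mitigation 1, the "easiest fix" from the thread: refuse precompiled chunks.
-- A Lua 5.1 binary chunk begins with ESC (0x1B) followed by "Lua".
local function load_text_only(src, name)
  if src:sub(1, 1) == "\27" then return nil, "bytecode rejected" end
  return loadstring(src, name)
end
assert(load_text_only(string.dump(function() end)) == nil)
assert(load_text_only("return 1")() == 1)

-- Mitigation 2, defence in depth: no mutable table shared across a trust
-- boundary. Each environment gets its own copy of the globals, so a hook
-- planted through one leaked metatable only affects that one script.
-- (The metatable is returned here only so the demo can stand in for a leak.)
local function new_isolated_env()
  local own = {}
  for k, v in pairs(real_globals) do own[k] = v end
  local mt = { __index = own, __metatable = "The metatable is locked" }
  return setmetatable({}, mt), mt
end
local victim_env, victim_mt = new_isolated_env()
local other_env = new_isolated_env()
victim_mt.__index.print = function() return "hooked" end
assert(victim_env.print() == "hooked")
assert(other_env.print == real_globals.print)  -- the other script is untouched
```

The privilege check keys on the calling coroutine, which is why the hooked print() succeeds only while a core script's thread is running it and fails when called directly; the same thing happens with any "identity of the current thread" scheme. Rejecting bytecode closes the path the thread describes, and per-environment copies of the globals table remove the single shared mutable object that made one leak affect every script.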
NecroBumpist
Joined: 12 Sep 2010
Total Posts: 4198
02 Aug 2012 06:07 PM
10/10

well done.

If anyone can list specific usages of the bytecode exploit, I'd love to see them.
en6
Joined: 24 Jul 2012
Total Posts: 14
02 Aug 2012 06:08 PM
@NecroBumpist

Stealing the metatable of stuff is pretty much the most useful thing you can do.
Techboy6601
Joined: 29 Jun 2009
Total Posts: 4914
02 Aug 2012 06:08 PM
@Necro

- RobloxLocked no longer applies
- Level 7 access
- Able to use any function implemented
- Do pretty much anything that the corescripts are allowed to do
Seranok
Joined: 12 Dec 2009
Total Posts: 11083
02 Aug 2012 06:08 PM
As far as the print function goes:
- using it to change the Player.Name to something else
- using it to change Player.userId to something else
- muting a Player with Player:SetSuperSafeChat(true)
en6
Joined: 24 Jul 2012
Total Posts: 14
02 Aug 2012 06:09 PM
I have a favor to ask to whoever reads this...

Can anyone make a library of all the upvalues used by most of the common methods in ROBLOX?

You see, I'm asking this because I think these could be useful for knowing better how these methods actually work. Knowledge is always useful, and considering ROBLOX isn't open source, who knows, this might be useful one day...
Techboy6601
Joined: 29 Jun 2009
Total Posts: 4914
02 Aug 2012 06:11 PM
@Seranok

You can do much, much more...

You can edit locked properties. So you can change your character appearance. Want to use HttpGet/HttpPost? No problem. Add guests in a forever loop? It's been done. Make other players chat bad things? You betcha.

Basically, you can do anything that is available in the object browser...and more.
Seranok
Joined: 12 Dec 2009
Total Posts: 11083
02 Aug 2012 06:12 PM
Hmm I tried to do game:HttpGet but it didn't seem to work.
en6
Joined: 24 Jul 2012
Total Posts: 14
02 Aug 2012 06:14 PM
" So you can change your character appearance."

The CharacterAppearance property isn't and has never been locked.
Robloxianof07
Joined: 30 Jul 2012
Total Posts: 896
02 Aug 2012 06:43 PM
^
Tarabukka
Joined: 18 Jan 2011
Total Posts: 394
02 Aug 2012 06:44 PM
this = &postAbove;
Robloxianof07
Joined: 30 Jul 2012
Total Posts: 896
02 Aug 2012 06:44 PM
Any DLL nub can easily give himself a teapot turret if he manages to find an ID that has it on ATM (xSCENEx)
axle5657
Joined: 01 Jul 2011
Total Posts: 25
02 Aug 2012 06:51 PM
Lot.
RenderSettings
Joined: 16 Aug 2010
Total Posts: 2560
02 Aug 2012 07:52 PM
I wasn't actually using Necro's bytecode. I actually didn't even know he found the same exploit I did... I was actually talking on ##codelab on FreeNode (Camoy, tiffany, and Madoka) and Madoka made me that simple stack-clean-up function which I used to rawaccess the metatable without invoking the __metatable metamethod.
2) I'm sorry for accidentally leaking the exploit, many people stole it from me on a SB. While I'm at it, I should mention that I didn't *just* use it on an SB, and also used it to award the first 20k users the Last Egg hat, random SB'ers most of the rare eggs, along with this account, Shedletsky, and a couple others the End Of Days egg. I also kinda used it to steal the serverscript's accesskey to friend request Roblox, and started that entire shenanigan on RT with Roblox's Friends a month or so ago, along with steal the anti-exploit from SFoTH (Nice anti-exploit btw, telemon!)
...Pl0x don't ban admins?

Anyways, they unlinked the Eggs and the badges, so that's no longer a problem, and also broke the Friend Request system in game, and now script kiddies are running around with level 6 server-sided code that can steal places and do direct httpgets. Basically, roblox, fix yo gaem.
RenderSettings
Joined: 16 Aug 2010
Total Posts: 2560
02 Aug 2012 07:57 PM
Also, more clarification, the script I am hooking into is actually /Game/ServerScript.ashx so it has direct access to the badge-awarding system and such, and it is triggered when a player joins, leaves, or dies which is why it's the easiest. I was BEFORE hooking into game by creating a proxy functioner, but the problem with that was I couldn't use Game:HttpGet without incurring a feedback loop =P
Robloxianof07
Joined: 30 Jul 2012
Total Posts: 896
02 Aug 2012 07:57 PM
@Render

Well put :o
JulienDethurens
Joined: 11 Jun 2009
Total Posts: 11046
02 Aug 2012 08:00 PM
"Also, more clarification, the script I am hooking into is actually /Game/ServerScript.ashx"

I did think about that, but I thought it was actually completely separate from the rest and wouldn't be affected by the change...

I guess I was wrong.
Sorcus
Forum Moderator
Joined: 29 Nov 2010
Total Posts: 3775
02 Aug 2012 08:02 PM
Well that's cool. Bytecode go bai bai. Easiest fix. Next is removing all the other exploits which is happening like real soon.

~Sorcus
RenderSettings
Joined: 16 Aug 2010
Total Posts: 2560
02 Aug 2012 08:03 PM
@Julien I'm not entirely sure the CoreScripts have either 1) Access to HttpGet 2) A call to an object that is stored in the metatable environment, so I didn't try to hook those. I actually did accidentally hook into the Visit:SetPing function, since it sends a httpget ping to some logging service every 60 seconds, but that is local only and doesn't have access to the badgeservice or anything server-sided.
Legend26
Joined: 08 Sep 2008
Total Posts: 10586
02 Aug 2012 08:03 PM
@Sorcus,

Could you at least tell us what has identity levels 3, 6 and 7?
Robloxianof07
Joined: 30 Jul 2012
Total Posts: 896
02 Aug 2012 08:03 PM
@Sorcus

Please tell me you're separating studio and player.
JulienDethurens
Joined: 11 Jun 2009
Total Posts: 11046
02 Aug 2012 08:03 PM
@§orcus

So all this exploiting is finally going to be fixed? YAY!
RenderSettings
Joined: 16 Aug 2010
Total Posts: 2560
02 Aug 2012 08:05 PM
@Sorcus Ok, silly question time: Was that actually you at Oxcool's SB when I changed your name to 'I'm stupid' and set my name to 'Shedletsky', along with a couple people to 'ROBLOX', 'Sorcus', etc.? If so, we should do that again sometime =P Either way, you really should do that patch quickly, since more and more script kiddies are stealing it from oxcool, and the mods don't seem to like people messing with the servers judging from the warning I got to cut out spawning 1000 roblox clones.
Techboy6601
Joined: 29 Jun 2009
Total Posts: 4914
02 Aug 2012 08:06 PM
So, to clarify, bytecode no longer works?
ninjaknight101
Joined: 04 Apr 2011
Total Posts: 1281
02 Aug 2012 08:08 PM
Wait, if using Game:HttpGet and the bytecode exploit, wouldn't you be able to alter the html of a page? I know a certain user (can't remember their name) did this, and changed the player who joined the game's status to the id of their game... I just can't remember their name, anyone?