RbxStu V2, originally RbxStu, is a Roblox Studio project that aims to grant developer access to exploiter tools.

Why?

As much as we despise the mess exploiters do on our games, their tools allow for powerful debugging. RbxStu V2 has the capability of executing on Edit, Studio and Client mode, the first two are considered dangerous, however, as they grant the executor too much power, and should only be used if debugging your game. That aside, a tool like RbxStu V2 allows for the scripts they release to your game to be patched in a breeze, without having to obtain a tool like “Synapse Z” or “Solara”, which are breaching Roblox’s ToS, and open your account to risks of bans.

Is this safe?

Unfortunately, safety, although being one of the concerns of the project, is not a guarantee. Anything you run can be vulnerable, and that is a risk you accept when running any untested code that is not yours. If you are suspicious that the script you’re going to run may contain dangerous, malicious code, prepare a VM, make an alternative account and host a copy of your game on it, then use RbxStu to try and figure out what it does.

It may sound a long, arduous process, but it is better like that. No tool is fully safe, and RbxStu V2 is no exception. Exercise caution when running any code that is not yours.

Is this infringing ToS?

RbxStu V2 can be very well considered a gray area, it has been said by Roblox Staff before that it is, but if they went on with this, they would have to delete studio modifications in general, and because of it, it is not enforced, if anything Roblox can reap benefit from this tool, although a native implementation of this would be certainly much better.

Script Support

RbxStu V2 supports features of many known exploits such as, function and metamethod hooking and remote spying, the latter although you may not require at all. There are small niches which are not available on it due to either their complexity, or them being deemed unnecessary.

This project has gone closed source!

You can submit a request on our Discord server RbxStu to access the tool, this tool is free, anyone trying to sell you is probably trying to scam you. Source code access can be granted if requested after guaranteeing you will not share it or spread it on circles which are not appropiate.

Disclaimer

Can’t believe I have to say this but… This tool was NOT created for the purposes of escaping Studio into Released games, and will NEVER get that feature, STOP requesting this feature becuase it will not get added ever. This is a DEBUGGING tool at best. NOT a Roblox cheat. I have already obtained more than one DM asking for this, I will NOT do it.

Links:

• RbxStu V1 source archival (Very bad): RbxStu/RbxStu: Roblox Studio executor for game penetration testing

• This project is not endorsed by Roblox (Just in case)

Do you have a planned release date if you are planning to release it.

Cant you run the script in the console tab ? Not sure tho

The thing is terribly unstable, my vision for it is to not have to restart the game once you are done with your pentesting, else if you mess it up, you would have to completely restart studio just to get to the same point, so my vision is being able to interchangebly change between edit and game

You can, but the key here is that it is meant to run scripts written by exploiters. The normal Roblox environment lacks many functions exploiters use to cheat, things like hookfunction for hooking, and hookmetamethod for hooking metamethods just lack in the actual console tab, which is quite a shame. Also to note that on Local Tests, you cannot use the console tab, which limits the extent it can be used at. The best would be for Roblox to do this themselves, but I haven’t heard any updates on the proposal they did back on RDC.

Here is the project with some code executed in a Local Test, you can see the Lua code I wrote on the right, and on the left the outcome of it, the executor works using a normal lua way of hijacking a state (Hooking a function like pseudo2addr), which gets me a way of executing code in the game, the problem is that most actual executors back them use things like the Task Scheduler to do this I’m doing, but much more stable.

image1920×1241 137 KB

The current most stable way of executing using this tool is by using Local Test and injecting into that process of studio that was started by the Local Test (As Client), without crashing the actual studio, I could release it right now, but it is one update behind, so I’d have to update it.

It also works on a team test, even though I’d not see a reason to use it on one at all, honestly.

image1920×1166 99.4 KB

Ohh I see your point now! Thanks for explaining

Being able to use this in team test would actually be useful for me.

Why can’t you just make localscripts ( such as tests of your remote events ) to “pentest”? Or honestly, just read and properly protect your server code. You are risking your account to do in a 3rd party program what you can do in studio as is.

There practically isn’t anything outside of testing your remote events (or client-to-server logic) that you can prevent with anti-exploit anyway.

Local scripts lack the actual methods used by exploiters

That doesn’t change the fact that anything that you CAN prevent is in your client-to-server logic, which is what it ultimately comes down to. Sure exploiters have a bunch of fancy functions for example meddling with your local variables. This is only effective if you do not have proper server protection. Furthermore, you can pentest simply by changing the variable to huge values or invalid value types.

Ultimately any explots will:

1. Be client sided, thus impossible to prevent. You can make it annoying, but any client protections you add are under the full control of cheaters.

2. Be server sided, and a result of you not adding proper checks.

It really isn’t worth intentionally bypassing protections and risking your account. And I’d highly doubt the vast majority of the people who want to use this will even really find many “vulnerabilities” in their code using this executor.

How much does it get on the UNC test? Or have you not implemented any custom functions yet?

Not entirely sure on what the extent of Hyperion flagging is when it comes to studio. iirc- the studio client doesn’t have the exact hyperion model as the main game client, but it still retains some of it. it could have nothing in terms of flags, don’t remember exactly

Overall, there hasn’t “really” been any drawback to community members who have modded studio, albeit, most of the time it’s not through an executor that these “mods” are done (such as fflageditor).

The reality is this is sort of a grey zone. If we’re talking strictly terms of service wise, I don’t believe this would be allowed, although I guess it really depends, studio plugins have never really been punished for.

If you are reading and writing memory directly to the application, then I’d be a little skeptical on what ROBLOX’s stance is for that in terms of strictly studio.

I tried it on a team test, at least by myself it works just fine

Studio from what I know holds no Hyperion, else it would be packed and many Lua functions I have to get and one I have to hook would be inlined, at most the RCC service, but that’s about all I know about how studio is personally

The main reason is not to make your own local scripts, you are also forgetting exploits don’t necessarily run on your same permission level, and there are functions like getconnections, hookfunction, firetouchdetector and many more, do as much pen testing as you can on a local script, but the workflow for it would not be the same, as you cannot “hot reload” it if you will, which is what this tool can do if you will, which makes testing things much quicker

You can make a lot of things from a client, even when server validated, you cannot make the server own the player of someone, because that’s plain ridiculous for performance overall. “Meddling with local variables” has a lot of power if you know how to do things right. This tool as far as I know, this doesn’t put your account at risk of any kind, I’m not affecting anyone’s ability to play Roblox in any way or manner, and you are truly only capable of using it on games you develop/own, since you cannot just get into production Roblox games using this, Roblox studio doesn’t allow you to do that lol. Client protections work just fine when you add the correct ones, the main point is to deter those who aren’t determined enough, that’s why obfuscation is abused on many places, by packing, obfuscating and virtualizing your code, you throw off less-persistent exploiters who would have otherwise wasted their time on your game doing their scripts.

Hyperion also uses packing and obfuscation as well, yet it’s fully client-sided, but it has kept us safe for plenty of time off from dealing with cheaters.

And even then, it’s completely useless if you do something like a save instance, because you are lacking all of the server logic. I don’t see this as a bad idea, it’s just a tool that we can add to our tool belt when dealing with exploiters. If it is bannable, though, I truly don’t know, but I don’t believe it is.

I’m implementing those, but I work on my free time in it, and I have started it a week ago, I figured some crashes earlier two days ago, so right now I’m currently implementing functions, although they may not behave 1:1 like they used to, because this is studio, not client, a behaviour 1:1 to that of old exploits isn’t really possible in my opinion.

The environment has the basics, although they should be enough for quite of what exploiters do.

hookfunction (Only Lua functions due to me not implementing C yet)
clonefunction (Lua only)
getgenv
getrenv
setidentity
getidentity
require (Has to be modified for the purposes of requiring in high permission scripts)
consoleprint/warn
getgc
getrenv
httpget
checkcaller

I will try to implement as much of the spec so scripts run just alright.

I can confirm this guy is undetected he is the real top g and has never crashed once when making this.

Nothing is being bypassed or risked. There’s no hyperion on studio, and there’s no real reason there would be either. Roblox doesn’t care and isn’t going to waste their money on whatever you do with studio because you aren’t harming others.