Another day another executor
After 2 hours of release I’ve already found a detection 
I’ll work on finding more detection later
local HttpService = game:GetService("HttpService")
while task.wait() do
local suc, response = pcall(HttpService.RequestInternal, HttpService)
if not suc and response:find("blocked function") then
warn("Detected :money_mouth:", response)
end
end
It’s insane how they don’t even check the caller. LOL
Looks like they will be riding the ban wave
“but but they can disable it” “they can just hook it” “they can delete the script” “<insert other devforum members comments>”
Jokes aside, good job, wonder what other functions they block 
This picture alone highlights how uhm, “smart”, their developer team is 
It’s not that hard to bypass Hyperion, the hardest part is going undetected and not making stupid mistakes like these, why the hell are u using the normal HttpService if you’re making an executor?
It is to prevent Remote Code Executions, in this case it is to prevent an attacker from grabbing the ROBLOSECURITY cookie.
Creating a custom internal one shielded from the normal calls is much better. And how are attackers going to steal your cookie? Elaborate.
Sending an request to roblox.com from the executor, and accessing the Cookies from there.
This was intended (by the Wave developer team) to stop malicious threat actors from releasing scripts that maliciously log your cookies, and, to stop developers, in the event they successfully ENV Takeover, to do the same.
I will not elaborate on it for obvious reasons.
Can’t the same thing be done using a custom HttpService then? A sandboxed version so developers and both script creators cannot access important things such as cookies.
Wave runs on Level 7 (I believe), by nature, due to that level now script devs have access to HttpService.RequestInternal aswell as other services which can be used to grab cookies and other stuff.
Wave took the approach of making a, quite blatantly, hook to make sure it doesn’t get called by making it error with a custom error message.
Interesting, well instead of returning a custom error message, why didn’t they return the original error message (if it exists) or modify the engine API or the VM to make it return nil basically?
What they should’ve done is add an caller check, so the hook would only function if called from an executor environment and otherwise return original behavior.
yeah theoretically would work but undetected executors don’t use this Httpservice so they won’t get flagged. And also does this script affect performance? I’d assume it tanks performance if it checks requests in a while task.wait() loop
The reason why this works is due to the developers not adding a caller check to their security (preventing scripts from doing malicious things). This only works for wave because they are the ONLY executor to not have proper checks.
it’s level 6. there’s no such thing as a client-sided level 7, since that’d imply you’re executing code onto the serverside. just an fyi!
They intentionally don’t check the caller because hookmetamethod can be used to run the malicious code on a thread not owned by the executor, which would bypass the protection.
This is basically impossible to fix in Lua itself without creating some sort of detection.
Unless they make it so exploits can’t hookmetamethod that function, which I’m sure they’ll do. And yes, I’m pretty sure they are able to do that.
They can’t get ROBLOSECURITY cookies.
They can the moment you’re vulnerable to an ACE your computer is at the script’s mercy.
