[Executor Detection] Wave Executor Prevention

Another day another executor
After 2 hours of release I’ve already found a detection :money_mouth_face:
I’ll work on finding more detections later

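```lua
local HttpService = game:GetService("HttpService")

while task.wait() do
	-- Call the restricted method under pcall so the error is captured, not thrown.
	local suc, response = pcall(HttpService.RequestInternal, HttpService)
	
	-- The executor's hook fails with its own message, which gives it away.
	if not suc and response:find("blocked function") then
		warn("Detected :money_mouth:", response)
	end
end
```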

36 Likes

It’s insane how they don’t even check the caller. LOL

4 Likes

Looks like they will be riding the ban wave

8 Likes

“but but they can disable it” “they can just hook it” “they can delete the script” “<insert other devforum members comments>”

Jokes aside, good job, wonder what other functions they block :thinking: This picture alone highlights how uhm, “smart”, their developer team is :laughing:
image

7 Likes

It’s not that hard to bypass Hyperion, the hardest part is going undetected and not making stupid mistakes like these, why the hell are u using the normal HttpService if you’re making an executor?

5 Likes

It is to prevent Remote Code Executions, in this case it is to prevent an attacker from grabbing the ROBLOSECURITY cookie.

4 Likes

Creating a custom internal one shielded from the normal calls is much better. And how are attackers going to steal your cookie? Elaborate.

1 Like

Sending a request to roblox.com from the executor, and accessing the Cookies from there.

This was intended (by the Wave developer team) to stop malicious threat actors from releasing scripts that maliciously log your cookies, and, to stop developers, in the event they successfully ENV Takeover, to do the same.

2 Likes

I will not elaborate on it for obvious reasons.

1 Like

Can’t the same thing be done using a custom HttpService then? A sandboxed version so both developers and script creators cannot access important things such as cookies.

1 Like

Wave runs on Level 7 (I believe), by nature, due to that level now script devs have access to HttpService.RequestInternal as well as other services which can be used to grab cookies and other stuff.

Wave took the approach of making a, quite blatant, hook to make sure it doesn’t get called by making it error with a custom error message.

1 Like

Interesting, well instead of returning a custom error message, why didn’t they return the original error message (if it exists) or modify the engine API or the VM to make it return nil basically?

What they should’ve done is add a caller check, so the hook would only function if called from an executor environment and otherwise return original behavior.

2 Likes

yeah theoretically would work but undetected executors don’t use this HttpService so they won’t get flagged. And also does this script affect performance? I’d assume it tanks performance if it checks requests in a while task.wait() loop

The reason why this works is due to the developers not adding a caller check to their security (preventing scripts from doing malicious things). This only works for Wave because they are the ONLY executor to not have proper checks.

1 Like
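
A throttled, report-once variant of the probe from the first post, relevant to the performance question above. This is an added example, not code from any poster in the thread; the `ExecutorReport` RemoteEvent, the 5-second interval and the `probe` helper are assumptions.

```lua
-- Added example (LocalScript). Assumed names: PROBE_INTERVAL, probe, and a
-- RemoteEvent called "ExecutorReport" in ReplicatedStorage (hypothetical).
local HttpService = game:GetService("HttpService")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

local PROBE_INTERVAL = 5 -- seconds between probes; assumed value
local MARKER = "blocked function" -- substring matched in the original post

local reportEvent = ReplicatedStorage:WaitForChild("ExecutorReport")

-- Returns the error text if the call failed with the hook's custom message,
-- otherwise nil.
local function probe()
	local ok, err = pcall(HttpService.RequestInternal, HttpService)
	-- An error value is not guaranteed to be a string, so check before searching.
	-- The third argument to find() makes it a plain-text match, not a pattern.
	if not ok and type(err) == "string" and err:find(MARKER, 1, true) then
		return err
	end
	return nil
end

task.spawn(function()
	while true do
		local hit = probe()
		if hit then
			warn("Detected:", hit)
			-- The server decides what to do with the report. It should treat
			-- this as one signal among others, since a client can delete or
			-- silence a LocalScript.
			reportEvent:FireServer(hit)
			break -- one report is enough; stop polling
		end
		task.wait(PROBE_INTERVAL)
	end
end)
```

Polling every few seconds instead of every frame keeps the cost to one `pcall` per interval, and the loop exits after the first hit.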

it’s level 6. there’s no such thing as a client-sided level 7, since that’d imply you’re executing code onto the serverside. just an fyi!

1 Like

They intentionally don’t check the caller because hookmetamethod can be used to run the malicious code on a thread not owned by the executor, which would bypass the protection.

This is basically impossible to fix in Lua itself without creating some sort of detection.

1 Like

Unless they make it so exploits can’t hookmetamethod that function, which I’m sure they’ll do. And yes, I’m pretty sure they are able to do that.

They can’t get ROBLOSECURITY cookies.

They can. The moment you’re vulnerable to an ACE, your computer is at the script’s mercy.

1 Like