[Executor Detection] Wave Executor Prevention

HexadecimalLiker · August 9, 2024, 4:41pm

You do not know what you are talking about.
Please see bypassing blocked function protections using corescripts · GitHub

HexadecimalLiker · August 9, 2024, 6:16pm

In that case, just produce a generic error that looks like Roblox’s. Pretty sure Wave is gone now, but that shows the developers’ incompetence.

MaxGamingYT129 · August 9, 2024, 6:50pm

Oh god, that is so funny, smth tells me u use exploits, ey wanna check out (15) James auf X: „Looks like Roblox cheaters got hit with a “surprise” #Roblox #RobloxDev https://t.co/8RdPbpHmWK“ / X . I wanna tell u smth, every executor makes money, not only by selling their “hacks” they mine crypto on your pc too, and if u think they can’t get your cookie, ey they are rats. You gave them and the owner of the scripts u execute full permission to your device.

Boeufplume6771 · August 9, 2024, 7:32pm

What does http service request internal do? What is the purpose of this script?

Lonegwadiator · August 10, 2024, 5:04am

I’m not gonna sit here and suggest that cheats are good, but considering you get it from the right place, they aren’t miners either.

Yes that tweet is real, I’m actually the one who made the script for it.

Exploits will never be secure with the privileges they grant, if there’s not some gaping flaw in your APIs, Roblox will soon enough introduce something with an embedded ShellExecute call.

Cookie logging is perhaps the easiest thing of all to do on these exploits, Roblox introduced a new way to do this recently as a matter of fact.

Lonegwadiator · August 10, 2024, 5:08am

It’s just something Roblox uses in CoreScripts to do HTTP requests on the client, it’s not typically accessible using a normal LocalScript.

However exploit environments can access it just fine, but that’s where cookie logging comes in.
Cookie logging is possible using RequestInternal, since it passes in some roblox auth headers.

This leads many exploits to try and block it, and many other functions, however their implementation usually sucks and leads to detection.

That’s what’s happening here.

MaxGamingYT129 · August 10, 2024, 4:39pm

Hi, i don’t wanna risk me getting banned, however i can gurantee you, that the known executors such as wave… are crypto miners, as you made the script you should know how easy it is to insert in it a rat / trojan and get the user data, Roblox should run Byfron on Kernel level or do instead of ban waves, instant bans (1 month - or longer) and should get a better alt detection.

Lonegwadiator · August 10, 2024, 6:55pm

Your comments on ban waves and instant bans:

Instant bans are a sure way for exploit developers to know that they’re detected, and therefore allow them a chance to fix those detections.

However, I do agree that bans should be more strict.

(as per Bitdancer’s prior comments) Current moderation policies mean the Hyperion team cannot simply ban people for a month.
Currently, if you’re caught exploiting, you are queued for a ban wave, then banned for:
Infraction 1: 1 Day
Infraction 2: 3 Days
Infraction 3: 7 Days
Infraction 4: Deletion

My understanding is, any previous infraction is not taken into account if more than a year old, so if you receive a 5th infraction 366 days after Infraction 1, you don’t get deleted, just a 7 day ban.

With Hyperion’s current ban-wave rate being like 2-3 months apart, it seems quite hard to get deleted anyway.

RCE/Malware talk:

There haven’t been many recorded instances of malware actually being installed using a script, the only one being from the Synapse era around 2021.

The method we used was a function with an embedded ShellExecute call, this was patched in the update afterwards. (along with some choice words from the owners of Wave!)

So to drop and execute a crypto miner nowadays, you’d need to find one of these functions (only 2 exist as of the making of this post and are well known by most exploit developers)

The only other documented way to do this is via their vulnerable exploit libraries or functions, which sometimes allow for unsafe actions and can lead to an arbitary mem read/write, this is a billion times more complex to achieve than the aforementioned method, which as I said, is very well known about by now.

Wave still definitely has its’ vulnerabilities, but it’s still not very easy to exploit these vulnerabilities without the proper knowledge, i’m sure most would choose the cookie logger route instead.

RevokeFriendship · August 12, 2024, 1:49am

I’d like to correct you on the idea that there hasnt been many recorded instances of malware being installed via scripts. There have been many cases of this happening (most commonly they just steal your robux using RequestIntnal using RbxHttpService or whatever it is which when requesting something returns your auth stuff but ive seen bad actors just outright ratting people).

The sad part is every executor’s protections are just outright bad. Take Celery for example (last i tested): you can bypass their entire protections by using their own function clonefunction. Which I guess would technically fall into a custom function issue but at the same time you could accomplish bypassing solora’s protection by adding a \0 to the end of whatever function you’re requesting.

Lonegwadiator · August 12, 2024, 3:48am

Yeah I know about those, quite funny that these 2 externals are some of the most vulnerable.

I haven’t heard much about malware actually being installed, perhaps you can remind me of some other instances where this happened?

Thanks

RevokeFriendship · August 13, 2024, 12:04am

Well one major case was when moon added a rat or something to infinite yield but that was many years ago. all of the ones i talked about happen in these little neash communities where only a couple people are affected at most.

v1uxz · August 15, 2024, 12:01pm

I do.
The post you linked is literally from 2023 (meaning most likely already patched), what executor do you know of that can steal your robux, etc?

v1uxz · August 15, 2024, 12:03pm

Ey, might want to provide more valid evidence because I checked and a lot of people were saying it is fake.

x1_EE · August 15, 2024, 8:28pm

I understand other big games do this. However, since the kernel level gives you access over everything, one small vulnerability can be exploited and turned into something huge. Games that use kernel level anticheats have the potential to literally remotely clone, modify and annihilate your system. They do not inform you and can just do it, and along with whatever they please. It is a very big security and privacy concern. A kernel level anticheat is literally a backdoor with the perms of a “CEO”. This is a cheap, lazy half-solution with massive risk.

HexadecimalLiker · August 15, 2024, 11:27pm

Most of them actually. It’s not because the post is old that the executor developers are competent enough to patch known vulnerabilities.

v1uxz · August 15, 2024, 11:45pm

Mhm. I mean’t Roblox probably patched that vulnerability.

RevokeFriendship · August 16, 2024, 5:59am

Roblox hasn’t “patched” anything due to it only meaning to be accessible for corescripts / a high script context.

v1uxz · August 16, 2024, 2:51pm

And have you seen any executors doing this?

MaxGamingYT129 · August 16, 2024, 9:08pm

I assume because of your reaction that you’re using executors, [Executor Detection] Wave Executor Prevention - #25 by Lonegwadiator .

v1uxz · August 16, 2024, 9:30pm

Does it look like I care about your assumption? Just admit that you’re pressed and move on, thank you!

(p.s- take the hint and quit replying to me)