Edit: The simplified goal in this post is to bypass the security of Roblox Executors, which is the “modified Roblox client” that I talk about below. This is not about the development of these executors. Roblox Executors block specific functions from being called for security purposes, and the goal is to bypass the security that the developer of these executors put into their executor.
A modified Roblox client that achieves client side code execution with CoreScript permissions or thread identity 8 in any Roblox game has its own sandboxed Luau Environment. There are some blocked functions such as HttpRbxApiService.GetAsyncFullUrl, where attempting to index into that function will return a hooked function which will do nothing when called other than throw this error in the console Attempt to call blocked function GetAsyncFullUrl of HttpRbxApiService.
Before, this could be bypassed by using the modified client’s custom function called getrenv() which returns the normal Roblox environment, and the function getgenv() which returns the modified client’s custom environment. Using these functions, we can clone the getgenv function directly into the roblox environment to allow this function to be called by LocalScripts in the game by doing so:
getrenv().getgenv = clonefunction(getgenv)
-- getrenv returns a table which is the Roblox environment, and we clone the getgenv function into the Roblox environment by using the custom function in the modified Roblox client called clonefunction, which literally just clones a function.
Now, from a LocalScript which is running under a different Luau VM compared to the modified Roblox client one, we can index into the function HttpRbxApiService.GetAsyncFullUrl then clone it back into the modified client’s environment by doing so:
getgenv().pwnage = game:FindService("HttpRbxApiService").GetAsyncFullUrl
Now the blocked function protection is now bypassed, the GetAsyncFullUrl can now be called in the modified Roblox client with CoreScript permissions by using pwnage()
Alternatively, we can clone the setthreadidentity() function of the modified client into the Roblox environment and have it called by a LocalScript to elevate its identity to 3 which will allow the LocalScript to freely call the GetAsyncFullUrl function, avoiding modified client’s protection.
The issue is that this method has been patched in the modified Roblox client, and now also hooks LocalScripts to return a function that just errors when attempting to index into a blocked function within a LocalScript. And setthreadidentity will no longer work when its not called inside the Luau VM of the modified Roblox client, resulting in the LocalScript unable to elevate its thread identity.
Can you think of any other remaining methods to bypass this type of blocked function protection? You will be contributing for a big project aimed to make the Roblox platform a “better place.” And you may get paid for contribution.
Possible methods:
- Since code in Parallel Luau run in an entirely different Luau VM and has its own environment, with its environment being different to the one that getrenv returns, it is possible to index into the
HttpRbxApiService.GetAsyncFullUrlfunction in parallel and get an unhooked function. But how would we pass that function back into the normal Roblox environment, or the modified client’s environment? - By abusing custom functions of the modified Roblox client, which is all the functions in the Unified Naming Convention (UNC), or abusing the fact that it can execute code with thread identity 8, you could try getting CoreScripts to run your own code which will allow the GetAsyncFullUrl function to be called with no issues. You could also try an approach similar to this. However, all the methods in that GitHub gist are now patched in the modified Roblox client.
The modified Roblox client in question: Arceus X, Wave, Solara, Electron, Celery, Apple-Ware, Synapse Z, Codex, Domain, Delta, VegaX, Cryptic
