RbxStu V2: Studio Executor - Runtime Debugging and Exploit Patching

Exploits bring a lot of functions to the table which simply aren’t possible to replicate from a normal LocalScript, such as being able to intercept, block and modify calls to remote events, spoofing values and much more. The goal of RbxStu is to create a way for developers to be able to test these functions against their games in a safe environment.

I can definitely see value in this as an open-source hobby project, more tools to combat exploiters is always better. My reply was targeted at the question if a Roblox Studio “executor” would be realistic to expect, which is obviously no.

From Roblox themselves, likely not, as if something were to go wrong, such as the executor being vulnerable to an ACE, it’d fall back on them.

Yeah, that’s one of the major concerns I have with RbxStu, and why I have not tried completing the FileSystem library. I refuse to make vulnerable code, and things like the FS library are REALLY notable for being exploited by malicious actors to do things, which is why I have not done it yet. If I do, I’ll have to put it behind an “Unsafe” mode of some kind, just to prevent issues from the get-go for developers who run generic scripts/not trusted cheat scripts for their game.

Yeah it does. Remote Spies are not supported officially, and if you want to make one, you will have to use different methods, as the current methods that things like SimpleSpyV3 or Hydroxide use do not work on Studio (And I will NOT research why at all).

One of the things I added with the purpose of patching is what I called an Instrumented Environment. It basically traces all C function calls, and prints out the arguments of __namecall and __index on elevated Lua states (threads running over Level 4 I believe, I don’t remember how I implemented checkcaller at this point…). You can use the Instrumented Environment by calling enable_environment_instrumentation using Lua.

And it’s a 50/50 team, if you will. Shadow had the original idea; he wrote an implementation for it using a Lua C wrapper, but it fell short on some aspects (too unstable), so I wrote another version using an RVM. We treated development as a competition with Shadow over who could make the best thing, and we ended up in somewhat of a neutral stance in that. I think he is restarting his personal version, but don’t take my word for that; it is completely different from RbxStu, I can assure you.

Shadow’s participation in RbxStu is that he is the first contributor of the project other than me. Other people that I could mention would be Hisoka: he wrote a full dumper for me to use to update RbxStu, but I don’t use it (mainly because it’s a vcproj, and not CMake). He is also a contributor to the project, as he gave me some offsets when I was in a hurry. If you want to try it for some reason, it is this little beauty → nhisoka/RbxStuDumper: A Dumper made for roblox studio (github.com)

Although few people have contributed, and 90% of them (not to say all of them) have a background in anti-cheat Lua solutions or cheat development in general, I’m quite happy with how it has turned out :+1:. I have also been made aware of detections for hookfunction, but quite honestly, this is not about making an anticheat that is able to detect an executor that is present; it’s more about running exploiter-written scripts to patch them on your own game. So patching detections, unless they have an impact, such as the broken newcclosure handler, I don’t find necessary, but if I do find it mid-development, I’ll probably fix it. I don’t like half-baked things.

If remote spies are your goal, wouldn’t a plugin suited for that purpose be more reliable?

Non-tested example:

I have used that plugin and it does not work

You could theoretically hook instance.new and check if it is an event, and monitor replicated storage for hooking the appropriate functions, and you could get a remote spy, but I’m not sure, I never did one.

You need to hook RemoteEvent.FireServer if you want a “remote spy” (in Studio, of course).

No, RemoteSpy(s) do not work on Studio, I have already tried. The method you are saying is the one everyone uses to make a Rspy, and it doesn’t seem to work.

Setting setclipboard to nil crashes Roblox Studio ;(

That should not happen; calling setclipboard(nil) will error, as it checks if there is a string at the top of the Lua stack using luaL_checkstring(L, 1);

Do you mean running setclipboard = nil or setclipboard(nil)?

Why don’t you just add a rate limit like most executors do? You can also log the FS actions and ask to revert them if it seems malicious.

What do you mean by “Ratelimit”? And as for logging FS actions, doing FS in C++ is already painful enough; making them revertible must be the last circle of hell, as in, more than last…

How does this work? I managed to hook the DLL but I don’t know how to execute any scripts.

Also if this breaks any agreements then I shall cease any operations, I just want to test an anti-hooking function I made.

You may want to opt for using V2, as it’s much more stable and supports more functions.

I am indeed using the V2 release.

This looks to be a development version of it, try using the latest release on the GitHub repository.

Cheers, Dottik

(I read this message before, I just thought I had answered it much sooner than I actually did)

Remote Spies work on RbxStu V2 by the way, at least Simple Spy V3. Hydroxide has been more complicated because it makes use of Get objects, which for some reason is broken no matter what I try.

You are breaking the TOS, but it’s just a grey area anyway, so while I won’t judge, Roblox Staff will.