RbxStu V2: Studio Executor - Runtime Debugging and Exploit Patching

AdvancedOpenGL · May 20, 2024, 2:20am

Correction: studio mods (unless they allow you to connect to a live server) are not bannable.

Binaary · May 21, 2024, 11:50am

Please state all incorrect arguments.

Judgy_Oreo · May 21, 2024, 12:42pm

None of your criticisms are necessarily incorrect (atleast from what I can tell), you’re just being overly destructive. Instead of demeaning the creator of this resource for questionable code, you could have pointed out the better and more efficient ways the code could have been written, and left it at that, instead of going out of your way to say things like;

Or;

As well as;

, which is all really unnecessary.

roalex2008 · May 21, 2024, 3:28pm

This code is not for that. Its was just to get the title of Studio to see if you are in a local file. The real solution would be to not GetForegroundWindow() rather use the process handle as you said later on, at the time I just didn’t think it through, and I won’t change it as it works well enough.

What do you mean here? It is just httppost. Nothing else, the std::string after you pointed out I solved it, it was quite stupid from my part I agree LOL.

Fixed after you pointed out.

XD, I removed it already. It was meant to be some testing on junk code, left it in.

I’m not going to make the loop more complex than it already is, unnecessary.

Its not like I’m pointing to uninitialized memory, even then, of anything was to happen, stack canaries would send me to oblivion.

Applied on latest commit; Honestly not that necessary, and it just increases code complexity by exiting out of Windows API code or C++ std, its not like I’m in the Kernel and I need maximum performance, it is just an injected dll lol.

May you point out SPECIFICALLY where there is a memory leak in the code? All usages of malloc the new keryword are disposed respectively; the only wrong I made is using free on a new allocated structure, doing else would cause me to crash, and I’m not going to make exception-based programming, screw that. Setting heap allocated memory into L->userdata will not leak memory, Robloxs’ internals do it lol, which is the main reason I’m using C pointers on userdata, because that is how it is done. I had to open up roblox and reverse the structure somewhat, so I know some things, like it has 0x98 bytes of size, if i were to allocate less I’d crash, and if I used more, I would be wasting memory anyway, copying it and replacing the userdata pointer worked alright and allowed me to do what I wanted regarding the states’ ExtraSpace, good solution? No, works? Yes. In an era when people don’t even know how Roblox identity works at this point, it works well enough, refactoring would come to use, but I’m not willing.

Agreed and is fixed on latest commit.

This code has somewhat of relation to another code I wrote on Scheduler.cpp, not using this chunk of code anymore on neither sides. Now it will just memcpy on Scheduler.cpp, and it will completely execute the userthread callback forcefully (Which is honestly NOT necessary) and it will allocate the ExtraSpace Robloxs’ side, making it basically automagical. As to why I believe it should not be necessary, is because when calling lua_newthread the userthread callback will run, and would have done all I did, except automatically.

In any case, thanks for the free code review, I solved some of the issues you pointed out on many commits over time, as I had obviously read it, but the recient responses just made me fix the rest that were left which I didn’t turn attention to, they got fixed on commits

Handle check on isrbxactive: Solve code issues. · RbxStu/RbxStu@7c4b2f9 (github.com)

Copying into std::string on httppost: Avoid copying memory into an std::string to then grab the c_str again… · RbxStu/RbxStu@27aefcc (github.com)

Removal of Oxorany throughout the code Remove oxorany_pchars’ internal oxorany macro (better compilation spe… · RbxStu/RbxStu@48b2bdb (github.com)

Minor rename, refactor and overall improving const correctness and other aspects Clean up and some small touch ups on some code. · RbxStu/RbxStu@ddb839b (github.com)

There are probably like two more relating to removing garbage from the code, but I have lost the commits/forgot which were. You should probably not go around dumping on random codebases that are virtually cheats, because they don’t follow the same standards, not really care for the rules as normal, application C++ code, the only time I used smart pointers was on the crypt lib, and it was to shut the compiler up, I was going to use them on the ix::WebSocket with the WebSocket library, but after the errors which related to freeing the ix::WebSocket using delete I just went straight C pointers, you did your critisism in full bad faith I can say, as you never cared to go to github and do even a minor pull request, you may say it is not my problem, yet, you came here, wasted time of your day to yap about the issues on the code, and decided that berating my code over it being written in less than two weeks at the time, with it still being a mere experiment which was not refactored nor cleaned up at the time, as I said back on April 17th when I first responded to this post, this was never intended to be public, which is why the oxorany were there even. (As a side note, the gif was funny, but it didn’t make sense with much of what was at hand lol)

This is my last response to this, now you all stop stiring it up, @Binaary made good statements in regards to code quality on a C++ application setting, not a cheat setting and that is what it is truly.

Binaary · May 21, 2024, 4:45pm

Non async operation within the same thread, CPR post has a huge overhead. It’s as I said, lol.

Avoiding asymptotic behaviour, the combined time complexity of both loops is 2O(n) which can be simplified down to O(n). It doesn’t make it “more complicated”, in reality it simplifies it and enables you to write GOOD algorithms.

In an unsafe language, you can always assume there are random optimisations which could potentially lead to this happening. You should learn more about how release mode actually operates in terms of the flags it pushes to the compiler. You should ALWAYS account for the unexpected.

the _mm_pause intrinsic is probably one of the most useful intrinsics for a spinlock, why? it applies minimal spin with a very tiny cpu usage for that thread. It does not increase code complexity - it’s a compiler intrinsic…

I’ve noted it above, you handle the mallocs incorrectly.

Well yeah… the size of the struct is 0x98 bytes, why would you attempt to allocate less and write to uninitialised memory sparking an access violation? I don’t get your argument here?

github.com

RbxStu/RbxStu/blob/7c4b2f914ae8a739a9affc5c11616ab7b8f18fa3/Environment/ClosureLibrary.cpp#L200


      
              L->top++;
          }
          auto *original = lua_toclosure(L, -1); // C Closure at stack top, variable shadowing on top!
          
          
// C->C
          const auto cl = closures->CloneClosure(L, toHook); // Clone original Closure.
          
          
if (toHook->nupvalues < hookWith->nupvalues)
              luaG_runerror(L, "Hookfunction: Cannot hook. Too many upvalues.\r\n");
          
          
toHook->c.f = []([[maybe_unused]] lua_State *L) -> int { return 0; };
          /* we don't wanna break while we set upvalues */
          for (int i = 0; i < hookWith->nupvalues; i++)
              setobj2n(L, &toHook->c.upvals[i], &hookWith->c.upvals[i]);
          
          
toHook->nupvalues = hookWith->nupvalues;
          toHook->c.f = NewCClosureHandler; // Newcclosure handler.
          closures->AddWrappedClosure(toHook, original);
          L->top->value.p = const_cast<Closure *>(cl);
          L->top->tt = LUA_TFUNCTION;
          L->top++;

?

Just skimmed through most the code, do you even free userdata’s anymore? I’ve checked xrefs to all CloneClosure’s and I can’t see you freeing it? I see that you use memcpy but that doesn’t mean that only one malloc is created overall and you reuse that buffer, It just means that you’re creating many allocations and copying memory over only to never free it from what I can see. Please correct me with github line links if I’m wrong. I just can’t seem to find you freeing userdata’s.

This isn’t an actual argument, this is just you being too ignorant to use smart pointers which actually DEALLOCATE their memory after function end.

I’ve seen many cheat bases with actual good code, this is why the developers of those cheats ended up getting ACTUAL jobs. Please stop grouping people up with you, it doesn’t matter what they write - they decide to write GOOD code.

roalex2008 · May 21, 2024, 4:50pm

Alright, for the first one, Yielding is not yet implemented, therefore, it’s still going to be blocking, that is for all requests.

Second, I still view it as a non-substantial change, and would still yield the same outcome, exceptions by themeselves are expensive.

Third, I agree, accounting for the unexpected is a requirement, but I don’t believe it would get optimised away.

Fourth, Yes, I applied the spinlock and after reading it, it makes sense why to use it, saves power as its a CPU instruction.

Fifth, please point me the incorrect malloc calls

Sixth, I’m confused

Seventh, if you were to switch upvalues with the function set, you would run into a crash if the function was to be called at that time, as the upvalue would be dead.

Eight, I don’t really believe I gotta free userdatas, I could be wrong, but I’ll see when I get into trouble from it.

Ninth, I’m not going to use smart pointers more than I need, although I may change it when I see a banefit in stability overall.

Tenth, please show me a good cheat codebase, it would be actual good learning material, github link please.

Binaary · May 21, 2024, 5:03pm

Hey friend, you do realise not all posts nor gets create a massive overhead right? This is exactly why I pointed out CPR specifically as it suffers from this issue in non-async operations.

This is avoiding the main point entirely, I don’t believe I can teach you further about it. Time complexities do not lie. You can go ahead and benchmark it and see for yourself.

You should learn more about the compiler and how vigorous the optimisation can be. It most definitely can happen.

This invalidates your previous argument and I’m glad you finally understand it now. Thanks.

Unless it’s handled automatically through the luau free detour, which I’m not too sure about, all CloneClosures seem to have a malloc call which will never be freed.

Not too sure how you could get confused here, re-read it a couple times as well as reading your original point twice as much.

This was entirely my fault, I was actually curious on what was going on here.

Yes, from what I’m reading through it. It’s just an allocation that I can’t see where it gets freed. Unless it does this internally within the luau engine - I can’t exactly see how it would work as it’s your own recreated member.

Then I would suggest not caring about poor memory health, this is C++ in 2024. Not C in 1994.

I don’t think that’s wise linking malicious cheats on this forum. Making cheats does not mean you automatically have to write terrible code. Get this idea out of your head as it’s toxic.

roalex2008 · May 21, 2024, 5:14pm

First, Cpr makes the job easier, just as MinHook, which is why I just didn’t change and used it

Second, still a meh in my opinion, I do understand what you are trying to convey, but the benefit would probably be negligible in this case unless the stack is insanely big, at which point I should question if my code is doing what it should be

Third, I don’t believe it would get optimized away, even in aggressive, the function uses it so removing it would be kind of non-sensical.

Fourth, yes, I normally don’t delve into intrinsics much which is why I originally omitted it

Eighth, the detour if freeblock is to prevent crashes as for some reason it tries to free an RWX page, I still don’t know the cause maybe I’ll check later

Sixth, I don’t think I’m reading less or more, that code relies on behaviour I have seen from Roblox and it’s in it’s executable, the callback should be called when making a thread, and the struct is the correct size so it should be “safe”.

Seventh, Function hooking is annoying as hell, hookfunc I mean, I wish to not touch it ever again lol

Ninth, agreed, but I might care for it later on a refactor of the entire codebase

Tenth, true.

(Response order messed up by me because on phone xd)

Bakonowychlopak123 · May 21, 2024, 5:29pm

how about you make pull request and contribute to the project instead of complaining about it on the devforum

VyonEXE · May 21, 2024, 8:32pm

Dude you’re asking way too much, you can’t just tell someone on devforum to do something productive instead of complaining!

roalex2008 · June 1, 2024, 6:38pm

(post deleted by author)

AlureonTime · June 1, 2024, 8:47pm

@Bitdancer Your thoughts?

I’m guessing you guys are working on a plan for such things?

shadowmaster940 · June 2, 2024, 9:05am

there’s no reason for them to take action on this, if they ask us to stop we will gladly shut the project down, this is only intended to pentest games studio it isn’t possible to use it on the normal client so it can’t hurt anyone’s experience on roblox.

roalex2008 · June 2, 2024, 4:39pm

As shadow already said, me and him have no problem shutting RbxStu down, but it does not really constitute a problem to anyone wanting to play games in Roblox, and its effect is limited ONLY to developers and their own games to work towards things that ward off cheaters, which is why I believe @Bitdancer would not really go against the project, as there is little to no damage done to Roblox in general, and it more likely benefits Roblox as a whole, as they don’t have to work in a solution for this (Although I would much rather them to do so!)

AlureonTime · June 2, 2024, 8:13pm

I meant in terms of, I think it is a good idea to elevate to the same level as exploits to pentest your game.

But I just wanted clarification if this were somewhat going to be dealt with in terms of preventing this.

It wouldn’t be no different to give someone collaboration access to execute scripts anyway. But I wouldn’t want to use something that could quite possibly lead to apart of a ban wave. As far as I’m aware there is nothing in Studio to prevent this. And was wondering if there was something in the future they’d do.

shadowmaster940 · June 3, 2024, 9:12am

There should be no reason for them to add prevention methods to studio due to it being unable to join public games.

Bitdancer · June 3, 2024, 5:46pm

Not really a gray area. From the TOS:

Restrictions of Use. In addition to any other restrictions set forth in the Roblox Terms or any Additional Terms, Users may not (a) lease, lend, sell, redistribute, or sublicense any part of the Services; (b) copy, modify, distribute, publicly perform or display, reverse engineer, disassemble, modify, or create derivative works of the Services or related or implemented technology; (c) circumvent any technological measure designed to protect the Services or any technology associated with the Services; (d) reverse engineer, disassemble, decompile, decode, adapt, or otherwise attempt to derive or gain access to any Services’ source code, in whole or in part (unless a portion of code contained within the Services is released as open source and the open source license governing such code expressly permits reverse engineering, copying or other modification); (e) use the Services to create malicious or abusive content (as determined by Roblox in is sole discretion) or any content that violates these Roblox Terms, Additional Terms, guidelines, or policies; or (f) use the Services (or any part thereof or any technology contained therein) in any manner that infringes, misappropriates, or otherwise violates any intellectual property right or other right of any person, or that violates any applicable laws.

quinowenryanjen · June 3, 2024, 7:20pm

Why are you pointing that out? Many people know Roblox hasn’t had a history of actually caring what people do with studio. You post that like a threat to the developer or like roblox is going to start caring about studio mods soon.
Anticheat coming to studio CONFIRMED?!?/s

roalex2008 · June 3, 2024, 7:22pm

So, shall I suspend development? If that is what you want on Roblox sure thing, I’m not going to oppose you all’s desicion truly, in the end as developers we all want a good platform

roalex2008 · June 3, 2024, 7:32pm

I do believe knocking down people from modifying studio is kinda weird, more when it benefits developers and does not truly damage Robloxs playerbase, I guess the ulterior motive is for the purposes of protecting IP, I have no problem stopping development if the reason makes sense (I.e: Roblox staff directly telling me to C&D of to formally stop on this forum post, right now, if so I will archive (Unless specified to remove) the repos and take down anything related to it from channels I can control), exploiting currently is at an all time low anyway, so the benefit of keeping RbxStu running is minimal at best, and it is more somewhat of a hassle, because updates each week, so please tell me directly @Bitdancer if I end and so I will, no one will truly benefit from pointless back and fourth, you will probably get tired, and I will probably as well