xAPI - A Powerful Pentesting and Debugging Tool

This is not bannable by roblox unless you require something that is against roblox tos. This will not ban anybody or delete your roblox game if im not wrong. Also this post would be deleted if it was against tos.

2 Likes

You can inject inappropiate stuff that isn’t in the game by just using require() in the roblox developer console

1 Like

This is actually useful as I need to pen-test my games, but don’t want to download any exploits.

3 Likes

The “If you put it inside the game, your game will get deleted.” is incorrect, If you use xAPI carefully and properly, your game won’t be deleted. I don’t know why you are comparing apples and oranges. Ultimate Trolling Gui has some TOS Breaking items, while for xAPI, The only way to break the TOS with it is the modified version of require(), and already require() lets you insert inappropriate items, the owner is not responsible for the misuse of xAPI, the person who did it is responsible

1 Like

Are you forgetting that you replied to me back in like November about this? you don’t have to keep fueling the fire

Can someone compare GRH: GRH-Fake-Exploit [Client Side Executor For Testing Games] vs XAPI?

2 Likes

Everybody complaining in this thread literally is doing it for the sake of clout. Ignore them, I actually find this useful because I dont wanna install script injectors.

Hopefully we get a luau interpreter in luau though

4 Likes

How does Hooking work??? I thought regular user scripts cannot hook into engine-side API functions unlike actual executors.

Still cool tho, idk how useful this would be as it’s much more useful to secure remote events and not trusting the client than testing exploit stuff, altrough if the hooking does actually work then it would be fun to mess around in Roblox Studio by exploiting in your own game or a blank template and just try to see what would happen if you do x or did y.

Here is how hookfunction works:

  • It gets the name of the function
  • It goes into the script’s environment
  • It sets the fenv index to your function you want to hook it with

Basically, just getfenv()[debug.info(old, "n")] = new

There are however limitations, such as:

  • Local function hooking;
local function a()
print()
end

hookfunction(a, warn) -- errors: Cannot hook local functions
  • Non-fenv function hooking;
local RE = Instance.new("RemoteEvent")

local old
old = hookfunction(RE.FireServer, function(...)
	print(...)
	return old(...)
end)

-- errors: Cannot hook anonymous functions
-- meaning: No functions with no name / No table functions allowed, such as:
-- a.b(), game.GetService(), function() end

Also i am also pretty sure you cannot run this in Studio, even in command bar (except maybe if the game isn’t running) but when it’s running you’re either in Client or Server mode, thus your command bar is limited to the security context of a local or server script.

You can try it for yourself here!

Also, local and server are not security contexts. They are runtimes.

Security Contexts are used by Roblox to determine if a script has permission to view/interact with something.

Runtimes are the Roblox App / Server. Their purpose are to check if all scripts were run. If a script wasn’t run, the client sends it over to the server or the server generates bytecode by itself (as far as I know, I am not a Roblox employee so I don’t know the ins and outs of Roblox), and then executes the Luau bytecode.

1 Like

This can be said just about anything like server scripts or loadstring

3 Likes

@3XPLs @commitblue

Version 3.6.0 got released!

Changelog:

  • Upgraded loadstring to be compatible with Luau, meaning standard Roblox scripts will be able to run!

Download it from github here or get it from the marketplace here!

1 Like

Version 3.7.0 got released!

Changelog:

  • Added Optimizations
  • Added dumpstring: Returns the Luau bytecode of argument 1
  • Added saveinstance: Saves the current game in a .rbxlx file and returns the path. Use readfile to get the contents
  • Added getallthreads: Returns all coroutines and other threads
  • Fixed Instance.new

Download it from github here or get it from the marketplace here!

Now wait a second, how does ‘saveinstance’ even work? I assume maybe plugins have something that allows you to create files or so i think

It uses Synapse X’s saveinstance, which goes through all descendants in the game and dumps their properties into an XML “file”. xAPI’s saveinstance uses an optimized version to increase performance and to make it compatible with xAPI.
Naturally, we cannot save files using standard scripts, so you have to do something like this:

print(readfile(saveinstance()))
-- saveinstance also returns the filename for the XML, 
-- making it easier to locate

Then,

  • go to a text editor, preferably VScode
  • make a new file
  • paste the content in, make sure that only the XML (<roblox…/roblox>) gets pasted in
  • save it as “[filename].rbxlx”
  • open the file with Roblox Studio by either double clicking on it or by going into Studio and clicking on ‘FILE’ → ‘Open from file…’ and selecting the file

If everything’s correct, it should open up your saved place.
Note that if some things are wrong, like parts being misaligned, that’s on the Synapse X developers, not me.

1 Like

yo, you forgot to include the UNC score for the new XAPI release.

It’s 53%

chars chars chars chars

I think i’ll contribute to XAPI with a pull request when im done with my Drawing api re-implementation. Might be fun.

1 Like

might even implement this into my fake roblox executor, which connects to the roblox servers and executes scripts.
Here’s how the UI looks, if you’re curious.


Just gotta add a tab system and a way to switch from client & server execution.

1 Like