xAPI - A Powerful Pentesting and Debugging Tool

Yea I didn’t expect anything else from Nano :skull:

1 Like

There is no need for images, just require the module and enjoy exploiting :100:

1 Like

When I require the module, nothing happens. I don’t know how to run a pentesting script like a remote spy.

Nothing is happening, because you didn’t set up an execution GUI.
You don’t need a GUI, however. You can just put together a script like this:

require(game.ReplicatedStorage.xAPI)()

-- Remotespy, darkdex, IY here

Some scripts may not work on the first try, so you may need to patch some things.
For example, Infinite Yield checks if a player is on mobile or not using a function that is protected by Roblox using the unsafe thread safety. To patch this, go to line 1939 and change the line from

local IsOnMobile = table.find({Enum.Platform.IOS, Enum.Platform.Android}, UserInputService:GetPlatform())

to the following:

local IsOnMobile = false

1 Like

Any idea how a remote spy would be done?

We can’t really hook Instance metamethods, as Roblox metamethods are written in C, meaning that they don’t have an environment we can jam them with.

We can however use Instance wrapping to wrap called functions and indexed properties, though we can only hook remote events/functions that are invoked within the host script. I recommend using Emilarity’s guide on Instance wrapping as a reference, because although the guide is useful for the general idea and premise, it isn’t practical and the code snippets in the guide itself are prone to errors.
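The wrapping approach described in this post, as an added example that is not part of xAPI or of Emilarity’s guide. It assumes it is pasted into a Studio script, it shadows `game` with a proxy, and the `Ping` RemoteEvent name is a placeholder you would replace with a remote from your own place. As the post says, only FireServer/InvokeServer calls that go through the proxy are recorded; any code holding the real Instance bypasses the log.

```lua
-- Added example (not xAPI's or Emilarity's code): a minimal Instance wrapper
-- that records RemoteEvent/RemoteFunction calls made through it, so you can
-- audit which remotes a Studio script touches. Only calls routed through the
-- wrapped reference are seen; anything holding the real Instance bypasses it.

local log = {}                      -- entries: { remote = fullName, method = name, args = packed args }
local LOGGED_METHODS = { FireServer = true, InvokeServer = true }

local wrapCache     = setmetatable({}, { __mode = "k" })  -- real Instance -> proxy
local realFromProxy = setmetatable({}, { __mode = "k" })  -- proxy -> real Instance

local wrap -- forward declaration; defined below

local function unwrap(value)
    return realFromProxy[value] or value
end

-- Unwrap every value of a packed table in place (the engine must never see a proxy).
local function unwrapAll(packed)
    for i = 1, packed.n do
        packed[i] = unwrap(packed[i])
    end
    return packed
end

-- Wrap every value of a packed table in place (so the script keeps seeing proxies).
local function wrapAll(packed)
    for i = 1, packed.n do
        packed[i] = wrap(packed[i])
    end
    return packed
end

-- Returns a closure that stands in for the Instance method `methodName`.
local function wrapMethod(realMethod, methodName)
    return function(self, ...)
        local realSelf = unwrap(self)
        local args = unwrapAll(table.pack(...))
        if LOGGED_METHODS[methodName] and typeof(realSelf) == "Instance" then
            table.insert(log, {
                remote = realSelf:GetFullName(),
                method = methodName,
                args = args,
            })
        end
        local results = wrapAll(table.pack(realMethod(realSelf, table.unpack(args, 1, args.n))))
        return table.unpack(results, 1, results.n)
    end
end

function wrap(value)
    if typeof(value) ~= "Instance" then
        return value
    end
    local cached = wrapCache[value]
    if cached then
        return cached
    end
    local proxy = setmetatable({}, {
        __index = function(_, key)
            local member = value[key]           -- errors exactly like the real Instance would
            if type(member) == "function" then
                return wrapMethod(member, key)
            end
            return wrap(member)                 -- child Instances come back wrapped too
        end,
        __newindex = function(_, key, newValue)
            value[key] = unwrap(newValue)
        end,
        __tostring = function()
            return tostring(value)
        end,
        __metatable = "The metatable is locked",
    })
    wrapCache[value] = proxy
    realFromProxy[proxy] = value
    return proxy
end

-- Usage: shadow `game` for the rest of this script, then inspect `log`.
-- "Ping" is an assumed RemoteEvent name; substitute one from your own place.
local game = wrap(game)
local remote = game:GetService("ReplicatedStorage"):FindFirstChild("Ping")
if remote then
    remote:FireServer("hello", 42)
end
for i, entry in ipairs(log) do
    print(i, entry.remote, entry.method, entry.args.n .. " arg(s)")
end
```

The proxy deliberately uses only `__index`/`__newindex`: a call written as `proxy:FireServer(x)` resolves `FireServer` through `__index`, which hands back a closure that unwraps `self` and the arguments before touching the engine, so the real Instance never sees a proxy table and the engine's own errors for bad property names are preserved.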

detecting exploits? debugging your anti cheat? and more

1 Like

Version v4.2 got released!

Change log:

Added:

  • FFlags - You can now disable and enable settings to efficiently modify how xAPI works (xAPI → FFlags)
  • Synapse X library and aliases
  • Even more aliases
  • File system
  • setreadonly, run_on_actor, checkcallstack, cache.replace, fireproximityprompt
  • loadstring, clonefunction, execute_clipboard, and the teleport queue are now equipped with the xAPI environment

Changed:

  • Improved decompiler even more. If the decompiler errors anymore, please let me know!
  • Better Instance type checking

UNC: 49%

Go here to install v4.2 from GitHub!

I use Sirius, source code to test

Can you provide a screenshot or code snippet from the error line, so I can determine what is causing the issue?

Yes, do you have Guilded? I need to contact you.

As I said in my other thread that you replied to before, I’ve managed to elevate CommandBar to thread identity 6 (which has the same permissions as CoreScripts) and make xAPI work on CommandBar. I’ve also modified xAPI and managed to shoot UNC up to 76% (a 76% success rate in the UNC test) without faking functions, implemented requests and game.HttpGet by just calling HttpService:RequestInternal(), and some like WebSocket are implemented by actually executing code on my PC outside Roblox, by taking advantage of ScriptContext:SaveScriptProfilingData() to create a file inside my C drive and get the path to that file, and LinkingService:OpenUrl() to get the code inside that file to execute.

There is one issue that prevents a good script execution experience, though, and that is the fact that most exploit scripts use loadstring() while xAPI uses LuauCeption to compile a Luau string into bytecode and then passes it to Fiu, which is basically Luau inside Luau, and that causes massive performance issues. Scripts like Dex Explorer freeze the client for over 20 seconds before successfully executing, and obfuscated scripts just throw a C stack overflow error.

If we could find a way to implement a reliable loadstring function, this modified version of xAPI can beat actual executors such as Solara. What I first had in mind was making the client invoke a RemoteFunction which will call the loadstring function on the server, then return the function that loadstring returns back into the client, but found out that functions can not be passed through RemoteFunctions.

3 Likes

The problem with executors is that they are level 8 now. I was able to test Solara and printidentity() returned 8 (I don’t know the actual legitimacy of it, it may just deliberately print 8 to fool the user).

With Roblox Internal permissions, it is only possible to elevate thread identity to 6.

However, since level 6 has RobloxScript permissions and is like a CoreScript, this should cover most stuff that exploit scripts need level 8 for. The only thing that level 6 doesn’t have access to is RobloxEngine locked stuff, such as game:GetService("NetworkServer").

Solara fakes functions btw

Considering the Solara devs had the balls to fake identity 3, I’d say it’s more than likely that identity 8 is fake too.

1 Like

A quick way to check if an executor fakes thread identity 8 is to see if it passes this test up to RobloxSecurity.

-- Each entry is {security tag, probe}. The probes are ordered from least to most
-- privileged; a thread that genuinely runs at identity 8 passes every one of them,
-- including RobloxSecurity.
local Security = {
    {"None", function() return workspace.Name end},
    {"LocalUserSecurity", function() return workspace.DataCost end},
    {"PluginSecurity", function() return workspace.RobloxLocked end},
    {"RobloxScriptSecurity", function() return game:GetService("CoreGui").SelectionImageObject end},
    {"NotAccessibleSecurity", function() game:GetService("Chat").LoadDefaultChat = game:GetService("Chat").LoadDefaultChat end},
    {"RobloxSecurity", function() return game:GetService("CSGDictionaryService").Name end},
}

for _, Tag in ipairs(Security) do
    local Name, Test = Tag[1], Tag[2]
    -- pcall so a permission error on one probe does not stop the remaining ones
    local CanDo, Error = pcall(Test)
    if CanDo then
        printidentity("Check passed for tag "..Name.." for identity")
    else
        -- Error:sub(-2, -2) is the character just before the closing parenthesis of the
        -- engine error, i.e. the permission level reported in its "lacking permission" text
        printidentity("[Permission "..Error:sub(-2, -2).."] Check failed for tag "..Name.." for identity")
    end
end

3 Likes

Version 4.3 released!

Added:

  • added instance wrapping: xAPI now supports game.CoreGui, game:GetHttp, and more!
  • full command bar compatibility

Changed:

  • hopefully fixed most problems with the decompiler, function hooking and loadstring

UNC: 54%

Go here to install v4.3 from GitHub!

1 Like

It’s not intended for placing in a real game, it’s meant as a tool to use in Studio to see what exploiters could do with an executor

seems to not work anymore, scripts yield after calling the module

2 Likes

It seems that Roblox has, once again, broken something without notice.
To temporarily fix this just remove the pipe connection thingy on line 259 in the main module.
Keep in mind you won’t be able to use run_on_actor nor protect_function anymore.

I will release an official build fixing this soon.