Like I said in my other thread that you replied to before, I’ve managed to elevate CommandBar to thread identity 6 (which has the same permissions as a CoreScript) and make xAPI work on CommandBar. I’ve also modified xAPI and managed to shoot UNC up to 76% (76% success rate in the UNC test) without faking functions, implemented requests and game.HttpGet by just calling HttpService:RequestInternal(), and some, like WebSocket, are implemented by actually executing code on my PC outside Roblox, by taking advantage of ScriptContext:SaveScriptProfilingData() to create a file inside my C drive and get the path to that file, and LinkingService:OpenUrl() to get the code inside that file to execute.
There is one issue that prevents having a good script execution experience though. And that is the fact that most exploit scripts use loadstring() while xAPI uses LuauCeption to compile a Luau string into bytecode, then passes it to Fiu, which is basically Luau inside Luau, and that causes massive performance issues. Scripts like Dex Explorer freeze the client for over 20 seconds before successfully executing, and obfuscated scripts just throw a C stack overflow error.
If we could find a way to implement a reliable loadstring function, this modified version of xAPI can beat actual executors such as Solara. What I first had in mind was making the client invoke a RemoteFunction which will call the loadstring function on the server, then return the function that loadstring returns back to the client, but I found out that functions cannot be passed through RemoteFunctions.
The problem with executors is that they are level 8 now. I was able to test Solara and printidentity() returned 8 (I don’t know the actual legitimacy of it; it may just deliberately print 8 to fool the user).
With Roblox Internal permissions, it is only possible to elevate thread identity to 6.
However, since level 6 has RobloxScript permissions and is like a CoreScript, this should cover most stuff that exploit scripts need level 8 for. The only thing that level 6 doesn’t have access to is RobloxEngine locked stuff, such as game:GetService("NetworkServer").
A quick way to check if an executor fakes thread identity 8 is to see if it passes this test up to RobloxSecurity.

```lua
-- Each entry pairs a security tag with a function that touches a member guarded by that tag.
local Security = {
    {"None", function() return workspace.Name end},
    {"LocalUserSecurity", function() return workspace.DataCost end},
    {"PluginSecurity", function() return workspace.RobloxLocked end},
    {"RobloxScriptSecurity", function() return game:GetService("CoreGui").SelectionImageObject end},
    {"NotAccessibleSecurity", function() game:GetService("Chat").LoadDefaultChat = game:GetService("Chat").LoadDefaultChat end},
    {"RobloxSecurity", function() return game:GetService("CSGDictionaryService").Name end},
}

for _, Tag in ipairs(Security) do
    local Name, Test = Tag[1], Tag[2]
    -- pcall catches the permission error raised when the current identity lacks access.
    local CanDo, Error = pcall(Test)
    if CanDo then
        printidentity("Check passed for tag "..Name.." for identity")
    else
        -- The second-to-last character of the error message is printed as the permission number.
        printidentity("[Permission "..Error:sub(-2, -2).."] Check failed for tag "..Name.." for identity")
    end
end
```
It seems that Roblox has, once again, broken something without notice.
To temporarily fix this just remove the pipe connection thingy on line 259 in the main module.
Keep in mind you won’t be able to use run_on_actor nor protect_function anymore.
I will release an official build fixing this soon.
I believe I have fixed it, but I don’t know how it worked before. It can run infinite yield, but some things are broken. I can’t tell if this is how it was before Roblox broke xAPI… but it seems to still be useful.
Basically, I just used breakpoints to find where it yielded and made a workaround that fixed it.
(edit): Removed my version from the reply, I think I forgot to remove some game-specific code.
You can ignore this. A use case would be debugging anti-exploits, using a remote spy, etc. The remote spy I tried with infinite yield did not work with xAPI, which is unfortunate, but maybe it could be fixed one day?
I was still having problems with requiring in this version! No idea why, but Luau decides to stop running the code after requiring. If you debug with breakpoints it works, otherwise something stops the thread.
I made a lot of changes in an attempt to fix it, but I believe adding a task.wait() at the bottom of the xAPI module fixed it. The fake script may have also had something to do with it…? I don’t really know!
I don’t like my solution to this; any investigation in the original version would be appreciated.