xAPI - A Powerful Pentesting and Debugging Tool

SQLanguage · May 9, 2024, 11:21am

The LuauCeption VM does not work, but the LuauCeption bytecode compiler does. I used Fiu for the VM instead.

Also, Fiu uses an external environment to bring Roblox objects to the VM. I don’t know about types, but I am pretty sure they are only used for the IDE or when --!strict is enabled so we don’t have to worry about those for now.

RadiatedExodus · May 9, 2024, 11:23am

This wasn’t what I was talking about, but it should be enough to use Fiu and the LuauCeption compiler, you don’t need to step into the LuauCeption VM for this (unless you want to really implement functionality in C/C++ for low-level stuff)

SQLanguage · May 9, 2024, 11:25am

I am not using the LuauCeption VM though?

kaan650 · May 9, 2024, 4:29pm

Hey @SQLanguage! nice module there!

Just a question. is there any documentation for this?

SQLanguage · May 10, 2024, 11:07am

You can use UNC’s documentation since xAPI was developed with UNC compatibility in mind.

Kealomon · May 18, 2024, 7:45pm

Probably one of the best pentesting tools I’ve ever seen, especially since it works with every script I’ve used, with a little modification (like parenting things from CoreGui to PlayerGui) I have got dark dex v3 running, infinite yield, and various other popular cheats like remote spy. 10/10

Kealomon · May 18, 2024, 8:25pm

Infinite Yield and Dark Dex if anyone wants it
darkdex.rbxm (2.6 MB)
infiniteyield.rbxm (2.5 MB)

lambarini · May 18, 2024, 8:43pm

How’d you get remote spy working?

Kealomon · May 18, 2024, 8:55pm

Technically, remote spy doesn’t work since you need the games raw metatable from a localscript, but I got the gui working so its a win in my book.

lambarini · May 19, 2024, 7:50am

Technically, you could make a server script that tracks all remote events and then tells the client (if fired from the player) what they sent

SQLanguage · June 8, 2024, 9:23pm

Version 4.1 got released!

Changelog:

Added:

oth.hook, oth.unhook (more secure versions of hookfunction and restorefunction)
debug.getconstants
debug.getconstant
debug.getprotos
debug.getproto

Fixed:

Improved decompiler
Updated loadstring (Fiu and LuauCeption)
gethwid is now equipped with a real session tracking calculator

Go here to install v4.1 from GitHub!

_{All of the recently added debug funtions rely on the decompiler, which may ignore things like logic flow or locals.}

SQLanguage · June 9, 2024, 9:07am

Ladies and gentleman, we did it.

SOMEONE SKIDDED OFF OF xAPI LMAO

To clarify, I have nothing against taking my code without permission. It only gets bad when you talk badly about other people while you have done nothing (good) on your own. Also, if you do decide to take my code, do not say that it is your own. At least imply that it was taken from xAPI.

lambarini · June 9, 2024, 6:35pm

From what I understand he used xApi to fake execution right?

Kealomon · June 9, 2024, 8:20pm

This is insane work A level-2 executor and a bonus of a VIRUS

SQLanguage · June 9, 2024, 9:51pm

I believe he made an executor that’s like 100% detected and used xAPI for the extra functionality.
Keep in mind, xAPI was meant for use inside of Roblox - inside of a sandbox. Executors aren’t sandboxed and thus are able to use C code for unrestricted code execution. Nano, however, skidded off of xAPI for (what I believe to be) atleast some of the functionality.

Keep in mind, xAPI, if you were to actually use it to inject into a Roblox game, IS DETECTABLE. xAPI requires some nifty oversights from the Roblox devs, but EVEN WHEN I WAS WRITING xAPI I KNEW that the following are detected, which are coincidentally the most used functions in the Roblox exploiting community:

hookfunction
getrawmetatable (and all relatives, such as hookmetamethod)
decompiler (and all of its children, such as debug.getconstants, dumpstring, etc.)

xAPI is also probably detected by, I don’t know, EVERY SINGLE ANTICHEAT METHOD???

Metaphorically speaking, he lobotomized Usain Bolt, paralyzed him and gave him a wheelchair with shopping cart wheels.

bluebxrrybot · June 9, 2024, 10:07pm

How do you actually use this? There’s no images, videos, documentation, tutorials, or instructions anywhere that I can see. I saw some people getting it to work, but I can’t figure it out myself.

This also is not helpful. This is not your documentation…

lambarini · June 10, 2024, 5:50am

Yea I didn’t expect anything else from Nano

lambarini · June 10, 2024, 5:51am

There is no need for images, just require the module and enjoy exploiting

bluebxrrybot · June 10, 2024, 1:55pm

When I require the module, nothing happens. I don’t know how to run a pentesting script like a remote spy.

SQLanguage · June 11, 2024, 10:41am

Nothing is happening, because you didn’t setup an execution GUI.
You don’t need a GUI, however. You can just put together a script like this:

require(game.ReplicatedStorage.xAPI)()

-- Remotespy, darkdex, IY here

Some scripts may not work on the first try, so you may need to patch some things.
For example, Infinite Yield checks if a player is on mobile or not using a function that is protected by Roblox using the unsafe thread safety. To patch this, go to line 1939 and change the line from

local IsOnMobile = table.find({Enum.Platform.IOS, Enum.Platform.Android}, UserInputService:GetPlatform())

to the following:

local IsOnMobile = false