Any idea how a remote spy would be done?
We can't really hook Instance metamethods, as Roblox metamethods are written in C, meaning that they don't have an environment we can jam them with.
We can however use Instance wrapping to wrap called functions and indexed properties, though we can only hook remote events/functions that are invoked within the host script. I recommend using Emilarity's guide on Instance wrapping as a reference, because although the guide is useful for the general idea and premise, it isn't practical and the code snippets in the guide itself are prone to errors.
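The wrapping idea described in the reply above, as an added example that is not from the thread, from xAPI, or from the guide it mentions: a proxy forwards property reads and logs method calls, and only calls made through the proxy are seen. `FakeRemote`, `wrap`, and `log` are hypothetical names; `FakeRemote` is a constructed plain-table stand-in for a RemoteEvent so the snippet runs in stock Lua or Luau outside Roblox.

```lua
-- Constructed stand-in for a RemoteEvent (assumption: a real Instance is
-- userdata, not a table; the wrapping logic is the same).
local FakeRemote = { Name = "DamageEvent" }
function FakeRemote:FireServer(...)
    return select("#", ...) -- stand-in behaviour: report the argument count
end

local log = {}       -- recorded calls: { name, method, args }
local wrappers = {}  -- real object -> wrapper, so each object gets one wrapper
local originals = {} -- wrapper -> real object, used to unwrap `self`

local function wrap(real)
    if wrappers[real] then
        return wrappers[real]
    end
    local proxy = {}
    wrappers[real] = proxy
    originals[proxy] = real
    return setmetatable(proxy, {
        __index = function(_, key)
            local value = real[key]
            if type(value) ~= "function" then
                return value -- indexed property: pass through unchanged
            end
            -- called function: log it, then call the original on the real object
            return function(self, ...)
                local target = originals[self] or self
                table.insert(log, { name = real.Name, method = key, args = { ... } })
                return value(target, ...)
            end
        end,
        __newindex = function(_, key, value)
            real[key] = value -- property writes reach the real object
        end,
    })
end

local remote = wrap(FakeRemote)
remote:FireServer("hit", 25)     -- goes through the wrapper: logged
FakeRemote:FireServer("hit", 25) -- direct reference to the real object: not logged

print(#log, log[1].name, log[1].method, log[1].args[2])
```

The second call is the limitation the reply points out: code that holds its own reference to the real object never touches the wrapper, so nothing is recorded for it.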
detecting exploits? debugging your anti cheat? and more
Version v4.2 got released!
Change log:
Added:
- FFlags - You can now disable and enable settings to efficiently modify how xAPI works (xAPI → FFlags)
- Synapse X library and aliases
- Even more aliases
- File system
- setreadonly, run_on_actor, checkcallstack, cache.replace, fireproximityprompt
- loadstring, clonefunction, execute_clipboard, and the teleport queue are now equipped with the xAPI environment
Changed:
- Improved decompiler even more. If the decompiler errors anymore, please let me know!
- Better Instance type checking
UNC: 49%
Go here to install v4.2 from GitHub!
I use Sirius, source code to test
Can you provide a screenshot or code snippet from the error line, so I can determine what is causing the issue?
Yes, do you have Guilded? I need to contact you
Like what I've said in my other thread that you replied to before, I've managed to elevate CommandBar to thread identity 6 (has the same as CoreScript permissions) and make xAPI work on CommandBar. I've also modified xAPI and managed to shoot UNC up to 76% (76% success rate in the UNC test) without faking functions, implemented requests and game.HttpGet by just calling HttpService:RequestInternal() and some like WebSocket are implemented by actually executing code in my PC outside Roblox, by taking advantage of ScriptContext:SaveScriptProfilingData() to create a file inside my C drive and get the path to that file, and LinkingService:OpenUrl() to get the code inside that file to execute.
There is one issue that prevents having a good script execution experience though. And that is the fact that most exploit scripts use loadstring() while xAPI uses LuauCeption to compile Luau string into bytecode then passes it to Fiu, which is basically Luau inside Luau and that causes massive performance issues. Scripts like Dex Explorer freeze the client for over 20 seconds before successfully executing, and obfuscated scripts just throw a C stack overflow error.
If we could find a way to implement a reliable loadstring function, this modified version of xAPI can beat actual executors such as Solara. What I first had in mind was making the client invoke a RemoteFunction which will call the loadstring function on the server, then return the function that loadstring returns back into the client, but found out that functions can not be passed through RemoteFunctions.
problem with executors is that they are level 8 now, I was able to test solara and printidentity() returned 8 (I don't know the actual legitimacy of it, it may just deliberately print 8 to fool the user)
With Roblox Internal permissions, it is only possible to elevate thread identity to 6.
However, since level 6 has RobloxScript permissions and is like a CoreScript, this should cover most stuff that exploit scripts need level 8 for. The only thing that level 6 doesn't have access to is RobloxEngine locked stuff, such as game:GetService("NetworkServer").
Solara fakes functions btw
Considering the Solara devs had the bauls to fake identity 3, I'd say it's more than likely that identity 8 is fake too.
A quick way to check if an executor fakes thread identity 8, is to see if it passes this test up to RobloxSecurity.
```lua
-- Each entry pairs a security tag with an access that requires it.
local Security = {
    {"None", function() return workspace.Name end},
    {"LocalUserSecurity", function() return workspace.DataCost end},
    {"PluginSecurity", function() return workspace.RobloxLocked end},
    {"RobloxScriptSecurity", function() return game:GetService("CoreGui").SelectionImageObject end},
    {"NotAccessibleSecurity", function() game:GetService("Chat").LoadDefaultChat = game:GetService("Chat").LoadDefaultChat end},
    {"RobloxSecurity", function() return game:GetService("CSGDictionaryService").Name end},
}

for _, Tag in ipairs(Security) do
    local Name, Test = Tag[1], Tag[2]
    -- pcall catches the permission error raised when the access is denied
    local CanDo, Error = pcall(Test)
    if CanDo then
        printidentity("Check passed for tag "..Name.." for identity")
    else
        -- Error:sub(-2, -2) is the second-to-last character of the error message
        printidentity("[Permission "..Error:sub(-2, -2).."] Check failed for tag "..Name.." for identity")
    end
end
```
Version 4.3 released!
Added:
- added instance wrapping: xAPI now supports game.CoreGui, game:GetHttp, and more!
- full command bar compatibility
Changed:
- hopefully fixed most problems with the decompiler, function hooking and loadstring
UNC: 54%
Go here to install v4.3 from GitHub!
It's not intended for placing in a real game, it's meant as a tool to use in Studio to see what exploiters could do with an executor
seems to not work anymore, scripts yield after calling the module
It seems that Roblox has, once again, broken something without notice.
To temporarily fix this just remove the pipe connection thingy on line 259 in the main module.
Keep in mind you won't be able to use run_on_actor nor protect_function anymore.
I will release an official build fixing this soon.
Powering Unreliability
I believe I have fixed it, but I don't know how it worked before. It can run infinite yield, but some things are broken. I can't tell if this is how it was before Roblox broke xAPI… but it seems to still be useful.
Basically, I just used breakpoints to find where it yielded and made a workaround that fixed it.
(edit): Removed my version from the reply, I think I forgot to remove some game-specific code.
You can ignore this. A use case would be debugging anti-exploits, using a remote spy, etc. The remote spy I tried with infinite yield did not work with xAPI which is unfortunate, but it maybe could be fixed one day?
Version 4.4 released!
Added:
- Decentralized GetObjects: game:GetObjects is now able to import untrusted models without InsertService!
Fixed:
- Fixed proxy piping and networking
UNC: 55%
Go here to install v4.4 from GitHub!
I was still having problems with requiring in this version! No idea why, but Luau decides to stop running the code after requiring. If you debug with breakpoints it works, otherwise something stops the thread.
I did a lot of changes in an attempt to fix it, but I believe adding a task.wait() at the bottom of the xAPI module fixed it. The fake script may have also had something to do with it…? I don't really know!
I don't like my solution to this, any investigation in the original version would be appreciated.
Anyways. I added file system saving using one of my resources!
solara executor is level 3 identity, most their stuff is faked