🫖
Tea, Earl Grey, hot.

James TheGreatSageEqualToHeaven
@TheGreatSageEqualToHeaven
TheGreatSageEqualToHeaven / LuauAllOpcodes.luau
Last active July 22, 2024 14:56
Hellborn abomination
-- LOP_BREAK, LOP_COVERAGE and LOP_NOP aren't possible without the C API
-- Vector constants are supported but need to be commented in and need the ctor renamed
-- LOADKX and JUMPX support can be commented out
---------------------------------------------------------------------------------------
-- PREPVARARGS
local a = "hello world"; -- LOADK
a,a,a,a,a,a = nil, true, false, 1, 9e9, function() --[[ RETURN ]] end; -- LOADNIL, LOADB 1, LOADB 0, LOADN 1, LOADK 9e9, DUPCLOSURE (no captures)
FUNC_GLOBAL = newproxy; -- GETIMPORT, SETGLOBAL
local t = { }; -- NEWTABLE 1 1
local function stub() -- NEWCLOSURE (ref, val, ref captures)
@TheGreatSageEqualToHeaven
TheGreatSageEqualToHeaven / LuaVersion.lua
Created March 28, 2024 01:35
Runtime Lua version detection without _VERSION
local function luaVersion()
    local f = function()
        return function() end
    end
    if 0xffffffffffffffffffffffffffffffffffffffffffffff == 2 ^ 64 then
        return "Luau"
    end
    if ({nil,[1] = true})[1] then
@TheGreatSageEqualToHeaven
TheGreatSageEqualToHeaven / LuauOptimizeLevel.lua
Created March 28, 2024 01:34
Getting the Luau optimize level at runtime safely
local function getOptimizeLevel()
    local function dupclosure()
        return function() end
    end
    local O0 = dupclosure() ~= dupclosure()
    local function inlinefunction()
        return debug.info(1, "f")
    end
@TheGreatSageEqualToHeaven
TheGreatSageEqualToHeaven / main.md
Last active October 12, 2024 16:08
bypassing blocked function protections using corescripts

author: James Napora.


roblox and exploit fundamentals

  • Corescripts have RobloxScript permissions on Roblox.
  • Exploit function protections do not run on any threads except exploit threads.
  • Roblox has several permission levels: None, Plugin, LocalUser, RobloxScript and Roblox.
  • Actors on Roblox run whenever a script under them has a client run context, e.g. local scripts, scripts with RunContext.Client and corescripts.
  • Scripts under actors share the same global state.
@TheGreatSageEqualToHeaven
TheGreatSageEqualToHeaven / Lua51AllOpcodeCases.lua
Last active September 21, 2024 18:27
Lua 5.1 Opcode Case Test File
-- load
local math = math -- GETGLOBAL
local newproxy = newproxy -- GETGLOBAL
local ipairs = ipairs -- GETGLOBAL
local floor = math.floor -- GETTABLE KST(C)
local pi = math.pi -- GETTABLE KST(C)
local _nil = nil -- LOADNIL B -> C (1)
local _true = true -- LOADBOOL B(1)
local _false = false -- LOADBOOL B(0)
@TheGreatSageEqualToHeaven
TheGreatSageEqualToHeaven / READ.md
Last active October 28, 2024 18:40
Datastore Rollback Playground Course

In the previous GitHub gist we went over multiple ways DataStoreService could be abused to roll back data. This time we will be taking a more hands-on approach where you, the reader, will be trying to figure out how to roll back data in a playground created specifically to teach you how data rollbacks happen.

This time nothing you do will be pseudo-code. Everything you abuse, fire and interact with will be real. Nothing is emulated in the playground: your data is actually rolled back because the datastore threw an error. All datastore requests use SetAsync, and if a datastore call fails, UpdateAsync is used to pull your old data and attach a notice, shown when you rejoin, telling you that you have successfully rolled back your data.

An example notice: Example_Note

You will need:

  • A working exploit. You can use the testing
@TheGreatSageEqualToHeaven
TheGreatSageEqualToHeaven / READ.md
Last active November 12, 2024 10:36
Data store vulnerabilities

Write-up

A warning to Roblox developers about a powerful exploit primitive. In this write-up I will detail the research I've conducted into this attack vector and walk you through how you, as a developer, can protect against exploits built on primitives like this.

DataStoreService lets you store data that needs to persist between sessions, such as items in a player’s inventory or skill points. Data stores are consistent per experience, so any place in an experience can access and change the same data, including places on different servers.

By default, experiences tested in Studio cannot access data stores, so you must first enable API services. You will need to do this to test the vulnerabilities.

The idea I wanted to explore when pondering the above question was: can remotes be exploited to prevent data from saving? It is easy to blame the developer for not protecting against such a simple exploit, but it ends up being more complicated than that. I found plenty of examples of these vulnerabilities occurring