  1. #1 rbxhaxer (Join Date: May 2018)

    [ROBLOX CHECK BYPASS] How to internally call lua_pcall without shutdown

    I'm glad you're here. I have imported this thread from a previous forum I posted it on, in the hope that MPGH will one day make a section for ROBLOX cheats and hacks.

    Understanding this should at the least take very basic C++ and assembly/reversing knowledge. But if you don't have that, stick around. You might learn a thing or two. This thread is also assuming you have bypassed the check inside of lua_pcall and any other protected function, which can be achieved in a similar manner as to this bypass.

    First, we must locate the check. Follow my steps in the following GIF from lua_pcall.



    Now that we found the check, look at the diagram I provided.



    Is there a way we can ensure that we take the green path to avoid the check? Of course there is!

    How could we do that? Look at how the path is decided. It will JMP if zero. Using basic assembly knowledge, you can conclude that the path will be green if zero, or the path will be red if anything else. By calling a function that triggers this check if you're out of range, it'll always be red. How can we make it so that the JZ comparison will be zero even though it's not? In other words, how can we make it so that we can still take the green path while being out of range? We could change the JZ instruction to a JMP instruction, so that it will take that path whether we are in range or not!

    That sounds like a great idea, but how can we do this in C++?

    We could use the Windows WriteProcessMemory function. But what would we put in the parameters?
    We can decide that by using our basic C++ skills from looking at MSDN.
    https://msdn.microsof*****m/en-us/lib...(v=vs.85).aspx

    You should come up with something like this:

    Code:
    WriteProcessMemory(GetCurrentProcess(), reinterpret_cast<void*>(rawrJzAddr), "\xEB", 1, 0);
    You might be thinking: "Where did you get EB from?"
    EB is the x86 opcode for JMP. Take a look at this chart of x86 opcodes if you need to:
    https://sparksandflames.com/files/x8...tionChart.html

    You also might be thinking: "Where do I find the address?"
    You can find it in the .text section next to the second xref of the JZ we looked at earlier.

    Great! We bypassed it. Simply do that before calling any function that triggers the check (in this case lua_pcall), and the check should be bypassed!

    What is that, you still shut down? That's because ROBLOX has an integrity check that detected that you made a change in their scanned portion of memory, so they shut you down. We have two options to fix this. You could just bypass their integrity check instead, or you could go the easy route and after you bypass the check, change the condition back to a JZ before the check catches us. Do that immediately after your call to the function.

    That task would look something like this:
    Code:
    WriteProcessMemory(GetCurrentProcess(), reinterpret_cast<void*>(rawrJzAddr), "\x74", 1, 0);
    Again, we use \x74 because it's the opcode for JZ.

    Thank you for reading, and although it's unlikely this would be useful for anyone on MPGH due to the lack of attention given to the idea of ROBLOX exploiting, maybe someone will come across this with a Google search, or better yet, they'll add a ROBLOX section if enough people want it. Bye!
    Last edited by rbxhaxer; 08-14-2018 at 09:05 AM.
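For the defender's side of the same story (the integrity check the post says shut the process down), an added example in C++ that is not from the post: it snapshots a code region, re-hashes it, reports the changed offset when a JZ-to-JMP patch is live, and shows that a poll landing after the restore sees nothing, which is why such a checker cannot rely on a single sample. The buffer, the hash and the class names are all constructed for the example.

```cpp
// Added defender-side example, not code from the post: a minimal in-process code-integrity check
// of the kind the post says caught the one-byte patch. It snapshots a code region while known-good,
// re-hashes it later, and on a mismatch lists the changed offsets. The "code" is a constructed buffer.
#include <cstddef>
#include <cstdint>
#include <vector>
// FNV-1a: cheap enough to rerun on a timer, and any single flipped byte changes it.
std::uint64_t fnv1a(const std::uint8_t* p, std::size_t n) {
    std::uint64_t h = 1469598103934665603ULL;
    for (std::size_t i = 0; i < n; ++i) { h ^= p[i]; h *= 1099511628211ULL; }
    return h;
}

class CodeRegionGuard {
public:
    // The baseline is taken at construction, so construct it before untrusted code can run.
    CodeRegionGuard(const std::uint8_t* region, std::size_t n)
        : region_(region), baseline_(region, region + n), hash_(fnv1a(region, n)) {}
    bool intact() const { return fnv1a(region_, baseline_.size()) == hash_; }
    // Slow path, run only on a hash mismatch: offsets of every byte that differs from the snapshot.
    std::vector<std::size_t> changed_offsets() const {
        std::vector<std::size_t> out;
        for (std::size_t i = 0; i < baseline_.size(); ++i)
            if (region_[i] != baseline_[i]) out.push_back(i);
        return out;
    }
private:
    const std::uint8_t* region_;
    std::vector<std::uint8_t> baseline_;
    std::uint64_t hash_;
};
// Constructed sample: cmp eax,edx ; jz +4 ; xor eax,eax ; ret ; nop. The jz (0x74) sits at offset 2.
std::uint8_t g_code[] = {0x39, 0xD0, 0x74, 0x04, 0x31, 0xC0, 0xC3, 0x90};
const std::size_t kJzOffset = 2;
// The check fires while the patch is live: returns the first reported offset, or -1 if none.
long detect_live_patch() {
    CodeRegionGuard guard(g_code, sizeof g_code);
    g_code[kJzOffset] = 0xEB;                          // JZ -> JMP, the change the post makes
    std::vector<std::size_t> hits = guard.changed_offsets();
    g_code[kJzOffset] = 0x74;                          // the restore the post does after the call
    return hits.empty() ? -1 : static_cast<long>(hits[0]);
}
// The check fires only after the restore: one timed poll sees an intact region, which is why a
// real checker polls often or watches the writer rather than trusting a single sample.
bool missed_after_restore() {
    CodeRegionGuard guard(g_code, sizeof g_code);
    g_code[kJzOffset] = 0xEB; g_code[kJzOffset] = 0x74;  // patch and restore before the poll
    return guard.intact();
}
```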

  2. #2 Aroki (Join Date: Aug 2018)
    So can you give me a written step-by-step manual tutorial for this? I just want to make sure that I do this right so it works 100%.

  3. #3 rbxhaxer (Join Date: May 2018)
    I can't tell if you're being ironic or not; take what you have.
