  1. #include <Windows.h>
  2. #include <string>
  3. #include <iostream>
  4. #include <sstream>
  5. #include <TlHelp32.h>
  6.  
// Rebases an address that was taken from a binary assumed to be loaded at the
// default 32-bit image base (0x400000) onto the main module's actual load
// address.  GetModuleHandleA(0) returns the base of the calling process's
// executable.  All arithmetic is DWORD, so this page is 32-bit only.
#define rbxaddy(x)(x - 0x400000 + ((DWORD)GetModuleHandleA(0)))

// Rebased constant that Main() later uses as the 4-byte value to scan for
// (it is stored there in a local named ScriptContextVftable).  The offset is
// specific to whatever build the author targeted.
#define ScriptContextAddress rbxaddy(0x119C870)

// Forward declaration referenced by the rbxlua_getservice macro below.
// No definition of this function appears anywhere in this listing.
static int rbxlua_getService(DWORD luaState, const char* serviceName);
  12.  
  13.  
// Masked byte comparison.
//
// Walks szMask one character at a time; wherever the mask byte is 'x' the
// corresponding bytes of pData and bMask must be equal, any other mask
// character is a wildcard.  Returns true once the mask string is exhausted
// without a mismatch.  Reads exactly strlen(szMask) bytes from pData and
// bMask, so the caller is responsible for those being readable.
static bool bCompare(const BYTE* pData, const BYTE* bMask, const char* szMask)
{
    while (*szMask != '\0') {
        const bool mustMatch = (*szMask == 'x');
        if (mustMatch && *pData != *bMask)
            return false;
        ++szMask;
        ++pData;
        ++bMask;
    }
    // Loop only exits at the mask terminator, so the comparison succeeded.
    return true;
}
  21.  
// Linear signature scan: tries bCompare() at every byte offset in
// [dwAddress, dwAddress + dwLen) and returns the first matching address, or
// 0 when nothing matches.
//
// NOTE(review): the candidate offset is bounded by dwLen but the comparison
// is not -- bCompare() reads strlen(szMask) bytes from each candidate, so the
// last candidates read past dwAddress + dwLen.  Nothing checks that the
// pages are mapped (no VirtualQuery), so a scan that runs off the end of the
// module faults instead of returning 0.
static DWORD FindPattern(DWORD dwAddress, DWORD dwLen, BYTE *bMask, char * szMask)
{
    for (DWORD i = 0; i<dwLen; i++)
        if (bCompare((BYTE*)(dwAddress + i), bMask, szMask))
            return (DWORD)(dwAddress + i);
    return 0;
}
  29.  
// Scans a fixed 0xF00000-byte window starting at the base of the named
// module for the byte pattern AoB under Mask; returns 0 on a miss.
//
// The window length is hard-coded rather than taken from the PE headers.
// If the module is not loaded, GetModuleHandleA returns NULL and the scan
// starts at address 0.  Callers below wrap the result in unprotect() or cast
// it straight to a function pointer, so a miss yields a null function
// pointer (or, for unprotect(), a near-null dereference).
static DWORD SigScan(const char *AoB, char *Mask) {
    return FindPattern((DWORD)GetModuleHandleA("RobloxPlayerBeta.exe"), 0xF00000, (PBYTE)AoB, Mask);
}
  33.  
// Builds a patched copy of the function at addr in freshly allocated
// PAGE_EXECUTE_READWRITE memory and returns the copy's address, or addr
// itself when no patch site was found (or the allocation failed).
//
// What it does, step by step (all reads below are of the original code):
//   1. Walks forward from addr in 0x10 steps until it sees the bytes
//      55 8B EC (push ebp; mov ebp, esp).  The address it finds is never
//      used afterwards; only the loop's side effect of possibly faulting on
//      unmapped memory remains.
//   2. Allocates 1000 bytes RWX and copies 1000 bytes from addr into it,
//      regardless of how long the original function really is.
//   3. Scans the copy for the byte shape 72 ?? A1 ?? ?? ?? ?? 8B
//      (jb rel8 / mov eax,[imm32] / mov r32,...) and overwrites the 0x72
//      with 0xEB, turning the conditional short jump into an unconditional
//      one.
//   4. After a patch, rescans the whole copy for every 0xE8 byte (treated
//      as call rel32, whether or not it is really an instruction start),
//      computes the original call target, and if that target is 16-byte
//      aligned rewrites the displacement so the call from the copy reaches
//      the same target.
//
// From a detection standpoint the result is a private RWX allocation
// holding a near-verbatim copy of an image function with a patched branch --
// the usual footprint of a detour/trampoline that memory scanners look for
// (executable private memory not backed by a mapped image).
//
// NOTE(review): on the not-found path VirtualFree is passed 1000 with
// MEM_RELEASE; the API requires dwSize == 0 for MEM_RELEASE, so that call
// fails and the allocation leaks.  The scan in step 3 also reads pos+2 and
// pos+7 for pos up to nFunc+999, i.e. slightly past the 1000 bytes that were
// requested (still inside the page VirtualAlloc rounded up to).
static DWORD unprotect(DWORD addr) {
    BYTE * tAddr = (BYTE *)addr;

    // Step 1: prologue walk; tAddr is dead after this loop.
    do {
        tAddr += 0x10;
    } while (!(tAddr[0] == 0x55 && tAddr[1] == 0x8B && tAddr[2] == 0xEC));

    // Step 2: RWX scratch copy of the function.
    PVOID nFunc = VirtualAlloc(NULL, 1000, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (nFunc == NULL)
        return addr;

    memcpy(nFunc, (BYTE *)addr, 1000);

    DWORD pos = (DWORD)nFunc;
    BOOL valid = false;

    // Step 3: find and patch the conditional jump inside the copy.
    do {
        if (*(BYTE *)pos == 0x72 && * (BYTE *)(pos + 0x2) == 0xA1 && * (BYTE *)(pos + 0x7) == 0x8B) {
            memcpy((void *)pos, "\xEB", 1);   // jb rel8 -> jmp rel8

            // Step 4: re-point every call rel32 in the copy at its original
            // target.  tFunc is the corresponding byte in the ORIGINAL code,
            // so the displacement is always read from unmodified memory.
            DWORD cNFunc = (DWORD)nFunc;
            do {
                if (*(BYTE *)cNFunc == 0xE8) {
                    DWORD tFunc = addr + (cNFunc - (DWORD)nFunc);
                    DWORD oFunc = (tFunc + *(DWORD *)(tFunc + 1)) + 5;   // target = next insn + disp32

                    // Alignment is used as the heuristic that this 0xE8 really
                    // is a call to a function start rather than data.
                    if (oFunc % 16 == 0) {
                        DWORD rebFAddr = oFunc - cNFunc - 5;   // disp32 relative to the copy
                        memcpy((PVOID)(cNFunc + 1), &rebFAddr, 4);
                    }
                }
                cNFunc += 1;
            } while (cNFunc - (DWORD)nFunc < 1000);

            valid = true;
        }
        pos += 1;
    } while (pos < (DWORD)nFunc + 1000);

    if (!valid) {
        VirtualFree(nFunc, 1000, MEM_RELEASE);   // see NOTE above: dwSize must be 0 here
        return addr;
    }

    // On success the RWX copy is intentionally kept alive; it is the value
    // the caller stores as a function pointer.
    return (DWORD)nFunc;
}
  80.  
  81.  
  82. //////////////////////
  83.  
  84. //DWORD luaState = 0;
  85. //#define rbxlua_USE_APICHECK // 1337hax - still testing
// Pseudo-indices.  The values are the stock Lua 5.1 ones
// (LUA_REGISTRYINDEX, LUA_ENVIRONINDEX, LUA_GLOBALSINDEX).
#define rbxlua_REGISTRYINDEX (-10000)
#define rbxlua_ENVIRONINDEX (-10001)
#define rbxlua_GLOBALSINDEX (-10002)
#define rbxlua_upvalueindex(i) (rbxlua_GLOBALSINDEX-(i))
//#define l_pushcfunction(luaState,f) l_pushcclosure(luaState,f,0)

// Type tags.  The numbering is NOT stock Lua 5.1 (which has nil=0,
// boolean=1, lightuserdata=2, number=3, string=4, table=5, function=6,
// userdata=7, thread=8); presumably it mirrors a reordering in the targeted
// build -- not verifiable from this listing.
#define rbxlua_TNONE (-1)
#define rbxlua_TNIL 0
#define rbxlua_TNUMBER 2
#define rbxlua_TBOOLEAN 3
#define rbxlua_TSTRING 4
#define rbxlua_TLIGHTUSERDATA 1
#define rbxlua_TTABLE 7
#define rbxlua_TUSERDATA 8
#define rbxlua_TFUNCTION 6
#define rbxlua_TPROTO 9
#define rbxlua_TTHREAD 5
#define rbxlua_TUPVALUE 10



// Stack helper.  Expands to rbxlua_settop, but only _rbxlua_settop (leading
// underscore) is defined in this listing, so using rbxlua_pop would not
// compile as-is.
#define rbxlua_pop(L,n) rbxlua_settop(L, -(n)-1)
//#define rbxlua_emptystack(L) rbxlua_settop(L, 0)
// Type predicates.  Each goes through the rbxlua_type() wrapper defined
// further down this file, which discards the real result and always returns
// 0, so every predicate here compares a constant 0 against its tag.
// rbxlua_isnil is written as "!= rbxlua_TUSERDATA" rather than
// "== rbxlua_TNIL" (the original form is kept in the trailing comment).
#define rbxlua_isfunction(L,n) (rbxlua_type(L, (n), FALSE) == rbxlua_TFUNCTION)
#define rbxlua_istable(L,n) (rbxlua_type(L, (n), FALSE) == rbxlua_TTABLE)
#define rbxlua_islightuserdata(L,n) (rbxlua_type(L, (n), FALSE) == rbxlua_TLIGHTUSERDATA)
#define rbxlua_isnil(L,n) (rbxlua_type(L, (n), FALSE) != rbxlua_TUSERDATA)//== rbxlua_TNIL)
#define rbxlua_isboolean(L,n) (rbxlua_type(L, (n), FALSE) == rbxlua_TBOOLEAN)
#define rbxlua_isstring(L,n) (rbxlua_type(L, (n), FALSE) == rbxlua_TSTRING)
#define rbxlua_isnumber(L,n) (rbxlua_type(L, (n), FALSE) == rbxlua_TNUMBER)
#define rbxlua_isthread(L,n) (rbxlua_type(L, (n), FALSE) == rbxlua_TTHREAD)
#define rbxlua_isnone(L,n) (rbxlua_type(L, (n), TRUE) == rbxlua_TNONE)
#define rbxlua_isnoneornil(L, n) (rbxlua_type(L, (n), TRUE) <= 0)

// Global access is field access on the globals pseudo-index, as in Lua 5.1.
#define rbxlua_setglobal(L,s) rbxlua_setfield(L, rbxlua_GLOBALSINDEX, (s))
#define rbxlua_getglobal(L,s) rbxlua_getfield(L, rbxlua_GLOBALSINDEX, (s))
#define rbxlua_tostring(L,i) rbxlua_tolstring(L, (i), NULL)
// rbxlua_getService is only forward-declared on this page.
#define rbxlua_getservice(L,s) rbxlua_getService(L, (s))

////
// A "C function" is a closure with zero upvalues; note the resolved
// rbxlua_pushcclosure takes the function as an int, not a pointer type.
#define rbxlua_pushcfunction(L,f) rbxlua_pushcclosure(L, (f), 0)
#define rbxlua_register(L,n,f) (rbxlua_pushcfunction(L, (f)), rbxlua_setglobal(L, (n)))

// Pushes a string literal with its compile-time length.  rbxlua_pushlstring
// is not defined anywhere in this listing.
#define rbxlua_pushliteral(L, s) \
rbxlua_pushlstring(L, "" s, (sizeof(s)/sizeof(char))-1)

/*
** compatibility macros and functions
*/
#define rbxlua_getregistry(L) rbxlua_pushvalue(L, rbxlua_REGISTRYINDEX)
  136.  
// Overwrites the byte at addr with 0xEB (jmp rel8), i.e. turns a short
// conditional branch into an unconditional one in place.  The page is
// temporarily made PAGE_EXECUTE_READWRITE for a 5-byte span (only one byte
// is written) and the previous protection is restored afterwards.  Neither
// VirtualProtect result is checked.  restoreJb() below is its inverse.
static void setJb(DWORD addr) {
    DWORD oldProtection;
    VirtualProtect((LPVOID)addr, 0x05, PAGE_EXECUTE_READWRITE, &oldProtection);
    *(char*)addr = 0xEB;
    VirtualProtect((LPVOID)addr, 0x05, oldProtection, &oldProtection);
}
// Inverse of setJb(): writes 0x72 (jb rel8) back at addr.  It assumes the
// original byte was 0x72 rather than saving it; same unchecked
// VirtualProtect pair as setJb().  Neither function has a caller on this
// page.
static void restoreJb(DWORD addr) {
    DWORD oldProtection;
    VirtualProtect((void*)addr, 5, PAGE_EXECUTE_READWRITE, &oldProtection);
    *(char*)addr = 0x72;
    VirtualProtect((void*)addr, 5, oldProtection, &oldProtection);
}
  149.  
  150.  
  151. /*
  152. ** {======================================================================
  153. ** Debug API
  154. ** =======================================================================
  155. */
  156.  
  157. /*
  158. ** Event codes
  159. */
// Debug-hook event codes, copied from Lua 5.1's LUA_HOOK* values.  Nothing
// on this page uses them.
#define rbxlua_HOOKCALL 0
#define rbxlua_HOOKRET 1
#define rbxlua_HOOKLINE 2
#define rbxlua_HOOKCOUNT 3
#define rbxlua_HOOKTAILRET 4


/*
** Event masks
*/
// Bit masks derived from the event codes above (Lua 5.1 LUA_MASK*).
#define rbxlua_MASKCALL (1 << rbxlua_HOOKCALL)
#define rbxlua_MASKRET (1 << rbxlua_HOOKRET)
#define rbxlua_MASKLINE (1 << rbxlua_HOOKLINE)
#define rbxlua_MASKCOUNT (1 << rbxlua_HOOKCOUNT)
  174.  
  175. ////
  176.  
// Function-pointer types for the Lua C API entry points that are resolved
// at load time further down.  The state is passed around as a DWORD rather
// than a lua_State*, and several signatures deliberately differ from stock
// Lua 5.1: rbxlua_ToUserData returns int (lua_touserdata returns void*),
// rbxlua_PushCClosure takes the function as an int, and rbxlua_SetTop /
// rbxlua_PushValue / rbxlua_SetField are declared to return void*.  Which of
// these reflects the target build and which is simply loose typing cannot be
// told from this listing.
typedef void* (__cdecl *rbxlua_GetField)(DWORD luaState, int idx, const char *k);
typedef int(__cdecl *rbxlua_PCall)(DWORD luaState, int nargs, int nresults, int errfunc);
typedef void(__cdecl *rbxlua_PushString)(DWORD luaState, const char *s);
typedef void(__cdecl *rbxlua_PushNumber)(DWORD luaState, double Number);
typedef const char *(__cdecl *rbxlua_ToLString)(DWORD luaState, int idx, size_t *len);
typedef void* (__cdecl *rbxlua_PushValue)(DWORD luaState, int idx);
typedef int(__cdecl *rbxlua_GetTop)(DWORD luaState);
typedef void* (__cdecl *rbxlua_SetTop)(DWORD luaState, int n);
typedef int(__cdecl *rbxlua_ToUserData)(DWORD luaState, int idx);
typedef void* (__cdecl *rbxlua_SetField)(DWORD luaState, signed int idx, const char *k);
//typedef void(*rbxlua_SetField)(int luaState, int index, const char *k);
typedef void* (__cdecl *rbxlua_PushCClosure)(DWORD luaState, int fn, int n);
typedef BOOL(__cdecl *rbxlua_ToBoolean)(DWORD luaState, int idx);
typedef int(__cdecl *rbxlua_Next)(DWORD luaState, int idx);
typedef int(__cdecl *rbxlua_Type)(DWORD luaState, int idx);

//typedef int(__cdecl *rbxlua_pushcfunction)(DWORD luaState, int idx); // not correct args!!1
typedef int(__cdecl *rbxlua_Insert)(DWORD luaState, int idx);
typedef int(__cdecl *rbxlua_Remove)(DWORD luaState, int idx);

typedef int(__cdecl *rbxlua_IsString)(DWORD luaState, int idx); // new

// The four typedefs without an explicit convention default to the
// compiler's (cdecl under MSVC unless /Gz or similar is in effect).
typedef int(__cdecl *rbxlua_Newthread)(DWORD luaState);
typedef int(*rbxlua_error)(DWORD luaState);
typedef void(*rbxlua_createtable)(DWORD luaState, int narr, int nrec);
typedef void(*rbxlua_pushlightuserdata)(DWORD luaState, void *p);
typedef signed int(__cdecl *rbxlua_Setmetatable)(DWORD luaState, signed int idx);
typedef int(__cdecl *rbxlua_Newuserdata)(DWORD luaState, size_t size);
typedef void(*rbxlua_pushinteger)(DWORD luaState, ptrdiff_t n);
typedef double(__cdecl *rbxlua_ToNumber)(DWORD luaState, int idx);
typedef int(__cdecl *rbxlua_pushboolf)(DWORD luaState, int idx);

// __thiscall: these are C++ member functions of the host, called with the
// object pointer in ecx.  The std::string* parameter assumes the host's
// std::string layout matches the one this DLL was built against.
typedef int(__thiscall *rbxlua_chatthing)(void* players, std::string* message);

typedef int(__cdecl *rbxlua_Print)(int state, int* msginfo);

typedef int(__thiscall *dolotsmotscots)(void*, const char* message);
  214.  
  215.  
  216.  
  217.  
// Signatures of the undocumented ntdll exports NtSuspendProcess /
// NtResumeProcess, resolved by name at runtime in the two helpers below.
typedef LONG(NTAPI *NtSuspendProcess)(IN HANDLE ProcessHandle);
typedef LONG(NTAPI *NtResumeProcess)(IN HANDLE ProcessHandle);
// Suspends every thread of the CURRENT process (GetCurrentProcess() is the
// pseudo-handle for the caller) by calling the undocumented
// ntdll!NtSuspendProcess.  The calling thread suspends itself too, so only
// an external actor can resume.  GetProcAddress's result is used without a
// NULL check.  No caller appears in this listing.
static void SuspendProc()
{
    HANDLE processHandle = GetCurrentProcess();

    NtSuspendProcess pfnNtSuspendProcess = (NtSuspendProcess)GetProcAddress(
        GetModuleHandle(TEXT("ntdll")), "NtSuspendProcess");

    pfnNtSuspendProcess(processHandle);
}
// Counterpart of SuspendProc(): resumes the current process via
// ntdll!NtResumeProcess.  Same unchecked GetProcAddress pattern; no caller
// on this page.
static void ResumeProc()
{
    HANDLE processHandle = GetCurrentProcess();

    NtResumeProcess pfnNtResumeProcess = (NtResumeProcess)GetProcAddress(
        GetModuleHandle(TEXT("ntdll")), "NtResumeProcess");

    pfnNtResumeProcess(processHandle);
}
  238.  
// Exact repeats of the three typedefs already declared earlier in this
// file (rbxlua_chatthing, rbxlua_Print, dolotsmotscots).  An identical
// typedef redeclaration is legal C++, so this compiles, but one copy is
// redundant.
typedef int(__thiscall *rbxlua_chatthing)(void* players, std::string* message);

typedef int(__cdecl *rbxlua_Print)(int state, int* msginfo);

typedef int(__thiscall *dolotsmotscots)(void*, const char* message);
  244.  
// ---------------------------------------------------------------------------
// Resolution of the host's Lua API entry points.
//
// Every initializer below runs during this DLL's static initialization,
// i.e. at load time before DllMain, and does one of three things:
//   * rbxaddy(const)      -- rebase a hard-coded, build-specific address;
//   * SigScan(bytes,mask) -- find the function by byte signature (0 on miss);
//   * unprotect(...)      -- additionally build a patched RWX copy of it.
// A SigScan miss therefore leaves a null function pointer, and a miss fed
// into unprotect() dereferences near address 0 at load time.  The trailing
// /* ... */ blocks are the author's history of per-build addresses and
// hand-written locating hints; they are kept verbatim.
//
// Oddities worth knowing when reading the rest of the file:
//   * rbxlua_pushbool and _rbxlua_settop are both assigned rbxaddy(0x54A010).
//   * rbxlua_setmetatable's pattern is 33 bytes but its mask is 23 chars, so
//     only the first 23 bytes are compared.
//   * rbxlua_next, rbxlua_insert and rbxlua_remove are declared but never
//     initialized (zero-initialized statics, i.e. null).
// ---------------------------------------------------------------------------
static rbxlua_pushboolf rbxlua_pushbool = (rbxlua_pushboolf)rbxaddy(0x54A010); // 55 8B EC 8B 55 08 33 C0 39 45 0C

//55 8B EC 6A FF 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 51 56 8B 75 08 57 8B 4E 08 8B 44 31 60 3B 44 31 54 72
// Pattern uses \x00 bytes under '?' mask positions as wildcards.
static rbxlua_Newthread rbxlua_newthread = (rbxlua_Newthread)unprotect(SigScan("\x55\x8B\xEC\x6A\xFF\x68\x00\x00\x00\x00\x64\xA1\x00\x00\x00\x00\x50\x64\x89\x25\x00\x00\x00\x00\x51\x56\x8B\x75\x08\x57\x8B\x4E\x08", "xxxxxx????xx????xxxx????xxxxxxxxx")); // "Executing lua from signal, execution de" should be 0x5300000 sub by the middle


//55 8B EC 8B 55 08 ?? ?? ?? ?? ?? ?? ?? ?? F2 0F 10 45 0C
// NOTE(review): the bytes actually scanned for here are the ones the
// comment next to rbxlua_pushbool lists, not the ones on the line above.
static rbxlua_ToNumber rbxlua_tonumber = (rbxlua_ToNumber)unprotect(SigScan("\x55\x8B\xEC\x8B\x55\x08\x33\xC0\x39\x45\x0C", "xxxxxxxxxxx"));/*0x54A260);/*0x549010);/*0x546DE0);/*0x546DE0);/*0x546B50);/*0x5459C0);/*0x5465E0);/*0x5431A0);/*0x5411B0);/*0x540470);/*0x53D760);/*0x536900);/*0x534200);/*0x5348B0);/*0x534110;/*0x50EE90;/*0x517690;/*0x5180B0;
/* Find "elapsedTime" & "ElapsedTime"
follow the address inbetween them that looks like 'offset sub_NUMBERS'
there should be 2 subs.. it should be the second one :)
*/

// Not wrapped in unprotect(): called at its original location.
static rbxlua_PushString rbxlua_pushstring = (rbxlua_PushString)SigScan("\x55\x8B\xEC\x8B\x55\x0C\x85\xD2\x75\x0D", "xxxxxxxxxx");//0x54A2E0);//0x549090);//0x546E60);//0x546E60);//0x546BC0);//0x545A30);//0x546650);//0x543210);//0x541220);//0x5404E0);//0x53D7D0);//0x53E3C0);//0x53C2E0);//0x536C90);//0x536DC0);//0x536E10);//0x534270);//0x534AA0);//0x534920;//0x534180;//0x516F40;//0x517700;//0x518120;//0x518D60;//0x51C280;//0x51BA60;//0x53FE10; // "__tostring"
//updated
// setfield and getfield (further down) share all but the last three
// pattern bytes.
static rbxlua_SetField rbxlua_setfield = (rbxlua_SetField)unprotect(SigScan("\x55\x8B\xEC\x83\xEC\x10\x53\x56\x8B\x75\x08\x57\xFF\x75\x0C\x56\xE8\x00\x00\x00\x00\x8B\x55\x10\x83\xC4\x08\x8B\xCA\x8B\xF8\x8D\x59\x01\x8A\x01\x41\x84\xC0\x75\xF9\x2B\xCB\x51\x52\x56\xE8\x00\x00\x00\x00\x89\x45\xF0", "xxxxxxxxxxxxxxxxx????xxxxxxxxxxxxxxxxxxxxxxxxxx????xxx"));/*0x54AA30);/*0x5497E0);/*0x5475B0);/*0x5475B0);/*0x547290);/*0x546100);/*0x546D20);/*0x5438E0);/*0x5418F0);/*0x540BB0);/*0x53DEA0);/*0x53EA90);/*0x53C9B0);/*0x537360);/*0x537490);/*0x5374E0);/*0x534940);/*0x535170);/*0x533EC0;/*0x534FF0;/*0x534850;/*0x517610;/*0x517DD0;/*0x5187F0;/*0x517D90;//0x519430;/*0x51C950;//

//go below to repeated subs and it should look like:
/* // sub_51C950 is the setfield
sub_51C950(v5, -10002, "delay");
sub_51BEF0(v5, sub_508FF0, 0);
sub_51C950(v5, -10002, "Delay");
sub_51BEF0(v5, sub_51A6B0, 0);
sub_51C950(v5, -10002, "ypcall");
sub_51BEF0(v5, sub_51A6B0, 0);
*/
/*0x51C950;/*0x51C130;/*0x5404E0; /*0x53BDA0;
The 'call sub_NUMBERS' right under "wait" AKA aWait; // OLD METHOD


//updated */
static rbxlua_PushNumber rbxlua_pushnumber = (rbxlua_PushNumber)unprotect(SigScan("\x55\x8B\xEC\x8B\x55\x08\x56\x8B\x42\x08", "xxxxxxxxxx"));/*0x54A260);/*0x549010);/*0x546DE0);/*0x546DE0);/*0x546B50);/*0x5459C0);/*0x5465E0);/*0x5431A0);/*0x5411B0);/*0x540470);/*0x53D760);/*0x53E350);/*0x53C270);/*0x536C20);/*0x536D50);/*0x536DA0);/*0x534200);/*0x534A30);/*0x5348B0;/*0x534110;/*0x516ED0;/*0x517690;/*0x5180B0;/*0x518CF0;/*0x51C210;/*0x51C210;/*0x53FDA0;/*0x53FE50
At the very bottom of the string "math" AKA aMath and ontop of "pi" or aPi;
//updated */
static rbxlua_PCall rbxlua_pcall = (rbxlua_PCall)unprotect(SigScan("\x55\x8B\xEC\x8B\x45\x14\x83\xEC\x08\x53\x56", "xxxxxxxxxxx"));/*0x549D70);/*0x548B30);/*0x546900);/*0x546900);/*0x546720);/*0x545590);/*0x5461B0);/*0x542D60);/*0x540D80);/*0x540040);/*0x53D330);/*0x53DF20);/*0x53BE40);/*0x5367F0);/*0x536920);/*0x536970);/*0x533DB0);/*0x534600);/*0x534480;/*0x533CE0;/*0x516AA0;/*0x517260;/*0x517C80;/*0x5188C0;/*0x51BDE0;/*0x51B5C0;/*0x53F970;/*0x5388B0;
Find "Breakpoint %d condition runtime error: " AKA aBreakpointDC_0;
The first sub_NUMBERS in that function will be pcall;
*/
static rbxlua_ToLString rbxlua_tolstring = (rbxlua_ToLString)unprotect(SigScan("\x55\x8B\xEC\x56\x8B\x75\x08\x57\xFF\x75\x0C\x56\xE8\x00\x00\x00\x00\x8B\xF8", "xxxxxxxxxxxxx????xx"));/*0x54AF00);/*0x549CB0);/*0x547A80);/*0x547A80);/*0x547700);/*0x546570);/*0x5471A0);/*0x543D50);/*0x541D60);/*0x541020);/*0x53E310);/*0x53EF00);/*0x53CE20);/*0x5377D0);/*0x537900);/*0x537950);/*0x534DB0);/*0x5355E0);/*0x535460;/*0x534CC0;/*0x517A80;/*0x518240;/*0x518C60;/*0x5198A0;/*0x51CDC0;/*0x51C5A0;/*0x532450; /*0x53C150;
Find "!handler.empty()" AKA aHandler_empty;
And follow the 'jnz short loc_NUMBERS' right under the emptyhandler;
And find the first sub_NUMBERS and your done!1;
*/
//updated// newproxy only supports the arguments ni
// Hard-coded address; same value as rbxlua_pushbool above.
static rbxlua_SetTop _rbxlua_settop = (rbxlua_SetTop)rbxaddy(0x54A010);/*0x549E30);/*0x548BF0);/*0x5469C0);/*0x5469C0);/*0x547520);/*0x546390);/*0x546FC0);/*0x543B70);/*0x541B80);/*0x540E40);/*0x53E130);/*0x53ED20);/*0x53CC40);/*0x5375F0);/*0x537720);/*0x537770);/*0x533810);/*0x535280;/*0x533EE0;/*0x533740;/*0x516500;/*0x516CC0;/*0x5176E0;/*0x518320;/*0x51/B840;/*0x51B020;/*0x540770;/*0x53F3D0; /*0x53BFB0;
Find "top+1 == lua_gettop(functionThread)" AKA aTop1rbxlua_gettop;
And the first sub_NUMBERS on the function is the address;
*/
//updated
static rbxlua_ToBoolean _rbxlua_toboolean = (rbxlua_ToBoolean)rbxaddy(0x54B060);/*0x54AE80);/*0x549C30);/*0x547A00);/*0x547A00);/*0x547680);/*0x5464F0);/*0x547120);/*0x543CD0);/*0x541CE0);/*0x540FA0);/*0x53E290);/*0x53EE80);/*0x53CDA0);/*0x537750);/*0x537880);/*0x5378D0);/*0x534D30);/*0x5353E0);/*0x534C40;/*0x517A00;/*0x5181C0;/*0x518BE0;/*0x519820;/*0x51CD40;/*0x51C520;/*0x5408D0; /*0x53C0D0;
Find "isdst" AKA aIsdst;
And follow the 'jnz short loc_NUMBERS' in the function;
And it will be the sub_NUMBERS in the function;
[normally right under the aIsdst function];
//updated */
// Used by the rbxlua_type() wrapper below; not wrapped in unprotect().
static rbxlua_Type _rbxlua_type = (rbxlua_Type)SigScan("\x55\x8B\xEC\xFF\x75\x0C\xFF\x75\x08\xE8\x00\x00\x00\x00\x83\xC4\x08\x3D\x00\x00\x00\x00\x75\x05", "xxxxxxxxxx????xxxx????xx");/*0x54B2C0);/*0x54A070);/*0x547E40);/*0x547E40);/*0x547A70);/*0x5468E0);/*0x547510);/*0x5440C0);/*0x5420D0);/*0x541390);/*0x53E680);/*0x53F270);/*0x53D190);/*0x537B40);/*0x537C70);/*0x537CC0);/*0x535120);/*0x535950);/*0x5357D0;/*0x535030;/*0x517DF0;/*0x5185B0;/*0x518FD0;/*0x519C10;/*0x51D130;/*0x51C910;/*0x540CC0; /*0x53C440;
Find "rbxlua_isthread(functionThread, -1)" AKA arbxlua_isthreadFu;
It will be the first sub_NUMBERS in the function;
//updated */
static rbxlua_GetField rbxlua_getfield = (rbxlua_GetField)unprotect(SigScan("\x55\x8B\xEC\x83\xEC\x10\x53\x56\x8B\x75\x08\x57\xFF\x75\x0C\x56\xE8\x00\x00\x00\x00\x8B\x55\x10\x83\xC4\x08\x8B\xCA\x8B\xF8\x8D\x59\x01\x8A\x01\x41\x84\xC0\x75\xF9\x2B\xCB\x51\x52\x56\xE8\x00\x00\x00\x00\xFF\x76\x10", "xxxxxxxxxxxxxxxxx????xxxxxxxxxxxxxxxxxxxxxxxxxx????xxx"));/*0x549550);/*0x548310);/*0x5460E0);/*0x5460E0);/*0x545FE0);/*0x544E50);/*0x545A70);/*0x542620);/*0x540640);/*0x53F900);/*0x53CBF0);/*0x53D7E0);/*0x53B700);/*0x5360B0);/*0x5361E0);/*0x536230);/*0x533670);/*0x533EC0);/*0x533D40;/*0x5335A0;/*0x516360;/*0x516B20;/*0x517540;/*0x518180;/*0x518180;/*0x51B6A0;/*0x51D130;/*0x51B6A0;/*0x51B6A0;/*0x51AE80;/*0x53F230; /*0x53AE70;
Find "__unm" AKA a__unm [it should say offset to the left of a_unm];
Follow the 'offset sub_NUMBERS' right underneath it;
Follow the last loc_NUMBERS in the function;
It should be the first sub_NUMBERS;
//updated */
static rbxlua_PushValue rbxlua_pushvalue = (rbxlua_PushValue)unprotect(SigScan("\x55\x8B\xEC\x56\xFF\x75\x0C\x8B\x75\x08\x56\xE8\x00\x00\x00\x00\x8B\x56\x10\x83\xC4\x08", "xxxxxxxxxxxx????xxxxxx"));/*0x54A3A0);/*0x549150);/*0x546F20);/*0x546F20);/*0x546CB0);/*0x545B20);/*0x546740);/*0x543300);/*0x541310);/*0x5405D0);/*0x53D8C0);/*0x53E4B0);/*0x53C3D0);/*0x536D80);/*0x536EB0);/*0x536F00);/*0x534360);/*0x534B90);/*0x534A10;/*0x534270;/*0x517030;/*0x5177F0;/*0x518210;/*0x518E50;/*0x51C370;/*0x51CB70;/*0x572700;/*0x51BB50;/*0x53FF00; /*0x53B8D0;
Find "%s.%s" AKA aS_S;
In the function look for 'jz short loc_NUMBERS' and follow it;
And it should be the second to last 'call sub_NUMBERS' in the function;
//updated */
static rbxlua_GetTop _rbxlua_gettop = (rbxlua_GetTop)rbxaddy(0x549900);/*0x549720);/*0x5484E0);/*0x5462B0);/*0x5462B0);/*0x546180);/*0x544FF0);/*0x545C10);/*0x5427C0);/*0x5407E0);/*0x53FAA0);/*0x53CD90);/*0x53D980);/*0x53B8A0);/*0x536250);/*0x536380);/*0x5363D0);/*0x533810);/*0x534060);/*0x533EE0;/*0x533740;/*0x516500;/*0x516CC0;/*0x5176E0;/*0x518320;/*0x51B840;/*0x51B020;/*0x53F3D0; /*0x53AFB0;
Find "tostring" AKA aTostring;
It will be right on top of the "offset aTostring ; "tostring"";
*/
static rbxlua_ToUserData rbxlua_touserdata = (rbxlua_ToUserData)SigScan("\x55\x8B\xEC\x56\x8B\x75\x08\x6A\x01\x56\xE8\x00\x00\x00\x00\x8D\x45\x10", "xxxxxxxxxxx????xxx");/*0x54B290);/*0x54A040);/*0x547E10);/*0x547E10);/*0x547A40);/*0x5468B0);/*0x5474E0);/*0x544090);/*0x5420A0);/*0x541360);/*0x53E650);/*0x53F240);/*0x53D160);/*0x537B10);/*0x537C40);/*0x5357A0);/*0x517DC0;/*0x518580;/*0x518FA0;/*0x519BE0;/*0x51D100;/*0x51C8E0;/*0x540C90; /*0x53C410;
Find "Bad argument materials[%d][%d][%d] to '" AKA aBadArgumentM_0;
Should be the 3rd sub_NUMBERS in the function;
[and the 1st and 2nd should possibly be the same]
*/
// Never initialized: null function pointer.
static rbxlua_Next rbxlua_next;

// Hard-coded, rebased address of a host member function (see typedef).
static rbxlua_chatthing _rbxluachat = (rbxlua_chatthing)rbxaddy(0xB1C2E0);

static rbxlua_PushCClosure rbxlua_pushcclosure = (rbxlua_PushCClosure)unprotect(SigScan("\x55\x8B\xEC\x56\x8B\x75\x08\x8B\x4E\x08\x8B\x44\x0E\x60", "xxxxxxxxxxxxxx"));
// Never initialized: null function pointers.
static rbxlua_Insert rbxlua_insert;
static rbxlua_Remove rbxlua_remove;

// Mask is shorter than the pattern; only the first 23 bytes are compared.
static rbxlua_Setmetatable rbxlua_setmetatable = (rbxlua_Setmetatable)unprotect(SigScan("\x55\x8B\xEC\x56\x8B\x75\x08\x57\x8B\x4E\x08\x8B\x44\x31\x60\x3B\x44\x31\x54\x72\x09\x56\xE8\x00\x00\x00\x00\x83\xC4\x04\x8B\x46\x0C", "xxxxxxxxxxxxxxxxxxxxxxx"));

static rbxlua_Newuserdata rbxlua_newuserdata = (rbxlua_Newuserdata)unprotect(SigScan("\x55\x8B\xEC\x53\x56\x57\xFF\x75\x0C\x8B\x7D\x08\x57\xE8", "xxxxxxxxxxxxxx"));
  335.  
// Wrapper around the resolved _rbxlua_type.  It calls the host function with
// Size passed as the stack index (size_t narrowed to int) and then DISCARDS
// the result: the function always returns 0, whatever the host reported.
// The luaIsNil parameter is never read.  Consequently every rbxlua_is*
// macro above compares 0 against its tag.
//
// The try/catch only intercepts C++ exceptions (caught by value, which
// slices); an access violation from a null _rbxlua_type (SigScan miss) is an
// SEH exception and is not caught here unless the DLL is built with /EHa.
static int rbxlua_type(DWORD luaState, size_t Size, BOOL luaIsNil)
{
    try
    {
        _rbxlua_type(luaState, Size);
    }
    catch (std::exception e)
    {

    }
    return 0;
}
  348.  
  349. // RunCommand.h
  350. #include <Windows.h>
  351. #include <iostream>
  352. #include <vector>
  353. #include <iterator>
  354. #include <sstream>
  355. #include "CoreMain.h"
  356. #include "LuaFuncs.h"
  357.  
  358. /*
  359. extern "C"
  360. {
  361. #include "CoreLua\lua.h"
  362. #include "CoreLua\lauxlib.h"
  363. #include "CoreLua\lualib.h"
  364. #include "CoreLua\lopcodes.h"
  365. #include "CoreLua\lstring.h"
  366. #include "CoreLua\lfunc.h"
  367. #include "CoreLua\ldo.h"
  368. #include "CoreLua\lvm.h"
  369. }
  370. */
  371.  
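// Splits s on runs of whitespace (stream extraction semantics) and returns
// the non-empty tokens in order.  Differs from GetArguments() below, which
// splits on single ' ' characters and keeps empty fields.
//
// Change vs. the original: the unused `elems` vector (a dead allocation on
// every call) is gone; behaviour is otherwise unchanged.
std::vector<std::string> split(std::string s) {
    std::stringstream ss(s);
    std::istream_iterator<std::string> first(ss);
    std::istream_iterator<std::string> last;
    return std::vector<std::string>(first, last);
}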
  380.  
// Reads one line from standard input (without the trailing newline) and
// returns it.  On EOF or a stream error the returned string is whatever was
// read so far, possibly empty; the stream state is not inspected.
std::string Input() {
    std::string line;
    std::getline(std::cin, line);
    return line;
}
  386.  
// Neutralises kernel32!FreeConsole for this process by overwriting its first
// byte with 0xC3 (ret).  &FreeConsole resolves through the dllimport
// declaration to the real export, so this is an inline code patch of a
// system DLL page (copy-on-write makes it process-local).  The page is left
// PAGE_EXECUTE_READWRITE: the old protection is captured in `nothing` and
// never restored.
//
// Detection note: comparing the in-memory prologue of exported kernel32
// functions against the on-disk image (or against other processes) exposes
// exactly this kind of one-byte stub.
void ConsoleHacks()
{
    DWORD nothing;
    VirtualProtect((PVOID)&FreeConsole, 1, PAGE_EXECUTE_READWRITE, &nothing); // author's note: the host calls FreeConsole, so it is stubbed out
    *(BYTE*)(&FreeConsole) = 0xC3;
}
  393.  
// Creates a console for the process, sets its title, redirects the C stdio
// stdout/stdin streams to it, and forces the console window to be topmost
// and visible.  The freopen() results are ignored, so a redirect failure
// goes unnoticed and later printf/getline calls would silently misbehave.
void Console(char* title) { //void console haxs
    AllocConsole();
    SetConsoleTitleA(title);
    freopen("CONOUT$", "w", stdout);
    freopen("CONIN$", "r", stdin);
    HWND ConsoleHandle = GetConsoleWindow(); //gets the console window
    ::SetWindowPos(ConsoleHandle, HWND_TOPMOST, 0, 0, 0, 0, SWP_DRAWFRAME | SWP_NOMOVE | SWP_NOSIZE | SWP_SHOWWINDOW); //make the console topmost (above the host window)
    //topmost function: Look at http://www.cplusplus.com/forum/windows/125528/
    ::ShowWindow(ConsoleHandle, SW_NORMAL); //show window
}
  404.  
// Compile-time string hash used as the switch key in DoCommand().
//
// Hashes str[h..] right-to-left: starting from 5381 at the terminator, each
// character folds in as (hash * 33) ^ c.  Written iteratively here; the
// value is identical to the recursive formulation for every input, and the
// function stays constexpr so it can appear in case labels.
constexpr unsigned int _INT(const char* str, int h = 0) {
    int end = h;
    while (str[end] != '\0')
        ++end;
    unsigned int hash = 5381;
    for (int i = end - 1; i >= h; --i)
        hash = (hash * 33) ^ str[i];
    return hash;
}
  408.  
// Splits input on single ' ' characters.
//
// One leading space is stripped.  Each ' ' terminates a field (so two
// adjacent spaces yield an empty field), and whatever follows the last
// space up to the end of the string is the final field.  A trailing space
// therefore produces no empty final field.  An empty input yields an empty
// vector.
std::vector<std::string> GetArguments(std::string input) {
    std::vector<std::string> fields;

    if (!input.empty() && input[0] == ' ') {
        input = input.substr(1);
    }

    const std::size_t len = input.size();
    std::size_t fieldStart = 0;
    std::size_t cur = 0;

    while (cur < len) {
        const bool atSeparator = (input[cur] == ' ');
        const bool atEnd = (cur + 1 == len);

        if (atSeparator) {
            fields.push_back(input.substr(fieldStart, cur - fieldStart));
            fieldStart = cur + 1;
        }
        else if (atEnd) {
            fields.push_back(input.substr(fieldStart));
        }
        ++cur;
    }
    return fields;
}
  431.  
// Console command dispatcher.  Splits Cmd with GetArguments(), takes the
// first field as the command word and the rest as arguments, resolves the
// arguments to player handles via GetPlayersFromMessage(), then switches on
// _INT(command).  Each case drives the host's Lua stack through the
// resolved rbxlua_* entry points.
//
// Names not defined on this page (GetPlayersFromMessage, GetName, luaState)
// come from the headers included above; their contracts are not visible
// here.
//
// Control-flow notes, stated as the code is written:
//   * args.front() is evaluated before the emptiness check on args.size(),
//     so an empty command line reaches front() on an empty vector.
//   * No case ends with `break`, so after the matched case runs, control
//     falls through every following case in order.
//   * Each per-player loop uses `players.size()` as its condition rather
//     than `i < players.size()`.
//   * Exceptions are caught by value (std::exception e), which slices.
void DoCommand(std::string Cmd) {
    try {
        std::vector<std::string> args = GetArguments(Cmd);
        //std::string cmdarg = command.at(1).c_str();
        std::string command = args.front(); args.erase(args.begin());
        std::vector<DWORD> players = GetPlayersFromMessage(args);
        if (args.size() != NULL) {
            switch (_INT(command.c_str()))
            {
            case _INT("ff"):
            {
                try {
                    for (std::size_t i = 0; players.size(); i++) {
                        std::string* Player = GetName(players[i]);
                        rbxlua_getglobal(luaState, "game");
                        rbxlua_getfield(luaState, -1, "Players");
                        rbxlua_getfield(luaState, -1, Player->c_str());
                        rbxlua_getfield(luaState, -1, "Character");
                        rbxlua_getglobal(luaState, "Instance");
                        rbxlua_getfield(luaState, -1, "new");
                        rbxlua_pushstring(luaState, "ForceField");
                        rbxlua_pushvalue(luaState, -4);
                        rbxlua_pcall(luaState, 2, 1, 0);
                    }
                }
                catch (std::exception e)
                {

                }
            }
            case _INT("kill"):
            {
                try {
                    for (std::size_t i = 0; players.size(); i++) {
                        std::string* Player = GetName(players[i]);
                        rbxlua_getglobal(luaState, "game");
                        rbxlua_getfield(luaState, -1, "Players");
                        rbxlua_getfield(luaState, -1, Player->c_str());
                        rbxlua_getfield(luaState, -1, "Character");
                        rbxlua_getfield(luaState, -1, "BreakJoints");
                        rbxlua_pushvalue(luaState, -2);
                        rbxlua_pcall(luaState, 1, 0, 0);
                    }
                }
                catch (std::exception e)
                {

                }
            }
            case _INT("time"): {
                std::string timefloat = args.at(0).c_str();
                rbxlua_getglobal(luaState, "game");
                rbxlua_getfield(luaState, -1, "Lighting");
                rbxlua_pushstring(luaState, timefloat.c_str());
                rbxlua_setfield(luaState, -2, "TimeOfDay");
            }
            case _INT("print"):
            {
                std::string msg = args.at(0).c_str();
                rbxlua_getglobal(luaState, "print");
                rbxlua_pushstring(luaState, msg.c_str());
                rbxlua_pcall(luaState, 1, 0, 0);
            }
            case _INT("sparkles"):
            {
                for (std::size_t i = 0; players.size(); i++) {
                    std::string* Player = GetName(players[i]);
                    rbxlua_getglobal(luaState, "game");
                    rbxlua_getfield(luaState, -1, "Players");
                    rbxlua_getfield(luaState, -1, Player->c_str());
                    rbxlua_getfield(luaState, -1, "Character");
                    rbxlua_getfield(luaState, -1, "Torso");
                    rbxlua_getglobal(luaState, "Instance");
                    rbxlua_getfield(luaState, -1, "new");
                    rbxlua_pushstring(luaState, "Sparkles");
                    rbxlua_pushvalue(luaState, -4);
                    rbxlua_pcall(luaState, 2, 1, 0);
                }
            }
            case _INT("fire"):
            {
                for (std::size_t i = 0; players.size(); i++) {
                    std::string* Player = GetName(players[i]);
                    rbxlua_getglobal(luaState, "game");
                    rbxlua_getfield(luaState, -1, "Players");
                    rbxlua_getfield(luaState, -1, Player->c_str());
                    rbxlua_getfield(luaState, -1, "Character");
                    rbxlua_getfield(luaState, -1, "Torso");
                    rbxlua_getglobal(luaState, "Instance");
                    rbxlua_getfield(luaState, -1, "new");
                    rbxlua_pushstring(luaState, "Fire");
                    rbxlua_pushvalue(luaState, -4);
                    rbxlua_pcall(luaState, 2, 1, 0);
                }
            }
            case _INT("smoke"):
            {
                for (std::size_t i = 0; players.size(); i++) {
                    std::string* Player = GetName(players[i]);
                    rbxlua_getglobal(luaState, "game");
                    rbxlua_getfield(luaState, -1, "Players");
                    rbxlua_getfield(luaState, -1, Player->c_str());
                    rbxlua_getfield(luaState, -1, "Character");
                    rbxlua_getfield(luaState, -1, "Torso");
                    rbxlua_getglobal(luaState, "Instance");
                    rbxlua_getfield(luaState, -1, "new");
                    rbxlua_pushstring(luaState, "Smoke");
                    rbxlua_pushvalue(luaState, -4);
                    rbxlua_pcall(luaState, 2, 1, 0);
                }
            }
            case _INT("fog"):
            {
                std::string pusharg = args.at(0).c_str();
                rbxlua_getglobal(luaState, "game");
                rbxlua_getfield(luaState, -1, "Lighting");
                rbxlua_pushstring(luaState, pusharg.c_str());
                rbxlua_setfield(luaState, -2, "FogEnd");
            }
            case _INT("ragdoll"):
            {
                for (std::size_t i = 0; players.size(); i++) {
                    std::string Player = *GetName(players[i]);
                    rbxlua_getglobal(luaState, "game");
                    rbxlua_getfield(luaState, -1, "Workspace");
                    rbxlua_getfield(luaState, -1, Player.c_str());
                    rbxlua_getfield(luaState, -1, "Humanoid");
                    rbxlua_pushstring(luaState, "1");
                    rbxlua_setfield(luaState, -2, "PlatformStand");
                }
            }
            case _INT("noob"):
            {
                try {
                    for (std::size_t i = 0; players.size(); i++) {
                        std::string Player = *GetName(players[i]);
                        rbxlua_getglobal(luaState, "game");
                        rbxlua_getfield(luaState, -1, "Players");
                        rbxlua_getfield(luaState, -1, Player.c_str());
                        rbxlua_pushstring(luaState, "false");
                        rbxlua_setfield(luaState, -2, "CanLoadCharacterAppearance");
                    }
                }
                catch (std::exception e)
                {

                }
            }
            case _INT("regular"):
            {
                try {
                    for (std::size_t i = 0; players.size(); i++) {
                        std::string Player = *GetName(players[i]);
                        rbxlua_getglobal(luaState, "game");
                        rbxlua_getfield(luaState, -1, "Players");
                        rbxlua_getfield(luaState, -1, Player.c_str());
                        rbxlua_pushstring(luaState, "1");
                        rbxlua_setfield(luaState, -2, "CanLoadCharacterAppearance");
                    }
                }
                catch (std::exception e)
                {

                }
            }
            case _INT("animate"):
            {
                try {
                    for (std::size_t i = 0; players.size(); i++)
                    {
                        std::string Player = *GetName(players[i]);
                        rbxlua_getglobal(luaState, "game");
                        rbxlua_getfield(luaState, -1, "Workspace");
                        rbxlua_getfield(luaState, -1, Player.c_str());
                        rbxlua_getfield(luaState, -1, "Animate");
                        rbxlua_pushstring(luaState, "1");
                        rbxlua_setfield(luaState, -2, "Disabled");
                    }
                }
                catch (std::exception e)
                {

                }
            }
            case _INT("fegod"):
            {
                // Hard-coded object name rather than a player argument.
                rbxlua_getglobal(luaState, "game");
                rbxlua_getfield(luaState, -1, "Workspace");
                rbxlua_getfield(luaState, -1, "RipAxstin");
                rbxlua_getfield(luaState, -1, "Humanoid");
                rbxlua_getfield(luaState, -1, "Health");
                rbxlua_getfield(luaState, -1, "Destroy");
                rbxlua_pcall(luaState, 1, 1, 0);
                printf("fegod ran.\n");
            }
            case _INT("terrianclr"):
            {
                rbxlua_getglobal(luaState, "game");
                rbxlua_getfield(luaState, -1, "Workspace");
                rbxlua_getfield(luaState, -1, "Terrian");
                rbxlua_getfield(luaState, -1, "Clear");
                rbxlua_pushvalue(luaState, -2);
                rbxlua_pcall(luaState, 1, 0, 0);
            }
            }
        }
    }
    catch (std::exception e)
    {
        // Outer catch: any C++ exception from parsing or dispatch ends up
        // here and only prints a blank line.
        printf("\r\n");
    }
}
  644.  
  645. // Main.cpp
  646.  
  647. #include "RbxOffsets.h"
  648. #include "Memory.h"
  649. #include "LuaFuncs.h"
  650. #include "CoreMain.h"
  651. #include "RunCommand.h"
  652. #include "CoreChecks.h"
  653.  
  654.  
  655.  
  656. using namespace std;
  657.  
// Another __thiscall host member function resolved by byte signature at
// load time (static initializer, runs before DllMain).  Not wrapped in
// unprotect(); a SigScan miss leaves it null.  No caller on this page.
typedef int(__thiscall *nsopenstate)(DWORD self);
nsopenstate openstate = (nsopenstate)SigScan("\x55\x8B\xEC\x56\x57\x6A\x05", "xxxxxxx");
  660.  
// Reads the byte at Workspace + 0x25B.
//
// NOTE(review): the parameter is a single BYTE, so any pointer passed in is
// truncated to 8 bits and the address read is at most 0x35A -- almost
// certainly not what was intended (a DWORD/pointer parameter would be).
// No caller appears in this listing.
static BYTE GetFE(BYTE Workspace)
{
    return *(byte*)(Workspace + 0x25B);
}
  665.  
// Thread entry started from DllMain.  Sequence:
//   1. ConsoleHacks() patches FreeConsole, Console("") opens a topmost
//      console (empty title) and redirects stdio to it.
//   2. Memory::Scan (from a header not on this page) is asked to find the
//      4-byte value ScriptContextAddress in PAGE_READWRITE memory; the hit
//      is kept in an int named ScriptContext.
//   3. DataModel / Players / Workspace (globals from the headers) are derived
//      from it via GetParent / FindFirstClass, also not defined here.
//   4. luaState is computed as the DWORD at ScriptContext+220 minus that
//      slot's own address -- presumably the slot stores a self-relative
//      offset; cannot be confirmed from this listing.
//   5. Loops forever reading a line from the console and passing it to
//      DoCommand().  The thread never returns; the DLL cannot unload cleanly.
//
// hPipe, buffer and dwRead are declared but never used.  A C++ exception
// anywhere in the sequence is swallowed silently, leaving the console open
// with no command loop.
void Main()
{
    try {
        ConsoleHacks();
        Console("");
        printf("Scanning... ");
        DWORD ScriptContextVftable = ScriptContextAddress;
        int ScriptContext = Memory::Scan(PAGE_READWRITE, (char*)&ScriptContextVftable, "xxxx");
        DataModel = GetParent(ScriptContext);
        Players = FindFirstClass(DataModel, "Players");
        Workspace = FindFirstClass(DataModel, "Workspace");
        luaState = *(DWORD*)(ScriptContext + 220) - (ScriptContext + 220);
        printf("OK!\n");
        std::cout << "Current LuaState: " << std::hex << luaState << "\n";
        HANDLE hPipe;
        char buffer[1024];
        DWORD dwRead;
        do
        {
            std::string x = Input();
            DoCommand(x);
        } while (true);
    }
    catch (std::exception e)
    {

    }
}
  694.  
// DLL entry point.  On Reason == 1 (DLL_PROCESS_ATTACH) it immediately
// spawns a thread running Main() and returns TRUE.  Spawning a worker from
// DllMain at attach time is the classic injected-DLL pattern and is exactly
// what loader/thread-creation telemetry keys on (a new thread whose start
// address lies in a module that was just mapped).
//
// The cast of Main (void, no parameters) to LPTHREAD_START_ROUTINE
// (DWORD WINAPI fn(LPVOID)) mismatches both signature and calling
// convention; whether it works depends on the thread-start thunk tolerating
// the stack imbalance.  The CreateThread handle is never closed.
int __stdcall DllMain(HMODULE DLL, DWORD Reason, void* Useless) {
    if (Reason == 1) {
        CreateThread(0, 0, (LPTHREAD_START_ROUTINE)Main, 0, 0, 0);
    }
    return TRUE;
}