Tutorial | Learning to dump Roblox and creating a basic print C++ exploit

Credits to DeepPain for teaching me this.
https://wearedevs.net/profile?uid=59316

What you're going to need:

-- IDA By Hex Rays - https://mega.nz/file/JNMlDa6L#BJruQfumHZg2khTLChKTcsd63Vk5jxt7SWhyFk5PpJg
-- PE Tools - https://github.com/petoolse/petools/releases/download/v1.9.762/PE.Tools.v1.9.762.2018.7z
-- General knowledge on game exploiting

Part 1 - Dumping Roblox and Rebasing:

Go on any roblox game and hit play. Once your roblox game loads up, open your PE tools and look for RobloxPlayerBeta.exe in the process list, and once you've found it, right click it and press Dump Full, then save the new exe somewhere.

Go and open IDA 32-bit and open the new exe on there. Once you've done that, look on the top bar and go on Edit > Segments > Rebase Program. Once you have gotten there, rebase the program to: 0x400000 and continue.



Part 2 - Finding the print Address:

Once roblox is dumped and rebased, you can now start searching for the strings. Look again on the top bar and go on View > Open subviews > Strings. After you have completed that and it's loaded, on your keyboard, hit the keys CTRL + F and a search bar should've popped up. On that search bar, search up the string Video recording started and hit enter.

https://media.discordapp.net/attachments/737974508459130942/741288487449264128/unknown.png

You should be there now, double click that, and a message should pop up, just continue and hit OK. 

https://media.discordapp.net/attachments/740507546413957212/741334164619395133/unknown.png

Click on aVideoRecordi_0 and then on your keyboard hit X, and a message should pop up, just continue and hit OK. .

https://media.discordapp.net/attachments/740507546413957212/741333039937749122/unknown.png

Double click the FIRST CALL under aVideoRecordi_0 and it will take you to the print function. After, press TAB or F5 and you will be shown the pseudocode for print. On the first line is your calling connection and your print address.

https://media.discordapp.net/attachments/737974508459130942/741341702496976916/unknown.png

So your calling is __cdecl and your address is 5F2D70. And there you go, you have your address and your calling, which you are next going to need to make the exploit.



Part 3 - Beginning the Exploit:

Open your visual studio and create a Empty C++ Project. After you've created your project, add a new .cpp file. After you've done that, click on your Project > Properties and then set the output type from .EXE (Windows Application) to .DLL (Dynamic Link Library) and then we can now start our code. 

Now let's add our imports:

#define _CRT_SECURE_NO_DEPRICATE #define _CRT_SECURE_NO_WARNINGS #include <Windows.h> #include <iostream>

So since it's a .DLL we need a way to execute our code once it's injected, simply head HERE and copy and paste the code

Part 4 - Bypasses:

Roblox has code in place to stop people using consoles which is very easy to bypass. You might see it in most exploit sources: 

DWORD asdmemes; VirtualProtect((PVOID)&FreeConsole, 1, PAGE_EXECUTE_READWRITE, &asdmemes); *(BYTE*)(&FreeConsole) = 0xC3; AllocConsole(); SetConsoleTitleA("Exploit"); freopen("CONOUT$", "w", stdout); freopen("CONIN$", "r", stdin); HWND ConsoleHandle = GetConsoleWindow(); ::SetWindowPos(ConsoleHandle, HWND_TOP, 0, 0, 0, 0, SWP_DRAWFRAME | SWP_NOMOVE | SWP_NOSIZE | SWP_SHOWWINDOW); ::ShowWindow(ConsoleHandle, SW_NORMAL);

After this we are gonna be needing a ALSR bypass, thankfully this can be achieved by just one line of code:

#define x(x) (x - 0x400000 + (DWORD)GetModuleHandleA(0))

 

 

Part 5 - Finishing up:


Now we have to create a print function so we can call it and exploit in roblox, we simply make the function with this code:

 

typedef int(__cdecl* RPrint)(int, const char*, ...); RPrint r_Print = (RPrint)x(0x5F2D70);

And then you just call it by doing r_Print(0,"Text here"); , and there you go! Your first print exploit.
I hope you've learnt something from this, and can come to you for help in the future.

Here's the final code:
https://pastebin.com/raw/kLmA1ZfW

Bye for now!
EDIT: REALIZED I PUT WRONG LINK FOR PE LINKS, SORRY