Posted
Hello!
So in the past I've been working a lot with the trustcheck in Roblox.
This is because I was writing a trustcheck bypass which turned out really good.
While writing this trustcheck bypass I noticed that whenever you're calling Game:HttpGetAsync you will be prompted with an error:
'Game:HttpGetAsync is only available in non-networked DMs'
So I decided to do a quick Google search to see what this meant, and I landed on a thread made by TrapFX (link).
After seeing how TrapFX went about "bypassing" this issue to achieve a trustcheck bypass, I lost faith in humanity. No hard feelings, but bypassing it by modifying some instruction will not do in the long run.
After a quick string search in IDA disassembler I could see the pseudocode of the function. I could quickly map the important variables and create a struct just to make it easier for your eyes to read.
https://i.imgur.com/iwRJfA5.png
Here's the same pseudocode without the structure:
https://i.imgur.com/Epi455e.png
So.. what does this tell us?
Well it tells us everything we need to know. DataModel + Offset should be 3, if not it will throw the same error as before.
Just by reading the error we know that DataModel + Offset is somewhat a networked-state in Roblox. (Could be wrong, I don't have the RBX source I just assume!)
All that is important to us is that it should be 3 when calling HttpGetAsync :)
Let's write some code to make this happen.
https://i.imgur.com/0X78Tqc.png
As you can see, it was really simple. We get the game instance and subtract the Instance offset, since we don't want to do anything with the Instance itself. Then we just set the networkedState.
Is this detected? Shouldn't be, but could be in the future if they try to read the value and compare it (or set it and read later on). That's why this code would be better in that case:
https://i.imgur.com/J6ptcId.png
If you're using the first code snippet you could put it where you inject or whenever (as long as you have Roblox LS). If you're using the second one you should put it in your HttpGet function.
That's all I've got to share for today.
Maybe next thread will be a full trustcheck bypass, we'll see.
Bye!
https://yesitskiko.github.io/about-me/
I've got a PHD in Scratch.
Replied
Instead of dealing with this, I suggest wrapping this into a custom function and just calling it from Lua:
getgenv().HttpGet = function(self, link)
local ndm = setndm(3)
local returned = doHttpGet(link) -- your httpget function
setndm(ndm)
return returned
end
std::int32_t environment::set_networked_datamodel(std::uintptr_t rL)
{
const auto ndm = (r_get_data_model() - 0xC) + networked_dm;
*reinterpret_cast<std::uintptr_t*>(ndm) = 3;
return 1;
}
Replied
@59576
Well yeah that's literally what I was saying..
If you're using the second one you should put it in your HttpGet function.
Replied
I feel dumb reading y'all's replies lol
Replied
Since I was doing this for android I couldn't bother implementing Curl. Easier this way.
If I were to do it on Desktop I would though.
Replied
@59576
unclean ...