
How to Printsploit

Skid_Destroyer

Self Taught (Pro)grammer

Posts: 10

Threads: 2

Joined: Jul, 2022

Reputation: 3

Posted

Good Morning, skids.

 

Today we learn how to call and find a simple function in Roblox.

 

Requirements -> IDA Pro and anything that is able to reconstruct the imports (such as Scylla or PE Tools).

 

 

 

Step 1 - Dump Roblox

 

Dump Roblox.

 

Step 1.1 -> Select Roblox's Main Process (the process that uses more resources, the other one is yara).

 

https://cdn.discordapp.com/attachments/972845808678490146/996309033793372161/unknown.png

 

Step 2

 

Open IDA Pro 7.7 -> Disassemble a new File -> Select your dump of RobloxPlayerBeta.exe.

Edit -> Segments -> Rebase Program : Set it to 0x1000.

 

https://cdn.discordapp.com/attachments/972845808678490146/996309176802344970/unknown.png

 

Let IDA analyze; depending on your CPU this can take up to 3 hours.

 

 

Step 3 - Find the Print Function

 

IDA fully analyzed? Good, now for the fun part.

Hit Shift + F12 on your Keyboard and filter for the string "Invalid BrowserService Command %s"

 

https://cdn.discordapp.com/attachments/972845808678490146/996309402703376444/unknown.png

Double click the result

 

 

Highlight "aInvalidBrowser" with your cursor and hit X.

Click the first Xref and you will see something like in the picture below

https://cdn.discordapp.com/attachments/972845808678490146/996309506881507378/unknown.png

 

Now decompile the call (sub_3FBE50) by double clicking it and then pressing F5.

https://cdn.discordapp.com/attachments/972845808678490146/996309579086450719/unknown.png

 

Congrats, you can call yourself a Reverse Engineer now (don't actually, please)

 

 

Step 4 - Writing the Printsploit

 

Open VS2022, create a new Dynamic Link Library.

 

 

Config the Project however you want but make sure you select Release and X86.

 

 

Since I cbf with explaining every single line in this poorly written text editor I'll just explain it with comments

 

#include <windows.h>
#include <iostream>
#include <thread>

enum rbx_ptypes : uint8_t // enum with all types
{
	print,
	info,
	warn,
	error
};

bool __stdcall DllMain(HINSTANCE lib, uint8_t reason, void*) //is called when dll gets injected
{
	DisableThreadLibraryCalls(lib); //msdn: Disables the DLL_THREAD_ATTACH and DLL_THREAD_DETACH notifications for the specified dynamic-link library (DLL). This can reduce the size of the working set for some applications.

	if (reason == DLL_PROCESS_ATTACH) // self-explanatory
	{
		static auto mod = reinterpret_cast<uintptr_t>(GetModuleHandle(nullptr)); //gets base of roblox

		using rbx_print_t = void(__cdecl*)(uint8_t, const char*, ...); //type alias
		const auto rbx_print = reinterpret_cast<rbx_print_t>(mod + 0x3EB4E0); //mod + print address

		//supports formatting if u didnt know
		rbx_print(rbx_ptypes::print, "%s %p", "some string", &FreeConsole); 
		rbx_print(rbx_ptypes::info, "%s %p", "some string", &FreeConsole);
		rbx_print(rbx_ptypes::warn, "%s %p", "some string", &FreeConsole);
		rbx_print(rbx_ptypes::error, "%s %p", "some string", &FreeConsole);
	}

	return true;
}

 

Goodbye skids

  • 0

Posts: 283

Threads: 48

Joined: May, 2022

Reputation: -4

Replied

bad code.

:troll:

  • 0

https://media.discordapp.net/attachments/1044764388546068510/1051935933836050482/Signature_4.png

Skid_Destroyer

Self Taught (Pro)grammer

Posts: 10

Threads: 2

Joined: Jul, 2022

Reputation: 3

Replied

@luxiferrwoo You are just a cheap peasant who has no idea what he's talking about. I would love to see some of "your code".

  • 0

Posts: 34

Threads: 8

Joined: Jul, 2022

Reputation: 10

Replied

@Skid_Destroyer

 

GRINCHER ON TOP GRINCHER ON TOP GRINCHER ON TOP GRINCHER ON TOP GRINCHER ON TOP 

 

GRINCHER ON TOP GRINCHER ON TOP GRINCHER ON TOP GRINCHER ON TOP GRINCHER ON TOP 

 

GRINCHER ON TOP GRINCHER ON TOP GRINCHER ON TOP GRINCHER ON TOP GRINCHER ON TOP 

  • 0

veh_handler and seh_handler disliker

<p>enis</p>

Posts: 283

Threads: 48

Joined: May, 2022

Reputation: -4

Replied

@Skid_Destroyer

 

LOL what it was literally a joke i do that to everyone, if you wanna see my code check out my previous posts. "knows nothing about what they're talking about" HA you're funny.

  • 0

https://media.discordapp.net/attachments/1044764388546068510/1051935933836050482/Signature_4.png

F34R

Fear

Posts: 331

Threads: 54

Joined: Apr, 2021

Reputation: 13

Replied

@luxiferrwoo "I do that to literally everyone" yeah..

  • 0

https://cdn.discordapp.com/attachments/1088161134621773975/1088481077401751552/Untitled.png

Posts: 283

Threads: 48

Joined: May, 2022

Reputation: -4

Replied

@F34R

yeah i do it's pretty funny lmao

  • 0

https://media.discordapp.net/attachments/1044764388546068510/1051935933836050482/Signature_4.png

Posts: 87

Threads: 15

Joined: Mar, 2022

Reputation: 0

Replied

@luxiferrwoo

bro isn't this the same as the code you made lmao :skull: :skull: :skull:

 

https://github.com/expressiongz/cpp-roblox-print/blob/main/main.cpp

  • 1

I'm gon have seazure OMG MICROSOFT AZURE ⚠⚠⚠⚠⚠⚠⚠⚠⚠ 🐸🐸🐸🐸🐸🐸🐸🐶🐶😩😩😩😩😩😩😩😩😩😩😩😩😩😩😩

https://cdn.discordapp.com/attachments/976614881493127250/986564908864909382/image_3.png

Skid_Destroyer

Self Taught (Pro)grammer

Posts: 10

Threads: 2

Joined: Jul, 2022

Reputation: 3

Replied

@KarenTheKiller No it is not you dyslexic autist

  • 0

Posts: 283

Threads: 48

Joined: May, 2022

Reputation: -4

Replied

@KarenTheKiller

 

 

you gotta be stupid LOL you realize there's the same format for calling a function right? it's really common to use enums, if you look at the date of the repo it literally exists before this post. the readme is from almost a month ago and back then it had bad code left over from months ago so I updated it lmao. 

  • 0


https://media.discordapp.net/attachments/1044764388546068510/1051935933836050482/Signature_4.png

Posts: 87

Threads: 15

Joined: Mar, 2022

Reputation: 0

Replied

@luxiferrwoo

I meant the code was similar

  • 0

I'm gon have seazure OMG MICROSOFT AZURE ⚠⚠⚠⚠⚠⚠⚠⚠⚠ 🐸🐸🐸🐸🐸🐸🐸🐶🐶😩😩😩😩😩😩😩😩😩😩😩😩😩😩😩

https://cdn.discordapp.com/attachments/976614881493127250/986564908864909382/image_3.png

RiceUsesArchBtw

rice cracker

vip

Posts: 465

Threads: 19

Joined: Aug, 2021

Reputation: 39

Replied

@KarenTheKiller lmao no he didnt, atari proved that alr

  • 0

https://cdn.discordapp.com/attachments/1023423265160560745/1132948683747500092/Frame_12x.png

Posts: 283

Threads: 48

Joined: May, 2022

Reputation: -4

Replied

@KarenTheKiller

 

you do realize it's very common to use enums to print specific colors to the console right? there's thousands of people that do this simply because its more descriptive, these days you will not be able to catch a skidded "printsploit" simply because it's the same concept that everyone *has* to follow.

  • 0

https://media.discordapp.net/attachments/1044764388546068510/1051935933836050482/Signature_4.png

Posts: 87

Threads: 15

Joined: Mar, 2022

Reputation: 0

Replied

wait I didn't mean they copied and pasted I meant it's basically the same and u said that this code was bad 

  • 0

I'm gon have seazure OMG MICROSOFT AZURE ⚠⚠⚠⚠⚠⚠⚠⚠⚠ 🐸🐸🐸🐸🐸🐸🐸🐶🐶😩😩😩😩😩😩😩😩😩😩😩😩😩😩😩

https://cdn.discordapp.com/attachments/976614881493127250/986564908864909382/image_3.png
