· 5 years ago · Aug 21, 2020, 03:56 PM
1-- "Completely updated to work"
2local player = game:GetService("Players").LocalPlayer
3local mouse = player:GetMouse()
4_G.FILESYSTEM = {};
5local protection = {};
6_G.hookfunctions_replace = {}; -- no way to fix
7_G.hookfunctions_return = {};
8local HttpService = game:GetService("HttpService");
9-- a compatability layer for exploits based on synapse api
10
11-- Setup function for exploit.
12local function get_exploit()
13 local exploit = "ERROR" -- this shouldn't be possible..
14
15 if elysianexecute then-- is Elysian
16 exploit = "ely"
17 elseif CALAMARI_PLATFORM then-- is Calamari
18 exploit = "cl"
19 elseif syn and syn.create_secure_function then-- is Synapse X
20 expoit = "syn"
21 elseif sirhurt_setup_secure_run then--Sirhurt
22 exploit = "sh"
23 elseif issentinelclosure then--Sentinel
24 exploit = "se"
25 else-- Unknown exploit.
26 exploit = "unk"
27 end
28 return exploit;
29end
30local exploit = get_exploit();
31
32
33local function expname(suffix)
34 if suffix then-- is ProtoSmasher
35 name = "ProtoSmasher"
36 elseif suffix=="ely" then-- is Elysian
37 name = "Elysian"
38 elseif suffix=="cl" then-- is Calamari
39 name = "Calimari"
40 elseif suffix=="syn" then-- is Synapse X
41 name = "Synapse X"
42 elseif suffix=="sh" then--Sirhurt
43 name = "SirHurt"
44 elseif suffix=="se" then--Sentinel
45 name = "Sentinel"
46 else-- Unknown exploit.
47 name = "Unknown"
48 end
49 return name;
50end
51local function maynot(ex, txt)
52 print(expname(ex) .. " doesn't support: " .. txt)
53 return false
54end
55local workspace = workspace;
56if not workspace then
57 workspace = game:GetService("Workspace");
58end
59local compatability = {
60 getinstances = function()
61 maynot(exploit, "getinstances")
62 print("using compatible function.")
63 -- init with workspace descendants.
64 local ALLDescendants = workspace:GetDescendants();
65 table.insert(ALLDescendants, workspace);
66 local game_t = {-- change these to places you'd like to check.
67 "Players",
68 "ReplicatedStorage",
69 "StarterGui",
70 "StarterPack"
71 }
72 for _, tree in pairs(game_t) do
73 for d, inst in pairs(game[tree]:GetDescendants()) do
74 table.insert(ALLDescendants, inst);
75 end
76 table.insert(ALLDescendants, game[tree])
77 end
78 return ALLDescendants;
79 end,
80 getscripts = function()
81 maynot(exploit, "getscripts")
82 print("getscripts is very performance heavy.")
83 local rest = {}
84 local instances = getinstances()
85 for _, inst in pairs(instances) do
86 if inst.ClassName == "LocalScript" or inst.ClassName == "ModuleScript" then
87 table.insert(rest, inst)
88 end
89 end
90 return rest
91 end,
92 getloadedmodules = function()
93 maynot(exploit, "getloadedmodules")
94 print("getloadedmodules is very performance heavy.")
95 local modules = {}
96 local found = {};
97 for _, func in pairs(getgc()) do
98 if type(func) == "function" then
99 local t_src = getinfo(func).short_src;
100 if not found[t_src] then
101 found[t_src] = true
102 local fenv = getfenv(func).script;
103 if fenv.ClassName == "ModuleScript" then
104 table.insert(modules, fenv);
105 end
106 end
107 end
108 end
109 return modules;
110 end,
111 setrawmetatable = function(obj, mt)
112 local old_mt=getrawmetatable(obj)
113 local state = isreadonly(old_mt)
114 setreadonly(old_mt, false)
115 for k, v in pairs(mt) do
116 old_mt[k] = v
117 end
118 if state then
119 setreadonly(old_mt, true);
120 end
121 return state;
122 end,
123 getprotos = function(fn)
124 if getproto then
125 local protos = {};
126 local i = 0;
127 while success == true do
128 i = i+1;
129 local success, er = pcall(function()
130 table.insert(protos, getproto(fn, i))
131 end)
132 end
133 return protos
134 else
135 return maynot(exploit, "getprotos")
136 end
137 end,
138 setproto = function(fn, idx, new_proto)
139 if getprotos and hookfunction then
140 hookfunction(getprotos(fn)[idx], new_proto);
141 else
142 maynot(exploit, "setproto");
143 end
144 end,
145 getconstant = function(fn, idx)
146 if getconstants then
147 return getconstants(fn)[idx];
148 else
149 maynot(exploit, "getconstant");
150 end
151 end,
152 mousemoveabs = function(x, y)
153 mousemoverel(x - mouse.X, y - mouse.Y)
154 end,
155 appendfile = function(path, new_txt)
156 if writefile and readfile then
157 return writefile(path, readfile(path) + new_txt)
158 else
159 return maynot(exploit, "appendfile")
160 end
161 end,
162 loadfile = function(path)
163 if readfile and loadstring then
164 return loadstring(readfile(path))
165 else
166 return maynot(exploit, "loadfile")
167 end
168 end,
169 isfile = function(path)
170 local success, er = pcall(function()
171 appendfile(path, "")
172 end);
173 return _G.FILESYSTEM[path] == "file" or success;
174 end,
175 isfolder = function(path)
176 local success, er = pcall(function()
177 makefolder(path)
178 end);
179 return _G.FILESYSTEM[path] == "folder" or success;
180 end,
181 listfiles = function(path)
182 local files = {}
183 for key,_ in pairs(_G.FILESYSTEM) do
184 if key.len > path.len then
185 local temp_path = key.sub(0, path.len)
186 if temp_path == path and not key.sub(path.len, key.len).match("/") and isfile(key) then
187 table.insert(files, key)
188 end
189 end
190 end
191 return files;
192 end,
193 makefolder = function(path)
194 if writefile then
195 _G.FILESYSTEM[path] = "folder";
196 writefile(path+"EXISTS1234.txt")
197 else
198 return maynot(exploit, "loadfile")
199 end
200 end,
201 -- we can't do anything about it lol..
202 delfolder = function(path)
203 _G.FILESYSTEM[path] = nil
204 end,
205 delfile = function(path)
206 _G.FILESYSTEM[path] = nil;
207 end,
208 getclipboard = function()
209 return _G.CLIPBOARD
210 end,
211 protect_gui = function(gui)
212 protection[gui] = gui.Parent;
213 gui.Parent = game.CoreGui;
214 end,
215 unprotect_gui = function(gui)
216 gui.Parent = protection[gui]
217 protection[gui] = nil;
218 end,
219 request = function(table)
220 return HttpService:RequestAsync(table)
221 end,
222 secure_call = function(Function, Script, ...)
223 if getfenv and getrenv and getsenv and set_thread_identity and get_thread_context then
224 local old_env = getfenv();
225 toProtect[Function] = Script:GetFullName() .. ':';
226 local spoof_env = select(2, pcall(getsenv, Script));
227 spoof_env = (type(spoof_env) == 'string' or not spoof_env) and getrenv() or spoof_env;
228 spoof_env.script = spoof_env.script or Script;
229 local setthreadcontext = setthreadcontext;
230 set_thread_identity(2);
231 local Level = 0;
232 while true do
233 if not pcall(setfenv, Level + 2, spoof_env) then
234 break;
235 end;
236 Level = Level + 1;
237 end;
238 local securityContext = get_thread_identity() or 6;
239 local ret = table.pack( Function(...) );
240
241 for i = 0, Level do
242 setfenv(i, old_env);
243 end;
244
245 set_thread_identity(securityContext)
246 return unpack(ret);
247 else
248 maynot(exploit, "secure_call")
249 end
250 end
251}
252
253
254
255-- according to normal synapse conventions.
256-- assume compatibility if there is no compatibility middleware.
257
258-- before saving to script env make sure that it doesn't exist.
259local Input = Input;
260if not Input then
261 Input = {}
262end
263local Clipboard = Clipboard;
264if not Clipboard then
265 Clipboard = {}
266end
267local debug = debug
268if not debug then
269 debug = {}
270end
271local exploit_functions = {
272 getreg = {
273 ps = debug.getregistry
274 },
275 getgc = {
276 ps = get_gc_objects
277 },
278 getrenv = false,
279 getgenv = false,
280 getinstances = compatability.getinstances,
281 getnilinstances = {
282 ps = get_nil_instances
283 },
284 getscripts = {
285 ps = function()
286 -- good enough implementation..
287 local rest = {}
288 local scre = getscriptenvs()
289 for k, _ in next, scre do
290 rest[#rest + 1] = k
291 end
292 return rest
293 end,
294 se = getrunningscripts,
295 others = compatability.getscripts
296 },
297 getloadedmodules = {
298 ps = get_loaded_modules,
299 others = compatability.getloadedmodules--// might have to use GC.
300 },
301 getconnections = {
302 ps = get_signal_connections,
303 },
304 --// possibly emulatable???
305 firesignal = false,
306 --// may be simulatable
307 fireclickdetector = {
308 ps = click_detector
309 },
310 --// may be simulatable
311 firetouchinterest = false,
312 gethiddenproperty = {
313 ely = getnspval
314 },
315 sethiddenproperty = false,
316 getsenv = false,
317 getmenv = false,
318 getcallingscript = {
319 cl = getscriptcaller,
320 ps = get_calling_script
321 },
322 getrawmetatable = {
323 unk = function(...)
324 maynot("getrawmetatable will use getmetatable.")
325 return getmetatable(...)
326 end
327 },
328 setrawmetatable = {
329 cl = setmetatable,
330 sh = setmetatable,
331 others = compatability.setrawmetatable
332 },
333 setreadonly = {
334 ps = function(t, state)
335 if state then
336 make_readonly(t)
337 elseif not state then
338 make_writeable(t)
339 end
340 return state;
341 end
342 },
343 isreadonly = {
344 ps = is_readonly
345 },
346 isrbxacctive= false,
347 keypress = {
348 ps = Input.KeyPress
349 },
350 keyrelease = {
351 -- these may cause errors...
352 ps = Input.KeyUp
353 },
354 mouse1click = {
355 ps = Input.LeftClick --//have diff states
356 },
357 mouse1press = false,
358 mouse1release = false,
359 mouse2click = {
360 ps = Input.RightClick
361 },
362 mouse2press = false,
363 mouse2release = false,
364 mousescroll = {
365 ps = Input.ScrollMouse
366 },
367 mousemoverel = {
368 ps = Input.MoveMouse
369 },
370 mousemoveabs = {
371 ps = compatability.mousemoveabs
372 },
373 checkcaller = {
374 ps=is_protosmasher_caller
375 },
376 hookfunction = {
377 ely= replaceclosure
378 --[[ps = function(func, replace) apperently not needed...
379 detour_function(func, function(...)
380 local args = {...}
381 if args[1] == "fix it now please." and checkcaller() then
382 return original_function;
383 else
384 return replace(...)
385 end
386 end)
387 return func("fix it now please.");
388 end,]]--
389 },
390 newcclosure = {
391 ps = protect_function
392 },
393 loadstring = false,
394 islclosure = {
395 ps = is_l_closure,
396 others = compatability.islclosure
397 },
398 dumpstring = {
399 cl = serialize,
400 ps = get_script_bytecode
401 },
402 decompile = false,
403 readfile = false,
404 writefile = false,
405 appendfile = compatability.appendfile,
406 loadfile = compatability.loadfile,
407 listfiles = compatability.listfiles,
408 isfile = compatability.isfile,
409 isfolder = compatability.isfolder,
410 makefolder = {
411 cl = mkdir,
412 se = createdirectory,
413 others = compatability.makefolder,
414 },
415 delfolder = compatability.delfolder,
416 delfile = compatability.delfile,
417 setclipboard = {
418 others = writeclipboard,
419 ely = Clipboard.set
420 },
421 getclipboard = compatability.getclipboard,
422 setfflag = false,
423 getnamecallmethod = false,
424 setnamecallmethod = false,
425 getspecialinfo = false,--//compatability.getspecialinfo,
426 saveinstance = {
427 ps = false, -- //this can be added.
428 },
429 is_synapse_function = {
430 ps = is_protosmasher_closure,
431 se = issentinelclosure,
432 sh = is_sirhurt_closure,
433 others = checkclosure
434 },
435 debug = {
436 getconstants = {
437 ely = getconsts
438 },
439 getconstant = compatability.getconstant,
440 setconstant = {
441 ely = setconst
442 },
443 getupvalues = false,
444 getupvalue = false,
445 setupvalue = false,
446 getprotos = compatability.getprotos,
447 traceback = false,
448 getproto = false,
449 setproto = compatability.setproto,
450 ---------------------------------------------
451 ----STACK MIGHT BE ADDEDABLE-----------------
452 getstack = false, --for ps and sh
453 setstack = false,
454 ---------------------------------------------
455 ---------------------------------------------
456 getinfo = false
457 },
458 syn = {
459 cache_replace = false,
460 cache_invalidate = false,
461 is_cached = false,
462 get_thread_identity = {
463 cl = getcontext,
464 ps = get_thread_context,
465 se = getthreadcontext,
466 },
467 set_thread_identity = {
468 cl = setcontext,
469 se = setthreadcontext
470 },
471 queue_on_teleport = false,--//compatability.queue_on_teleport,
472 protect_gui = {
473 sh = function(gui)
474 gui_protection[gui] = gui.Parent;
475 gui.Parent=get_hidden_gui();
476 end,
477 ps = function(gui)
478 gui_protection[gui]=gui.Parent;
479 gui.Parent=get_hidden_gui();
480 end,
481 ely = function(gui)
482 gui_protection[gui]=gui.Parent;
483 gui.Parent=gethui();
484 end,
485 others = compatability.protect_gui
486 },
487 unprotect_gui = {
488 sh = function(gui)
489 gui.Parent=protection[gui]; --not exactly sure how these work...
490 protection[gui] = nil;
491 end,
492 ps = function(gui)
493 gui.Parent=protection[gui];
494 protection[gui] = nil;
495 end,
496 ely = function(gui)
497 gui.Parent=protection[gui];
498 protection[gui] = nil;
499 end,
500 others = compatability.unprotect_gui
501 },
502 is_beta = false,
503 request = {
504 sh = http_request,
505 others = compatability.request
506 },
507 secure_call = false
508 }
509}
510-- unload the variables into the executor scope smartly.
511
512local exploit = get_exploit();
513local listfiles_orig = true;
514local getclipboard_orig = true;
515local secure_call_orig= true;
516local err = function(key)
517 return function(...)
518 maynot(exploit, key);
519 return false;
520 end;
521end;
522
523local function unpacket(table, scope, handle)
524 for key, val in pairs(table) do
525 if key ~= "syn" and key ~= "debug" and not scope[key] then
526 if key == "listfiles" then
527 listfiles_orig = false;
528 elseif key == "getclipboard" then
529 getclipboard_orig = false
530 elseif key == "secure_call" then
531 secure_call_orig = false
532 end
533 if type(val) == "table" then
534 scope[key] = val[exploit] or val["others"]
535 if not scope[key] then
536 if handle then
537 scope[key]=err(key)
538 else
539 err(key)()
540 end
541 end
542 elseif type(val) == "function" then
543 local success, err = pcall(function()
544 scope[key] = val
545 end)
546 if success == false then
547 print("WTF it says " .. key .. " doesn't exist but doesn't let me write to it..")
548 end
549 elseif val == false then
550 if handle then
551 scope[key]=err(key)
552 else
553 err(key)()
554 end
555 end
556 end
557 end
558end
559
560local function attempt(lscope, patch, handle)
561 local function patchet(patch,exscope)
562 if type(patch) == "table" and #patch ~= 0 then
563 for key, val in pairs(patch) do
564 if key ~= "syn" or key ~= "debug" then
565 exscope[key] = val
566 else
567 patchet(patch[key], exscope[key]);
568 end
569 end
570 end
571 end
572 if patch then
573 patchet(patch, exploit_functions)
574 end
575 if lscope == nil then
576 lscope = getrenv();
577 end
578 if lscope then
579 if not lscope["syn"] then
580 lscope["syn"] = {}
581 exploit_functions.syn.setmetatable = exploit_functions.setrawmetatable;
582 unpacket(exploit_functions["syn"],lscope["syn"], handle)
583 for i, v in pairs(syn) do
584 exploit_functions[i] = v
585 end
586 end
587 if not lscope["debug"] then
588 lscope["debug"] = {}
589 end
590 unpacket(exploit_functions["debug"],lscope["debug"], handle)
591 for i, v in pairs(debug) do
592 exploit_functions[i] = v
593 end
594 exploit_functions.getregistry = exploit_functions.getreg;
595 if patch then
596 patchet(patch, exploit_functions)
597 end
598 unpacket(exploit_functions, lscope, handle);
599 if not listfiles_orig and writefile("testing12345.txt", "12345") and appendfile then
600 -- intecept the writefile to add to the stuff..
601 local sucess, er= pcall(function()
602 _G.path_folder= function(path)
603 local folders = string.split(path, "/")
604 local past = "";
605 for i = 1, #folders-1 do
606 past = past + folders[i] + "/";
607 _G.FILESYSTEM[past] = "folder";
608 end
609 end
610
611 old_write = hookfunction(writefile, function(path, txt)
612 if path ~= "EXISTS1234.txt" then
613 _G.FILESYSTEM[path] = "file"; -- something was written here.
614 _G.path_folder(path);
615 old_write(path, txt)
616 end
617 end)
618 old_append = hookfunction(appendfile, function(path, txt)
619 if path ~= "EXISTS1234.txt" then
620 _G.FILESYSTEM[path] = "file"; -- something was written here.
621 _G.path_folder(path);
622 old_append(path, txt)
623 end
624 end)
625 end)
626 if not success then
627 if handle then
628 listfiles = err("listfiles");
629 else
630 err("listfiles")()
631 end
632 end
633 end
634
635 if not getclipboard_orig and getclipboard("") then
636 local sucess, er= pcall(function()
637 old_clip = hookfunction(setclipboard, function(txt)
638 _G.CLIPBOARD = txt;
639 old_clip(txt)
640 end);
641 end)
642 if not success then
643 if handle then
644 getclipboard = err("getclipboard");
645 else
646 err("getclipboard")()
647 end
648 end
649 end
650
651 if not secure_call_orig and traceback and getinfo(1) then
652 local sucess, er= pcall(function()
653 local toProtect = {};
654 local oldTraceback;
655
656 -- retarded code but w/e
657 local function isProtectedCaller(Function)
658 for i = 0, 30 do
659 local stackInfo = debug.getinfo(i);
660 if stackInfo then
661 if Function == stackInfo.func then
662 return true;
663 end;
664 else
665 break;
666 end;
667 end;
668 return false;
669 end;
670
671 oldTraceback = hookfunction(debug.traceback, function()
672 local stackTrace = oldTraceback();
673 for Function, spoofedTrace in next, toProtect do
674 if isProtectedCaller(Function) then
675
676 -- enumerate through all lines and store in table, for easier replacing.
677 local Lines = {};
678 stackTrace:gsub('[^\n\r]+', function(Line)
679 --replace exploit trace with spoofed trace
680 Lines[#Lines + 1] = Line:gsub('^@:', spoofedTrace);
681 end);
682
683 -- Remove exploit traceback lines.
684 table.remove(Lines, 1);
685 table.remove(Lines, #Lines - 1);
686
687 return table.concat(Lines, '\n') .. '\n';
688 end;
689 end;
690
691 -- pattern match to remove first line, which would be this hookfunction hook.
692 return stackTrace:match'[^\n\r]*\n?(.*)';
693 end);
694 if not secure_call then
695 secure_call = compatability.secure_call
696 debug.secure_call=secure_call
697 end
698 end)
699 if not success then
700 if handle then
701 secure_call = err("secure_call");
702 else
703 err("secure_call")()
704 end
705 debug.secure_call=secure_call
706 end
707 end
708 else
709 error("THE SCOPE MUST BE EDDITED AS GETRENV DOES NOT EXIST")
710 end
711end
712return attempt