phoriah

-- Hook
-- 0866
-- October 4, 2020

--[[

    Constructor:

        hook = Hook.new(closure [, callback])

phoriah

bypassing blocked function protections using corescripts

author: James Napora.

---

roblox and exploit fundamentals

• corescripts have RobloxScript permissions on Roblox.
• exploit function protections do not run on any threads except exploit threads.
• roblox has several permission levels: None, Plugin, LocalUser, RobloxScript and Roblox.
• actors on Roblox run whenever a script under it has a client run context, e.g local scripts, scripts with RunContext.Client and corescripts.
• scripts under actors share the same global state

phoriah

Author: https://github.com/fissurectomy Telegram: https://t.me/fissurectomy Discord: fissurectomy

This will include every way possible to abuse a Roblox Executor to cookie log accounts, steal robux, or even achieve Remote Code Execution.

I found all these vulnerabilities while testing the security of mobile executors and I found them in under an hour. I wanted to show just how shit of a developer rexidtc is. Rexi contributed to most mobile executors (Codex, Hydrogen, Delta and more.)

I recommend you to avoid using the executors that I have mentioned above. Rexidtc was the owner of KittenMilk, which was known to be a malicious executor in the past. In the other hand, Furky, the owner of Codex, was suspected by the exploiting community to be using the user's device to mine cryptocurrency, resulting in a significant performance decrease. Oh and, a funny fact about Furky is that he once tried to argue that DLLs existed on mobile, and it shows how much of a script kiddie he is.