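/// <summary>
/// Entry point for the dumper: finds a running RobloxPlayerBeta process, attaches
/// the EyeStep reader to it, runs <c>Dumper.DumpAddresses()</c> and writes the three
/// formatter outputs into a "Dumps" subfolder named after the directory that
/// contains the running executable.
/// </summary>
/// <param name="args">Command-line arguments; not used.</param>
static void Main(string[] args)
{
    Console.Title = "Xenon Dumper";

    Process[] instances = Process.GetProcessesByName("RobloxPlayerBeta");
    if (instances.Length < 1)
    {
        Console.WriteLine("Please open roblox and restart the program.");
        Console.ReadLine();
        Environment.Exit(-1);
    }

    // EyeStep.open is a project helper; what it does with the module name is not visible here.
    EyeStep.open("RobloxPlayerBeta.exe");

    // The version folder is the parent directory of the running executable.
    // NOTE(review): Process.MainModule can throw (e.g. access denied or a 32/64-bit
    // mismatch); that is not handled here and surfaces as an unhandled exception.
    string exeDirectory = Path.GetDirectoryName(instances[0].MainModule.FileName);
    string robloxVersion = Path.GetFileName(exeDirectory);

    // Path.Combine instead of hand-built "Dumps\\..." strings; CreateDirectory is a
    // no-op when the folder already exists and creates "Dumps" itself if needed.
    string dumpPath = Path.Combine("Dumps", robloxVersion);
    Directory.CreateDirectory(dumpPath);

    // Presumably populates the data the Formatter methods serialize — not visible here.
    Dumper.DumpAddresses();
    File.WriteAllText(Path.Combine(dumpPath, "BasicFormat.txt"), Formatter.BasicFormat());
    File.WriteAllText(Path.Combine(dumpPath, "HeaderFormat.txt"), Formatter.HeaderFormat());
    File.WriteAllText(Path.Combine(dumpPath, "IDAPython.txt"), Formatter.IDAPythonFormat());
}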
/// <summary>
/// Entry point for the console address dumper. Waits for a running RobloxPlayerBeta
/// process, attaches EyeStep, resolves four byte-pattern signatures plus the
/// cross-references of two of them, prints every resolved address through
/// <c>LogFunc</c>, then blocks forever so the console stays open.
/// </summary>
/// <param name="args">Command-line arguments; not used.</param>
static void Main(string[] args)
{
    // AOBs: byte signatures with "??" wildcards, consumed by scanner.scan below.
    string gettop = "55 8B EC 8B 4D 08 8B 41 ?? 2B 41 ?? C1 F8 04 5D"; /*this will never change*/
    string index2adr = "55 8B EC 8B 55 ?? 81 FA F0 D8 FF FF 7E 0F ?? ?? ?? ?? E2 04 03 51 10 8B C2 5D C2 08 00 8B 45 08"; /*may break at some point*/
    string retcheck = "55 8B EC 64 A1 00 00 00 00 6A ?? 68 E8 ?? ?? ?? ?? 64 89 25 00 00 00 00 83 EC ?? 53 56 57 6A ?? E9 ?? ?? ?? ??"; /*may break at some point*/
    string deserialize = "55 8B EC 6A FF 68 70 ?? ?? ?? ?? A1 00 00 00 00 50 64 89 25 00 00 00 00 81 EC 58 01 00 00 56 57"; /*Again not 100% sure about this one's integrity*/

    Console.Title = "C# Address Dumper";
    if (Process.GetProcessesByName("RobloxPlayerBeta").Length < 1)
    {
        Console.ForegroundColor = ConsoleColor.Red; ; // stray empty statement, harmless
        Console.WriteLine("Please open Roblox first!");
        Thread.Sleep(3000);
        Environment.Exit(0);
    }

    // EyeStep.open is a project helper; its effect on the named module is not visible here.
    EyeStep.open("RobloxPlayerBeta.exe");
    Console.WriteLine("Scanning RBX...");
    watch.Start(); // presumably a Stopwatch field declared elsewhere in the file — confirm

    // Scan AOBs. Each call takes the first hit; if a signature has no match the
    // [0] index throws and the program terminates with an unhandled exception.
    int gettop_addr = scanner.scan(gettop)[0];
    int index2adr_addr = scanner.scan(index2adr)[0];
    int retcheck_addr = scanner.scan(retcheck)[0];
    int deserialize_addr = scanner.scan(deserialize)[0];

    // More scanning: all later lookups are hard-coded positions in these xref lists,
    // so they depend entirely on the order scan_xrefs returns references.
    var retcheck_xrefs = scanner.scan_xrefs(retcheck_addr);
    var index2adr_xrefs = scanner.scan_xrefs(index2adr_addr);

    // Log addresses. LogFunc is defined elsewhere in the file; presumably it prints the
    // pair and increments addycount — confirm.
    LogFunc("deserializer", deserialize_addr);
    LogFunc("index2adr", index2adr_addr);
    LogFunc("lua_call", retcheck_xrefs[1]);
    LogFunc("lua_concat", retcheck_xrefs[3]);
    LogFunc("lua_createtable", retcheck_xrefs[4]);
    LogFunc("lua_gc", retcheck_xrefs[5]);
    LogFunc("lua_getargument", retcheck_xrefs[57]);
    LogFunc("lua_getfenv", retcheck_xrefs[6]);
    LogFunc("lua_getfield", retcheck_xrefs[7]);
    LogFunc("lua_getinfo", retcheck_xrefs[58]);
    LogFunc("lua_getmetatable", retcheck_xrefs[8]);
    LogFunc("lua_gettable", retcheck_xrefs[9]);
    LogFunc("lua_gettop", gettop_addr);
    LogFunc("lua_getupvalue", retcheck_xrefs[10]);
    LogFunc("lua_insert", retcheck_xrefs[11]);
    LogFunc("lua_iscfunction", index2adr_xrefs[8]);
    LogFunc("lua_isnumber", index2adr_xrefs[9]);
    LogFunc("lua_isstring", index2adr_xrefs[10]);
    LogFunc("lua_isuserdata", index2adr_xrefs[7]);
    LogFunc("lua_lessthan", retcheck_xrefs[12]);
    LogFunc("lua_newthread", retcheck_xrefs[13]);
    LogFunc("lua_newuserdata", retcheck_xrefs[14]);
    LogFunc("lua_next", retcheck_xrefs[15]);
    LogFunc("lua_objlen", retcheck_xrefs[16]);
    LogFunc("lua_pcall", retcheck_xrefs[17]);
    LogFunc("lua_pushboolean", retcheck_xrefs[18]);
    LogFunc("lua_pushcclosure", retcheck_xrefs[19]);
    LogFunc("lua_pushfstring", retcheck_xrefs[20]);
    LogFunc("lua_pushinteger", retcheck_xrefs[21]);
    LogFunc("lua_pushlightuserdata", retcheck_xrefs[22]);
    LogFunc("lua_pushlstring", retcheck_xrefs[23]);
    LogFunc("lua_pushnil", retcheck_xrefs[24]);
    LogFunc("lua_pushnumber", retcheck_xrefs[25]);
    LogFunc("lua_pushstring", retcheck_xrefs[26]);
    LogFunc("lua_pushthread", retcheck_xrefs[28]);
    LogFunc("lua_pushvalue", retcheck_xrefs[30]);
    LogFunc("lua_pushvfstring", retcheck_xrefs[31]);
    LogFunc("lua_checkstack", retcheck_xrefs[32]);
    LogFunc("lua_rawget", retcheck_xrefs[33]);
    LogFunc("lua_rawgeti", retcheck_xrefs[35]);
    LogFunc("lua_rawset", retcheck_xrefs[36]);
    LogFunc("lua_rawseti", retcheck_xrefs[37]);
    LogFunc("lua_rawvalue", index2adr_xrefs[0]);
    LogFunc("lua_remove", retcheck_xrefs[38]);
    LogFunc("lua_replace", retcheck_xrefs[39]);
    LogFunc("lua_resume", retcheck_xrefs[53]);
    LogFunc("lua_setfenv", retcheck_xrefs[40]);
    LogFunc("lua_setfield", retcheck_xrefs[41]);
    LogFunc("lua_setlocal", retcheck_xrefs[60]);
    LogFunc("lua_setmetatable", retcheck_xrefs[42]);
    LogFunc("lua_setreadonly", retcheck_xrefs[43]);
    LogFunc("lua_setsafeenv", retcheck_xrefs[44]);
    LogFunc("lua_settable", retcheck_xrefs[45]);
    LogFunc("lua_settop", retcheck_xrefs[46]);
    LogFunc("lua_setupvalue", retcheck_xrefs[47]);
    LogFunc("lua_toboolean", index2adr_xrefs[33]);
    LogFunc("lua_tointeger", index2adr_xrefs[34]);
    LogFunc("lua_tolstring", retcheck_xrefs[48]);
    LogFunc("lua_tonumber", index2adr_xrefs[37]);
    LogFunc("lua_topointer", index2adr_xrefs[38]);
    LogFunc("lua_tostring", index2adr_xrefs[40]);
    LogFunc("lua_tothread", index2adr_xrefs[42]);
    LogFunc("lua_tounsignedx", index2adr_xrefs[43]);
    LogFunc("lua_touserdata", index2adr_xrefs[44]);
    LogFunc("lua_type", index2adr_xrefs[47]);
    LogFunc("lua_yield", retcheck_xrefs[54]);
    LogFunc("lua_xmove", retcheck_xrefs[50]);
    LogFunc("luaU_callhook", retcheck_xrefs[56]);
    LogFunc("f_call", retcheck_xrefs[0]);
    LogFunc("resume_error", retcheck_xrefs[55]);

    watch.Stop();
    Console.WriteLine();
    Console.ForegroundColor = ConsoleColor.Green;
    // addycount is a field declared elsewhere in the file; not reset or incremented here.
    Console.WriteLine("Scanned " + addycount + " addresses" + " in " + watch.ElapsedMilliseconds + "ms");
    // -1 is Timeout.Infinite: the process never exits on its own after this point.
    Thread.Sleep(-1);
}
// start dumper
/// <summary>
/// Entry point for the console address dumper. Waits for a running RobloxPlayerBeta
/// process, attaches EyeStep, resolves a set of function addresses from byte-pattern
/// signatures, string cross-references and call-target lists, prints them through
/// <c>LogFunc</c>/<c>LogAddr</c>, then scans two small function bodies for single-byte
/// offsets and prints those through <c>LogOffset</c>. Blocks forever at the end.
/// </summary>
/// <param name="args">Command-line arguments; not used.</param>
static void Main(string[] args)
{
    // AOBs: byte signatures with "??" wildcards, consumed by scanner.scan below.
    string gettop = "55 8B EC 8B 4D 08 8B 41 ?? 2B 41 ?? C1 F8 04 5D"; /*this will never change*/
    string delay = "55 8B EC 6A FF 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC ?? 53 56 57 F0 FF";
    string print = "55 8B EC 6A FF 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 18 8D 45 10 50 FF";
    // Declared but never referenced in this method.
    string checklstring = "55 8B EC FF 75 ?? 8B 55 ?? 8B 4D ?? E8 ?? ?? ?? ?? 85 C0 74 02 5D C3 6A ?? FF 75 ?? FF 75 ?? E8 6C 07 00 00";

    Console.Title = "C# Address Dumper";
    if (Process.GetProcessesByName("RobloxPlayerBeta").Length < 1)
    {
        Console.ForegroundColor = ConsoleColor.Red;
        Console.WriteLine("Please open Roblox first!");
        Thread.Sleep(3000);
        Environment.Exit(0);
    }

    // EyeStep.open is a project helper; its effect on the named module is not visible here.
    EyeStep.open("RobloxPlayerBeta.exe");
    Console.ForegroundColor = ConsoleColor.Red;
    Console.WriteLine("Scanning RBX...");
    Console.ForegroundColor = ConsoleColor.Gray;
    watch.Start(); // presumably a Stopwatch field declared elsewhere in the file — confirm

    // get index2adr: walk from a string xref to its function prologue, then through
    // hard-coded positions in the call lists util.getCalls returns. Every [n] below
    // throws if the list is shorter than expected; nothing catches that.
    var tostring = scanner.scan_xrefs("'tostring' must return a string to 'print'")[0];
    var tostring_calls = util.getCalls(util.getPrologue(tostring));
    int getfield_addr = tostring_calls[2];
    var getfield_calls = util.getCalls(getfield_addr);

    // Scan AOBs. scanner.scan(...)[0] takes the first hit and throws when there is none.
    int gettop_addr = scanner.scan(gettop)[0];
    int index2adr_addr = getfield_calls[0];
    int retcheck_addr = getfield_calls[3];
    int deserialize_addr = util.getPrologue(scanner.scan_xrefs(": bytecode")[0]);

    // More scanning: all later lookups are hard-coded positions in these xref lists,
    // so they depend entirely on the order scan_xrefs returns references.
    var retcheck_xrefs = scanner.scan_xrefs(retcheck_addr);
    var index2adr_xrefs = scanner.scan_xrefs(index2adr_addr);

    Console.WriteLine();
    Console.WriteLine("Addresses:");

    // Log addresses. LogFunc is defined elsewhere in the file; the third argument's
    // meaning is not visible here — presumably an argument count for the formatted
    // output, confirm against LogFunc.
    LogFunc("deserializer", deserialize_addr, 5);
    LogFunc("index2adr", index2adr_addr, 2);
    LogFunc("lua_call", retcheck_xrefs[1], 3);
    LogFunc("lua_checkstack", retcheck_xrefs[32], 2);
    LogFunc("lua_concat", retcheck_xrefs[3], 2);
    LogFunc("lua_createtable", retcheck_xrefs[4], 3);
    LogFunc("lua_gc", retcheck_xrefs[5], 3);
    LogFunc("lua_getargument", retcheck_xrefs[57], 3);
    LogFunc("lua_getfenv", retcheck_xrefs[6], 2);
    LogFunc("lua_getfield", retcheck_xrefs[7], 3);
    LogFunc("lua_getinfo", retcheck_xrefs[58], 3);
    LogFunc("lua_getmetatable", retcheck_xrefs[8], 2);
    LogFunc("lua_gettable", retcheck_xrefs[9], 2);
    LogFunc("lua_gettop", gettop_addr, 1);
    LogFunc("lua_getupvalue", retcheck_xrefs[10], 3);
    LogFunc("lua_insert", retcheck_xrefs[11], 2);
    LogFunc("lua_iscfunction", index2adr_xrefs[8], 2);
    LogFunc("lua_isnumber", index2adr_xrefs[9], 2);
    LogFunc("lua_isstring", index2adr_xrefs[10], 2);
    LogFunc("lua_isuserdata", index2adr_xrefs[7], 2);
    LogFunc("lua_lessthan", retcheck_xrefs[12], 3);
    LogFunc("lua_newthread", retcheck_xrefs[13], 1);
    LogFunc("lua_newuserdata", retcheck_xrefs[14], 3);
    LogFunc("lua_next", retcheck_xrefs[15], 2);
    LogFunc("lua_objlen", retcheck_xrefs[16], 2);
    LogFunc("lua_pcall", retcheck_xrefs[17], 4);
    LogFunc("lua_pushboolean", retcheck_xrefs[18], 2);
    LogFunc("lua_pushcclosure", retcheck_xrefs[19], 5);
    LogFunc("lua_pushfstring", retcheck_xrefs[20], 3);
    LogFunc("lua_pushinteger", retcheck_xrefs[21], 2);
    LogFunc("lua_pushlightuserdata", retcheck_xrefs[22], 2);
    LogFunc("lua_pushlstring", retcheck_xrefs[23], 3);
    LogFunc("lua_pushnil", retcheck_xrefs[24], 1);
    LogFunc("lua_pushnumber", retcheck_xrefs[25], 2);
    LogFunc("lua_pushstring", retcheck_xrefs[26], 2);
    LogFunc("lua_pushthread", retcheck_xrefs[28], 1);
    LogFunc("lua_pushvalue", retcheck_xrefs[30], 2);
    LogFunc("lua_pushvfstring", retcheck_xrefs[31], 3);
    LogFunc("lua_rawget", retcheck_xrefs[33], 2);
    LogFunc("lua_rawgeti", retcheck_xrefs[35], 3);
    LogFunc("lua_rawset", retcheck_xrefs[36], 2);
    LogFunc("lua_rawseti", retcheck_xrefs[37], 3);
    LogFunc("lua_rawvalue", index2adr_xrefs[0], 2);
    LogFunc("lua_remove", retcheck_xrefs[38], 2);
    LogFunc("lua_replace", retcheck_xrefs[39], 2);
    LogFunc("lua_resume", retcheck_xrefs[53], 2);
    LogFunc("lua_setfenv", retcheck_xrefs[40], 2);
    LogFunc("lua_setfield", retcheck_xrefs[41], 3);
    LogFunc("lua_setmetatable", retcheck_xrefs[42], 2);
    LogFunc("lua_setreadonly", retcheck_xrefs[43], 3);
    LogFunc("lua_setsafeenv", retcheck_xrefs[44], 3);
    LogFunc("lua_settable", retcheck_xrefs[45], 2);
    LogFunc("lua_settop", retcheck_xrefs[46], 2);
    LogFunc("lua_setupvalue", retcheck_xrefs[47], 3);
    LogFunc("lua_toboolean", index2adr_xrefs[33], 2);
    LogFunc("lua_tointeger", index2adr_xrefs[34], 3);
    LogFunc("lua_tolstring", retcheck_xrefs[48], 3);
    LogFunc("lua_tonumber", index2adr_xrefs[37], 3);
    LogFunc("lua_topointer", index2adr_xrefs[38], 2);
    LogFunc("lua_tostring", index2adr_xrefs[40], 2);
    LogFunc("lua_tothread", index2adr_xrefs[42], 2);
    LogFunc("lua_tounsignedx", index2adr_xrefs[43], 3);
    LogFunc("lua_touserdata", index2adr_xrefs[44], 2);
    LogFunc("lua_type", index2adr_xrefs[47], 2);
    LogFunc("lua_yield", retcheck_xrefs[54], 2);
    LogFunc("lua_xmove", retcheck_xrefs[50], 3);
    LogFunc("luaU_callhook", retcheck_xrefs[56], 3);
    LogFunc("delay", scanner.scan(delay)[0], 1);
    LogFunc("print", scanner.scan(print)[0], 3);
    LogFunc("f_call", retcheck_xrefs[0], 2);
    LogFunc("resume_error", retcheck_xrefs[55], 2);
    LogAddr("retcheck", getfield_calls[3]); // same value as retcheck_addr above
    LogAddr("RCCServiceDeserializeCall", scanner.scan_xrefs(deserialize_addr)[0]); // Log without ccv

    // log and get offsets: linear byte walks over two function bodies, each bounded by
    // a fixed byte count and cut short by util.isEpilogue. A miss prints a message and
    // the run continues without that offset.
    Console.WriteLine();
    Console.WriteLine("Offsets:");
    int iscfunc_addr = util.getPrologue(index2adr_xrefs[8]);
    for (int i = 0; i < 72; i++) // 72 is all the bytes in lua_iscfunction
    {
        if (util.readByte(iscfunc_addr + i) == 0x80)
        { /*80 is the CMP instruction we're looking for*/
            LogOffset("IsC", util.readByte(iscfunc_addr + i + 2)); //the offset is the second register of the CMP inst
            break;
        }
        else if (util.isEpilogue(iscfunc_addr + i))
        {
            Console.WriteLine("Unable to find IsC offset");
            break;
        }
    }
    for (int i = 0; i < 16; i++) // gettop is 16 bytes
    {
        if (util.readByte(gettop_addr + i) == 0x2B)
        { /*2B is the sub instruction that uses base*/
            LogOffset("ls_base", util.readByte(gettop_addr + i + 2)); /*second register*/
            // Reads the byte before the match; a match at i == 0 would read one byte
            // before gettop_addr (the signature starts with 55, so not expected in practice).
            LogOffset("ls_top", util.readByte(gettop_addr + i - 1)); /*top is just 1 byte back from the sub inst*/
            break;
        }
        else if (util.isEpilogue(gettop_addr + i))
        {
            Console.WriteLine("Unable to find top and base");
            break;
        }
    }
    // the IsC dumping might die at one point but it shouldnt for a long time

    watch.Stop();
    Console.WriteLine();
    Console.ForegroundColor = ConsoleColor.Green;
    // addycount is a field declared elsewhere in the file; not reset or incremented here.
    Console.WriteLine("Scanned " + addycount + " addresses" + " in " + watch.ElapsedMilliseconds + "ms");
    // -1 is Timeout.Infinite: the process never exits on its own after this point.
    Thread.Sleep(-1);
}