Searching for Roblox cheats online is highly likely to lead users to malware rather than functional cheats, posing significant security risks.
Hello everybody. My name is Eric and today we're going to be taking a look at Roblox cheats. You know, last time we covered how much malware can you get from Minecraft cheating tutorials. The short answer is a lot. So, is Roblox any better? Let's find out. I got a feeling it isn't. Just my projection here. Now, of course, this is for educational purposes. I don't encourage cheating, but it is good for people to know what level of risk they might be taking before engaging in such an activity. Was my Chrome just... Okay. Okay. No, it hasn't crashed. Okay. Now, the first result is an ad for WeMod that, as far as I know, is legitimate, although whether this is going to the real site... And this I think is more of a... this is basically a paid version of Cheat Engine with some built-in cheats. It's only for single player games. There's nothing wrong with this. I don't... Oh, maybe it isn't paid. I thought it was paid or at least there's a premium version. I don't really recommend this, but there's nothing really wrong with this.
There's nothing wrong with cheating in single player games. That's just called modding. So, let's see. The first one here is coming in hot. Now, it's worth noting that some of these will use the names of legitimate things. They'll also sometimes take the names of discontinued but legitimate cheats. And I will inevitably... so I'll address this right now about dealing with the more legitimate ones, at least ones that work. The trouble is they're usually so obfuscated that getting a solid answer is difficult, but they're usually at least not immediately doing anything fishy. Whereas these... this has got all the red flags we look for. Passworded zip. "Guide 2025" is what we need to get into this. Oh, and they... Okay, that's downloaded. I've seen if they suggest turning off antivirus. And here is the supposed script. So, that's our first hit. All right. We're going to download some more and we'll take a look at what we've got.

Now, some of these are just unrelated videos, especially because right now I'm on the relevancy YouTube search, which is the less dangerous one. Although the top result is still malware, I'm guessing this is going to be a hack channel, which is another big red flag: this doesn't look like this is a Roblox channel. Oh, look. We got everything. We got all these different fake SEO, as I said, ones that are known to exist. They've also got a League of Legends skin changer. More Roblox, Fortnite skin swapper. RI, I don't even know what that is. Rivals. Roblox Luna exploit. Roblox Delta Executor. CLLLD BO6. What on earth is that? I think it's Call of Duty. Red Dead Redemption 2. That's not even an online game, but wow, they got everything here. We got some sussy wussy cheats right here. Oh, we've even got Minecraft. So, let's also, out of curiosity, let's just see. This will be the exact same. Oh, it's not even the exact... It's the exact same link. It's another red flag: are they linking to the same thing for a bunch of different video games? That's probably not a legitimate cheat.

Now, we also have these videos that... Oh, and we've got some interesting ads as well. We've got a gentleman's Herm LPG. That seems like a good... Really, we should just be playing that instead of trying to cheat at Roblox. Oh, and I think this might be a cheat for the Herm LPG. This one's a bit spicy. And this one's using a technique I've seen a fair amount. They do the Google Sites. No, I don't want to get YouTube Premium. How else am I going to get all these Herm LPGs that I would otherwise be missing out on? So, we got a really spammy description. And here they've got good instructions. As I've said before, while some exploits and cheats might need you to turn off your antivirus, don't bother. Unless you're really, really confident, this is a terrible idea. So, these guys, oh, they're saying like you can... we got to use a compatible browser, turn off all of our security features, and they've even got an instruction if we don't know how to run an .exe. I know I don't know how to run an .exe, so this is going to be really helpful for me.
And they've got something, it looks a bit more legit. We've even got a WhatsApp lie 1337 that could be affiliated with the real thing, whereas this file is not affiliated with the real thing. And we're here to another MediaFire that looks relatively identical to what we were at before. Hate how MediaFire has gone with these ads where they open them in a window. It's not quite as bad as something like Buzz Heavier, but it just gives me a slightly malicious vibe. Now, this is another case, this does not look like a Roblox channel to me. And we can see all of these different ones with very similar thumbnails. Videos are different. In a lot of cases, the videos are actually stolen from YouTubers who have nothing to do with this. And we can see again, they're using the same link for different games. I've actually had my videos stolen a few times by these kind of channels. And it's just funny to me cuz they'll sometimes even steal the voice over where I'm explaining why it's a virus. But I didn't even bother taking them down because I think they're actually doing everyone a favor.

So, let's extract some of these juicy malwares. So, we got Endorphin. Looks legit to me. And we got soft v1014. Now, these may be a bit interesting purely in that because of the Lumma disruptions, we may not be finding as much Lumma as we used to, but sometimes they won't let that stop them. Bin, Java runtime. Oh, this is a nest of folders. I'm actually having a hard time figuring out which one I'm supposed to run. But I guess we'll keep going. Is it going to be in lib? That is Java. These are identical exes. And I can pretty immediately figure out that this is going to be a case of DLL injection. We could try something if we can figure out which way this is being injected. Then we'll take a look at the other one cuz it's probably not as nested.

Let's see what our Endorphin has going on. I already extracted it. Oh yeah, I did. Okay, so this is Endorphin. Now this is more like what we're expecting. And we can be pretty confident that one of these DLLs is the payload. And let's see what Endorphin really is. This is the new trend that we've been seeing for a while. Doesn't even say where... the .exe is a legitimate program and the DLLs are the actual payload. So, it's either going to be D3D... You got to read me as well. Installer, and wait for program to be installed. I'm going to guess it's this D3D compiler DLL. Going to VirusTotal and just see which one is giving us a flag. It's got a few flags and we will check the ffmpeg as well just to make sure that one's healthy. Probably that one, that is our suspect. Now let's see what, if we had fallen for this, what delights would we be getting? And when ready to stop cheating in Roblox... Oh, that's weird. Nothing happened. But don't be fooled. It is running. And if we open proc, we can see a bit more about what it's doing. But it has no GUI. This is not an application installer. This is an info stealer that I think is already finished. We can run it again if we want to see what it does. But let's check out the other one because that one is such a mess. I really want to see what it's all about. Soft v104. Oh, it just hadn't finished. Okay, so they moved that. So here it is. So this bin was actually just a red herring. So the actual payload lives up here in one of these DLLs. Just see if this one's properly signed.
One is. So then the Python signature is probably... sassy was right. I thought they might do something kind of cool that you occasionally see where they'll do a double DLL injection. The injection, they will put the payload... Yep. You don't quite look like Python to me. Is apparently a Lumma. We can actually find some sandbox runs here as well. Let's see what's going on here. Lumma Stealer. And we should have the C2s extracted. See if these are still going. Certificate's gone. Hoping that means... Okay, that one seems to be gone. Hoping these will all be redirecting to a nice FBI. There we go. Yep. This is a Lumma C2 using a pretty typical technique because what most people will do if they use an online tool, even if it's a sandbox, they'll do this. No hits. Run this one just to see what happens.

And we see the infamous MSBuild, which is a result of a reflection-based injector. Oh, and it's spawned a Microsoft Edge in debugging mode. We'll see if it spawns any other browser. And that seems to just be chilling there. Now, MSBuild is a popular toolkit for these kind of attacks because it's present on pretty much every Windows computer and it's extremely easy, because of how it's built, to just use a malicious project file to get it to do your work. And because it's a real system file, once again, it wouldn't show up with a static scan. So, it's much harder to catch. Now, I'm going to look and see how much persistence we might have going on here. Here, I'm going to check as well if there's any other potentially interesting variants.

This one looks a bit different. And once again, we can pretty easily tell this isn't the real YouTuber here because this was originally a sunscreen... They're doing like sunscreen and life hack reviews. And suddenly it changes to Fortnite. See, we got diode laser skin rejuvenation. And then the next thing we got is 5M cheat, Roblox Solar Executor, which I believe is a real thing, but it's certainly not a real thing at this link. Phantom Core Studios.net. Let's see what Phantom Core cheats can do for us. It's updated and undetected. They've got Vape. They got Rust. They got Valorant. They got Valorant hack. Let's do Roblox. Roblox Executor is what we want. Can be pretty much certain these are all the exact same file and it's downloading from a Soviet Union domain. Almost nobody legitimately uses a .su in this day and age. It seems like this zip file isn't encrypted, which is actually an unusual choice. Must be pretty confident that they're fully undetected. And it would appear that confidence was rightly... Oh, Unity Hub. Wait a second.
What? No digital signatures? That's never a great sign. Okay, we got to try this. We got to see what's going on here. Yeah. Okay, loader has just spawned and it died. Okay, let's just check if we've got anything persistent so far. Looks like we're good. That "not verified" is in fact a legitimate Discord file. And everything else here looks good. So these were all so far one and done. But I am really curious about what this is. First of all, I'm just going to copy this to my document so we can potentially see if this is a standalone file. Then we know the payload. Yeah, it does look like it is. So I'm going to load this into BNA engine. Get a closer look. I was thinking for a second, because of the Unity thing, it could be a really clever injection technique, but it doesn't look like it. Doesn't actually look like there's any Unity code in here. Node, it could be an Electron. Now we got our strings.

Let's try this again under Procmon supervision. Okay, now we can drill down to its children because it's spawning a cmd that is actually doing its dirty work. Tasklist. So this is a very rudimentary anti-analysis technique and this is probably terminating the process, and with some luck we should have just bypassed that, but it will depend on how the parser is written because it's also possible that could just crash. What I've done is replaced it with a batch file. And success, at least got to a different step in the anti-analysis. Now I've got this hooked in x64dbg so we can do a bit. So we want to follow what happens. So let's try and figure out, okay, who called. So we called it here. Then if we put a break after that, that will take us to where we return to after we've run that, out that memory address, that's going to uv_spawn. So now I'm going to try this on a sandbox to see if we can get a bit more information because the current blocker is the Wii port count. So let's see if any of our sandboxes can handle this. It's definitely more creative than the average sample that I've seen recently. It's not a Lumma. Looks to be a custom JavaScript implementation of some sort. I mean a custom, like, custom stealer. Not that they've reimplemented the JavaScript language. That would be cool though.
That would be cool though. Doesn't
actually matter which one we download
because they're all going to the same
Soviet Union domain to actually get the
files. All right. Well, we're all out of
time for today. Although, I am going to
keep looking at this rather creative uh
beast. Seems to have better anti-
sandbox than most malware we look at these
these
days. The lesson here is if you go on
the internet looking for cheats, uh
you're probably going to find malware,
not cheats. Uh, people will make pretty
convincing videos, but they generally
are fake. And even the real cheats,
while they're non impossible to
analyze, hence why I'm probably not
going to make a video on the more legit
ones because they'll use layers of
obfiscation, which doesn't tell you a
whole lot because they'll say, "Well,
we're just doing that so the antiche
developers don't get into it." But at
the same time, they could be uh hiding
unwanted surprises. I I don't think
cheating in multiplayer games is a good
idea for a number of reasons. If you are
absolutely insistent on doing it, the
only advice I can give you is do not do
it on a computer that has anything
important. Do it on a dedicated computer
or virtual machine. Only use it for that
and do so at your own risk. That's all
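A defender-side counterpart to the behaviours the walkthrough observed (MSBuild run from a reflective injector, Edge spawned in debugging mode, a cmd child running tasklist as an anti-analysis check), added here as an example that is not from the video: a small Python triage over constructed process-creation events. Field names, paths and rule labels are my assumptions, not anything the video showed.

```python
"""Triage constructed process-creation events for three living-off-the-land
behaviours: MSBuild fed a project file from a user-writable path, a browser
started in remote-debugging mode by a non-browser parent, and cmd running
tasklist for a dropped loader. Fields, paths and rule labels are constructed."""
import re

# Locations a downloaded "cheat" archive usually lands in or drops files to.
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\(downloads|appdata|desktop|documents)\\|\\windows\\temp\\|\\programdata\\", re.I)
DEV_PARENTS = {"devenv.exe", "dotnet.exe", "msbuild.exe"}  # expected legitimate MSBuild callers
BROWSERS = {"msedge.exe", "chrome.exe"}

def _name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()  # lower-cased file name of a Windows path

def check_event(ev: dict) -> list[tuple[str, str]]:
    """Return (rule, detail) pairs for one event with image/parent/cmdline fields."""
    image, parent, cmd = _name(ev["image"]), _name(ev["parent"]), ev["cmdline"]
    hits = []
    # msbuild.exe is a real system file, so the signal is what it was told to build
    # and who launched it, not the binary itself (which a static scan passes).
    if image == "msbuild.exe" and USER_WRITABLE.search(cmd) and parent not in DEV_PARENTS:
        hits.append(("msbuild_lolbin", cmd))
    # Edge/Chrome in debugging mode, spawned by something that is not a browser.
    if image in BROWSERS and "--remote-debugging-port" in cmd.lower() and parent not in BROWSERS:
        hits.append(("browser_remote_debug", f"parent={parent}"))
    # Process-list check (rudimentary anti-analysis) run via cmd by a dropped binary.
    if image == "cmd.exe" and "tasklist" in cmd.lower() and USER_WRITABLE.search(ev["parent"]):
        hits.append(("tasklist_from_dropped_exe", ev["parent"]))
    return hits

def triage(events: list[dict]) -> list[tuple[str, str]]:
    return [hit for ev in events for hit in check_event(ev)]

# Constructed sample events (Sysmon-style fields, invented paths).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "parent": r"C:\Users\eric\Downloads\Endorphin\installer.exe",
     "cmdline": r"MSBuild.exe C:\Users\eric\AppData\Local\Temp\build.proj"},
    {"image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "parent": r"C:\Program Files\Microsoft Visual Studio\devenv.exe",
     "cmdline": r"MSBuild.exe C:\src\app\app.csproj"},
    {"image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "parent": r"C:\Users\eric\Downloads\UnityHub\loader.exe",
     "cmdline": "msedge.exe --remote-debugging-port=9222 --headless"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Users\eric\Downloads\UnityHub\loader.exe",
     "cmdline": "cmd.exe /c tasklist /fo csv"},
]
```

Running `triage(SAMPLE_EVENTS)` flags three of the four constructed events; the devenv-launched MSBuild build is the benign control.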