Try running this in the command bar. It will search all scripts in your game and warn if it finds certain things in their Source.

```lua
local coreGui = game:GetService("CoreGui")
local descendants = game:GetDescendants()
local isA = game.IsA

for i, descendant in pairs(descendants) do
	-- Some instances error on access, so the IsA call is wrapped in pcall.
	local success, isScript = pcall(isA, descendant, "LuaSourceContainer")
	if (success and isScript and (not descendant:IsDescendantOf(coreGui))) then
		-- Lowercase the source so the keyword checks are case-insensitive.
		local source = descendant.Source:lower()
		-- Only the first matching keyword is reported for each script.
		if (source:match("getfenv")) then
			warn("More likely malicious(getfenv):", descendant:GetFullName())
		elseif (source:match("setfenv")) then
			warn("More likely malicious(setfenv): ", descendant:GetFullName())
		elseif (source:match("loadstring")) then
			warn("More likely malicious(loadstring): ", descendant:GetFullName())
		elseif (source:match("luraph")) then
			warn("More likely malicious(luraph): ", descendant:GetFullName())
		elseif (source:match("synapse")) then
			warn("More likely malicious(synapse): ", descendant:GetFullName())
		else
			-- No keyword found: just list the script.
			print(descendant:GetFullName())
		end
	end
end
```
Probably a plugin then.
Make sure you go through each of them and check the installs and the like-to-dislike ratio. Make sure they look as legitimate as possible.
```lua
-- Services whose descendants are searched for scripts.
local services = {
	game:GetService("Workspace"),
	game:GetService("Players"),
	game:GetService("Lighting"),
	game:GetService("ReplicatedFirst"),
	game:GetService("ServerScriptService"),
	game:GetService("ServerStorage"),
	game:GetService("StarterGui"),
	game:GetService("StarterPack"),
	game:GetService("StarterPlayer"),
	game:GetService("SoundService"),
	game:GetService("Chat"),
	game:GetService("LocalizationService"),
	game:GetService("TestService"),
	game:GetService("Teams"),
	game:GetService("CoreGui")
}

-- Lua pattern for a PromptPurchase call; "%(" escapes the parenthesis.
local code = 'PromptPurchase%('

for _, service in pairs(services) do
	for _, v in pairs(service:GetDescendants()) do
		if v:IsA("BaseScript") then
			-- One case-insensitive search covers the exact-case match as well.
			if string.find(string.lower(v.Source), string.lower(code)) then
				warn("Found purchase prompt BaseScript, which is ".. tostring(v).. " located in ".. v:GetFullName())
			end
		end
	end
end
```

Once you put this in the command bar and run it, if it finds any script that contains PromptPurchase, it will tell you where it is.
Try searching for these keywords using Ctrl + Shift + F:
“loadstring” - Runs code inside of a string
“require” - Gets a module from the web
“MarketplaceService” - self explanatory
“string.byte” - turns strings into byte form
“string.reverse” - reverses strings (useful for obfuscation)
“RunService” - can be used to check if the game is running in studio and disable shirt spam if in studio.
Send over any suspicious scripts so I can analyse them.
That certainly is.
It’s using bytecode of ‘require’ to retrieve the function through getfenv.
Any honest script shouldn’t be trying to hide require calls.
This is a good example of why just searching for keywords might not work. When scripts can be obfuscated your only option might be to inspect every script in the game by hand. You can do this by pressing Ctrl-P and checking “script only” in the dropdown box. That will display every script in the game.
Before doing that, you should also go into Studio settings with Alt-S and check these “Explorer” options under Studio:
I’m going to analyse this plugin’s source to see if it does anything malicious.
Judging by the search results for “RunService”, however, I think the cause is a fake “Brick cutter” plugin.
I recommend reinstalling your plugins one at a time and searching those keywords again. If anything pops up after that plugin install, the plugin is fake and is the plugin inserting the script.
If you do find any bad plugins, please send me the link so I can analyse them.
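
As an added example (not code from any poster in this thread), the command-bar scan below extends the keyword search to the hiding technique discussed above: it decodes decimal and hex string escapes before matching, and also looks for the keywords spelled backwards. The keyword list, the function names and the sample string are assumptions made for this example.

```lua
local KEYWORDS = { "require", "getfenv", "setfenv", "loadstring" }

-- Replace "\x72" (hex) and "\114" (decimal) escapes with the characters they encode.
local function decodeEscapes(source)
	source = source:gsub("\\x(%x%x)", function(hex)
		return string.char(tonumber(hex, 16))
	end)
	return (source:gsub("\\(%d%d?%d?)", function(digits)
		local n = tonumber(digits)
		return n < 256 and string.char(n) or nil -- nil leaves the text as it was
	end))
end

-- Number of times a plain keyword occurs in the text.
local function count(text, word)
	return select(2, text:gsub(word, ""))
end

-- Keywords that appear only after decoding, or that appear reversed.
local function hiddenKeywords(source)
	local plain = source:lower()
	local decoded = decodeEscapes(source):lower()
	local hits = {}
	for _, word in ipairs(KEYWORDS) do
		if count(decoded, word) > count(plain, word) then
			table.insert(hits, word .. " (escaped)")
		elseif plain:find(word:reverse(), 1, true) then
			table.insert(hits, word .. " (reversed)")
		end
	end
	return hits
end

-- Constructed sample of a keyword hidden behind byte escapes.
local sample = [==[local f = getfenv()["\114\101\113\117\105\114\101"]]==]
print("sample:", table.concat(hiddenKeywords(sample), ", "))

-- Same traversal as the first scan in this thread, reporting hidden keywords only.
local coreGui = game:GetService("CoreGui")
for _, inst in ipairs(game:GetDescendants()) do
	local ok, isScript = pcall(game.IsA, inst, "LuaSourceContainer")
	if ok and isScript and not inst:IsDescendantOf(coreGui) then
		local hits = hiddenKeywords(inst.Source)
		if #hits > 0 then
			warn("Hidden keyword: " .. table.concat(hits, ", ") .. " in " .. inst:GetFullName())
		end
	end
end
```

This only catches literal escapes and reversed literals, so names assembled at run time still need the manual script-by-script review.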