So I found this code in what I assume is a backdoor. There's a string and a decrypt function; it requires a key and has a special string. Here's the string and the decrypt function:
```lua
local decrypt = function(str, key)
    -- Note: this table is local to every call, so the "cache" below is
    -- rebuilt on each invocation and never actually hit.
    local cache = {}
    if not key or not str then
        return str
    elseif cache[key] and cache[key][str] then
        return cache[key][str]
    else
        local keyCache = cache[key] or {}
        local byte = string.byte
        local abs = math.abs   -- unused
        local sub = string.sub
        local len = string.len
        local char = string.char
        local endStr = {}
        for i = 1, len(str) do
            -- key byte cycles with the key length (starts at position 2)
            local keyPos = (i % len(key)) + 1
            -- byte-wise subtraction mod 126, then minus 1;
            -- string.char errors when the result is -1
            endStr[i] = char(((byte(sub(str, i, i)) - byte(sub(key, keyPos, keyPos))) % 126) - 1)
        end
        endStr = table.concat(endStr)
        cache[key] = keyCache
        keyCache[str] = endStr
        return endStr
    end
end
```
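A Python port of the decrypt routine quoted above, with the matching encrypt direction, added here as an editor's example and not part of any post in the thread. It mirrors the Lua indexing (the key byte used for position i is key[(i % len(key)) + 1], 1-based) and the underflow that makes Lua's string.char raise, which is the usual symptom of a wrong key; the key and sample text are constructed.

```python
# Added example (not from the thread): Python port of the Lua decrypt function
# plus its inverse. Key and plaintext below are constructed sample values.

MOD = 126  # the Lua code reduces every byte difference modulo 126


def _key_byte(key: bytes, i: int) -> int:
    # Lua: keyPos = (i % len(key)) + 1 with 1-based i; with 0-based i that is
    # key[(i + 1) % len(key)], so the key stream starts at its second byte.
    return key[(i + 1) % len(key)]


def decrypt(data: bytes, key: bytes) -> bytes:
    """out[i] = ((data[i] - key_byte) % 126) - 1, exactly as the Lua does."""
    if not key or not data:
        return data  # the Lua returns the input unchanged in this case
    out = bytearray()
    for i, b in enumerate(data):
        v = ((b - _key_byte(key, i)) % MOD) - 1  # Python's % is floored like Lua's
        if v < 0:
            # Lua's string.char(-1) throws here; with the wrong key this is
            # typically the first thing that happens.
            raise ValueError(f"byte {i}: underflow, key is probably wrong")
        out.append(v)
    return bytes(out)


def encrypt(plain: bytes, key: bytes) -> bytes:
    """Inverse of decrypt: data[i] = (plain[i] + 1 + key_byte) % 126.

    Only plaintext bytes 0..124 survive the round trip, because decrypt's
    result space is -1..124; '~' (126) and anything above cannot be encoded.
    """
    if not key or not plain:
        return plain
    out = bytearray()
    for i, p in enumerate(plain):
        if p > MOD - 2:
            raise ValueError(f"byte {i} ({p}) cannot be represented by this scheme")
        out.append((p + 1 + _key_byte(key, i)) % MOD)
    return bytes(out)


def roundtrip_ok(plain: bytes, key: bytes) -> bool:
    """True if encrypt followed by decrypt returns the original plaintext."""
    return decrypt(encrypt(plain, key), key) == plain
```

Because each output byte depends only on the input byte and the key byte at the same cyclic position, the scheme is a byte-wise Vigenère-style shift: without the key there is nothing to do but guess it, which is why the thread turns to where the key might be stored.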
Oh, my bad, I didn’t notice. Well if it’s a backdoor, then there are two potential scenarios:
- The key is contained somewhere in the backdoor
- The key is in the possession of the backdoor author and they manually enter it to activate the backdoor
The former is more likely with skids, as they'd need to know which game they backdoored, so they'd need their Discord webhook or whatever code to run without manual activation. The latter is more likely if the backdoor was purposefully inserted into the place by someone malicious. If the OP could provide the source of the backdoor, it would be easier to attempt a search for the key.
It depends on what the encrypted string is used for. If it's a Lua snippet, then the first two characters being "yt" is unlikely unless it's a variable name being defined. Though if the author was sane, it would be `local yt = ...`, not `yt = ...`. It could be a data string used elsewhere in the backdoor.
I started it going through every combination of the alphabet with a max length of 5, but then realised it would take 12 million attempts and stopped after around 400.
Haha, I was looking at that too, wanted to see if someone left a key in a public repo somewhere. It’s likely just taken from there and repurposed.
Or from this obfuscation tool that got leaked, which I’m guessing took it from Adonis.
It's funny that nobody wanted to slightly change the encryption and decryption method. Obviously it doesn't matter, because it needs a key either way, but it's not hard to modify it.
I see a key generation method in the code you provided. Do you think the author of the backdoor could use the same method to generate their key? (This wouldn't be helpful for bruteforcing, but the length and pattern of the key could be approximated.)
I mean, definitely; they were lazy enough to take someone else's decryption/encryption method 1:1. Hardly any guarantee though, and it's just a script that got leaked from an obfuscation website, so we don't even know whether the person who made the backdoor saw it.
A good lesson there in not using obfuscation websites, though; there's a whole ton of scripts uploaded by users. The only reason those sites exist is to steal people's code.