# Backdoor Decrypting?

So I found this code in a backdoor I assume and theres a string and a decrypt function, it requires a key and has a special string heres the string and the decrypt function

``````"\85\80\8\96\96\106\65\75\86\85\8\51\47\90\112\116\86\94\92\81\6\92\26\67\61\89\103\59\8\86\108\12\86\77\25\31\91\46\91\57\88\109\90\81\18\31\20\8\112\11\73\99\112\42\100\92\71\95\17\13\82\106\85\89\23\77\96\85\73\21\1\42\112\88\75\80\98\15\25\94\75\89\24\96\100\8\31\28\47\83\39\33\27\40\87\47\41\33\43\125\80\96\92\24\111\65\23\18\23\108\15\15\28\65\93\88\88\26\96\25\78\24\96\83\94\12\66\90\112\17\122\17\116\113\12\10\8\18\17\102\6\69\97\84\73\107\77\102\113\12\99\81\18\28\89\41\34\86\28\27\50\33\89\13\126\65\19\8\23\91\17\73\17\110\73\102\90\112\43\105\80\92\113\21\82\21\25\43"
``````
``````local decrypt = function(str, key)
local cache = {}
if not key or not str then
return str
elseif cache[key] and cache[key][str] then
return cache[key][str]
else
local keyCache = cache[key] or {}
local byte = string.byte
local abs = math.abs
local sub = string.sub
local len = string.len
local char = string.char
local endStr = {}

for i = 1,len(str) do
local keyPos = (i%len(key))+1
endStr[i] = string.char(((byte(sub(str, i, i)) - byte(sub(key, keyPos, keyPos)))%126) - 1)
end

endStr = table.concat(endStr)
cache[key] = keyCache
keyCache[str] = endStr
return endStr
end
end
``````
2 Likes

If you want to decrypt the string, then I suppose you could pass it into the decrypt function you provided, then print the results.

1 Like

He needs a key for it to decrypt properly, which he probably doesn’t have.

2 Likes

if were to assume this is a version of hexidecimal code then that would be the output:

``````78 5c 38 35 5c 78 38 30 5c 78 38 5c 78 39 36 5c 78 39 36 5c 78 31 30 36 5c 78 36 35 5c 78 37 35 5c 78 38 36 5c 78 38 35 5c 78 38 5c 78 35 31 5c 78 34 37 5c 78 39 30 5c 78 31 31 32 5c 78 31 31 36 5c 78 38 36 5c 78 39 34 5c 78 39 32 5c 78 38 31 5c 78 36 5c 78 39 32 5c 78 32 36 5c 78 36 37 5c 78 36 31 5c 78 38 39 5c 78 31 30 33 5c 78 35 39 5c 78 38 5c 78 38 36 5c 78 31 30 38 5c 78 31 32 5c 78 38 36 5c 78 37 37 5c 78 32 35 5c 78 33 31 5c 78 39 31 5c 78 34 36 5c 78 39 31 5c 78 35 37 5c 78 38 38 5c 78 31 30 39 5c 78 39 30 5c 78 38 31 5c 78 31 38 5c 78 33 31 5c 78 32 30 5c 78 38 5c 78 31 31 32 5c 78 31 31 5c 78 37 33 5c 78 39 39 5c 78 31 31 32 5c 78 34 32 5c 78 31 30 30 5c 78 39 32 5c 78 37 31 5c 78 39 35 5c 78 31 37 5c 78 31 33 5c 78 38 32 5c 78 31 30 36 5c 78 38 35 5c 78 38 39 5c 78 32 33 5c 78 37 37 5c 78 39 36 5c 78 38 35 5c 78 37 33 5c 78 32 31 5c 78 31 5c 78 34 32 5c 78 31 31 32 5c 78 38 38 5c 78 37 35 5c 78 38 30 5c 78 39 38 5c 78 31 35 5c 78 32 35 5c 78 39 34 5c 78 37 35 5c 78 38 39 5c 78 32 34 5c 78 39 36 5c 78 31 30 30 5c 78 38 5c 78 33 31 5c 78 32 38 5c 78 34 37 5c 78 38 33 5c 78 33 39 5c 78 33 33 5c 78 32 37 5c 78 34 30 5c 78 38 37 5c 78 34 37 5c 78 34 31 5c 78 33 33 5c 78 34 33 5c 78 31 32 35 5c 78 38 30 5c 78 39 36 5c 78 39 32 5c 78 32 34 5c 78 31 31 31 5c 78 36 35 5c 78 32 33 5c 78 31 38 5c 78 32 33 5c 78 31 30 38 5c 78 31 35 5c 78 31 35 5c 78 32 38 5c 78 36 35 5c 78 39 33 5c 78 38 38 5c 78 38 38 5c 78 32 36 5c 78 39 36 5c 78 32 35 5c 78 37 38 5c 78 32 34 5c 78 39 36 5c 78 38 33 5c 78 39 34 5c 78 31 32 5c 78 36 36 5c 78 39 30 5c 78 31 31 32 5c 78 31 37 5c 78 31 32 32 5c 78 31 37 5c 78 31 31 36 5c 78 31 31 33 5c 78 31 32 5c 78 31 30 5c 78 38 5c 78 31 38 5c 78 31 37 5c 78 31 30 32 5c 78 36 5c 78 36 39 5c 78 39 37 5c 78 38 34 5c 78 37 33 5c 78 31 30 37 5c 78 37 37 5c 78 31 30 32 5c 78 31 31 33 5c 78 31 32 5c 78 39 39 5c 78 38 31 5c 78 31 38 5c 78 32 38 5c 78 38 39 5c 78 34 31 5c 78 33 34 5c 78 38 36 5c 78 32 38 5c 78 32 37 5c 78 35 30 5c 78 33 33 5c 78 38 39 5c 78 31 33 5c 78 31 32 36 5c 78 36 35 5c 78 31 39 5c 78 38 5c 78 32 33 5c 78 39 31 5c 78 31 37 5c 78 37 33 5c 78 31 37 5c 78 31 31 30 5c 78 37 33 5c 78 31 30 32 5c 78 39 30 5c 78 31 31 32 5c 78 34 33 5c 78 31 30 35 5c 78 38 30 5c 78 39 32 5c 78 31 31 33 5c 78 32 31 5c 78 38 32 5c 78 32 31 5c 78 32 35 5c 78 34 33 0d 0a
``````

nothing really.

Oh, my bad, I didn’t notice. Well if it’s a backdoor, then there are two potential scenarios:
-The key is contained somewhere in the backdoor
-The key is in possession of the backdoor author and they manually enter it to activate the backdoor

The former is more likely with skids as they’d need to know which game they backdored, so they’d need their discord webhook whatever code to run without manual activation. The latter is more likely if the backdoor was purposefully inserted into the place by someone malicious. If the OP could provide the source of the backdoor, it would be easier to attempt a search for the key.

2 Likes

i’ve tried running it through GitHub - Ciphey/Ciphey: ⚡ Automatically decrypt encryptions without knowing the key or cipher, decode encodings, and crack hashes ⚡, but with no luck sadly.

1 Like

Ran a brute force on it and basically every time the first 2 digits were yt so could be a YouTube channel? Or video

1 Like

It depends on what the encrypted string is used for. If it’s a Lua snippet, then the first two characters being “yt” is unlikely unless it’s a variable name being defined. Though if the author was sane, it would be `local yt = ...` not `yt = ...`. It could be a data string used elsewhere in the backdoor.

2 Likes

Also, what kind of brute force did you run? Did you generate random strings and feed them into the key argument?

1 Like

I started it going through every combination of the alphabet with a max length of 5 but then realised it would take 12 million attempts and stopped after around 400

2 Likes

Or in text representation:

``````U``jAKV3/ZptV^\Q♠\→C=YgVl
VM↓▼[.[9XmZQ↕▼p
RjUY↨M`UI§☺*pXKPb↓^KY↑`▼∟/S'!/)!+}P`\↑oA↨↕↨l∟A]XX→`↓N↑`S^
BZp◄z◄tq

↕◄f♠EaTIkMfq
cQ↕∟Y)"V∟!Y
13~A↨[◄I◄nIfZp+iP\q§R§↓+
``````
1 Like

I noticed that the exact same decryption algorithm is implemented in Adonis Admin: https://github.com/Epix-Incorporated/Adonis/blob/master/MainModule/Client/Core/Remote.lua

1 Like

Haha, I was looking at that too, wanted to see if someone left a key in a public repo somewhere. It’s likely just taken from there and repurposed.

Or from this obfuscation tool that got leaked, which I’m guessing took it from Adonis.

It’s funny nobody wanted to slightly change the encryption and decryption method. Obviously it doesn’t matter because it needs a key either way, but it’s not hard to modify it.

1 Like

I see a key generation method in the code you provided. Do you think the author of the backdoor could use the same method to generate their key? (This wouldn’t be helpful for bruteforcing but the length and pattern of the key could be approximated)

I mean definitely, they were lazy enough to take someone else’s decryption/encryption method 1:1. Hardly any guarantee though, and it’s just a script that got leaked from an obfuscation website so we don’t even know whether the person who made the backdoor saw it.

A good lesson there in not using obfuscation websites though, there’s a whole ton of scripts uploaded by users. The only reason those sites exist is to steal people’s code.

1 Like

Thank you all for the potential leads, I’m still lookin for this key

Can’t you just put a breakpoint in the decrypt function and then read the output with the debugger.