Backdoor Decrypting?

So I found this code in what I assume is a backdoor. There's a string and a decrypt function; it requires a key and has a special string. Here's the string and the decrypt function:

"\85\80\8\96\96\106\65\75\86\85\8\51\47\90\112\116\86\94\92\81\6\92\26\67\61\89\103\59\8\86\108\12\86\77\25\31\91\46\91\57\88\109\90\81\18\31\20\8\112\11\73\99\112\42\100\92\71\95\17\13\82\106\85\89\23\77\96\85\73\21\1\42\112\88\75\80\98\15\25\94\75\89\24\96\100\8\31\28\47\83\39\33\27\40\87\47\41\33\43\125\80\96\92\24\111\65\23\18\23\108\15\15\28\65\93\88\88\26\96\25\78\24\96\83\94\12\66\90\112\17\122\17\116\113\12\10\8\18\17\102\6\69\97\84\73\107\77\102\113\12\99\81\18\28\89\41\34\86\28\27\50\33\89\13\126\65\19\8\23\91\17\73\17\110\73\102\90\112\43\105\80\92\113\21\82\21\25\43"
local cache = {} -- memoises results per key. In the posted version this table was created inside the function, so it was empty on every call and nothing was ever cached; the decrypted output is unchanged.
local decrypt = function(str, key)
	if not key or not str then
		return str
	elseif cache[key] and cache[key][str] then
		return cache[key][str]
	else
		local keyCache = cache[key] or {}
		local byte = string.byte
		local sub = string.sub
		local len = string.len
		local char = string.char
		local endStr = {}

		for i = 1, len(str) do
			-- 1-indexed key schedule: byte i of str is paired with key position (i % len(key)) + 1,
			-- so the first byte uses the SECOND key character and the wrap-around reaches the first.
			local keyPos = (i % len(key)) + 1
			-- Per-byte subtraction mod 126. If (c - k) % 126 is 0 this becomes char(-1), which errors
			-- ("bad argument to 'char'"), so a plaintext byte of 125 ('}') can never come out of this.
			endStr[i] = char(((byte(sub(str, i, i)) - byte(sub(key, keyPos, keyPos))) % 126) - 1)
		end

		endStr = table.concat(endStr)
		cache[key] = keyCache
		keyCache[str] = endStr
		return endStr
	end
end
2 Likes

If you want to decrypt the string, then I suppose you could pass it into the decrypt function you provided, then print the results.

1 Like

He needs a key for it to decrypt properly, which he probably doesn’t have.

2 Likes

If we were to assume this is a version of hexadecimal code, then that would be the output:

78 5c 38 35 5c 78 38 30 5c 78 38 5c 78 39 36 5c 78 39 36 5c 78 31 30 36 5c 78 36 35 5c 78 37 35 5c 78 38 36 5c 78 38 35 5c 78 38 5c 78 35 31 5c 78 34 37 5c 78 39 30 5c 78 31 31 32 5c 78 31 31 36 5c 78 38 36 5c 78 39 34 5c 78 39 32 5c 78 38 31 5c 78 36 5c 78 39 32 5c 78 32 36 5c 78 36 37 5c 78 36 31 5c 78 38 39 5c 78 31 30 33 5c 78 35 39 5c 78 38 5c 78 38 36 5c 78 31 30 38 5c 78 31 32 5c 78 38 36 5c 78 37 37 5c 78 32 35 5c 78 33 31 5c 78 39 31 5c 78 34 36 5c 78 39 31 5c 78 35 37 5c 78 38 38 5c 78 31 30 39 5c 78 39 30 5c 78 38 31 5c 78 31 38 5c 78 33 31 5c 78 32 30 5c 78 38 5c 78 31 31 32 5c 78 31 31 5c 78 37 33 5c 78 39 39 5c 78 31 31 32 5c 78 34 32 5c 78 31 30 30 5c 78 39 32 5c 78 37 31 5c 78 39 35 5c 78 31 37 5c 78 31 33 5c 78 38 32 5c 78 31 30 36 5c 78 38 35 5c 78 38 39 5c 78 32 33 5c 78 37 37 5c 78 39 36 5c 78 38 35 5c 78 37 33 5c 78 32 31 5c 78 31 5c 78 34 32 5c 78 31 31 32 5c 78 38 38 5c 78 37 35 5c 78 38 30 5c 78 39 38 5c 78 31 35 5c 78 32 35 5c 78 39 34 5c 78 37 35 5c 78 38 39 5c 78 32 34 5c 78 39 36 5c 78 31 30 30 5c 78 38 5c 78 33 31 5c 78 32 38 5c 78 34 37 5c 78 38 33 5c 78 33 39 5c 78 33 33 5c 78 32 37 5c 78 34 30 5c 78 38 37 5c 78 34 37 5c 78 34 31 5c 78 33 33 5c 78 34 33 5c 78 31 32 35 5c 78 38 30 5c 78 39 36 5c 78 39 32 5c 78 32 34 5c 78 31 31 31 5c 78 36 35 5c 78 32 33 5c 78 31 38 5c 78 32 33 5c 78 31 30 38 5c 78 31 35 5c 78 31 35 5c 78 32 38 5c 78 36 35 5c 78 39 33 5c 78 38 38 5c 78 38 38 5c 78 32 36 5c 78 39 36 5c 78 32 35 5c 78 37 38 5c 78 32 34 5c 78 39 36 5c 78 38 33 5c 78 39 34 5c 78 31 32 5c 78 36 36 5c 78 39 30 5c 78 31 31 32 5c 78 31 37 5c 78 31 32 32 5c 78 31 37 5c 78 31 31 36 5c 78 31 31 33 5c 78 31 32 5c 78 31 30 5c 78 38 5c 78 31 38 5c 78 31 37 5c 78 31 30 32 5c 78 36 5c 78 36 39 5c 78 39 37 5c 78 38 34 5c 78 37 33 5c 78 31 30 37 5c 78 37 37 5c 78 31 30 32 5c 78 31 31 33 5c 78 31 32 5c 78 39 39 5c 78 38 31 5c 78 31 38 5c 78 32 38 5c 78 38 39 5c 78 34 31 5c 78 33 34 5c 78 38 36 5c 78 32 38 5c 78 32 37 5c 78 35 30 5c 78 33 33 5c 78 38 39 
5c 78 31 33 5c 78 31 32 36 5c 78 36 35 5c 78 31 39 5c 78 38 5c 78 32 33 5c 78 39 31 5c 78 31 37 5c 78 37 33 5c 78 31 37 5c 78 31 31 30 5c 78 37 33 5c 78 31 30 32 5c 78 39 30 5c 78 31 31 32 5c 78 34 33 5c 78 31 30 35 5c 78 38 30 5c 78 39 32 5c 78 31 31 33 5c 78 32 31 5c 78 38 32 5c 78 32 31 5c 78 32 35 5c 78 34 33 0d 0a

nothing really.

Oh, my bad, I didn't notice. Well, if it's a backdoor, then there are two potential scenarios:
-The key is contained somewhere in the backdoor
-The key is in the possession of the backdoor author and they manually enter it to activate the backdoor

The former is more likely with skids, as they'd need to know which game they backdoored, so they'd need their Discord webhook or whatever code to run without manual activation. The latter is more likely if the backdoor was purposefully inserted into the place by someone malicious. If the OP could provide the source of the backdoor, it would be easier to attempt a search for the key.

2 Likes

I've tried running it through Ciphey (https://github.com/Ciphey/Ciphey), but with no luck sadly.

1 Like

Ran a brute force on it, and basically every time the first 2 digits were "yt", so it could be a YouTube channel? Or video.

1 Like

It depends on what the encrypted string is used for. If it's a Lua snippet, then the first two characters being "yt" is unlikely unless it's a variable name being defined. Though if the author was sane, it would be "local yt = ...", not "yt = ...". It could be a data string used elsewhere in the backdoor.

2 Likes

Also, what kind of brute force did you run? Did you generate random strings and feed them into the key argument?

1 Like

I started it going through every combination of the alphabet with a max length of 5, but then realised it would take 12 million attempts and stopped after around 400.

2 Likes

Or in text representation:

U``jAKV3/ZptV^\Q♠\→C=YgVl
VM↓▼[.[9XmZQ↕▼p
RjUY↨M`UI§☺*pXKPb↓^KY↑`▼∟/S'!/)!+}P`\↑oA↨↕↨l∟A]XX→`↓N↑`S^
BZp◄z◄tq

↕◄f♠EaTIkMfq
cQ↕∟Y)"V∟!Y
13~A↨[◄I◄nIfZp+iP\q§R§↓+
1 Like
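Added example (my own Python, not the OP's code and not Adonis's). It decodes the posted literal the way Lua does, ports the posted decrypt() byte for byte, and shows why the brute-force attempts above are the wrong tool. What it assumes or constructs: encrypt() is derived here as the algebraic inverse of the posted decrypt (the page shows no encrypt function); the demo key b"Kx9#mQ2" and the demo plaintext are made up for the demonstration; the 20-byte crib stands in for whatever plaintext you can guess (a "local ", a URL prefix, the "yt" reported above). What it relies on: Lua \ddd escapes are decimal, so the posted bytes are 1..126, exactly the cipher's output range, and the cipher is a repeating-key addition mod 126, so one known plaintext byte yields its key slot outright.

```python
import re

MOD = 126  # every byte is reduced mod 126, so the key only matters mod 126 as well

# Ciphertext from the first post, copied verbatim as the body of the Lua string literal.
# Lua "\ddd" escapes are DECIMAL byte values (up to three digits): "\85" is byte 85 ('U'),
# not 0x85, so the hexadecimal reading earlier in the thread does not apply.
POSTED_LITERAL = (
    r"\85\80\8\96\96\106\65\75\86\85\8\51\47\90\112\116\86\94\92\81\6\92\26\67\61\89\103\59"
    r"\8\86\108\12\86\77\25\31\91\46\91\57\88\109\90\81\18\31\20\8\112\11\73\99\112\42\100\92"
    r"\71\95\17\13\82\106\85\89\23\77\96\85\73\21\1\42\112\88\75\80\98\15\25\94\75\89\24\96"
    r"\100\8\31\28\47\83\39\33\27\40\87\47\41\33\43\125\80\96\92\24\111\65\23\18\23\108\15\15"
    r"\28\65\93\88\88\26\96\25\78\24\96\83\94\12\66\90\112\17\122\17\116\113\12\10\8\18\17\102"
    r"\6\69\97\84\73\107\77\102\113\12\99\81\18\28\89\41\34\86\28\27\50\33\89\13\126\65\19\8"
    r"\23\91\17\73\17\110\73\102\90\112\43\105\80\92\113\21\82\21\25\43"
)


def lua_escapes_to_bytes(literal: str) -> bytes:
    """Decode the body of a Lua string literal that uses \\ddd decimal escapes."""
    out = bytearray()
    for m in re.finditer(r"\\(\d{1,3})|(.)", literal, re.S):
        if m.group(1) is not None:
            value = int(m.group(1))
            if value > 255:
                raise ValueError("Lua decimal escape out of range: %d" % value)
            out.append(value)
        else:
            out.append(ord(m.group(2)))
    return bytes(out)


def key_byte(key: bytes, i0: int) -> int:
    """Key schedule of the posted loop. Lua is 1-indexed and uses keyPos = (i % len(key)) + 1,
    so 0-indexed byte i0 pairs with key[(i0 + 1) % len(key)]: the schedule starts at the
    SECOND key byte and wraps round to the first."""
    return key[(i0 + 1) % len(key)]


def decrypt(ct: bytes, key: bytes) -> bytes:
    """Byte-for-byte port of the posted decrypt(): p = ((c - k) % 126) - 1."""
    out = bytearray()
    for i0, c in enumerate(ct):
        p = ((c - key_byte(key, i0)) % MOD) - 1
        if p < 0:
            # The Lua original calls string.char(-1) here and errors; that happens whenever
            # (c - k) % 126 == 0, i.e. for any plaintext byte that was 125 ('}').
            raise ValueError("string.char(-1) at 1-based index %d" % (i0 + 1))
        out.append(p)
    return bytes(out)


def encrypt(pt: bytes, key: bytes) -> bytes:
    """Derived here as the algebraic inverse of decrypt() (the page shows no encrypt):
    c = ((p + k) % 126) + 1. Output is always 1..126, the byte range of the posted
    ciphertext. Plaintext bytes >= 125 do not round-trip."""
    return bytes(((p + key_byte(key, i0)) % MOD) + 1 for i0, p in enumerate(pt))


def roundtrips(pt: bytes, key: bytes) -> bool:
    """True if decrypt(encrypt(pt)) == pt without hitting the string.char(-1) failure."""
    try:
        return decrypt(encrypt(pt, key), key) == pt
    except ValueError:
        return False


def recover_key_residues(ct: bytes, crib: bytes, offset: int, keylen: int):
    """Known-plaintext attack. Since c = p + k + 1 (mod 126), one guessed plaintext byte
    gives its key slot directly: k = (c - p - 1) mod 126, no search required. Returns one
    residue per slot (None where the crib does not reach), or None if two crib bytes
    disagree about the same slot, which rules this key length out."""
    slots = [None] * keylen
    for j, p in enumerate(crib):
        i0 = offset + j
        slot = (i0 + 1) % keylen
        k = (ct[i0] - p - 1) % MOD
        if slots[slot] is not None and slots[slot] != k:
            return None
        slots[slot] = k
    return slots


def consistent_key_lengths(ct: bytes, crib: bytes, offset: int, max_len: int) -> list:
    """Key lengths in 1..max_len the crib does not contradict. With a crib longer than the
    candidate length, wrong lengths collide almost at once; multiples of the true length
    survive, because a period-L key is also a period-2L key."""
    return [L for L in range(1, max_len + 1)
            if recover_key_residues(ct, crib, offset, L) is not None]


if __name__ == "__main__":
    ct_posted = lua_escapes_to_bytes(POSTED_LITERAL)
    print("posted ciphertext: %d bytes, values %d..%d" % (len(ct_posted), min(ct_posted), max(ct_posted)))

    # Constructed demo data: my own key and plaintext, not anything from the backdoor.
    key = b"Kx9#mQ2"
    pt = b'local yt = "https://example.invalid/watch?v=demo" print(yt) -- constructed plaintext'
    ct = encrypt(pt, key)
    crib = pt[:20]  # pretend we only know the first 20 plaintext bytes
    print("key lengths consistent with the crib:", consistent_key_lengths(ct, crib, 0, 19))
    residues = recover_key_residues(ct, crib, 0, 7)
    print("recovered key:", bytes(residues), "decrypts correctly:", decrypt(ct, bytes(residues)) == pt)
    # Any key with the same residues mod 126 decrypts identically, so the "real" key is
    # neither recoverable beyond that nor needed.
    print("shifted key works too:", decrypt(ct, bytes(b + MOD for b in key)) == pt)
```

Three practical consequences for this thread. A 26^5 alphabet search is the wrong shape of attack: the effective key is just len(key) residues mod 126, and a crib hands you each residue it touches without any search, so the work goes into guessing plaintext (and the key length) rather than keys. The two-character "yt" crib alone fixes two slots and says nothing about the key length, so a longer guess (a full "local " or a URL scheme) is what makes consistent_key_lengths() useful. And any payload containing "}" cannot have come through this encrypt/decrypt pair intact, which constrains what the plaintext can be if it is Lua.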

I noticed that the exact same decryption algorithm is implemented in Adonis Admin: https://github.com/Epix-Incorporated/Adonis/blob/master/MainModule/Client/Core/Remote.lua

1 Like

Haha, I was looking at that too, wanted to see if someone left a key in a public repo somewhere. It’s likely just taken from there and repurposed.

Or from this obfuscation tool that got leaked, which I’m guessing took it from Adonis.

It’s funny nobody wanted to slightly change the encryption and decryption method. Obviously it doesn’t matter because it needs a key either way, but it’s not hard to modify it.

1 Like

I see a key generation method in the code you provided. Do you think the author of the backdoor could use the same method to generate their key? (This wouldn't be helpful for brute-forcing, but the length and pattern of the key could be approximated.)

I mean, definitely; they were lazy enough to take someone else's decryption/encryption method 1:1. Hardly any guarantee though, and it's just a script that got leaked from an obfuscation website, so we don't even know whether the person who made the backdoor saw it.

A good lesson there in not using obfuscation websites though, there’s a whole ton of scripts uploaded by users. The only reason those sites exist is to steal people’s code.

1 Like

Thank you all for the potential leads, I'm still looking for this key :sob:

Can't you just put a breakpoint in the decrypt function and then read the output with the debugger?