From like a week before I was having problems with my game where exploiters would join and exploit and when I would try to ban them from Basic Admin Essentials the text would be replaced with something else (usually “.” and “why tryna ban me”). Also there would be module import errors on the output. I searched so much for the backdoor but I could not find anything.
Then I disabled the admin and it was fixed! But how? I searched and there wasn’t a require.
Turns out there was this:
The --[[ Last synced 6/28/2020 03:43 ]]-- actually turns out to be a hidden text with a require inside and I found out by putting the whole script inside Text Compare:
I’m making this topic so that people are informed about this issue where some text isn’t visible inside ROBLOX’s editor.
Even though the module seems to be content deleted, it actually contains another require to this module that contains another require that leads to more modules that contain more requires. This is actually incredible, someone took the time to hide their module so well that this takes at least 10 requires and 3 different accounts. I don’t have the time to go through every require so if you want to lead to the main one, I’m leaving here the last one that I found.
Edit: Arenoir found the last require that leads to this
Yeah the backdoor won’t be there anymore, I suspect someone in my team imported a fake one. The real problem is how exploiters can hide text in the ROBLOX editor.
Some people hide parts of their code by making lots of indents or spaces on one line to “push” a line of code outside of the script editor so normal users can’t see it. Usually what they hide is require() or something else that could be used maliciously. You can find it by scrolling right using the bottom scrollbar or by right clicking and pressing “Zoom Out” in your script editor.
The reason you managed to see it in Text Compare is probably because it was text wrapped. That means even with a bunch of spaces or indents, every word and character is kept in the script viewer window.
It’s possible to also make the script editor text wrapped. You can do this by going to File (top-left corner) > Settings > Studio > Text Wrapping.
Yes I already solved the issue but my point is that the text is invisible inside the ROBLOX editor, enabling Text Wrapping does nothing and can only be found using an external editor.
Interesting. I can’t tell whether it’s some unicode magic that causes the script editor to fail (which is a possibility considering the text of the backdoor shows character spam of a certain unicode character) or externally edited rbxm’s that have then been imported into studio.
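A way to check a script's source outside Studio for the hiding tricks discussed in the posts above (whitespace padding, invisible or spammed Unicode characters) and for `require()` by numeric asset ID. This is an added example, not code from the thread or from any plugin mentioned in it; the thresholds, function names, sample script and asset IDs are constructed assumptions.

```python
import re
import unicodedata

# Thresholds are assumptions chosen for illustration; tune them for your code base.
PAD_RUN = re.compile(r"(?:^|\S)[ \t]{40,}\S")          # text pushed far to the right
CHAR_SPAM = re.compile(r"([^\x00-\x7f])\1{19,}")       # one non-ASCII char repeated 20+ times
REQUIRE_ID = re.compile(r"\brequire\s*\(\s*\d+\s*\)")  # module loaded by numeric asset ID
HIDDEN_CATEGORIES = {"Cf", "Cc", "Zs", "Zl", "Zp"}     # format, control, odd spaces/separators

def has_hidden_char(line):
    """True if the line holds a character that renders as nothing or as blank space."""
    return any(ch not in " \t" and unicodedata.category(ch) in HIDDEN_CATEGORIES
               for ch in line)

def scan_script(source):
    """Return sorted (line_number, reason) findings for one script's source text."""
    findings = []
    # Split on "\n" only, so Unicode line separators stay in the line and get flagged.
    for number, raw in enumerate(source.split("\n"), 1):
        line = raw.rstrip("\r")
        if PAD_RUN.search(line):
            findings.append((number, "padding"))
        if has_hidden_char(line):
            findings.append((number, "invisible-char"))
        if CHAR_SPAM.search(line):
            findings.append((number, "char-spam"))
        if REQUIRE_ID.search(line):
            findings.append((number, "require-by-id"))
    return sorted(findings)

# Constructed sample script; the asset IDs are placeholders, not real modules.
SAMPLE = (
    "--[[ Last synced 6/28/2020 03:43 ]]--" + " " * 200 + "require(1234567890)\n"
    "local Players = game:GetService('Players')\n"
    "local x = 1 \u200b\n"
    "-- " + "\u2800" * 60 + " require(42)\n"
    "local m = require(script.Parent.Settings)\n"
)

if __name__ == "__main__":
    for number, reason in scan_script(SAMPLE):
        print(f"line {number}: {reason}")
```

A `require` of a local instance such as `script.Parent.Settings` is not flagged; only numeric IDs are, since those are what pull in code from outside the place file.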
A similar thing has been done with this model (credit script) and basically same whole thing, different modules hiding it all, hidden text, massive lag at start of server (because of God knows how many returns) and this model is basically the copy of a trusted one and probably botted.
That’s freaky on how something like that has that many sales and still has a malicious method of loading unreviewed/unwanted code.
But I’m not surprised on how slow Roblox even takes to respond. I’ve reported numerous models that are obviously a backdoor hidden in obfuscated code to only still see them up months later. Even giving Roblox an easy way to see who all made the exploit irl with some of the exploits with the ‘creators usernames and friends’ in the script. They’re still free to play on Roblox.
All 6 of the models on the top row of the free models page are models with malicious code. They were created a few days ago and have been botted to 5 million sales. The require() calls within the scripts are invisible in the Roblox script editor. They are only visible after pasting into a text editor. See the images:
That’s exactly what I found and that’s why I made this thread so that Roblox finds this and makes changes to the script editor so people can see the hidden text.
Hello!
I am a developer of GameGuard Antivirus, and with this information, it can detect these types of… “hidden” threats now. You can try it out by downloading the plugin, inserting that yucky script, and running a scan.
Thank you for this information, it made my plugin way better!