Backdoor hidden inside text unreadable by the ROBLOX editor

Hello there developers,

From like a week before I was having problems with my game where exploiters would join and exploit and when I would try to ban them from Basic Admin Essentials the text would be replaced with something else (usually “.” and “why tryna ban me”). Also there would be module import errors on the output. I searched so much for the backdoor but I could not find anything.

Then I disabled the admin, and it was fixed! But how? I searched and there wasn’t a require.

Turns out there was this:
The --[[ Last synced 6/28/2020 03:43 ]]-- actually turns out to be a hidden text with a require inside and I found out by putting the whole script inside Text Compare:


Left: Malicious script | Right: Official one

Now, the question that is left is: how?

I’m making this topic so that people are informed about this issue where some text isn’t visible inside ROBLOX’s editor.

Even though the module seems to be content deleted, it actually contains another require to this module that contains another require that leads to more modules that contain more requires. This is actually incredible, someone took the time to hide their module so well that this takes at least 10 requires and 3 different accounts. I don’t have the time to go through every require so if you want to lead to the main one, I’m leaving here the last one that I found.
Edit: Arenoir found the last require that leads to this

19 Likes

It’s either a plugin or someone in your team (if you have Team Create on) that edited it.

1 Like

Yeah the backdoor won’t be there anymore, I suspect someone in my team imported a fake one. The real problem is how exploiters can hide text in the ROBLOX editor.

1 Like

Some people hide parts of their code by making lots of indents or spaces on one line to “push” a line of code outside of the script editor so normal users can’t see it. Usually what they hide is require() or something else that could be used maliciously. You can find it by scrolling right using the bottom scrollbar or by right clicking and pressing “Zoom Out” in your script editor.

The reason you managed to see it in Text Compare is probably because it was text wrapped. That means even with a bunch of spaces or indents, every word and character is kept in the script viewer window.

It’s possible to also make the script editor text wrapped. You can do this by going to File (top-left corner) > Settings > Studio > Text Wrapping.

1 Like

Yes I already solved the issue but my point is that the text is invisible inside the ROBLOX editor, enabling Text Wrapping does nothing and can only be found using an external editor.

2 Likes

I don’t think that’s possible. If it was, I have no idea why.

1 Like

Does using the Find / Replace tool “reveal” the backdoor require or at least signify that there’s an “invisible” require in there?

1 Like

Nope. Nothing, I even searched through all the scripts in game and nothing showed up.

Interesting. I can’t tell whether it’s some unicode magic that causes the script editor to fail (which is a possibility considering the text of the backdoor shows character spam of a certain unicode character) or externally edited rbxm’s that have then been imported into studio.

1 Like
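
An added example, not part of any post in this thread and not any poster's or plugin's code: a Python scan over script source copied out of Studio that flags the two hiding methods suggested above (long whitespace runs that push code out of view, and non-printing Unicode characters) and marks any require() sitting on such a line. The thresholds, rule names and the sample script are assumptions constructed for illustration.

```python
import re
import unicodedata

# Thresholds and rule names are assumptions made for this example.
PAD_RUN = re.compile(r"[ \t]{40,}(?=\S)")      # long gap with more text after it
REQUIRE_CALL = re.compile(r"\brequire\s*\(")
ODD_CATEGORIES = {"Cc", "Cf", "Co", "Cn", "Zs", "Zl", "Zp"}


def odd_chars(line):
    """Return code points an editor may render as nothing or as a blank."""
    found = []
    for ch in line:
        if ch in " \t":
            continue  # ordinary space and tab are handled by PAD_RUN instead
        if unicodedata.category(ch) in ODD_CATEGORIES:
            found.append("U+%04X" % ord(ch))
    return found


def scan_source(source):
    """Return (line_number, rule, detail) findings for one script's source."""
    findings = []
    for lineno, raw in enumerate(source.split("\n"), 1):
        line = raw[:-1] if raw.endswith("\r") else raw   # tolerate CRLF endings
        hits = []
        pad = PAD_RUN.search(line)
        if pad:
            hits.append(("whitespace-padding", line[pad.end():].strip()[:60]))
        odd = odd_chars(line)
        if odd:
            hits.append(("invisible-char", " ".join(sorted(set(odd)))))
        if hits and REQUIRE_CALL.search(line):
            hits.append(("hidden-require", "require() on a line with hidden text"))
        findings.extend((lineno, rule, detail) for rule, detail in hits)
    return findings


# Constructed sample: the comment line from the post, a padded call with a
# placeholder module id, and a string containing a zero-width space.
SAMPLE = (
    "--[[ Last synced 6/28/2020 03:43 ]]" + " " * 300 + "require(0)\n"
    "local Players = game:GetService(\"Players\")\n"
    "local name = \"admin\u200b\"\n"
)

if __name__ == "__main__":
    for finding in scan_source(SAMPLE):
        print(finding)
```

Run it on source pasted into a plain-text file, since the thread reports that the hidden text only shows up outside the Studio script editor.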

A similar thing has been done with this model (credit script) and basically same whole thing, different modules hiding it all, hidden text, massive lag at start of server (because of God knows how many returns) and this model is basically the copy of a trusted one and probably botted.

That’s freaky on how something like that has that many sales and still has a malicious method of loading unreviewed/unwanted code.

But I’m not surprised on how slow Roblox even takes to respond. I’ve reported numerous models that are obviously a backdoor hidden in obfuscated code to only still see them up months later. Even giving Roblox an easy way to see who all made the exploit irl with some of the exploits with the ‘creators usernames and friends’ in the script. They’re still free to play on Roblox.

All 6 of the models on the top row of the free models page are models with malicious code. They were created a few days ago and have been botted to 5 million sales. The require() calls within the scripts are invisible in the Roblox script editor. They are only visible after pasting into a text editor. See the images:

The malicious code seems also to come from plugins as well as free models.

10 Likes

That’s exactly what I found and that’s why I made this thread so that Roblox finds this and makes changes to the script editor so people can see the hidden text.

1 Like

Roblox has been very poor lately on the multiple site report item complaints that I’ve sent about quite a few malicious modules.

I’m not sure if they’re really not focusing on it or if they dissolved their code reviewal team either.

There are still backdoors and backdoor creators with their models and accounts still existing over two months after I reported them, and they have actually been active since September of 2019. That’s already half a year since this model has been up and Roblox still won’t terminate the creators or delete the model.

Hello!
I am a developer of GameGuard Antivirus, and with this information, it can detect these type of…“hidden” threats now. You can try it out by downloading the plugin, inserting that yucky script, and running a scan.
Thank you for this information, it made my plugin way better! :man_shrugging:

4 Likes

Please don’t mark an issue as solved as Roblox staff may not look at a ‘solved’ issue.

This issue is still not yet solved and it’s an issue that can be used maliciously to hide code visually in the Studio script editor.

1 Like

I tried posting this in studio bugs but a post approval person told me someone already reported it privately.

What did he use to decode the hidden backdoor?

The backdoor is only hidden inside the script editor of studio. Any other editor including notepad will unhide the backdoor.

1 Like

Thanks, I was testing this out and it’s surprisingly easy for a person that has no experience with scripting to do this, weird :confused: