Backdoor hidden inside text unreadable by the ROBLOX editor

Does using the Find / Replace tool “reveal” the backdoor require or atleast signify that there’s an “invisible” require in there?

Nope. Nothing, I even searched through all the scripts in game and nothing showed up.

Interesting. I can’t tell whether it’s some unicode magic that causes the script editor to fail (which is a possibility considering the text of the backdoor shows character spam of a certain unicode character) or externally edited rbxm’s that have then been imported into studio.

A similar thing has been done with this model (credit script) and basically same whole thing, different modules hiding it all, hidden text, massive lag at start of server (because of God knows how many returns) and this model is basically the copy of a trusted one and probably botted.

That’s freaky on how something like that has that many sales and still has a malicious method of loading unreviewed/unwanted code.

But I’m not surprised on how slow Roblox even takes to respond. I’ve reported numerous models that are obviously a backdoor hidden in obfuscated code to only still see them up months later. Even giving Roblox an easy way to see who all made the exploit irl with some of the exploits with the ‘creators usernames and friends’ in the script. They’re still free to play on Roblox.

All 6 of the models on the top row of the free models page are models with malicious code. They were created a few days ago and have been botted to 5 million sales. The require() calls within the scripts are invisible in the roblox script editor. They are only visible after pasting into a text editor. See the images:

image839×303 84.3 KB

image856×157 2.32 KB

image1085×483 7.31 KB

The malicious code seems also to come from plugins as well as free models.

That’s exactly what I found and that’s why I made this thread so that Roblox finds this and makes changes to the script editor so people can see the hidden text.

Roblox has been very poor lately on the multiple site report item complains that I’ve sent to quite a bit of malicious modules.

I’m not sure if they’re really not focusing on it or if they dissolved their code reviewal team either.

There are still yet backdoors and backdoor creators with their models and account still existing for over two months since I’ve reported it, but actually been active since September of 2019. That’s already half a year since this model been up and Roblox still won’t terminate the creators or delete the model.

Hello!
I am a developer of GameGuard Antivirus, and with this information, it can detect these type of…“hidden” threats now. You can try it out by downloading the plugin, inserting that yucky script, and running a scan.
Thank you for this information, it made my plugin way better!

Please don’t mark an issue as solved as Roblox staff may not look at a ‘solved’ issue.

This issue is still not yet solved and it’s a issue that can be used maliciously to hide code visually in studio script editor.

I tried posting this in studio bugs but a post approval person told me someone already reported it privately.

what did he use to decode the hidden backdoor?

The backdoor is only hidden inside the script editor of studio. Any other editor including notepad will unhide the backdoor.

thanks i was testing this out and its surprisingly easy for a person that has no experience with scripting to do this weird

Question.
How can you read Un-readable text?
Like shown in this image:

image1920×400 23.1 KB

Just copy what you think is suspicious and then paste in notepad and it will show.

How did you even removed it out of your Scripts?

Remove what’s supposed to be a comment

Apparently they have used OBJ formatter bytes to make the text not appear

bro there is no other way i can contact u. Please give my tools back. I lost my invisible cape and other stuff.