Backdooring Explained (Chapter 2)

Chapter 2, Backdooring Explained.

Hello there! Thanks for the overwhelming support on Chapter 1 of Backdooring Explained. I could not thank you enough for the support, and to help many developers overcome the trouble that is free models! To give thanks, I am continuing on with the old thread, this time focusing on the scripting part behind the free models within this trickery!

View Chapter 1 of Backdooring Explained here, which talks about the community/market of it all.

With that out of the way, let’s begin!

To start off, let’s discuss how Virus models work!

Virus Models

Virus models, some of which include Jumpscares, Game Destruction, are models which work simply.

Fire spread models are the most common of virus models, at least, back then of course.

The script starts off by defining a function, which will be called later on in the script. The function will look for a Fire instance with FindFirstChild(), defined by a variable. If the variable is nil, the function clones that Fire instance to every part in workspace multiple times. If the variable is not nil, the fire’s size and heat will increase by a large number. Not math.huge though. The function will then close. The script then connects the function on Touched, which basically spreads the script a LOT of times.

While that was very much common back then, not as common as some of the virus models we see now. Let’s move on!

PurchasePrompt Infection

A not so commonly used technique, this type of infection forces all users in game to purchase a specific model on the Library (assuming a virus model of course).

The virus works by using the MarketplaceService. Back then, this was quite common. That was, before Roblox introduced the new AllowThirdPartyPurchasePrompts setting.

It would force a purchase prompt to every user in game using PromptPurchase. Back then, this would also load Third Party Purchases. However, with the restriction setting enabled at all times, this stops that from happening. Only with the setting turned on, will it allow purchasing 3rd Party Items.

Plugin Viruses

Due to the nature of plugins having an extremely high level of security, they can be abused easily. Let’s talk about the most common plugin virus.

The spread virus is among the most common. Plugins have the ability to access a property called Source. This is a property with the Script instance which is NOT ReadOnly, and high permissions such as the Command bar can modify this. Why does this matter? Plugins that are malicious can modify a script once you touch it using the Selected property on an Instance! This means that plugins can insert their backdoor into your script once you touch it!

This common backdoor is known as RoSync. RoSync will trick the user into thinking that their scripts are synced and secured with Studio. However, that is not the case. It is a common backdoor with a certain malicious plugin developer.

Model Viruses

Model Viruses are models that load malicious scripts into your game via a Module. How does this work? Let me explain. Be prepared for a whole lesson.

Model Viruses are able to insert or load malicious scripts via Luau’s require(). require() is able to load scripts on the library via rbxassetid. require() is the main gateway to backdoors. Once the module is loaded, the script will instantly scan for many things. Simple backdoors will check if a player is whitelisted via IsInGroup() or GetRoleInGroup() which if that returns positive, the module will then copy a GUI to the users PlayerGui. Basic backdoors will usually contain 3 key parts of the GUI such as:

• An executor
• A script hub, for loading popular scripts
• An animation or opening sequence with TweenService.

The executor is able to run scripts on the server using 3 things. Firstly, the executor needs a Loadstring module, as loadstring() cannot be enabled via a script. Nextly, the executor needs a remote, for firing the loadstring to load scripts. Finally, the executor needs a server script, for defining what the remote does on ServerInvoke, which connects loadstring() from the module.

As soon as that is done, an Execute TextButton will be shown on the UI, which on pressing the button will connect a function and load all the text shown in a TextBox on the GUI. Since most scripts that people load with serversides (eg. Star Glitcher) are only compatible with the R6 rig, there is a button shown on the GUI which will load an R6 Conversion module onto the LocalPlayer. Also, there is a respawn button on the GUI which calls Humanoid:LoadCharacter(). Onto the script hub area.

The script hub is a section of the serverside which is able to load common scripts via require(). Examples of popular scripts are:

• Star Glitcher, or Nebula Glitcher.
• Dex Explorer 2.0 or Dex Explorer 1.0
• Other script hubs including Kasper’s Hub or Project Reptile 3.0.
• HD Admin Owner, Kohls Admin Owner, or Adonis Admin Owner scripts.
• Admin scripts, which include Infinite Yield, Quantom Admin.
• Grab Knife 3.0 or 4.0 (Grab Knife 4.0 has inappropriate scripts)
• F3X Building Tools or BTools.

These are just some examples, as there are THOUSANDS of more scripts to worry about. All of these are loaded with a similar method just like the Executor.

The only current way to detect executors are via their name in the PlayerGui. Some of these names include:

• “vermdoe”, the GUI name of popular serverside named “Verm Doe”.
• “DAONE”, the GUI name of the popular serverside named “Dynasty SS”
• “Sinner+”, the GUI name of the popular serverside named “Sinner+”

These are just some of them, and there are way more! Always be suspicious!

How to protect against serversides

The best way to protect against serversides is to always delete suspicious scripts from models so that you ensure security over your game.

Has one of your own developers inserted a backdoor on purpose? Take action on them immediately!

Installed a malicious plugin and backdoors are in every one of your scripts? Well it’s about time to dust off those modules of yours and become the maid! Start cleaning up your scripts! Also, remove the plugin or disable it ASAP, to prevent more damage.

Lesson of the Story

Think of a model as getting background information on someone! Before you hire them, you need to look at their past information before hiring them! Before you allow the model into your place, check the model for anything suspicious such as lots of sales but very few likes and a lot of dislikes, suspicious groups, etc. Then you can add it/allow it into your game!

This is great for beginners! I will definitely have my teams now and future look at this. I am working on a fake server side that uses AI to make it untraceable for educational purposes and to help people make better anti virus plugins.

Thank you for explaining better!

How would this work? I’m curious now

Most server sides are either dead and/or heavily skidded from one another, only like one out of a thousand are actually originally designed and/or scripted, hell, the community didn’t even come with webhook protection until like June of 2020, so it was fun to spam their logs for a bit. I’ve been in their community a few years (due to me getting invited by some friends), it’s just a toxic mess now

Besides, Roblox can just make an ‘AllowedModules’ category in the Security tab of game settings, and boom, most, if not all, serversides go bye bye

So basically the serverside will initially infect itself in a hidden service through a plugin. Next, it will make copies of itself into server script service and server storage. If either the plugin or the hidden copy detect the version of server script service or server storage has been destroyed, it will assume either a person or a anti-virus has removed it. To get by this is will copy itself into scripts but on runtime after a short wait so that auto virus scanners can’t detect the require() to another source. During runtime and plugin use, the plugin will auto change the names of the scripts and cache them for later use.

Oh, cool. I am honestly surprised why plugins dump their source scripts in visible services as I think you can make the parent of something to AdService, or some other service

Well, if I delete the script it just recreates itself in a random place in the explorer, so how will I ever fix this?

Normally this would be impossible via a model, only a plugin.

If you have any plugins that look suspicious, uninstall them immediately to prevent further damage.

So the game has a permanent backdoor? I can just transfer all of the assets, but I just need this knowledge.

No backdoor can be truly permanent once the source of the backdoor is removed at full. As soon as you remove the plugin, remove the backdoor script. If it keeps appearing, then you’ve installed more than 1 backdoor plugin.

But it was from a model, I disabled all plugins…

You’ve deleted the model, and you’re 100% sure you’ve checked every single service in game?

I already ran the game, so doesn’t that mean that the backdoor has taken affect?

wait do I disable the plugins or do I delete them?