Backdooring Explained [MEGATHREAD]

Backdoors Explained

This thread is a megathread which explains backdooring, the history behind it, and why it is so common now.

Chapter 2 has been released here, which explains more of the scripting side of it!

If you aren’t already aware, backdooring has become significantly more popular in the community of exploiters. It is on the rise like a brand new trend, and most developers are aware of it and taking action against it. But what is backdooring in terms of ROBLOX?

Here are the full details:

History of Backdooring On ROBLOX

The word backdoor means to gain access to something via another way around. This term also means the same for ROBLOX.

Backdooring on ROBLOX has existed way before now, in the form of “virus” models.

Virus Models

Virus models are models on the ROBLOX Library which contain things designed to destroy your game and make it as unplayable as possible. Unlike the backdoors we see today, these were much less advanced than the content we see today. It was as easy as adding a script which spread fire via a script inside of the model you inserted. These were not as common, but if you found one and happened to run it, then your game would be utterly destroyed, if you weren’t testing in studio that is…

Virus models are nowhere near as common as they are today, and the old fire spreading scripts are now a relic of the past, as the community has gotten aware of new methods of wreaking havoc on a player’s game.

Purchase Prompt Models

Purchase Prompt Models are models that are found on the ROBLOX Library, and contain scripts that will spam a prompt to purchase a model using the MarketplaceService. These are generally found on the front of the models page, and they are not as easy to get rid of.

They will usually spam virus models so that the players that purchase the models will boost the virus models to the top of the models page. This is one of the tactics used to boost models up.

Serversided Models

Serversided models are models that will require a module via asset ID. In today’s age, this is the most common of backdooring, and in return will produce more devilish results than viruses. By requiring a module, tons of stuff goes on behind the scenes such as whitelisting, game logging, etc. Now let’s get into why people backdoor with serversides.

Why serversides exist:

Serversides are tools that can gain powers that would otherwise be impossible via an exploit, known as full replication. With a serverside, players are able to execute replicated code to the server and have it shown to all clients. With this method, they are basically able to control a game with ease and do nefarious things like morph players, give players inappropriate parts, automatically rank up on certain admin modules, and more. With the server, almost anything is possible.

How serversides got popular:

Ever since FilteringEnabled was forced onto all games and toggling FE is now deprecated, players have been trying to find new ways to get the power of the server. Experimenting with countless methods, until one day, they found the method.

The peak of serversides

Serversides have recently peaked in 2020, but have been around since 2019/2018. Serversides such as John Doe SS have been around since 2019 or later, but have only just begun being popular. Since the novel coronavirus has peaked in early 2020, nobody had much to do. That’s when people found out about serversides and how they could basically act as an FE Bypass, which had been used for bait many times. But this time, they weren’t even lying about it.

How serversides resurrected exploiting, sorta…

After more people got notified about serversides, the exploiting community blew up. More people got interested in serversides, and the main competitor was John Doe SS. It couldn’t be rivaled. That is until February, when a new serverside got noticed.

The competition in the serverside market

February, the oldest video I could find. That video told the community about a free serverside, a serverside that didn’t even need payment. That serverside was called Sinner. A free serverside with a ton of good games. No need to pay for a serverside like people paid for John Doe. The serverside market was now bigger than it was before, with John Doe and Sinner now taking the competition for good serversides.
It was getting a bit more heated, when suddenly…

The fall of John Doe SS

John Doe was discontinued after a while, and now merged with a popular serverside known as Doggo Admin. Most people who owned John Doe were given a free copy of Doggo if they had owned John Doe SS. The competition still remained.

A new competitor in the game

Most people remember the infamous script called T0PK3K, popular in the non FE days, created by ROBLOX user nosyliam. Well, after 2 years of T0PK3K being dead, it finally came back, in the form of T0PK3K 5.0, a brand new powerful serverside that was capable of ruling over the community as the most powerful backdoor to exist. I have actually been whitelisted for T0PK3K 5.0 once before. T0PK3K 5.0 was the lead hit, after a ROBLOX youtuber known as Scrimzox made a video on T0PK3K, which in return gained the serverside a LOT of traction. Liam has made a lot of money from T0PK3K, since there is a mass amount of buyers.

Other competitors in the market

Since the whole serverside trend blew up, other people were trying to get into the market and get a ton of cash from selling their own serverside. And it worked, sorta…

The massive serverside cracking

A user named IamMew24 saw a lot of people trying to sell their terrible rendition of a serverside, and decided to leak the source code for these serversides. In return from these source code leaks, many good and profitable serversides lost all revenue, since they can’t make money off of a leaked product. Resulting in discontinuation of many serversides.

Methods of backdooring

Spaced Script Method

The simplest method of hiding your backdoor is called the spaced script method. By adding multiple spaces in your script, it makes the script laggier to search through which in return will make your script harder to crack. Inside one of these spaced scripts is the module itself.

Obfuscation

Obfuscation is another method of hiding backdoors that can make it hard for other people to crack your serversides. While you could just dump the script for constants, there are also obfuscators that can’t be constant dumped as easily or are almost impossible to crack. This method is used in many serversides, but if you have a constant dumper such as a VS Code extension, finding the backdoor is a bit easy.

Chained requires

Serversides like T0PK3K use chained requires by returning an ID being required. This makes it very much harder to crack and would take you a bit longer to do, as you’d need to find the original model. Another method that can’t be cracked easily.

Bytecode and getfenv

One of the lesser known methods, this method at the time of notice was very hard to crack, and seemed impossible. However, by doing require = print and then having the extra code below, you could print out the ID in console easily. A hard method, but easy to crack.

Using math to sum up require IDs

A more interesting method is using multiplication to add up to the actual require id. An example of this would be require(4745748423x3).load. Some serversides like Sirhurt Serverside use math.sqrt to hide their require module, but can easily be cracked by doing print(math.sqrt()

How serversides work

Loading the module

It takes a script of some sort in the model to even load the serverside. Usually done by requiring a public module, since private modules cannot be loaded anymore. Once this is done, the next step comes into play.

Handling the whitelist

Most whitelists are handled via groups or friends, mostly by connecting a function if a player is added. This is relatively simple for a whitelist, but it works for a whitelist. Multiple serversides use this.

Contents of the GUI

GUIs for serversides will more than likely include a script executor, which runs on a loadstring module and a remote to fire. As well as that, it may also contain a “script hub” which contains various popular scripts such as Star Glitcher, Grab Knife, etc. These are just to name a few. Serversides like T0PK3K have a fully animated intro, and a full list of tools to use.

How serversides get their games

Serversides will usually obtain their games via HTTP logging with a discord webhook, or serversides such as the one I found use roHook for easy and clean logging. If HTTP is not present, the backdoor will usually get people to turn on HTTP Requests if they don’t have it on already. If they can’t do that, they will resort to using game teleporting for logging, which will teleport a player to a game, log some game data there, and teleport them back.

How it all works at once.

Once this happens, and a player joins the game, the game will get logged once and the webhook will be sent to a buyers chat, which they can then join the game. Once they joined, the whitelist checks if the player is in a group or is whitelisted for the gui, then proceeds to copy it to the PlayerGui. Now the player is able to do whatever they want via the power of the serverside.

How you can protect your game.

Check your models before using them.

Check to see if the model has dislikes or likes, if it has most dislikes, then it’s probably an untrusted model, and you probably shouldn’t use it. Consider searching for other models related to that which won’t have a virus.

Search for unwanted or suspicious scripts.

Scripts may have unwanted or harmful content in them. If you spot the harmful content, be sure to delete the content that is harmful, or do the above.

Report the model to ROBLOX.

You don’t want your game being harmed, and neither do the other 1 billion people on this site. Be sure to report these harmful models to ROBLOX so that they can take action on the model by deleting it.

Ask for some help on the model.

Backdoors can be a bit complicated and too advanced for you. If so, you should contact a ROBLOX scripter that you know of, perhaps they can help you on that.

Moral of the Story: Free models aren’t what you think.

I hope this thread helped you on the education of backdoors. This thread will also be updated if needed.

44 Likes
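
Added example (not part of the original post, and not Roblox's or any serverside author's code): a Python scanner that applies the post's "Search for unwanted or suspicious scripts" advice to script source exported as text, flagging the hiding methods and behaviours the post lists (whitespace padding, require by numeric or computed ID, a module that returns a bare ID, getfenv, loadstring, HTTP logging, purchase prompts, teleporting). The rule names, the 100-character padding threshold and the sample script are assumptions made for illustration.

```python
import re

# Added example: heuristics for the hiding methods listed in the thread.
# Rule names and the 100-character threshold are assumptions for illustration.
REQUIRE = re.compile(r"\brequire\s*\(((?:[^()]|\([^()]*\))*)\)")
TOKEN_RULES = [
    ("getfenv", re.compile(r"\bgetfenv\b")),
    ("loadstring", re.compile(r"\bloadstring\b")),
    ("http-logging", re.compile(r"HttpService|webhook", re.I)),
    ("purchase-prompt", re.compile(r"\bPromptPurchase\b")),
    ("teleport", re.compile(r"\bTeleportService\b")),
]
PADDING = re.compile(r"[ \t]{100,}\S")          # code pushed off-screen
RETURNS_ID = re.compile(r"^return\s+\d{6,}$")   # module handing back an ID

def classify_require(arg):
    """Name the rule a require() argument trips, or None if it looks local."""
    arg = arg.strip()
    if re.fullmatch(r"\d+", arg):
        return "require-by-asset-id"
    if re.search(r"\d", arg) and re.search(r"[-+*/^%]|math\.", arg):
        return "computed-require-id"
    return None

def scan_source(source):
    """Return sorted (line_number, rule) findings for one script's source."""
    findings = set()
    for no, line in enumerate(source.splitlines(), start=1):
        if PADDING.search(line):
            findings.add((no, "whitespace-padding"))
        code = line.strip()
        if RETURNS_ID.match(code):
            findings.add((no, "returns-bare-id"))
        for m in REQUIRE.finditer(code):
            rule = classify_require(m.group(1))
            if rule:
                findings.add((no, rule))
        for rule, pattern in TOKEN_RULES:
            if pattern.search(code):
                findings.add((no, rule))
    return sorted(findings)

# Constructed sample: a model script hiding a computed require behind padding.
SAMPLE = "\n".join([
    'print("Thanks for using my model!")',
    "local helper = require(script.Parent.Helper)",
    "local x = 1" + " " * 200 + "require(1000000 * 3 + 7).load()",
    "local env = getfenv()",
])
print(scan_source(SAMPLE))
```

The scanner does not strip comments or deobfuscate anything, so a hit is a reason to open the script and read it, not proof of a backdoor, and heavily obfuscated source can still slip past these rules.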

Ooo Thank You! Very interesting, Never knew about most of this stuff.

3 Likes

This is good for new developers, I have tried to report backdoor models but most of the time nothing happens.

2 Likes

ROBLOX is a big environment, and because of that, not all moderators are able to handle these reports. There was a megathread for backdoor plugins and most if not all of them got deleted.

2 Likes

This seems more of an advertisement to TopKek than information about backdoors.

6 Likes

I am in no way trying to advertise a backdoor, rather I’m discussing what I actually know about backdoors. I do not condone using backdoors at all. I’m providing samples of history on the major points of backdoors.

You did contain words such as powerful serverside and most powerful backdoor to exist. This might make someone have an urge to try out TopKek.

3 Likes

By using the terms such as powerful serverside, I meant it in a way that made it stand out from the other serversides mentioned in this thread. Not intended to advertise, but rather to explain such as why this serverside stood out from the rest in the serverside market.

Once again, I definitely do not condone buying a serverside at all. There is a chance that a serverside will discontinue after a while, and what is commonly known as an exit scam will happen.

I’m neutral in these communities, I see serverside exploits as a way to teach new devs to not skid off modules, yes, don’t be surprised that I’m in these communities, though some of these serversides attack condos and scam games, which is fun to mess with the players.

Then you might as well change some of the wording in your post mate, does seem like much more of an advertisement for TOPK3K 5.0 than explaining what server-sides are. You shouldn’t really even need to name any at all?

This is a developer forum, not an exploiting one. While it’s good that you’re informing others and sharing your knowledge, naming these products and promoting the skids that make these (as 99% of them are copies of each other) you’re only helping them out.

1 Like