Detecting for stuff such as number * 1, number + 0 in patterns

Repost since the other one didn't get any replies.

So I’m making an antivirus plugin, and I want it to not search for when the code is requiring a modulescript. It’s working all fine, also the way I’m doing this is string.match and patterns.

But the only issue is that people can do id+0 , id-0 , id*1 , id+1-1 and more.
How would I fix this?

(sorry for not too much detail)

Can anybody help me with this?

Hi there! To be honest, I don’t understand the problem at all without details.

1 Like

Try this

local nums = "1+2/45+2"

if nums:match("[%d*/+-]+") then
    print('matched')
end

1 Like

They never said they were looking for viruses …?

Ah, sorry, I was just assuming that they were. Anyway, my solution would still work; you just need to remove the require part.

To be honest I don’t understand the problem at all, so you may be right! :grinning_face_with_smiling_eyes:

Bothering with this is useless. You could just do something like:
local x = numbers
require(x)

local byte = string.byte(number)
require(string.char(byte))

local print = require
print(numbers)

Or even yet, use getfenv or the like to make it even more dynamic and unpredictable.

3 Likes

Good point. But like said above, not sure that that’s what he’s even trying to do.

Let me try to explain it more clearly:

I’m creating an antivirus plugin. And I only want it to search for viruses that are passing a number with require, so far it’s working completely fine.

The only issue is that it can easily be bypassed by using this:

id-0,
id*1,
id-0+0,
id/1
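
An added example, not code from any poster in this thread: instead of pattern-matching each arithmetic disguise, it evaluates the argument of every `require(...)` as constant arithmetic, compares the resulting id with an allowlist, and reports anything it cannot resolve (a variable, a call) as dynamic. The names `ALLOWED`, `evalConstant` and `scanRequires` and the ids in the sample are assumptions made for illustration.

```lua
-- Added example, not code from the thread. Plain Lua 5.1 / Luau, no Roblox APIs.
local ALLOWED = { [123] = true } -- hypothetical allowlist of trusted module ids

-- Evaluates constant arithmetic: + - * / and parentheses over number literals.
-- Returns nil when the text holds anything else, such as a variable or a call.
local function evalConstant(expr)
  local pos = 1
  local function skip() pos = expr:find("%S", pos) or #expr + 1 end
  local function atom()
    skip()
    local group = expr:match("^%b()", pos) -- balanced parenthesised sub-expression
    if group then pos = pos + #group; return evalConstant(group:sub(2, -2)) end
    local lit = expr:match("^0[xX]%x+", pos) or expr:match("^%d+%.?%d*", pos)
    if lit then pos = pos + #lit end
    return lit and tonumber(lit)
  end
  local function level(operand, ops) -- left-associative chain at one precedence
    local v = operand()
    while v do
      skip()
      local f = ops[expr:sub(pos, pos)]
      if not f then break end
      pos = pos + 1
      local r = operand()
      v = r and f(v, r)
    end
    return v
  end
  local MUL = { ["*"] = function(a, b) return a * b end, ["/"] = function(a, b) return a / b end }
  local ADD = { ["+"] = function(a, b) return a + b end, ["-"] = function(a, b) return a - b end }
  local v = level(function() return level(atom, MUL) end, ADD)
  skip()
  return pos > #expr and v or nil -- trailing text means not a pure constant
end

-- Classifies each require(...) call. Aliased or paren-less requires are not seen.
local function scanRequires(source)
  local findings = {}
  for call in source:gmatch("require%s*(%b())") do
    local id = evalConstant(call:sub(2, -2))
    local verdict = id == nil and "dynamic" or (ALLOWED[id] and "allowed" or "blocked")
    findings[#findings + 1] = { arg = call, id = id, verdict = verdict }
  end
  return findings
end

-- Constructed sample using the bypass forms listed in the thread.
local sample = "require(4567+0) require((123*1)-0+0) require(0x7B/1) require(x)"
for _, f in ipairs(scanRequires(sample)) do print(f.verdict, f.id, f.arg) end
```

As other replies in the thread point out, an aliased or obfuscated require never appears as `require(...)` in the source, so an empty result or a `dynamic` verdict still calls for manual review.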

Oh, I get it now! My bad. :sweat_smile:

I’ve already listed getfenv, but thanks for the suggestions.

Also, a lot of virus scripts are obfuscated. So unless you constant dump them, doing any string matching would be useless.

Edit: Well, I guess you could just check if the script is obfuscated and if so, just delete it.

On the toolbox there are some models that have pretty simple code like:
*insert random spaces here * pcall(function() require(id) end)


Well most of them are like that for some reason.

In that case, my reply with code above should work.

It’d probably be best to create a sandboxed environment with a custom require function.
If you want to be lazy, you could just add something like this to the top of the code:

require = function() end

or like

allowedRequires = {
  [123] = true,
  [0xc0ff3bad] = true,
  [789] = true
}

realRequire = require

require = function(id)
  if allowedRequires[id] then
    return realRequire(id)
  end
end

-- code continues...

There might be ways around this though, so running your code in a properly sandboxed environment would probably be best.

Might try that out later.

Pretty off topic question, but what is that?

Glad you asked.
It’s my easy-to-load, simple, and non-malicious admin system.