I’ve had reports of malicious copies of my application popping up. It’s believed the culprit is the following obfuscated script:
https://pastebin.com/raw/r7TfcuEm
How can you go about unobfuscating this to find the creator?
You would need to figure out how the obfuscation works (which shouldn’t be too hard seeing as anyone can use it) and use that information to write code to reverse engineer it.
That’s the only way you can do it, and it may take a long time. Unfortunately, there is no easy way to avoid this.
I ran the code, and it doesn’t work; it errors with “module can’t be found” and does nothing; there isn’t anything to worry about anymore.
Hey, would it matter if the original model were a thing? The script was in a model, and I DMed Forever to see the problem. It’s a waterslide which I believe had been inserting a modified version of one of his products. (I do not have the original model, I’ve deleted it immediately.)
I’m more interested in the process of unobfuscating so I can apply this for similar scripts in the future.
Often these obfuscation engines use the same variable name for the same thing. They are not as random as you think.
The first task is to just format the code correctly so you can read it. Next you would want to go through and replace the variables that are used to hide Lua function calls, i.e. local Protected_IIllllllI=coroutine
then you just really go from there reading the code and learning how it works.
Other things that might help are to remove things like #{1423,4363,12314}
(obfuscation like this is pointless but people seem to want to use it. It is also very slow).
There is no real method for this. It is just about spending time to learn what the code does and simplify it along the way. Some may even use Lua byte code " ←LuaQ" (Lua byte code is not my area).
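The cleanup steps described in the post above (reformat, resolve the alias locals that hide library references, fold junk expressions like #{1423,4363,12314}, then read what is left) can be automated for the simple, source-level obfuscators. The following is an added example written for this thread, not code from the original posters or from any obfuscator; the obfuscated Lua sample inside it is constructed to mimic the style quoted above, the Protected_… names are made up, and the asset ID 1234567 in the sample require() is a placeholder, not a real asset.

```python
import re

# Constructed sample in the style discussed in the thread: alias locals that
# hide library references, a junk length check, and a require() of an asset ID.
# The asset ID 1234567 is a placeholder, not a real asset.
SAMPLE = r'''
local Protected_IIllllllI=coroutine
local Protected_lIlIllllI=string
local Protected_IlIlIlIIl=require
local Protected_IIIIlllIl=Protected_lIlIllllI.char
if #{1423,4363,12314}==3 then
    Protected_IIllllllI.wrap(function()
        Protected_IlIlIlIIl(1234567)
    end)()
end
local Protected_IlllIIIll=Protected_IIIIlllIl(72,105)
print(Protected_IlllIIIll)
'''

# `local NAME = ident(.ident)*` with nothing else on the line. Assignments whose
# right-hand side contains a call are deliberately NOT matched: they may have
# side effects, so they are left for the human reader.
ALIAS_RE = re.compile(
    r'^[ \t]*local[ \t]+([A-Za-z_]\w*)[ \t]*=[ \t]*'
    r'([A-Za-z_]\w*(?:\.[A-Za-z_]\w*)*)[ \t]*$',
    re.MULTILINE,
)
LEN_RE = re.compile(r'#\{([^{}]*)\}')                 # #{...} length expressions
NUM_EQ_RE = re.compile(r'\b(\d+)\s*==\s*(\d+)\b')     # 3==3 style comparisons
LITERAL_RE = re.compile(r'^(?:-?\d+(?:\.\d+)?|"[^"]*"|\'[^\']*\')$')

# APIs worth flagging in a script that came from an unknown model (assumed list).
SUSPICIOUS = ('require', 'loadstring', 'getfenv', 'setfenv', 'HttpService')


def collect_aliases(src):
    """Map each alias local to its fully resolved target, e.g. 'string.char'."""
    aliases = dict(ALIAS_RE.findall(src))
    # Aliases can point at other aliases; resolve to a fixed point. The bounded
    # loop also stops a cyclic pair (a=b; b=a) from spinning forever.
    for _ in range(len(aliases) + 1):
        changed = False
        for name, target in aliases.items():
            head, dot, rest = target.partition('.')
            if head in aliases and head != name:
                aliases[name] = aliases[head] + dot + rest
                changed = True
        if not changed:
            break
    return aliases


def substitute(src, aliases):
    """Replace alias names with their targets; skip table fields of the same name."""
    for name, target in sorted(aliases.items(), key=lambda kv: -len(kv[0])):
        src = re.sub(r'(?<![\w.])' + re.escape(name) + r'(?!\w)', target, src)
    return src


def fold_lengths(src):
    """Turn #{lit, lit, lit} into its constant length when every item is a literal."""
    def repl(m):
        items = [i.strip() for i in m.group(1).split(',') if i.strip()]
        # A string literal containing a comma fails LITERAL_RE and is left alone.
        if items and all(LITERAL_RE.match(i) for i in items):
            return str(len(items))
        return m.group(0)
    return LEN_RE.sub(repl, src)


def fold_numeric_compare(src):
    """Evaluate N==M between integer literals to true/false."""
    return NUM_EQ_RE.sub(
        lambda m: 'true' if int(m.group(1)) == int(m.group(2)) else 'false', src)


def deobfuscate(src):
    aliases = collect_aliases(src)
    out = ALIAS_RE.sub('', src)          # drop the alias lines themselves
    out = substitute(out, aliases)
    out = fold_numeric_compare(fold_lengths(out))
    out = re.sub(r'\n\s*\n+', '\n', out)  # collapse the blank lines left behind
    return out.strip() + '\n'


def find_suspicious(cleaned):
    """List (api, argument) pairs for flagged APIs; argument is '' if not a call."""
    hits = []
    for name in SUSPICIOUS:
        pat = r'(?<![\w.])' + name + r'(?!\w)\s*(?:\(([^()]*)\))?'
        for m in re.finditer(pat, cleaned):
            hits.append((name, (m.group(1) or '').strip()))
    return hits


if __name__ == '__main__':
    cleaned = deobfuscate(SAMPLE)
    print(cleaned)
    for api, arg in find_suspicious(cleaned):
        print('flagged:', api, arg)
```

On the constructed sample this leaves a readable `coroutine.wrap(function() require(1234567) end)()` and flags the require with its argument, which is the part you would then look up (and, as suggested later in the thread, report). It only helps against obfuscators that rewrite source; a VM-based one hands you an interpreter plus an opaque blob, and this pass would at most clean up the interpreter.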
This is an old thread that I did to show how obfuscation is not a solution to anything.
If it’s VM obfuscation (which this looks to be) you won’t get anywhere without some good knowledge of how Lua’s internals work. The best you can do without that is sandbox it and hope to see what API it’s calling.
Note that it is possible to get source code from VM obfuscation oftentimes, but it’s tedious.
Wanted to add, as it may help, that the obfuscated script is run individually with nothing else. IIRC VM requires a module.
(Well it doesn’t work due to private module removal so it’s possible, but…)
VM obfuscation doesn’t require anything outside of it just being able to run as a script.
I’m not going to give the details publicly of how I de-obfuscate these, because that would only give the exploiters clues on how to make it one step more difficult (it’s a cat and mouse game), but it’s trivial and I can tell you this one’s entry point module has already been neutralized by Roblox mods: https://www.roblox.com/library/2531777909/Content-Deleted along with what it required downstream, which is almost always a copy of LBI with remote events to execute arbitrary code from an exploiter GUI.
You should use the Report Item link to flag any models or plugins you find with code obfuscated like this. It’s uncommon for Roblox devs to use this type of obfuscator to simply protect their source; most of the time, it’s being used to hide a malicious require.
I just wanted to put this here, for anyone who saw this and was considering using the Aspect Script Obfuscator, that you certainly should not. It’s a pretty shady website and the terms of service are not encouraging, including terms such as:
This only works for obfuscators that do not alter the bytecode format.
Of course, aspectnetwork (the one that was used to obfuscate OP’s script) does not really do anything on the bytecode level. That’s why I linked that video.