Is this a virus?

100% the `string.reverse("\101\114\105\117\113\101\114")` means “require” (just do `print(string.reverse("\101\114\105\117\113\101\114"))`), and I decided to go through the process and it led me here: [ Content Deleted ] - Roblox. I am not going to deobfuscate that today since it will take possibly hours.

2 Likes

I don’t think this works anymore, what they do now is just use a ton of whitespace spam to hide it to the far right of the script.

2 Likes

Yeah I know that method, pretty common. But some viruses didn’t even have a horizontal scroll bar, and were able to hide their code in a comment and it actually executed. How did that even work lol.

It’s apparently a bug in the script editor where if you spam a specific ASCII character, it can hide text to the left of the script editor, making it unable to be seen. All you need to do to bypass this is to copy the script’s text and paste it in a different text editor. Thought it would’ve gotten fixed by now, though.

Edit: Seems like it also might fool the script editor into syntax highlighting it as a comment.

3 Likes

Rosync is a backdoor virus that comes from a plugin. If you are in team create with friends and when they make a script and Rosync appears, that means one of them has a fake plugin or a plugin that has a backdoor. If you want to get rid of it, all you have to do is tell your friends to send the link to each plugin they have and make sure it is the official owner and not made by a group. My friend is a scripter and that kept on appearing on every single one of his scripts and I got rid of it by making him get rid of plugins that were not made by the owner. I hope this helps :smiley:

5 Likes

Yes, it’s very difficult to delete since it’s injected into nearly ALL of the in-game scripts, and plus, it’s at the bottom of every one of them, so you can’t just press the delete all icon in the “Search in all scripts”; instead you need to delete every line with “RoSync” by hand. If anyone has any idea which plugin or asset caused this or how to stop this, please reply below, it would mean a lot!

2 Likes

There are a lot of plugins that cause it/have the same virus injector.

Please do some research on your plugins before getting them, as you may come across something of the sort.

I’ve had a similar problem before and I just ended up checking the plugins one by one by turning everything else off except for one plugin, then opened and edited a script and backed out. Test it a couple of times, then go through the rest of the plugins if it isn’t the one injecting the scripts.

Developers such as XAXA, Quenty, buildthomas, CloneTrooper1019, and more are all trustable developers for plugins so you wouldn’t have to look into those too much.

Specifically, the plugins found on dev forums are also mostly trustable. Those which are suspicious you should take a look at for your game’s safety.

1 Like

Commenting on this, I may know how they did it.

So, the comment starts with --[[ and then random text.
And as you know, to start a block comment you do the exact same, and you close it by using ]], that is how you can put malicious code after it.

ex. [image]
Of course, the require() would be more spaced out to the side so you could not see it.

Any plugin made by rxdesire I believe has a virus. I had an intro creator by rxdesire and I had this same virus. Delete any plugins by rxdesire.

It seems like any plugin by rxdesire or I believe the group Creator Studio (it appears as rxdesire tho in the plugins menu) has this RoSync virus. I have this virus too, and everyone who has it seems to have a plugin by rxdesire. I would steer clear of any plugins by rxdesire, Creator Studio, or anything like it.

1 Like

RoSync is a backdoor virus that comes from a plugin. Example: if you are in team create with friends and when they create a script and RoSync appears outta nowhere, that would mean that one of your devs has a fake/suspicious plugin or a plugin that has a backdoor. If you want to get rid of it, you would have to tell your friends to uninstall each plugin, and make sure it’s made by the original owner and not made by a new account/an alt.

You could either remove the virus or it’s hiding itself by deleting itself when RunService returns true from the function :IsStudio().

getfenv() returns a table of the functions and variables in the current environment. This can be used to easily attempt to hide a function.

In this case, it indexes `string.reverse("\101\114\105\117\113\101\114")`. If you look at what this ASCII code corresponds to, it is “eriuqer”, which when put through the reverse function gives you “require”.

When the script uses getfenv() and escapes ASCII code to hide the require index in the table that is returned, it calls the require function with the asset id. Upon further inspection this is a quote-unquote “require chain”, which basically hooks up module scripts in a chain to require each other in an attempt to hide the final script in the chain.

The script uses require to get a chain of module scripts, which will eventually lead to a server-sided backdoor.

1 Like
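The three hiding tricks described in the posts above (a `getfenv()` lookup keyed by a reversed, decimal-escaped string; code placed after the `]]` that closes a block comment; code pushed off-screen with whitespace) can be checked for in script text copied out of Studio. This Python scanner is an added example, not part of any post in the thread; the rule names, the 80-character padding threshold and the sample input are assumptions, and it only understands plain `--[[ ]]` comments, one per line.

```python
import re

DEC_ESCAPE = re.compile(r"\\(\d{1,3})")   # Lua decimal escape such as \101
REVERSED = re.compile(r"string\.reverse\s*\(\s*[\"'“]([^\"'”]*)[\"'”]\s*\)")
PADDED = re.compile(r"[ \t]{80,}\S")      # code pushed far to the right

def decode_lua_escapes(literal):
    """Replace each \\ddd escape with the character Lua would produce."""
    def repl(m):
        code = int(m.group(1))
        return chr(code) if code < 256 else m.group(0)
    return DEC_ESCAPE.sub(repl, literal)

def scan(source):
    """Return (line, rule, detail) tuples for the tricks described in the thread."""
    findings, in_comment = [], False
    for no, line in enumerate(source.splitlines(), 1):
        before, rest = "", line
        if not in_comment and "--[[" in line:
            before, rest = line.split("--[[", 1)
            in_comment = True
        live = line                        # part of the line that Lua executes
        if in_comment:
            if "]]" in rest:
                after, in_comment = rest.split("]]", 1)[1], False
                if after.strip() and not after.lstrip().startswith("--"):
                    findings.append((no, "code-after-block-comment", after.strip()[:60]))
                live = before + after
            else:
                live = before
        m = PADDED.search(line)
        if m:
            findings.append((no, "hidden-by-whitespace", f"column {m.end()}"))
        if "getfenv" in live:
            findings.append((no, "getfenv", ""))
        for m in REVERSED.finditer(live):
            findings.append((no, "reversed-literal", decode_lua_escapes(m.group(1))[::-1]))
    return findings

# Constructed sample: the asset id 0 is a placeholder, not a real asset.
SAMPLE = (
    'print("hello")\n'
    "--[[ getfenv is only mentioned here\n"
    "still inside the comment ]]\n"
    "--[[ RoSync ]]" + " " * 200
    + 'getfenv()[string.reverse("\\101\\114\\105\\117\\113\\101\\114")](0)\n'
)

if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")
```
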

I had the EXACT same problem a long time ago.

Solution

  • Remove ALL of your plugins and only install those which are from verified sources. (This was my fix)
  • I have also tried removing that from the scripts after removing all of the plugins.

After this, you should be good to go.