Random obfuscated code appearing in game. Keeps coming back!

Help and Feedback Scripting Support
#4

It’s a lot of plugins. I’m going to remove them soon though. I am starting to suspect Low Poly Terrain Maker (the icon with the green island…) as the developer doesn’t match the one I saw on the website, so it might be a malicious duplicate.

Later on when I have some time, I’m going to follow the tips in this tutorial: Clearing your game of malicious scripts, plugins, and backdoors

To try to locate and remove the issue.

Screenshots:
https://gyazo.com/2f652db9f6a065e2d93248d3ddfe861b
https://gyazo.com/3a725f99af2cb778e6731c193a0f8962
https://gyazo.com/4ff3d4a69a6fb474f982fccef0fccc44
https://gyazo.com/47e30934e4499dee9d8b26e1069232d2
https://gyazo.com/55652288491439a800d02341131eb98d

1 Like
#5

@Vatikya Thanks, I tried that. There’s nothing that’s using a module so I’m guessing it’s a plugin as one of the plugins looks fishy.

1 Like
#6

That is Luraph obfuscation. AKA, exploit. Disable every single one of your plugins. Restart Studio. Remove the script. Enable a plugin and reload the place with each plugin. Once that script appears again, blast the offending plugin into orbit and report it. Keep going until you’ve gone through all of your plugins, there may be more than one.

This is tedious but it’s the only way to be sure.

Additionally you should go to ServerScriptService and DISABLE loadstring, once all of your plugins have been confirmed to not contain the malicious code.

2 Likes
#7

Thank you so much. I’ll try this!

Edit: Did the exploit insert something into my game that keeps replicating the script?

I’m hoping that it didn’t lol

1 Like
#8

The reason you restart the place after every plugin uninstall is because plugins can install code in Studio that persists even after it’s uninstalled. But no, places on their own cannot run code in Edit mode, it has to be a plugin. And once you reload the place, no code persists from the old place.

1 Like
#9

Sorry, i’m posting so much questions,

Is there a way I can know if the plugin has put a hidden malicious script. I’ve heard of scripts not showing up but still being there. Would this tutorial be a good place to start if I notice weird things in my game? Clearing your game of malicious scripts, plugins, and backdoors

1 Like
#10

You know where the script is (ServerScriptService). Add plugins one by one so you know which one is inserting the script into ServerScriptService. Follow the instructions correctly and you will find the culprit.

That tutorial would be a good place to start if you still think your place is infected after removing the malicious plugin.

#11

Okay thank you, I will do this and report back.

1 Like
#12

Yeah I’d remove the one whose creator’s name is “RobloxTopPlugins”, looks like a script kiddie anyway: https://www.roblox.com/users/1444562826/profile

That type of username is common with exploiters who want to make their stuff appear “official”

1 Like
#13

Thanks, apparently it’s a copy of a low poly terrain generator made by a different user. I actually think that is the exploit, so I’ll try to see if it’s causing the script to re-appear

1 Like
#14

If the backdoor goes away, make sure to go into every place and remove it…

#15

I’m curious, what exactly does Luraph do? Just steal games or something else?

#16

Luraph is an injector. Like most injectors, it has its own obfuscation method. Like Synapse Xen.

You can spot it easily because the long obfuscated string starts with LPH|.

#17

I did this and found the issue was with the low poly terrain generator. I suspected it all along, but I never actually restarted studio.

Thanks @Blokav for suggesting for me to remove it first.

2 Likes
#18

Apparently there’s a deobfuscator on github, but I don’t know how to run it (i think i have to use repl.it)

If anyone’s curious: GitHub - xgladius/luraphStringDeobfusactor: Deobfuscates luraph strings [outdated]

If anyone’s willing to try to decode it go ahead, I’d love to see what the code actually does lol

#19

This is very annoying if it happens, a backdoor virus. i had to check every part in my game and find some scripts that were called Welding and debounce. After deleting those scripts i got rid of it. Ofc i uninstalled all plugins also.

#20

Is Luraph (The Discord Bot that obfuscates) an exploit? Should I not use it to “protect” my scripts from rebranders…?

#21

Not necessarily, but you could obfuscate your scripts to make it harder to understand what they’re doing since people will need to dump constants and all.

It only has a bad reputation here because people use obfuscation techniques to make malicious code harder to decipher.

#22

Ah, Thank you. Because in the fire alarm community, people spend months making things, and you just get those awful people who just edit the scripts and say they made it. Thanks :stuck_out_tongue:

#23

Oops. Looks like I got the wrong idea. I thought Luraph was an exploit like Synapse, sorry.