Removing Backdoors 101

My Method:

Press CTRL + SHIFT + F

The most common backdoors use require()

So search for “Require”

require

Browse for anything out of the ordinary for example a part with a script in it should raise red flags

BUT Not all require scripts are bad. Many good scripts use require() For example adonis admin.

So if you see something suspicious open the script by clicking on it. If you are unsure about if its a backdoor. You can copy the ID image and paste it in here: https://www.roblox.com/library/INSERTIDHERE/

This way you can check reviews/Likes/Dislikes and comments and inspect the source code.

If you think its a backdoor then right click the script and click show in explorer and delete it!

image

REMEMBER: There is usually more than one backdoor.

I hope this helped :slight_smile:

I appologize if this was unclear.

People can sometimes use \114\101\113\117\105\114\101 instead of require, so make sure to search for that as well. Some scripts can be backdoors without using require too, search for il1 as well, it’s something that a lot of script obfuscators use. -@brokenvectors

Also, Some viruses are made just to destroy your game. Search for “Destroy” or a related function if this is the case.

Another thing to search for: getfenv.

It may be useful to check the output/console.

Don’t rely on plugins to do it for you.

Another note: AntiVirus scripts tend to be Virus Scripts

What you should do if someone is using a backdoor:

Step 1: Serverlock the server if possible
Step 2: Ban the person if possible
Step 3: Shutdown and Close the game
Step 4: Remove the Backdoor using this guide
Step 5: Re-open your game!

78 Likes

I think I will use this next time. Usually I use a plugin that detects for bad scripts but it doesnt seem to work right. :+1:

4 Likes

People can sometimes use \114\101\113\117\105\114\101 instead of require, so make sure to search for that as well.

Edit: Some scripts can be backdoors without using require too, search for il1 as well, it’s something that a lot of script obfuscators use.

Edit 2: If the required module does nothing harmless but the creator isn’t trustworthy, I recommend deleting it anyway since the module can change at any time.

Edit 3: Just search for getfenv, the previous stuff i’ve said is kinda stupid.

6 Likes

Great technique! Will be using from now on.

1 Like

What is the purpose of using that?
Is it the same as using require?

1 Like

Yes, it’s the bytecode value of require(i think). People usually do:
getfenv()["\114\101\113\117\105\114\101"](ID)

They can also call a reverse on the string inside, so you’ll also have to search for the reverse.

Edit: You can just search for getfenv(), as @ForbiddenJ said.

2 Likes

What is the reverse? 30 CHhar

2 Likes

It’s 101\411\501\711\311\101\411\

I think there’s many techniques of obfuscating strings, so this might not be enough.

1 Like

If any script has getfenv in it at all, you should be worried. It’s rarely used for general game development, and is the most abused way of hiding backdoors.

getfenv grabs the script’s environment table, which contains all the global veriables you normally never think of as being global variables. It can then be treated like a normal table. For instance, game.Workspace is the same as getfenv().game.Workspace, or ipairs is the same as getfenv().ipairs.

With string manipulation, people found ways to access the environment table without actually using the keywords, and the obfuscation can go way further than replacing the string characters with numbers, so you may not find the require keyword at all.

There should be no other way the environment table can be directly accessed, so be on the look out for getfenv.

4 Likes

To @brokenVectors:

I think I should clarify using the byte code representation of characters is in no way “obfuscation” and can be defeated by outputted the result during runtime. In fact almost all types of string obfuscation fall short to this because at some point the string’s constant has to exist in memory.

print("\101\411\501\711\311\101\411\")

To @ForbiddenJ:

This is a really good statement, but worrying too much can be dangerous for your game’s development. IIRC some popular admins / tools use getfenv & setfenv for environment injection.

1 Like

Thank you, I have had multiple issues in the past with viruses. I have bookmarked the post!

2 Likes

Also, you can search in the Explorer tab for “RotateP”
If there are some RotateP that have a random name, then delete it
(if there is a server script 99% this is a backdoor/virus)

2 Likes

Not sure if you discussed this, but you should also look for “getfenv” as some backdoors use that to try to get around require

Yeah I updated the post. Thank you.

I recommend reading my topic aswell, not to steal your thunder @XxMystical_SecretsxX

There are multiple different strings that were not listed here that are more common/rare than “require”.

I’ve listed multiple ways a backdoor can get into your game, but this thread is a good addition as I didn’t really cover this trusted part.

2 Likes

Just a side note: requires can be legitimate.

Require loads in a module, and many large open-source models (e.g. both HD and Adonis admin), which will load in ‘parts’ of a larger model.

Requiring an ID (which will load a ‘remote module’) also isn’t suspicious, as many models which target developers without technical experience can use ID-based requires to have ‘automatic updates’.

You should use your gut and check the model ID- is this model by a known user, what’s the source code of the model? If it’s obfuscated, it may be malware (e.g. Kohl’s Admin Infinate).

Glad that someone made a step-by-step tutorial about it! I personally would not be needing it, but if I get across people who would likely need assistance in clearing backdoors, I’d surely direct them here!

Also, scripts which use stuff like math, and basic math operations to get ID’s are backdoors. for sure.
For example:

require(math.floor(2.3)+5+200+1-4+6/1*2*math.ceil(3.3)*20)

Which would require the moduleScript of path : 33600.

1 Like

I covered this already for the most part.

Also look for something like “infection” I keep seeing it.

Ah yes, these backdoor scripts full of obfuscated code.

What I usually do when getting a free model is to check for any scripts and inspect them for anything weird, then follow the tutorial above.

Gotta be careful about these backdoors!

1 Like