Removing Backdoors 101

What is the purpose of using that?
Is it the same as using require?

1 Like

Yes, it’s the bytecode value of require (I think). People usually do:
getfenv()["\114\101\113\117\105\114\101"](ID) -- "\114\101\113\117\105\114\101" spells "require", so this is require(ID)

They can also call a reverse on the string inside, so you’ll also have to search for the reverse.

Edit: You can just search for getfenv(), as @ForbiddenJ said.

2 Likes

What is the reverse?

2 Likes

It’s 101\411\501\711\311\101\411\

I think there’s many techniques of obfuscating strings, so this might not be enough.

1 Like

If any script has getfenv in it at all, you should be worried. It’s rarely used for general game development, and is the most abused way of hiding backdoors.

getfenv grabs the script’s environment table, which contains all the global variables you normally never think of as being global variables. It can then be treated like a normal table. For instance, game.Workspace is the same as getfenv().game.Workspace, or ipairs is the same as getfenv().ipairs.

With string manipulation, people found ways to access the environment table without actually using the keywords, and the obfuscation can go way further than replacing the string characters with numbers, so you may not find the require keyword at all.

There should be no other way the environment table can be directly accessed, so be on the lookout for getfenv.

3 Likes

To @brokenVectors:

I think I should clarify that using the byte code representation of characters is in no way “obfuscation” and can be defeated by outputting the result at runtime. In fact, almost all types of string obfuscation fall short here, because at some point the string’s constant has to exist in memory.

print("\114\101\113\117\105\114\101") -- prints: require

To @ForbiddenJ:

This is a really good statement, but worrying too much can be dangerous for your game’s development. IIRC some popular admins / tools use getfenv & setfenv for environment injection.

1 Like

Thank you, I have had multiple issues in the past with viruses. I have bookmarked the post!

2 Likes

Also, you can search in the Explorer tab for “RotateP”.
If there are some RotateP objects with a random name, delete them
(if there is a server script, 99% this is a backdoor/virus).

2 Likes

Not sure if you discussed this, but you should also look for “getfenv” as some backdoors use that to try to get around require

Yeah I updated the post. Thank you.

I recommend reading my topic as well, not to steal your thunder @XxMystical_SecretsxX.

There are multiple different strings that were not listed here that are more common/rare than “require”.

I’ve listed multiple ways a backdoor can get into your game, but this thread is a good addition as I didn’t really cover this trusted part.

2 Likes

Just a side note: requires can be legitimate.

Require loads in a module, and many large open-source models (e.g. both HD and Adonis admin) will load in ‘parts’ of a larger model.

Requiring an ID (which will load a ‘remote module’) also isn’t suspicious, as many models which target developers without technical experience can use ID-based requires to have ‘automatic updates’.

You should use your gut and check the model ID: is this model by a known user, what’s the source code of the model? If it’s obfuscated, it may be malware (e.g. Kohl’s Admin Infinite).

Glad that someone made a step-by-step tutorial about it! I personally would not be needing it, but if I get across people who would likely need assistance in clearing backdoors, I’d surely direct them here!

Also, scripts which use stuff like math and basic math operations to get IDs are backdoors, for sure.
For example:

require(math.floor(2.3)+5+200+1-4+6/1*2*math.ceil(3.3)*20)

Which would require the ModuleScript with ID 33600.

1 Like

I covered this already for the most part.

Also look for something like “infection”; I keep seeing it.

Ah yes, these backdoor scripts full of obfuscated code.

What I usually do when getting a free model is to check for any scripts and inspect them for anything weird, then follow the tutorial above.

Gotta be careful about these backdoors!

1 Like


Wow. Thanks man. Saved me from having to revert a few days costing me a few thousand in having to have the Devs who’ve done work come back as I’ve reverted theirs.

2 Likes

My game just got “backdoored”, it maybe did. It loads you and loads to another loading screen every time you join. I tried this method but it doesn’t seem to work. But I might use it if my game gets “backdoored” in other ways. Thank you for helping.

Here’s a good search list made by another developer.

  • 1] require, Require is in many scripts, not malicious all of the time. Follow the methods posted above to verify it being malicious.
  • 2] xen
  • 3] luraph
  • 4] local a=
  • 5] a=
  • 6] b=
  • 7] brew
  • 8] anti.backdoor
  • 9] backboor
  • 10] synapse
  • 11] exploit
  • 12] loading
  • 13] \114\101\113\117\105\114\101 [Bytecode for require]
  • 14] Joint
  • 15] loadstring
  • 16] string
  • 17] math
  • 18] getfenv
  • 19] getfenv()["\108\111\97\100\115\116\114\105\110\103

Source: A backdoor disguised as a "fast load" place - #9 by BankrollHero

8 Likes
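An added example, not from this thread and not BankrollHero’s or any other poster’s code: a Python scanner for script source exported from a place that uses the search list above as-is (item 19 is kept in the truncated form shown there) and also handles the math-built ID trick from the post above. For a `require(...)` whose argument is a number or constant arithmetic it works out the asset ID without running any script code, by walking Python’s `ast` and allowing only numbers, the arithmetic operators and `math.floor`/`math.ceil`/`math.abs`; anything else (a variable, a path like `game.ReplicatedStorage...`, another call) is reported as unresolved. The sample scripts, their names and the ID they compute are constructed for the demonstration.

```python
import ast
import math
import operator
import re

# The search list from the post above, verbatim. Item 19 appears truncated there,
# so the prefix is matched as-is. Several entries ("require", "string", "math", "a=")
# hit on ordinary scripts too; the list itself says require is not always malicious.
INDICATORS = [
    "require", "xen", "luraph", "local a=", "a=", "b=", "brew", "anti.backdoor",
    "backboor", "synapse", "exploit", "loading",
    "\\114\\101\\113\\117\\105\\114\\101",  # bytecode for require
    "Joint", "loadstring", "string", "math", "getfenv",
    'getfenv()["\\108\\111\\97\\100\\115\\116\\114\\105\\110\\103',
]

# require(...) with at most one level of nested parentheses, e.g. require(math.floor(2.3)+5)
_REQUIRE = re.compile(r"require\s*\(([^()]*(?:\([^()]*\)[^()]*)*)\)")

_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
        ast.Div: operator.truediv, ast.FloorDiv: operator.floordiv,
        ast.Mod: operator.mod, ast.Pow: operator.pow}
_MATH = {"floor": math.floor, "ceil": math.ceil, "abs": abs}


def eval_constant_expr(expr: str):
    """Evaluate a Lua expression made only of numbers, + - * / // % ^ and
    math.floor/ceil/abs. Returns None for anything else, so script logic is never run."""
    try:
        tree = ast.parse(expr.replace("^", "**"), mode="eval")  # Lua ^ is power
    except SyntaxError:
        return None

    def walk(node):
        if isinstance(node, ast.Constant) and type(node.value) in (int, float):
            return node.value
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
            return -walk(node.operand)
        if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
            return _OPS[type(node.op)](walk(node.left), walk(node.right))
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and isinstance(node.func.value, ast.Name) and node.func.value.id == "math"
                and node.func.attr in _MATH and len(node.args) == 1 and not node.keywords):
            return _MATH[node.func.attr](walk(node.args[0]))
        raise ValueError("not a constant arithmetic expression")

    try:
        return walk(tree.body)
    except (ValueError, ZeroDivisionError, OverflowError):
        return None


def find_require_targets(source: str) -> list[tuple[str, object]]:
    """(raw argument, resolved value or None) for every require(...) in the source."""
    return [(m.group(1).strip(), eval_constant_expr(m.group(1).strip()))
            for m in _REQUIRE.finditer(source)]


def scan_script(name: str, source: str) -> dict:
    """Report which list entries appear and which require() calls resolve to a numeric ID."""
    lowered = source.lower()
    hits = [term for term in INDICATORS if term.lower() in lowered]
    ids = [(arg, val) for arg, val in find_require_targets(source) if val is not None]
    return {"script": name, "hits": hits, "asset_ids": ids}


# Constructed sample scripts (names and contents invented for the demonstration).
SAMPLES = {
    "KillPart": 'local part = script.Parent\npart.Touched:Connect(function(hit)\n'
                '  local h = hit.Parent:FindFirstChild("Humanoid")\n  if h then h.Health = 0 end\nend)',
    "ModuleUser": 'local Util = require(game.ReplicatedStorage.Modules.Util)\nreturn Util.new()',
    "RotateP": 'require(math.floor(4.7)*1000+6*2*math.ceil(3.1)+1)',
    "Loader": 'getfenv()["\\114\\101\\113\\117\\105\\114\\101"](3141592)',
}

if __name__ == "__main__":
    for name, src in SAMPLES.items():
        print(scan_script(name, src))
```

Run over the samples, the kill part produces no hits, the module user hits only `require` with no numeric ID (a path, not an asset), the RotateP script resolves to the constructed ID 4049, and the loader hits `getfenv` plus the bytecode entry. The scanner only reports; the resolved ID is what you then look up on the website to see who published it, as the earlier reply about checking the model ID suggests.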

As the previous developer said, there’s already a post referring to this topic. My reply has been marked as the best one and this will resolve your issue faster than reverting versions.
Click here to see it.