This man has made over 200k+ Robux by making this malicious script that inserts a (fake?) 50R$ admin command into infected games

I’ve tried that and other methods and it comes up with nothing, all I know for sure is that it’s a virus that uses the marketplaceservice and it’s hidden I have no clue where it’s at

Are any modules required with an id?

Yes, such as Decals for the guis I have

I would revert to an older version of your game where you didn’t experience this infection.

2 Likes

Did you try using the plugin I linked previously? Also, did you try using this method to see if the backdoor was present anywhere?

Yes I tried that and it came back with false positives

You say you have no plugins. Have you tried searching getfenv?

These types of scripts will generally “obfuscate” access to the game global by doing something like

getfenv()["\103\97\109\101"]

Then they will access MarketplaceService similarly.

getfenv()["\103\97\109\101"]["\77\97\114\107\101\116\112\108\97\99\101\83\101\114\118\105\99\101"]
2 Likes

I’m gonna test that right now hold on

1 Like

Ok so here’s what I found in the Output

And here’s what it looks like in the scripting box

The thing is, that script doesnt even exist in the Explorer! How in the world is that even possible?

This is the Model that id number links to
https://www.roblox.com/library/4921021305/PluginAsset
Conveniently the owner is terminated

It might be the product id try MarketplaceService:GetProductInfo(), I’ll test it and see.

1 Like

Update me on it because I don’t know how to test that

It’s probably parented to another part of the game that isn’t visible via the explorer. You could use this method I stated previously to see where it is.

1 Like

All I’m seeing is this e.e

It has something to do with ThirdPartySales but the thing is I have it turned off so how is that even possible that they have a Marketplace product in my game?

1 Like

A method I use is by searching Welding, Fix, Weld or Debounce into explorer and delete any script with those names, they normally will appear “empty” or saying something about “this script is from ROBLOX” (which is not true) also any unnamed scripts could be the backdoor.

Can’t confirm.

The module seems to have been obfuscated with Luraph.
I am not sure of how to dump Luraph’s constants but what I could find is that it also requires this module

1 Like

I found Debounce, but the script is blank, nothing inside the script. What do I do with it?

Are you absolutely sure?

Because a lot of these scripts just indent soooo much that the script has a horizontal scrollbar.

1 Like

Just delete the entire script.