This man has made over 200k+ Robux by making this malicious script that inserts a (fake?) 50R$ admin command into infected games

mrbobbilly · July 3, 2020, 12:36am

I’ve tried that and other methods and it comes up with nothing, all I know for sure is that it’s a virus that uses the marketplaceservice and it’s hidden I have no clue where it’s at

cjjdawg · July 3, 2020, 12:36am

Are any modules required with an id?

mrbobbilly · July 3, 2020, 12:37am

Yes, such as Decals for the guis I have

Algorxthms · July 3, 2020, 12:38am

I would revert to an older version of your game where you didn’t experience this infection.

TheeDeathCaster · July 3, 2020, 12:38am

Did you try using the plugin I linked previously? Also, did you try using this method to see if the backdoor was present anywhere?

mrbobbilly · July 3, 2020, 12:38am

Yes I tried that and it came back with false positives

sjr04 · July 3, 2020, 12:39am

You say you have no plugins. Have you tried searching getfenv?

These types of scripts will generally “obfuscate” access to the game global by doing something like

getfenv()["\103\97\109\101"]

Then they will access MarketplaceService similarly.

getfenv()["\103\97\109\101"]["\77\97\114\107\101\116\112\108\97\99\101\83\101\114\118\105\99\101"]

mrbobbilly · July 3, 2020, 12:40am

I’m gonna test that right now hold on

mrbobbilly · July 3, 2020, 12:45am

Ok so here’s what I found in the Output

And here’s what it looks like in the scripting box

The thing is, that script doesnt even exist in the Explorer! How in the world is that even possible?

mrbobbilly · July 3, 2020, 12:46am

This is the Model that id number links to
https://www.roblox.com/library/4921021305/PluginAsset
Conveniently the owner is terminated

cjjdawg · July 3, 2020, 12:47am

It might be the product id try MarketplaceService:GetProductInfo(), I’ll test it and see.

mrbobbilly · July 3, 2020, 12:48am

Update me on it because I don’t know how to test that

TheeDeathCaster · July 3, 2020, 12:48am

It’s probably parented to another part of the game that isn’t visible via the explorer. You could use this method I stated previously to see where it is.

mrbobbilly · July 3, 2020, 12:51am

All I’m seeing is this e.e

mrbobbilly · July 3, 2020, 12:54am

It has something to do with ThirdPartySales but the thing is I have it turned off so how is that even possible that they have a Marketplace product in my game?

redJuli21 · July 3, 2020, 1:00am

A method I use is by searching Welding, Fix, Weld or Debounce into explorer and delete any script with those names, they normally will appear “empty” or saying something about “this script is from ROBLOX” (which is not true) also any unnamed scripts could be the backdoor.

sjr04 · July 3, 2020, 1:07am

Can’t confirm.

The module seems to have been obfuscated with Luraph.
I am not sure of how to dump Luraph’s constants but what I could find is that it also requires this module

mrbobbilly · July 3, 2020, 1:07am

I found Debounce, but the script is blank, nothing inside the script. What do I do with it?

sjr04 · July 3, 2020, 1:08am

Are you absolutely sure?

Because a lot of these scripts just indent soooo much that the script has a horizontal scrollbar.

redJuli21 · July 3, 2020, 1:08am

Just delete the entire script.