Yes, the update is live. You can try it.
https://www.roblox.com/games/5997611499/Super-Katana-Fighters
Look for a script that's generating a ScreenGui with the name set to "Purchaser". Alternatively, search for code that's checking when a player is added and checking to see if it isn't the owner with something like:
game:GetService('Players').PlayerAdded:Connect(function(player)
if player.UserId ~= game.CreatorId then
end
end)
Specifically the UserId ~= game.CreatorId part. Otherwise, look for obfuscated code like mentioned above. It's most likely a script somewhere in the workspace or ServerScriptService.
Try also searching specifically for this in all scripts (using Roblox's new feature to search through all scripts): 8446506608
Also found the source:
The gamepasses are being sold from this game owned by this group.
Here's two examples to prove:
I would recommend reporting whatever model you got this from.
I tried doing some quick digging, but this is the only account with any free models. Did you get any of these models?
(Warning to anyone that isn't paying attention, but the above link may or may not contain free models with backdoors. You've been warned.)
Okay, I've 100% confirmed that their free models have a hidden require that goes back to a script that generates the exact same UI in your game.
This user is indeed responsible:
https://www.roblox.com/users/69818826/profile
So after some digging, I have not found the source yet. I found some scripts that had a similar name, but I did not remember which user I got them from, so just to be sure I deleted them. With Find In All Scripts I did not manage to find anything, only stuff that is supposed to work like it should. And the only thing with CreatorId was in CoreGui. The UserId ~= game.CreatorId and 8446506608 found no results.
Could you screenshot that? That could possibly be it.
Also, the Whitelist Script that is down there is made by me, so it should not give any malicious GUI spawning.
It might not be this script, but check this line just in case:
Nvm, that seems to be a normal Core script.
Let me actually look at this model and see…
Okay, so after some digging through it I have deleted all the stuff that had been added that had the require function, and now it seems to work! No idea what caused it in general, but I have a suspicion it was the ragdoll Server script. Anyways, thank you so much for the giant help and the digging (finding where the script originated from and who made it was awesome work!). I now have to be much more careful than I was before. You are a legend!
These are scripts that are made by Roblox, so I don't think they were the cause. I just made Studio show all hidden services and scripts to make a deep check for the stuff.
Yeah, I'm pretty sure that was one of the different scripts I saw when investigating. Good luck with your project and don't forget to report that model.
I might download the models to do some digging and see if there's actually any backdoors installed. I'll update this post if I find anything.
I already verified that this one does. But feel free to check the rest. I assumed that most of them also have something similar, but I only actually checked the first one.
And that is why I remove all scripts from free models. Good work there on your investigation.
I traced through that model and found the backdoor. The path to the offending script is Model > Creepy > Scary sound kit V.1 > Sounds > Sound > Script. That has a require for asset ID 8446506608 which is this: w - Roblox. It appears to be a ragdoll script package, but the top level script has this include for asset ID 4993108561 for l - Roblox which appears to be another script package, but I can't seem to access it.
https://i.gyazo.com/ef79c088ba959f5205854b3d8f9de873.mp4
I don't really want to upload the actual file, but you can use an addon to download or view the internals from the browser. But they are definitely not hiding the malicious intent with those names.
Considering it's using an old loadstring module, I assume it's for backdoor code execution in-game.
Just realized that this addon (not sure which one has added this feature) even lets me view the code all within my browser. There's obfuscated stuff too. I think it's safe to say that this module should be reported as well.
The addon is called BTRoblox and is featured in the web store. It recently seemed to break with MS Edge, for whatever reason.
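Added example, not posted by anyone in this thread: a Studio command-bar audit that walks every script in the place, including ones nested deep inside inserted models, and flags the indicators discussed above (a require by numeric asset ID, loadstring, getfenv, and the two asset IDs named in the thread). The pattern list and the LONG_LINE threshold are assumptions chosen for illustration; it only sees source stored in the place file, not the contents of a remotely required module.

```lua
-- Added example: paste into the Roblox Studio command bar.
-- Script.Source is only readable at command-bar/plugin security level.
local KNOWN_BAD_IDS = { "8446506608", "4993108561" } -- asset IDs named in this thread

-- Assumed indicator list (label, Lua pattern); extend as needed.
local PATTERNS = {
	{ "require by numeric asset ID", "require%s*%(%s*%d+" },
	{ "require of a computed value", "require%s*%(%s*tonumber" },
	{ "getfenv (can be used to hide a require call)", "getfenv" },
	{ "loadstring", "loadstring" },
}
local LONG_LINE = 400 -- assumed threshold: very long lines suggest obfuscation

-- Returns a list of { line = n, reason = "..." } for one script's source.
local function scanSource(source)
	local findings = {}
	local lineNo = 0
	for line in (source .. "\n"):gmatch("(.-)\r?\n") do
		lineNo += 1
		for _, p in ipairs(PATTERNS) do
			if line:find(p[2]) then
				table.insert(findings, { line = lineNo, reason = p[1] })
			end
		end
		for _, id in ipairs(KNOWN_BAD_IDS) do
			if line:find(id, 1, true) then -- plain-text search, no pattern magic
				table.insert(findings, { line = lineNo, reason = "known asset ID " .. id })
			end
		end
		if #line > LONG_LINE then
			table.insert(findings, { line = lineNo, reason = "very long line" })
		end
	end
	return findings
end

local total = 0
for _, inst in ipairs(game:GetDescendants()) do
	-- pcall: some instances or properties may not be readable
	local ok, source = pcall(function()
		return inst:IsA("LuaSourceContainer") and inst.Source or nil
	end)
	if ok and source then
		for _, f in ipairs(scanSource(source)) do
			total += 1
			warn(("%s:%d  %s"):format(inst:GetFullName(), f.line, f.reason))
		end
	end
end
print(("Scan finished, %d finding(s)"):format(total))
```

Each warning prints the full instance path, which makes it easy to locate a script buried several levels down, such as the Sounds > Sound > Script path described above.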