What does this script do?

In what way, shape, or form, does this look suspicious?

1 Like

@posatta

Wrong. I disabled the plugin (as I knew I did not have a need for it), and it was still causing an issue, so I uninstalled it (as I knew I did not have a need for it), and it fixed the issue.

Also look at this:

Whether or not a plugin is uninstalled or deactivated, it can still run, even after Studio has been restarted!

1 Like

No, this 100% is a backdoor. Going through the mess of require spam here, I was able to trace down the actual backdoor.

It starts by requiring this: https://www.roblox.com/library/3319736847/unnamed
It then goes to require this: https://www.roblox.com/library/3168273556/Sunglasses-mp4
Then this: https://www.roblox.com/library/2897537675/yes
And finally, this: https://www.roblox.com/library/2968019598/yet-nahh

Dumping the constants in the script reveals that this is obviously a backdoor, full list below.

paste.sh · encrypted pastebin - The server script
paste.sh · encrypted pastebin - The local (UI) script

```
You are currently whitelisted on Serverside[V2]. Press ";" for the command bar.

**New-Execution-Log:**
**Player:** https://www.roblox.com/users/
```

10 Likes

Amazing. I still wonder what all those useless math functions were though? Like (1+e8)>(0*pi) or something. I didn’t notice any require functions, which script were you looking at?

2 Likes

I didn’t see any either. Might just be me.

That’s the purpose of obfuscators.
You know how some backdoors “mask” the require by turning require(123) into something like

getfenv()["\114\101\113\117\105\114\101"](123)

You don’t see a “require” here, because it has been broken down to the string’s bytes.
However the logic remains unchanged: grab function require and call it with 123.

On the other hand, VM obfuscators take it to the next level. They break down the entire code into basic Lua instructions, and generate a VM which is able to run them.
The VM is based on the actual Lua VM, and can be compared to Lua-in-Lua implementations such as Adonis’s loadstring or Rerubi, except minified, more secure, and as confusing as possible.

The random math operations that you’re mentioning are either junk code or calculations used to execute code by the VM.
I don’t want to get into the details here, but to give you the idea, this part for example: (a*16777216)+(e*65536)+(n*256) lets it use 4 bytes to store constants (strings), rather than 1. Since in Lua you can’t string.char a number greater than 255, using one byte would limit you to max. 256 different strings. With this approach however, the limit gets raised to 4294967295.

6 Likes
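Added example, not part of the original posts: a small Python scanner that decodes escape sequences in Lua string literals and reports the ones that spell a sensitive global, which is how the masked `require` shown above can be found when reviewing a plugin or free model. The `SENSITIVE` list, the function names and the sample source are assumptions constructed for illustration.

```python
import re

# Globals whose hidden use deserves a manual review (assumed list, extend as needed).
SENSITIVE = {"require", "loadstring", "getfenv", "setfenv"}

# Quoted Lua string literal; long brackets and comments are not handled here.
STRING_RE = re.compile(r'"((?:[^"\\\n]|\\.)*)"|\'((?:[^\'\\\n]|\\.)*)\'')
# Decimal escape (\114) or hex escape (\x72) inside a string body.
ESCAPE_RE = re.compile(r'\\(?:x([0-9A-Fa-f]{2})|(\d{1,3}))')
# Immediate call with a numeric argument after the indexed string: ...](123)
CALL_RE = re.compile(r'\s*\]\s*\(\s*(\d+)\s*\)')


def decode_lua_string(body):
    """Turn numeric escapes in a Lua string body back into characters."""
    def repl(m):
        code = int(m.group(1), 16) if m.group(1) else int(m.group(2))
        return chr(code) if code <= 255 else m.group(0)
    return ESCAPE_RE.sub(repl, body)


def find_masked_globals(source):
    """Return (line, decoded_name, numeric_argument) for each escaped string
    that decodes to a sensitive global name."""
    findings = []
    for m in STRING_RE.finditer(source):
        body = m.group(1) if m.group(1) is not None else m.group(2)
        if "\\" not in body:
            continue  # written in the clear, nothing is being hidden
        decoded = decode_lua_string(body)
        if decoded in SENSITIVE:
            line = source.count("\n", 0, m.start()) + 1
            call = CALL_RE.match(source, m.end())
            findings.append((line, decoded, int(call.group(1)) if call else None))
    return findings


# Constructed sample source, not taken from the scripts discussed in the thread.
SAMPLE = r'''
local ok = "hello"
print("require is fine in a string without escapes")
getfenv()["\114\101\113\117\105\114\101"](123)
local f = getfenv()["\108\111\97\100\115\116\114\105\110\103"]
'''

if __name__ == "__main__":
    for line, name, arg in find_masked_globals(SAMPLE):
        print(f"line {line}: hidden '{name}'" + (f" called with {arg}" if arg else ""))
```

This only catches string-escape masking; a VM-obfuscated script carries no such literals, which is why the constant dump earlier in the thread was needed.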

If the plugin is disabled it runs but doesn’t display on the plugin tab.

2 Likes