Wow, this video was very VERY interesting. I got malware on my game because someone from teamcreate put in a wrong model. I tried to reverse-engineer it but stopped at joint service. Props to you! You got another subscriber ♥️
yea I've found one that also pings a discord server when a game's been infected with it so they know they can go in and grab all the server scripts from it. Nice job going through it ;D
I made one, the thing was a gui (that only was visible to me via my specific userid) and was hidden as a child of like 50 parents, and it let me shut down servers (as in kicking all), it showed me when a game was infected with a discord webhook, and i could run any code i really wanted on servers. i got it on 2 game that averaged 500 people, i will not name them, one of the games removed it but one still has it active and i like messing with them.
Dude i did something similar back in the day, but it was by joining them small groups from grp as a developer (with no developer skills at all) and then backdooring their game in the hopes it would get bigger in the future. However after a while I just started figuring out how scripting works and just started developing instead, then fuck around with the devconsole 💀
Normally i'd think this was just the average backdoor that gives owner-admin to someone on some admin panel, but its so much more that it got so complex i got lost at the part where it used the description of a content-deleted game to use the words as numbers for a ID of a payload, crazy stuff.
so those https are probably running on node.js javascript backend type script that would run on servers, but the websites yes they use it but its probably just to log stuff I don’t know because i'm not the developer. Anyway the website developing in style is really cool but its use is evil. I love making websites and stuff so far I just started learning the backend scripting so I can run it on a server and make it somewhat accessible.
So if I'm understanding this correctly... 1. Game creator uses some asset from marketplace that's infected with this malware as an attached script 2. Said malware script goes through stages of visiting marketplace links and deobfuscating payloads until it is fully loaded, clearing logs, and reaching out to 3rd party webservers for C2 3. Those 3rd party servers are part of a backend that gives a list of players who have paid for tiered plans, who can then use this malware to spy on or cheat in any games infected with the malware. And most of all, 4. The malware probably also steals the cheaters' roblox and discord account info, and sketchy website is probably also giving them more malware outside of Roblox?
i remember older roblox malware had a script called "Hello, I am your new lord lolz" - that used to spam into every existing part or function, usually messing with physics or weapons lol
Logging the chats of whitelisted users is actually common practice for this type of thing. Usually, you need to pay for a whitelist to these types of things, and whitelisted users (obviously) know of the backdoor in the game. In the rare case the developer of the backdoored game is in-game as a whitelisted user joins, the developers of the backdoor don't want the whitelisted user to alert the game developer of the presence of a backdoor, so they log chats and likely automatically detect when a whitelisted user says something related to the backdoor and revoke their whitelist to prevent any loss of backdoored games, since serverside developers usually use the amount of backdoored games they have as a reason to purchase their product over others of similar nature. I know this because I previously had been given a leak of the rules for an extremely popular serverside in around 2022 which went for around $6. The rules had a section stating that "you shouldn't talk about the existence of the backdoor in-game". It has been years since I was given this leak and I no longer have it so I don't have the direct rule, but it was something along those lines. Just thought it was a kind of funny concept, Roblox censorship
i used to be a roblox skid and i made a script that was one line of code, it would just execute a script that would insert a script into the game, that was basically: if "player" says "this" give them "exploiting gui that i made" didn't do much with it obviously just did it to some of my friends games and a testing game of a game studio :) was fun
How does he just "grab" the deleted modulescripts or assets in general? Btw very informative video, helps me with understanding malware scripts, it's like deciphering lol
Back in the day, before all the FE garbage, there were often numerous RCE (remote code execution) exploits that would allow you to get ACTUAL malware from someone in your game. There were also ones that forced you to teleport and all kinds of interesting things. Sadly those days are over! I was playing back when you could use CE to make a sword load a script. Probably ~2009.
maybe i'm being naive, but from what i can understand Zephal LLC's web based user moderation system can be a legitimate tool for developers to integrate serverside execution for things like moderation and the like, it's just that whoever developed these backdoor scripts is appropriating it to get execution on random games. also it doesn't say you can't dissect the code it says you can't *disseminate* it which makes sense because its paid software and sharing the code would be like piracy either way zephal sort of looks like overpriced shady crap anyway
7:40 this is something i can shed some light on. i see people here saying omg i saw this print output in so many games‘ console, omg omg they were hacked!!11! well, exactly not. this output aka. warning is very common in roblox framework and you see it in a lot of games. it happens mostly when someone dies and scripts try to move the humanoidrootpart. especially npcs call this as there are just different scripts conflicting with their code. the output is so much overlooked because it doesnt really matter as in most cases after death the npc or player just respawns and everything returns to normal and starts working again. and as you already said, since an update some years ago, roblox outputs when the require() function is called and this seems to create a little loop to spam this output and to distract and effectively have that require output disappearing…
Wow, that's so interesting. To see how much effort those people make to get a backdoor to a roblox game... Crazy. With all the different moduley that are required etc. And then to see that their website is completely broken since you can just type in another url to bypass login etc. lol
I just realized. It checks if v6 is equal to v0. But your output is not equal to v0. I’m struggling to understand the point of this v0, this payload will just never run. When you went to the link, it didn’t say the asset was moderated at the top, so it just didn’t exist or they deleted it.
@@krashniir okay nvm. I was on bad wifi at the time and wasn’t looking closely. But then if there were just going to leave the regular ID out in the open, why have the rest of the code.
could you make a video to show how to get your mouse cursor please? it looks really cool :) and also perhaps your roblox studio customization n other cool looking designs
really interesting but jesus, whoever made it really didn't think twice to put their userid in the script, just don't grab anything from the toolbox and you're safe from stuff like this
I will be doing some more videos on similar backdoors that are more obfuscated soon! If anybody has any samples they found that they'd like me to look at, let me know.
you found out my module :((((
goofert 👽🙏 vlorp glormo 👽🔥🔥🙏
More obfuscated backdoors are going to be virtualized, I doubt you would be able to devirtualize it or even constant dump the code
@@Sown. I actually did in my latest video!
I'm a cybersecurity grad and i can maybe help answer why there seem to be "red herrings" and so many weird HTTP requests compounding on each other, generally what happens is that instead of making their own assets from scratch blackhats will go around finding pre-existing malicious assets and add their own payloads to it then reupload it back, sometimes they might remove other peoples payloads too or break some other malicious parts of code which is also why there seem to be multiple different games from different creators connected to the same asset. Generally though it's seen to them as "good manners" to leave other payloads intact when you add your own.
i find it funny how they say "you cant look through this script because its blah blah blahs property" halfway through the dissection process
Oh My God. You LEAKED their executor, you EXPOSED them for spying, you are a BEAST
a mr. beast..
@@Sumthing8Uboo 💀👎
As an experienced developer on the platform, back then there wasn’t a way to confirm if you wanted to remove scripts from models coming from toolbox. You had to manually check which at the time most didn’t.
I REMEMBER SEEING THE "Player:Move called but the player has no humanoid" THING SPAMMED IN GAMES WHEN I PRESS F9
yeah it's not a rare warning though, might be a faulty script too
I think that's a masking something with a Roblox error, which that output is as "Player:Move called but the player has no humanoid" only triggers if you try to move your character using Player:Move() but you do not have a Humanoid object in your character for some reason
Ofc in this case, it's fake and more a mask but the error is a real error
@HL2Modder2001 Well yeah, all errors are real errors
thats on the client they spam it on server
if you check your code and it has no malware then its an real error where when you try to move but your character model has no humanoid
one time I took a water block out of the toolbox, and I checked the script in it. And it was like 300 lines of printing "you have been hacked by XASDWADFSAFSA etc."
players beware! dont press f9!!! you wil get hacked!!!
Loops: exist
water blocks on toolbox hacker creators
I got baited to same script but in lava block in 2013-ish, my obby didnt do well.
@@sewziom3396 loops good but there will be automatic roblox script exhausted timeout or smth like that and loop will stop
@@крутойперчик all you need to do to evade that timeout error is to have it yield every x amount of iterations.
Thats crazy as a scripter myself it was fascinating to see the amount of trouble they went through they really thought outside the box for some of the stuff a lot of scripters probably would have missed some of the stuff u pointed, especially beginner scripters who just wanted to use a free asset from the tool box. Good Video i really enjoyed watching it.
I dont use roblox but as a coder anytime i see obfuscated code i find another source or write my own.
@@BMWe-ed2tn yeah same.
It's really basic tho?
@@Sown. Not for everyone I'll say if you have about a year of programming experience in luau and know how Roblox studios works you could catch on to a fair amount of the suspicious looking code, but for new programmers who just look at things on the surface and don't understand API or anything like that they would have trouble figuring some of this stuff out.
@@Sown. surprised it wasn't even obfuscated, this is legit just poor segmentation for a ss executor, but who even does that nowadays anyway
crazy how intricate and well hidden these viruses have gotten. I remember back in the days when all you had to worry about was the "fire spread" virus, that one is a classic.
that one actually sounds funny lol
imagine making a game in Roblox when something just randomly starts on fire and spreads to the rest of the level
@@zenniththefolf4888 it sounds funny but that’s not what it did unfortunately it was much more malicious. The script was usually named “Spread” or “Firespread” but its function was usually to completely lag out games, create back doors, or kick players using certain gear items
dude idk why but it's so funny how you're calling zephal a "serious project" while just effortlessly bypassing their systems by just entering a different URL 😭 it's genuinely insane the lengths people will go to ruin that one game that added their backdoor by accident, amazing video
this is why i am making my own roblox anti virus that reads the source code of these viruses
@@cosmic7140 Through plugin? A measly normal script won’t do anything unless you intend to create a plugin
@@cosmic7140 thanks
@@cosmic7140 when will you release it?
@@astraoutlight i am working on the logs/settings ui's. But it's being annoying, but the actual anti-virus works. So idk
My friend once grabbed a tree out of the toolbox called like Дрвад or something like that, I looked in the output and roblox has detected that its malware so I go to check the script but I saw the tree model had some values or something named weirdly like |||:/"||| and stuff so I go into the scripts code and all its doing is cloning itself and parenting itself to like the workspace in a while true loop
and the best part: the script was called "Marlware"
Marlwere
I love marlware❤
A good way to just instantly get all of the IDs is by putting this at the top of the src
local _require = require
local function require(...)
print(...)
return _require(...)
end
require=nil
require(id)
u can bypass that tamper function easily
@@AQHgSo07jB8OQhALxnSEoqMT3YHHP u cant call nil, lol.
@@AQHgSo07jB8OQhALxnSEoqMT3YHHP Idk if my comment disappeared or not, but I can't see it. That would just set the var to nil, and then the function would be deleted, so ur code just doesn't work at all
@ sorry I wrote it very quickly, here's a working one:
getfenv()["require"] = nil
getfenv()["require"](ID)
add ur tamper script above this code and try it. it will work! tell me when u tried it and i will tell u the explanation
@@AQHgSo07jB8OQhALxnSEoqMT3YHHP retard
I don’t use Roblox Studio often but I’ve always wanted to see one of these types of vids that go in depth about back door scripts.
You have earned a sub.
If you wanna continue a series related to “Roblox Malware.” You can probably go beyond just Roblox Studio. You could get into third party extensions if you understand how malicious JS works.
Unique way of how backdoor script works! The basic way of backdoor that i know was requiring the asset id that was turned to hex and hid them inside script or at the very down end of script but i didnt know this was possible. Amazing
i imagine they would log their chats because they have pretty strict rules about talking about the exploit
At 9:47 I was really surprised how much work this man put in just to hide a reference of http service, in a sense it's pretty smart that he hid the string of "HttpService" as a property lol
i once was on a server of a friend that owned some of these malwares, the structure is quite impressive. in summary, he had a discord server that had a chat which tells which games got infected by these malwares with the link, and once you join these while being friends or being on some specific roblox groups, you'd have access to the executors.
Really nice and interesting, first time delving into content like this. You've earned a subscriber.
ain’t no way they used GPT coding to make their trash ahh SS💀
FR
Great video! Malware is certainly interesting and it's ways are intriguing, but I think making a video on ransomware, viruses and even dangerous plugins would truly shine light towards the Roblox studio underworld!
chatgpt reply
@@Toad-k7e nuh uh
@@Toad-k7e its just well english
i always laugh at these type of people that put malware into scripts, they think theyll get someone with a good game but no good dev uses tool box item
i mean there were times where they backdoored popular games like meepcity , frappe v5 , prison life , club iris , even dahood and alot of the time its not even a toolbox model but just a roblox function with a vulnerability
I’ve seen some that manually apply for dev on a game and infect their game. Serversides got boring after a while so I moved to exploiting roblox revivals. There’s this one that I exploited called Hexagon that used a late 2014 roblox client and I was spamming coolkidd decals and crucifying people. People were freaking out over everyone in the server being crucified and the like.
That's amazing! I've used to find malicious scripts a lot and all I did was look through it, but you went on another level with getting the modulescript and looking through it too, great job there.
17:14 actually, they'd do this to be able to know when someone is spreading the word about the SS (so yeah, spying)
they fear the game's developer would notice that there is a ss in their game, and remove it
just looking at the video, you know that they were in their rookie hour during the design of the fundamental methodology
and, as someone who dabbles a bit in ss creation, I could see the strengths and weaknesses in their own implementation, but theirs can't be fixed as well as my own, and as far as I know, mine isn't detected by any "malware scanner" plugins, but that's not really the point.
the point is to improve security, and if they could, they would make some forced fenv polyfills, and maybe even stuff that would require a huge shift in the paradigm they're all using, I'm not really going to name any, as that would hint at exactly what it all is about, and I don't want to take away from the effectiveness of taking down these dynamically dependent executors at this point in time.
Crazy stuff seeing this as a dev. Made me make sure to double check all of the module scripts im using from other people
insane - thanks for covering this! it's wild to see how much effort they go through to try to obfuscate it ... also, why sign your backdoor with your name??? 💀💀💀 would love to see a part 2!
probably sign it with their names to prevent other hackers from stealing it or its just ego
If they are smart it's either a red herring or the name of some guy they don't like.
the publisher can get banned if we all report it, roblox said no obfuscating script before make it public on the creator dashboard
it cant get banned if its external - no ui
there's a way to make it obfuscated so it will never detect
@@4zaa4 "To maintain community safety, Roblox may terminate accounts that publish spam or assets with malicious or obfuscated code." - roblox msg when u r about to distribute a model
@@axsz-lollmao this almost never happens if ur smart enough
The models are uploaded on burner accounts, there's no way they are stupid enough to post this stuff on their mains.
as someone thats been learning lua and scripting for much less time than you (believe me i can tell how long youve been doing it just by how fast you type) im absolutely fascinated by the methods people will use just to do backdoors like this, its absolutely insane and also very interesting to learn and debunk, thank you for making this video!! :)
This is really fascinating, I love virus investigation type videos.
The amount of layers of red herrings, requiring other modules, obfuscation, and trying to remain hidden are actually insane
For me, just seeing the weird string manipulation and seemingly useless function in the first one would be enough of a reason to delete it, let alone the many more layers you uncovered
OOOOOOOOH I KNOW WHAT THIS WAS!
Some roblox exploiting softwares aka executors also allow server side execution, they do this by backdooring games like this and then if a cheater with the executor joins it would have code to check if server side is available and if yes it would open it and allow the cheater to run code on the server, these were really popular tho they've been dying out recently.
that's why i don't use toolbox or when i do, i tend to scan through the code alot to make sure nobody's trying to saveinstance my place and send it over to a group of randos (Probs not possible)
Also i think they use their own Loadstring module now, tho if you have loadstring enabled (i.e maybe to allow users to run custom code if you make a singleplayer game or something, can't think of any other use-case tbh) then if you don't properly secure how you run that custom code, exploiters may also exploit that vulnerability
so yeah, if you intend on letting users run custom code, make sure to properly secure it first and know what you're doing
that print Player:Move Called blah blah blah is a error the studio prints when you try to move the character and it cant find the character humanoid. dont know when this error exactly occurs but yea its a error they printing to make the script look like some player script.
Wow, I had no idea Roblox had malware developers with this level of complexity! Excellent work with your analysis, this was a ton of fun to follow!
i got so much unmotivated by these scripts, im just scared to even open the studio lmao, the req thingie was from a plugin, i just kinda quit studio for now.
I recommend uninstalling the plugins you have, and starting fresh. it's pretty easy to stay vigilant of these sorts of things once you know how they work!
@@Hoofer Is there a way to know if the plugins you use are malware as well?
@@fireremix8 There is by checking the source code of the plugin, but it's quite hard. I recommend only using plugins by verified creators, it's a better way to ensure it's safe.
@@Hoofer Yeah I suppose so, the most useful and popular plugins are made by verified devs. Thank you.
pretty decent analysis video, their website got me cracking up😭
For some reason, a backdoor require() keeps appearing in one of my games. The only thing is that the required asset is content deleted, so all it really does is be really annoying in the output and keep reappearing at the end of every server script.
Thank god the asset was deleted, because for some reason, despite me checking my own plugins and the editors' plugins, it always appears at some point after removing.
delete some plugins and keep the ones that you think are safe
There might be a script inside a service that's not shown in the explorer, you can do a for loop and put all ModuleScripts in the game in a table to check them
@berendberend702 some scripts can be parented to unreachable containers like nil
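The sweep described in the two comments above, written out as an added example (not code from any commenter or from the video): a Studio command-bar snippet that walks every script container in the place and flags ones whose Source matches patterns seen in these weld-script backdoors. It assumes plugin-level access to Script.Source, the pattern list is my own construction, and, as the reply notes, anything parented to nil is not reachable by GetDescendants() and will not be listed.

```lua
-- Added example for Roblox Studio's command bar (not from the thread).
-- Lists every Script/LocalScript/ModuleScript in the place and flags the ones
-- whose Source contains constructs typical of toolbox backdoors.
-- Assumption: run from the command bar or a plugin, where Script.Source is readable.
-- Caveat: instances parented to nil do not appear in game:GetDescendants().

-- Constructed watch list; real samples may obfuscate these further.
local SUSPICIOUS = {
	"require%s*%(%s*%d+", -- require(1234567): load a remote module by asset id
	"bit32%.",            -- bit32 arithmetic used to hide an asset id
	"string%.char",       -- byte-by-byte string construction
	"getfenv",            -- environment tampering
	"loadstring",         -- run decoded code at runtime
}

-- Returns a table of { path = ..., pattern = ... } for every hit.
local function scanPlace()
	local findings = {}
	for _, inst in ipairs(game:GetDescendants()) do
		-- LuaSourceContainer is the base class of Script, LocalScript and ModuleScript.
		if inst:IsA("LuaSourceContainer") then
			-- Some containers refuse Source access; pcall keeps the sweep going.
			local ok, source = pcall(function()
				return inst.Source
			end)
			if ok and type(source) == "string" then
				for _, pattern in ipairs(SUSPICIOUS) do
					if source:find(pattern) then
						table.insert(findings, { path = inst:GetFullName(), pattern = pattern })
						break
					end
				end
			end
		end
	end
	return findings
end

local hits = scanPlace()
print(("scanned place, %d suspicious script(s)"):format(#hits))
for _, hit in ipairs(hits) do
	warn(("suspicious: %s (matched %s)"):format(hit.path, hit.pattern))
end
```

A hit is a prompt to read the script, not proof of malware; legitimate code uses bit32 and require() too, so check what the required id resolves to before deleting anything.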
new sub, always wondered how this stuff worked and i like how you have basically zero editing in your videos and just explain stuff without having any ADHD editing, thanks :)
Love to see it bro, your content is actually really enjoyable.
honestly this is just impressive the way they managed to create such well-hidden and obfuscated malware
atp id just let them have the game 😭
I had malware in an unpublished game, and...i created the scripts😭
this video was so interesting i did not even notice 20 min passed
The Roblox version of Eric Parker. Love it.
Instantly who I thought of.
Very interesting to see how malicious actors, especially on Roblox try to create a backdoor through Roblox studio and sell access to it for a subscription. Good research on this :)
I love how he actually explains what each line does or could possibly do, and why you shouldn't touch random code lol.
my guy just casually destroyed an entire hidden malware hideout
also love your video
so interesting, the way they obfuscate it to get around roblox, wow, that's why it's a profitable business
Wow, this video was very VERY interesting. I got malware on my game because someone from teamcreate put in a wrong model. I tried to reverse-engineer it but stopped at joint service. Props to you! You got another subscriber ♥️
yea I've found one that also pings a discord server when a game's been infected with it so they know they can go in and grab all the server scripts from it. Nice job going through it ;D
I made one, the thing was a gui (that only was visible to me via my specific userid) and was hidden as a child of like 50 parents, and it let me shut down servers (as in kicking all), it showed me when a game was infected with a discord webhook, and i could run any code i really wanted on servers. i got it on 2 games that averaged 500 people, i will not name them, one of the games removed it but one still has it active and i like messing with them.
thats evil
Dude i did something similar back in the day, but it was by joining them small groups from grp as a developer (with no developer skills at all) and then backdooring their game in the hopes it would get bigger in the future. However after a while I just started figuring out how scripting works and just started developing instead, then fuck around with the devconsole 💀
hell yeah i bet that was fun as fuck
as a scripter myself, i didn't know you could do half of this
actually insane the lengths people will go just to hack a game
Normally i'd think this was just the average backdoor that gives owner-admin to someone on some admin panel, but it's so much more. it got so complex i got lost at the part where it used the description of a content-deleted game to use the words as numbers for an ID of a payload, crazy stuff.
so those https are probably running on node.js javascript backend type script that would run on servers, but the websites yes they use it but its probably just to log stuff I don’t know because i'm not the developer. Anyway the website developing in style is really cool but its use is evil. I love making websites and stuff so far I just started learning the backend scripting so I can run it on a server and make it somewhat accessible.
okay, so roblox can delete this decently covered "malware" but can't do anything else right?
The obfuscation and hiding of module scripts are awesome to see but the purpose isn't. All the trouble they went through just for that LOL.
remember one of these, someone added a sofa that had a "Weld" script and then it started popping up gamepasses (i turned 3rd party sales on)
So if I'm understanding this correctly...
1. Game creator uses some asset from marketplace that's infected with this malware as an attached script
2. Said malware script goes through stages of visiting marketplace links and deobfuscating payloads until it is fully loaded, clearing logs, and reaching out to 3rd party webservers for C2
3. Those 3rd party servers are part of a backend that gives a list of players who have paid for tiered plans, who can then use this malware to spy on or cheat in any games infected with the malware.
And most of all, 4. The malware probably also steals the cheaters' roblox and discord account info, and sketchy website is probably also giving them more malware outside of Roblox?
*asset from toolbox (not marketplace lol)
i remember older roblox malware had a script called "Hello, I am your new lord lolz" - that used to spam into every existing part or function, usually messing with physics or weapons lol
19:48
that's a BFLA vulnerability. it happens more often than you might think but they're pretty dumb to let that slide.
classical lamer-made website
The chat log thing is probably to make sure no one is telling what they are using ingame.
there's something called luamin to beautify the code automatically btw
I don't really know what any of this means, but listening to this nerdy stuff made me do my math homework. Thanks man
i found a script similar to this but isn't actually a weld, thanks for telling me otherwise i wouldn't have known my game had a virus!
What browser are you using?
@@DefinitelyNotShrofty librewolf
Just earned a like and a subscriber love ur videos man first one and popped up on my youtube for you page I hope you become big one day lol
back in my day, free model payloads would just lag the game to high hell and fill the screen with "YOU GOT PWNED" messages
i also saw fake “qWeld” scripts that requires a malicious script into the game.
A lot of malicious plugins disguise their dropped scripts as welders. Roblox Studio Welder, qWeld, qPerfectionWeld etc.
the sun is leaking
Logging the chats of whitelisted users is actually common practice for this type of thing.
Usually, you need to pay for a whitelist to these types of things, and whitelisted users (obviously) know of the backdoor in the game. In the rare case the developer of the backdoored game is in-game as a whitelisted user joins, the developers of the backdoor don't want the whitelisted user to alert the game developer of the presence of a backdoor, so they log chats and likely automatically detect when a whitelisted user says something related to the backdoor and revoke their whitelist to prevent any loss of backdoored games, since serverside developers usually use the amount of backdoored games they have as a reason to purchase their product over others of similar nature.
I know this because I previously had been given a leak of the rules for an extremely popular serverside in around 2022 which went for around $6. The rules had a section stating that "you shouldn't talk about the existence of the backdoor in-game". It has been years since I was given this leak and I no longer have it so I don't have the direct rule, but it was something along those lines.
Just thought it was a kind of funny concept, Roblox censorship
i used to be a roblox skid and i made a script that was one line of code, it would just execute a script that would insert a script into the game, that was basically:
if "player" says "this" give them "exploiting gui that i made"
didn't do much with it obviously, just did it to some of my friends' games and a testing game of a game studio :) was fun
And all this from just one weld script!
(Also, if you want to separate a script, you can copy it all and re-paste it, it should format itself)
this is super interesting, wow. awesome video!
How does he just "grab" the deleted modulescripts or assets in general?
Btw very informative video, helps me with understanding malware scripts, it's like deciphering lol
I saved them before they got deleted.
@@Hoofer Ok ok thank you, I got a bit confused. Thx for the insight
Back in the day, before all the FE garbage, there were often numerous RCE (remote code execution) exploits that would allow you to get ACTUAL malware from someone in your game. There were also ones that forced you to teleport and all kinds of interesting things. Sadly those days are over!
I was playing back when you could use CE to make a sword load a script. Probably ~2009.
Loadstring bytecode moment
Very informative. This helped me a lot. Thank you!
maybe i'm being naive, but from what i can understand Zephal LLC's web based user moderation system can be a legitimate tool for developers to integrate serverside execution for things like moderation and the like, it's just that whoever developed these backdoor scripts is appropriating it to get execution on random games.
also it doesn't say you can't dissect the code, it says you can't *disseminate* it, which makes sense because it's paid software and sharing the code would be like piracy
either way zephal sort of looks like overpriced shady crap anyway
The tool is entirely illegitimate. They only use it for backdoors, they are lying. It was specifically made for that and that only.
me: oh nah roblox why would there be malware in roblox?
hoofer: You sure?
7:40
this is something i can shed some light on. i see people here saying omg i saw this print output in so many games' console, omg omg they were hacked!!11!
well, exactly not. this output, aka warning, is very common in the roblox framework and you see it in a lot of games. it happens mostly when someone dies and scripts try to move the humanoidrootpart. especially npcs call this as there are just different scripts conflicting with their code. the output is so much overlooked because it doesn't really matter, as in most cases after death the npc or player just respawns and everything returns to normal and starts working again. and as you already said, since an update some years ago, roblox outputs when the require() function is called, and this seems to create a little loop to spam this output and to distract and effectively have that require output disappearing…
Wow, that's so interesting. To see how much effort those people make to get a backdoor to a roblox game... Crazy. With all the different modules that are required etc. And then to see that their website is completely broken since you can just type in another url to bypass login etc. lol
I just realized. It checks if v6 is equal to v0. But your output is not equal to v0. I’m struggling to understand the point of this v0, this payload will just never run.
When you went to the link, it didn’t say the asset was moderated at the top, so it just didn’t exist or they deleted it.
14:16 the output is indeed equal to v0
@@krashniir okay nvm. I was on bad wifi at the time and wasn't looking closely. But then if they were just going to leave the regular ID out in the open, why have the rest of the code.
This is very entertaining Icl I'm subbing (no glaze)
could you make a video to show how to get your mouse cursor please? it looks really cool :) and also perhaps your roblox studio customization n other cool looking designs
you actually cant be banned for using serversides (unless a roblox mod personally bans you) although you CAN be banned for making serversides
Damn, I have never seen something like this.. using the properties tab to obfuscate code is crazy work.
pretty nice vid bro
thanks for all the infos
next vid pls some more deeper details on how to decode the scripts etc
19:47 I did not expect "So you can make like a sign in, or you can just bypass it"
How does your studio look like that. With those icons.
hey if i put an infected item from the toolbox into the game and i accept scripts then ctrl + z, is there any chance the scripts remain in the game?
@@criiisxdpro6614 If you undo, you should be safe. I haven't had any problems with it.
18:00 that's crazy to be honest. fake error message??
yk you can format scripts in studio instead of manually doing it
It doesn't work for new lines
Why do they have this many steps and methods to conceal stuff if it can be as simple as 1 line that gives anyone access to your game?
To make it more hidden and harder to take down
really interesting but jesus, whoever made it really didn't think twice to put their userid in the script, just don't grab anything from the toolbox and you're safe from stuff like this
How did you find this stuff? Did you search for it or just stumble upon it
@@-fat It was sent to me by a colleague who had been exposed to it
only ogs remember the fire spreader or the unanchor everything in workspace viruses
This was really interesting. Thank you!
funny how i am watching this while knowing nothing about scripting
i found malware in an old game i had, it was poorly hidden and sadly by the time i found it, it had already been deleted so i couldn't examine it
19:50 "You can sign in or you can just bypass it and get to the dashboard directly" All this after this insanely complex code lmao
this shit's awesome, love how u dissect shit and reverse engineer this, subbed:3
if you wanted to quickly get the ID, you could just replace "require" with "print" without having to do any of the previous work
Sometimes this won't work because they will check if you're in studio or if your JobId is ""
this is actually very sophisticated
all weld scripts are suspicious and that bit32 throws it immediately before u even see the require
suspicious*
Hi I got a question how did u import the deleted modules into Roblox studio? nice video btw
I downloaded them before they were deleted