Mystery Code - Is this Free Model a VIRUS?

Captions
Hello, you wonderful people, how are you all doing? So I've just seen a message from one of the users in our Discord, and they were searching for a skybox to use, and they've said that they've seen a strange script in it. They don't really know what it is; they're worried it might be a cookie logger or something, and this certainly piqued my interest. Now, I know a lot of you are aware about and worried about viruses going around on Studio. I've certainly talked before about being very wary of things you take from the toolbox, so I was pretty interested in this and I thought we'd take a look.

So we open up our toolbox, and he says we search for the night skybox, and if we take the very first result we see this one made by, uh, liberman942. The description's a bit weird, it's got the title in there like 10 times, but we go and we'll insert this into our game and we get a pretty nice night skybox. Everything seems normal, but if we look inside we can see it's actually got a script in there. It's called darker, but if we open this up the script looks a little bit strange. So it's got PlayerAdded event in there, and it's checking when they join if they're friends with a certain user, a friend with this ID.

So I went on to the website, and I can copy and paste that user ID, press enter, and then you will find this user right here called fvts key. Right, it seems like just some kind of random generated user. Uh, they don't really have any friends or followers and it doesn't look like they've really played a game, so it just looks like some sort of weird alt account. I noticed, uh, a lot of their friends kind of look like, uh, temporary accounts as well, but their first friend, image zero, uh, takes us to this guy right here who seems to have a hundred thousand followers, which maybe they're botted, I don't know. Uh, and he's friends with these various accounts here, so that's kind of interesting. Our script is checking if they're friends with that weird alt account user, and if they are then it's gonna require this thing.

So what are these weird requires all about? What is this? Now you might notice it begins with a 0x, or both of them. Now a 0x normally denotes a hexadecimal character, so what we can do is we can copy this hexadecimal value, we can go to a website like this hex to decimal converter, enter in our hex value, convert, and then we're going to get this decimal value. So this is the ID for a model that it's requiring. So if I'm on the Roblox website, a model like this HD Admin, right, you see it's got this ID right here. So if I swap that out with the ID we just found, press enter, and I'm taken to this rather curious looking free model. It's just called web, and it's created by an account with another randomly generated username, this one again looking pretty suspicious, and we can see they're actually friends with that user we just looked at a minute ago. So it seems to be some little network of temporary accounts here.

But anyway, let's have a quick look at this model. So I've added it to my inventory and I can go back into Studio now and have a look at it. So if I add it into my Studio I get this thing called MainModule over here, and if I look inside it, uh, it's not really got anything much at all. It says http logger, so it's going to clone this folder that's inside of it and then it's going to parent it to workspace. So it's just going to move this folder into workspace and it's going to name it roblox core animations. So is it for animations? Well, if we look inside we can see we've got freefall, we've got an animation, we've got run, we've got an animation object there, so it seems like it's for animations. But it's a bit deceptive, um, but because if we open up the jump folder we find another folder inside, and if I keep opening these up, extras, eventually I find another script. This is called animation handler. Well, is it for animations?

If I open it up we get this very strange looking script. It's all on one line; it starts with local b equals and then there's this really long list of characters, and we can see the line goes on and on and on and on and on. There's a little bit of code in here but it seems to be mostly these strange looking strings. Well, what's all that about? So it's probably best first of all to not have it all on one line like this, so what I did is I went through and I formatted it, and then I got something looked a little bit like this. Now we can actually see what's going on here. Now we've got still these very strange strings which are a bit mysterious, but we can kind of make out is actually code now.

So what actually are all of these? Well, again, these are actually hexadecimal values. So it's got a backslash x, which tells us it's a hex value, and it's separating out each of these, so we've got 68, 74 and so on. What is all this? Well, if we take all this, we select it all, copy that over, and if we take it to a converter website like this, if I paste in my hex, we can suddenly see out comes the other end what's a very obvious link, and it's going to discord.com. So if we want we could paste this back into the code and then we can kind of see we have something that looks a little bit more normal now, although this is very suspicious. Why are we using Discord? Why is it using webhooks? It's obviously going off-site, so it's something going outside of Roblox. That's always very concerning if you don't know what the script is but it's sending information somewhere else. What could that be?

Well, I went through the rest of the script and I decoded the whole thing for each of these hex values, so we can reveal the mysteries, because clearly it's sending all of this data over the Discord but we don't know why or what it's for. So I'll open up my decoded version over here, and we can see that these ones up here, GetService, they look all mysterious, don't they? Well, actually it's just HttpService, MarketplaceService and RunService. Then we've got this string.sub thing going on. You might wonder what this is all about. Well, actually string.sub just allows you to edit a string, so I'll show you an example.

What's happening here: this is another place I've got and it's published as a game, and what I can do is I can get MarketplaceService and I can get the creation date, which is exactly what that script was doing, and I can print it out to the output. So if I run this we'll see down the output we get this long string which contains the year, the month, the date, and then it has this long block of time as well. Now if you use string.sub on it, all that'll do is it'll take out a portion of the string, this long thing. So we see it goes 1 to 10, so that means it'll take the first 10 characters of that string, and then in this case you could save it to a new variable like this, and if you outputted that, what you would then get is you would chop all that time off, so you would just get the date neatly formatted. So that's all they're actually doing there, nothing too suspicious or exciting.

The next thing this code is doing is it's checking if we're inside Studio or if it's an actual game server. So whenever you run this it's going to query the marketplace, the, sorry, the run service, and then it can check what the status is. And then it's got this really big block of table, which is the data that's being sent. Uh, it's actually, we can see it's, uh, JSON. So you might see this word JSON thrown around a lot; it's essentially just a way of formatting a big table to send information which can then be processed by lots of different programming languages and so on, used a lot with APIs as well.

So let's have a look through. So it's called embeds, and then it's got the author, someone called ellixium, and we can see it's got an icon URL. Uh, if you're wondering what that looks like, that looks like this. Not very exciting, is it? And then it starts putting the actual data. So it takes a title, um, which is actually the name of our game, it takes the URL, which is going to be again the ID of our game, a color, and then the image URL, so it's going to grab the thumbnail for our game. And then fields down here, and we can see it takes how many players are currently in the game, or in this server at least. It's going to send the creator, which is going to get the creator ID, so our ID, it's going to send that, to get max players, created and last updated it's going to take those formatted dates that we just talked about, and it's also going to take the place ID, and then it's got that little footer at the bottom.

So that's our investigation about done. In conclusion, is this malicious? Well, not really. All it's going to do is it's going to take all this information and it's going to post it in their Discord through their webhook. So if you ever set up a Discord webhook before, Discord have plenty of information on that, allows you to create one and so on, and all that you'll then get is a little link, and then you can output information in your Discord. So like we see here, there'll be something like this being posted in the user's Discord about our game. So the good news is this isn't any security risk. It's not going to steal our password, it's not going to cookie logger, it's not going to do anything like that. It's really nothing to worry about, but it is going to send the information off the Discord. You might not want that, so you can feel free to delete it. As I always say, if you find a script in a free model, you don't know what it does, then go ahead and delete it.

But I thought this was interesting to check out anyway. So now we know what it does, but why they've gone to such efforts to obfuscate the entire thing, I don't know. Maybe Roblox senses the word Discord in the scripts so they have to go to such lengths, but it does seem very suspicious that they'd hide it in all this fake animation stuff. I thought this was pretty interesting. Uh, if you have anything else you want me to check out or investigate then let me know, maybe we'll make a thing of this. But thank you very much for watching and I'll see you next time. Goodbye.
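
Added example (not from the video or from the script it examines): a small static scanner that applies the two decoding steps described in the captions, converting hexadecimal `require` arguments to decimal asset IDs and decoding `\x` escapes inside string literals, then listing any URLs that appear. The sample script, the user ID, the asset ID and the webhook path are constructed for illustration.

```python
import re

HEX_REQUIRE = re.compile(r"require\s*\(\s*(0[xX][0-9a-fA-F]+)\s*\)")
STRING_LIT = re.compile(r'"((?:[^"\\]|\\.)*)"')   # double-quoted Lua strings
HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")
URL = re.compile(r"https?://[^\s\"']+")


def decode_hex_escapes(body):
    """Turn Lua \\xNN escapes into characters (ASCII range is enough here)."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), body)


def scan(source):
    """Report hex-encoded require() targets and hex-escaped strings."""
    report = {"required_asset_ids": [], "decoded_strings": [], "urls": []}
    for m in HEX_REQUIRE.finditer(source):
        # 0x... is just the asset ID written in base 16.
        report["required_asset_ids"].append(int(m.group(1), 16))
    for m in STRING_LIT.finditer(source):
        if HEX_ESCAPE.search(m.group(1)):
            decoded = decode_hex_escapes(m.group(1))
            report["decoded_strings"].append(decoded)
            report["urls"].extend(URL.findall(decoded))
    return report


def lua_hex(text):
    """Helper used only to build the constructed sample below."""
    return "".join("\\x%02x" % b for b in text.encode("ascii"))


# Constructed sample imitating the structure described in the captions.
SAMPLE = "\n".join([
    "game.Players.PlayerAdded:Connect(function(p)",
    "  if p:IsFriendsWith(1) then require(0x%X) end" % 123456789,
    "end)",
    'local b = game:GetService("%s")' % lua_hex("HttpService"),
    'local url = "%s"' % lua_hex("https://discord.com/api/webhooks/EXAMPLE"),
])

if __name__ == "__main__":
    for key, values in scan(SAMPLE).items():
        print(key, values)
```

Any URL in the output, or a `require` of a numeric ID you did not add yourself, is a reason to inspect or delete the script before publishing.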
Info
Channel: GnomeCode
Views: 184,076
Keywords: roblox, studio, roblox studio, noob, learn to script, gnomecode, game dev, script, lua, luau, programming, coding, gnome code, free model, should you use free models, virus, roblox studio virus, roblox studio infection, do i have a virus, is my game infected, roblox require, roblox discord api, hexadecimal code
Id: oHgtXdgJF5U
Length: 12min 5sec (725 seconds)
Published: Thu Aug 26 2021