Roblox a muti-billion dollar company who blantly refuses to improve their horrid moderation. Meanwhile moderation tools made by their OWN community which can detect inappropriate users, accessories, shirts, group, backdoors (like this), and more which does 100% better then Roblox's OWN moderation.
This tool isn't fullproof, it requires me to look and verify that they are indeed malicious. It would be much harder for Roblox to implement this in a way that would not false positive. I think this will improve over time.
you gotta understand that roblox is indeed trying, and it is working, if you put a code highlighter into a modulescript, and then upload it, you get an instant ban.
@@Hoofer I agree and what should happen is this tool be NOT be relied on 100% with moderating assets uploaded to the marketplace. A tool can help "flag" sus models detected by the tool, but a human reviewer should be the one to click the ban button.
Dude, I wish I had something like this for games. Having to constantly search require, getfenv, etc especially with games that have to require modules it gets very time consuming and is a lot of hassle. I think more people should start to learn how to build and script on their own as in my opinion lua is quite easy to understand! Keep up the awesome work dude, you're teaching me things I either forgot about or am just learning now!!!
i manage the largest serverside in the community and i just find it hilarious how you have easily just cracked nova like that, they're our like only competition, i'd like to see you attempt to crack luna though
nice one on getting this backdoor, i chose a random roblox backdoor model made by the same people who made that ui (that are impersonating roblox as a fake account) and did exactly what you did
is this public? please make this public, it doesnt need to look fancy, its so good as it is right now. im not sure if you have heard of termers? they exist since roblox was obligated to push out the DSA Report Form. they are basically people reporting illegal content on roblox and terminating it, hence the term "terming". it is known to be way more effective as roblox employees have to finish these requests of in a given timeline after EU policy, thats why reporting through the DSA Report form is deemed so much more effective than through any other means. Right now mostly people who spreaded bypassed clothing or who wore bypassed clothing are being terminated. but with a tool like this the community could expand to terming illegal backdoors.
They already have a system for ai that does this, and this scanner isnt exactly always correct, Stuff like HD Admin, or ANYTHING that calls require will flag it, and also u can just bypass this with getfenv
if not you, i didnt know i have that kind of backdoor inside my own game, it was inside fake bloxycola that my friend added, thanks. it was using the fake 429 error
I cheated by learning from another tutorial that 0.6.0 of that obfuscator is vulnerable there, I just search for ~=0 and find where that definition is. The latest version does some sort of xor on the constants so I have to do another method to view how it does things.
you can do this but roblox cant automatically flag them upon upload? maybe they should spend less time making the worst AI products i've seen and listen to the community 🤔
Do you know what those lines with random text and numbers are? (Mostly letters) Example: pqiepwbjfoevjzpkwpqsowodjeiwkdjsjfkwlpqbwufkqpwjoejieowjdqjqosvjf Like are they ciphered or something or are they just there to hide code? Also will you make a tutorial on how to make such a tool? Seems very useful even though you need to verify if it's malicious, it's good workflow. Great content as always, I like how you show what you think and how you come to work on finding these malicious contents.
The random lines are either obfuscated code, or the VM executed code. All of it is just obfuscated code, they do it to hide themselves, but it's not very hard to figure it out. As for the tool, it's not very helpful outside of scanning public assets to look for them. I wouldn't rely on it to check resources. Personally, I recommend not using models that contain scripts. I'd rather write my own scripts for the models. It's the safest way.
@@HooferAhhh ok I understand it now thank you. Yeah I am working on a duo project and we told ourselves to only use our own models, scripts and assets in general. But in case certain parts that take very long to do like vfx or blender models, we thought of maybe compensating depending on the situation. In that case I saw there's a plugin called RoDefender, but comment reviews aren't very happy about it, so I suppose the likes are just given without thought.
Roblox a muti-billion dollar company who blantly refuses to improve their horrid moderation. Meanwhile moderation tools made by their OWN community which can detect inappropriate users, accessories, shirts, group, backdoors (like this), and more which does 100% better then Roblox's OWN moderation.
This tool isn't fullproof, it requires me to look and verify that they are indeed malicious. It would be much harder for Roblox to implement this in a way that would not false positive. I think this will improve over time.
you gotta understand that roblox is indeed trying, and it is working,
if you put a code highlighter into a modulescript, and then upload it, you get an instant ban.
@@Hoofer yeah
@@Hoofer I agree and what should happen is this tool be NOT be relied on 100% with moderating assets uploaded to the marketplace. A tool can help "flag" sus models detected by the tool, but a human reviewer should be the one to click the ban button.
it definitely goes so deep... impressive tbf
you gained a sub btw
Dude, I wish I had something like this for games. Having to constantly search require, getfenv, etc especially with games that have to require modules it gets very time consuming and is a lot of hassle. I think more people should start to learn how to build and script on their own as in my opinion lua is quite easy to understand! Keep up the awesome work dude, you're teaching me things I either forgot about or am just learning now!!!
I just print the name of the modulein in joints service thats how i found out
@@NaraSherko I just press Ctrl+Shift+F and just search for require or getfenv, its so horribly tedious.
awesome that you did this man, also trying to delete the webhook was smart and you've definetly earned respect for it bro
i manage the largest serverside in the community and i just find it hilarious how you have easily just cracked nova like that, they're our like only competition, i'd like to see you attempt to crack luna though
do you have a server?
ur last 2 videos are so cool man, keep it up
you've just earned another sub, never seen someone do this before
This guy deserves million subscribers, what a great work!
I subscribed to you because of Oaklands but these videos keep getting recommended to me. Love it
man this is actually cool, i was amazed on how easily you dumped that script too
nice one on getting this backdoor, i chose a random roblox backdoor model made by the same people who made that ui (that are impersonating roblox as a fake account) and did exactly what you did
As someone who know c sharp and roblox lua this is amazing good work :)
hoofer please stop scratching my backdoor I can't even get a singular moment of rest because of you
I appreciate your work
6:33 LMAO THAT IS THE MOST FAKEST SH## IV EVER SEEN AND THE FUNNIEST
you should get hired by roblox
is this public? please make this public, it doesnt need to look fancy, its so good as it is right now. im not sure if you have heard of termers? they exist since roblox was obligated to push out the DSA Report Form. they are basically people reporting illegal content on roblox and terminating it, hence the term "terming". it is known to be way more effective as roblox employees have to finish these requests of in a given timeline after EU policy, thats why reporting through the DSA Report form is deemed so much more effective than through any other means. Right now mostly people who spreaded bypassed clothing or who wore bypassed clothing are being terminated. but with a tool like this the community could expand to terming illegal backdoors.
I'll release the source code & binary once I fix some of the issues with it.
thats crazy. roblox moderation needs that. im subscribing
they no doubt have their own tool, and probably more sophisticated :D
They already have a system for ai that does this, and this scanner isnt exactly always correct, Stuff like HD Admin, or ANYTHING that calls require will flag it, and also u can just bypass this with getfenv
@@popbottoms I added detection for getfenv a bit ago and haven't gotten any hits. It seems like people avoid it, likely due to AI detections?
@@Hoofer Most likely
@@Hoofergetfenv is fully banned while require can be used in some cases
this is when skids want to backdoor famous games but a huge developer stops them even tho they obfuscated stuff
Why is this guy so handsome
Amazing work
Woah, you are underrated
waiting for the cure for cancer...
Alr no, actually now im sleeping with this, I swear this is asmr
DUDE THATS WHAT IVE BEEN SAYING
@@-eternal BROOO XD
if not you, i didnt know i have that kind of backdoor inside my own game, it was inside fake bloxycola that my friend added, thanks. it was using the fake 429 error
Happy to hear that you were able to remove it!
At 11:00 how can you tell where and what to print out to dump all the constants?
I cheated by learning from another tutorial that 0.6.0 of that obfuscator is vulnerable there, I just search for ~=0 and find where that definition is. The latest version does some sort of xor on the constants so I have to do another method to view how it does things.
How are you downloading the models, Is this a beta thing or a extension you use?
It's BTRoblox, an extension, but you can also use an API endpoint to download them.
what browser do you use, also these backdoors are insanely elaborate- but I might just not know anything.
librewolf, it's a fork of Firefox!
@@HooferWHY DO WE USE THE SAME PROGRAMS
actually insane
so when is the hoofer vtuber unveiling
lol this video is gonna go wild just watch
How do you make your Roblox Studio look like that?
My studio icons are Vanilla by Elttob
all that just to get admin in some random persons game who uses toolbox assets????
Yo bro can u drop the source code of the backdoor scrapper it’s so cool and I wanna know how to scan for strings in models like that
There's some issues I have to work out first!
@@Hooferwhat’s the issue?
you can do this but roblox cant automatically flag them upon upload? maybe they should spend less time making the worst AI products i've seen and listen to the community 🤔
what visual studio code theme?
marketplace.visualstudio.com/items?itemName=atomiks.moonlight
atomiks.moonlight
@@Hoofer Thanks!
i never knew that the C language can detect lua code??
just checking strings ig lol, anything that matches 'require'
well just about any programming language could detect any other language its just string operations
🚪
Le' Epic
Hi
Do you know what those lines with random text and numbers are? (Mostly letters)
Example:
pqiepwbjfoevjzpkwpqsowodjeiwkdjsjfkwlpqbwufkqpwjoejieowjdqjqosvjf
Like are they ciphered or something or are they just there to hide code?
Also will you make a tutorial on how to make such a tool? Seems very useful even though you need to verify if it's malicious, it's good workflow.
Great content as always, I like how you show what you think and how you come to work on finding these malicious contents.
it's encrypted, if you see ANY script with it, it's 99.999999999% a virus.
The random lines are either obfuscated code, or the VM executed code. All of it is just obfuscated code, they do it to hide themselves, but it's not very hard to figure it out.
As for the tool, it's not very helpful outside of scanning public assets to look for them. I wouldn't rely on it to check resources. Personally, I recommend not using models that contain scripts. I'd rather write my own scripts for the models. It's the safest way.
@@HooferAhhh ok I understand it now thank you. Yeah I am working on a duo project and we told ourselves to only use our own models, scripts and assets in general. But in case certain parts that take very long to do like vfx or blender models, we thought of maybe compensating depending on the situation. In that case I saw there's a plugin called RoDefender, but comment reviews aren't very happy about it, so I suppose the likes are just given without thought.
lmaoo i made that infect code :(