From what I know, doesn’t loadstring only work on the server anyway? What else could the function do? I would love to learn more about this, as it seems like it is a terrible thing to have from the way everyone describes it.
1 Like
Honestly it doesn’t really have any major cause for concern, at the end of the day most exploiters who do want to use a loadstring will have built a custom one. This is especially the case when exploiters are using backdoors.
Another issue is that its difficult to sandbox because it has the same power/permissions as a standard script, so this means if you wanna use it to run users custom scripts you’d need to use text parsing to sandbox it, which is nearly impossible due to all the ways one can bypass it.
So really there is no reason to use it…
2 Likes
Ah, thank you for helping me understand that. I have one more question, you said that exploiters make their own custom loadstring. I don’t even get how this is possible, since script.Source is locked. I honestly have no clue how they can run their own code with a string.
Their exploit has a custom lua environment, which does allow them to use loadstring().
they pretty much emulate the lua vm in a lua script which is how they run it
edit:
example: GitHub - JustAPerson/lbi: Lua Bytecode Interpreter
1 Like
The reason they use a custom solution is because the compiler is removed from the client, so the client is physically unable to compile code. Only the server can compile code.
Using loadstring is generally okay, and if you’re wanting to make a script builder game, you can just sandbox players by only letting them use certain globals in your defined environment. But at the cost of performance. The use of loadstring along with getfenv and setfenv disable some of Luau’s optimizations. And setfenv could have been used to sandbox the function returned by loadstring.
1 Like
they dont use use a custom solution because the compiler is removed on the client
backdoors are on the server not on the client…?
they use a custom solution so they can completely bypass loadstring
I was talking about exploiters, as mentioned in @synical4 's reply, I was wanting to reply to them but I felt my post wasn’t only directed to that reply, so I replied to the OP instead. Sorry for any confusion, but I am still right.