
Help Modify local script



Posted

Can someone tell me how I could modify a userid inside a table that is located in a localscript?

Example:

from t = {123456789,987654321,123215235}

to t = {123456789,987654321,6969696969}


Replied

If the script hasn't run/been loaded yet:

  1. Get the target script's closure with getscriptclosure.
  2. Traverse the closure's constants using debug.getconstants.
  3. Look for the constant index you need and use debug.setconstant to change it.

The previously described method will not work if there's not a constant value used to initialize the table or if the script is running.

If this is a local variable and the script is running:

  1. Hook a function that the script calls with hookfunction.
  2. If you absolutely need to, you can hook a function (either main chunk or a pseudo-subclosure found with debug.getprotos) in the script and call it on-demand from the exploit, but that may not be a good idea because it could be buggy, especially on different exploits with possibly different Lua behavior.
  3. Check if it's the target script using getcallingscript.
  4. Get the caller stack with debug.getstack(2) and traverse for that table (disassembling the Luau code will tell you exactly what stack index the local variable is located at, so you wouldn't have to traverse if you did your own analysis).
  5. Set the local variable with debug.setstack.


The previously described method will only spoof a local variable for one call. You would have to set up a reliable hook that gets called every time that function is called to spoof in a new stack frame.

If this is an upvalue to a subclosure (a local variable that's located in a higher stack frame):

  1. Find the target pseudo-subclosure. You can do this by using debug.getprotos on the target script closure (fetched with getscriptclosure).
  2. Traverse the upvalues of the pseudo-subclosure to find your target variable (or disassemble like I said and you'll find out pretty quickly what exact index it's at).
  3. Set the upvalue with debug.setupvalue.

If this is a global variable in the script (or any subclosure in the script that shares a global environment):

  1. Get the script's environment with either getsenv or getfenv(getscriptclosure(script)).
  2. Set the key of the variable you want to replace in the environment to your choice. (env["print"] = warn would replace print with warn (not a function hook, a function replacement))

It can get quite complicated and there are a lot of methods to do what you want. Most methods used really depend on how the script works internally. I only explained four but I can picture a few more that could work.
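Seen from the side of the developer whose LocalScript is being edited, every case in the reply above leads to the same conclusion: a user ID table that lives in client code is not an access control. The sketch below is an added example, not part of either post; it keeps the allowlist in a server script and checks the sender's UserId there. The action table, the remote name and `handleRequest` are hypothetical, and the IDs are the sample values from the question.

```lua
-- Added example (not from the thread): server-side authorization.
-- Runs under plain Lua 5.1+ for the self-check; the Roblox wiring at the
-- bottom only activates when the `game` global exists.

-- Authoritative allowlist, kept in a server script rather than a LocalScript.
-- IDs are the sample values from the question.
local ALLOWED = { [123456789] = true, [987654321] = true, [123215235] = true }

-- Hypothetical privileged actions; each validates its own arguments.
local ACTIONS = {
    announce = function(text)
        if type(text) ~= "string" or #text == 0 or #text > 200 then
            return false, "bad argument"
        end
        return true, "announce: " .. text
    end,
}

-- senderUserId must come from the engine (player.UserId), never from
-- a value the client placed in its own arguments.
local function handleRequest(senderUserId, action, ...)
    if not ALLOWED[senderUserId] then
        return false, "not authorized"
    end
    local handler = type(action) == "string" and ACTIONS[action]
    if not handler then
        return false, "unknown action"
    end
    return handler(...)
end

-- Constructed requests; the third uses the edited ID from the question.
assert(handleRequest(123215235, "announce", "hi") == true)
assert(handleRequest(123215235, "announce", 42) == false)
assert(handleRequest(6969696969, "announce", "hi") == false)
assert(handleRequest(123456789, {}, "hi") == false)

if game then -- Roblox server Script only
    local remote = Instance.new("RemoteEvent")
    remote.Name = "AdminAction" -- hypothetical name
    remote.Parent = game:GetService("ReplicatedStorage")
    -- The first argument of OnServerEvent is the firing player, set by the engine.
    remote.OnServerEvent:Connect(function(player, action, ...)
        local ok, msg = handleRequest(player.UserId, action, ...)
        if not ok then
            warn(player.Name .. " rejected: " .. msg)
        end
    end)
end
```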

