Still have questions? Join our Discord server and get real time help.
0

# Using ‘getfenv’ to load modules?

I was wondering: how do you use getfenv to load modules? This is a method used by some loaders, and I was quite curious about it.

0
You don't. getfenv is for getting environments incapaxx 2881 — 2mo
0
But why do I see it in loaders? Exo_Byte 69 — 2mo
0
They have a series numbers between ‘[‘ & ‘]’ Exo_Byte 69 — 2mo
0
cuz they're stupid and why are you trying to load modules anyway? Are you talking about third party private modules? They are removed. incapaxx 2881 — 2mo
0
0
And could you please paste a code snippet in your question? Maybe I can answer it if your question is clearer. incapaxx 2881 — 2mo
0
Ok Exo_Byte 69 — 2mo
0
I don’t clearly remember, but I remember things like ‘[101,381,381,929,573,371,382]’ (keep in mind that these numbers are random) Exo_Byte 69 — 2mo
1
They were from backdoors. The script writer would obfuscate their code. Don't do it. It adds unnecessary complexity and unnecessary overhead. incapaxx 2881 — 2mo

3
Edited 2 months ago

## Solution

Okay so as incapaxx has already noted getfenv is for getting an environment and that

They were from backdoors. The script writer would obfuscate their code. Don't do it. It adds unnecessary complexity and unnecessary overhead. --// incapaxx

I agree with both of incapaxx's statements. Now on how what they are doing works and why they are doing it.

They are likely using the byte value for a corresponding string to make it look confusing. Example

local a = "\98\99\100"

print(a)


This results in the output of "bcd". The \ is the escaping character and following it with any number makes an escape sequence like "\n" which is new lie or "\t" which is tab.

### Case Example

The malicious users are taking abuse of this feature to in a way obsfucate / hide the logic of what they're trying to do. An example would look like this.

getfenv()["\114\101\113\117\105\114\101"](1234.5 * 2)


Why are they using getfenv? Well they need reference to the environment since they are "obsfucating" their require call into a string that looks unreadable.

This actually can be evaluated to getfenv()["require"](1234.5 * 2) which can finally be evaluated to getfenv()["require"](2469)

All they are doing is making it harder for you to tell what they are doing, such as requiring a malicious model.

I suggest removing ANY code in your game that has similar characteristics to what we are discussing as you are putting your games security at risk. What they are doing likely requires a private module that inserts a remote event into a private service and uses a custom loadstring function to evaluate and run their code on the server which is very dangerous.