Potential GMod Hack (Outside of Client) Theory Debunk?
Hello! My friend says GMod should be quarantined in a VM since it's a dangerous game. They had a chat with somebody that convinced them, and they sent me the chat. If it were as simple as it was explained, wouldn't we have already seen the malicious result of this? I don't think this to be true but I'd rather ask people who understand this far better.
[12:54 AM] gigglypuff: there's a function valve includes in the console for saving the game
[12:54 AM] gigglypuff: save
[12:55 AM] gigglypuff: using it will automatically save the game state and write it to the saves/ directory in the game
[12:55 AM] gigglypuff: as like autosave01.sav
[12:55 AM] gigglypuff: however, you can actually specify a save name
[12:55 AM] gigglypuff: save garrysmod.bat
[12:55 AM] gigglypuff: save garrysmod.dll
[12:55 AM] gigglypuff: it will not validate the extension
[12:56 AM] zoeybean ( dark roast ): oh
[12:56 AM] gigglypuff: but i know what you're thinking
[12:56 AM] gigglypuff: "why is having random save data written to disk helpful?"
[12:56 AM] gigglypuff: garry's mod clientside lua has a library called saverestore
[12:56 AM] gigglypuff: or something like that
[12:56 AM] gigglypuff: you can specify exactly what information gets stored into those save files
[12:57 AM] zoeybean ( dark roast ): what the fuck why
[12:57 AM] gigglypuff: the default behavior is to save the location of all entities in the game
[12:57 AM] gigglypuff: but, instead, you can easily supply lua code to override that behavior, and instead say
[12:57 AM] gigglypuff: "download this file from a remote server and save those bytes instead"
[12:57 AM] gigglypuff: then force the player to invoke save win32.dll
[12:57 AM] gigglypuff: suddenly you have executable code which exists on the disk
[12:58 AM] gigglypuff: lua also has a nifty feature
[12:58 AM] gigglypuff: require(), which allows you to pass files that exist on the disk and provide extensions to lua
[12:59 AM] gigglypuff: any file, that strictly exists on disk, and is a valid dynamic link library, will be loaded as a binary C++ module into the game's code
[12:59 AM] gigglypuff: which means that by doing the above steps, invoking save win32.dll to the player's console, then issuing them lua code to require("win32.dll")
you do not have write access through lua outside of the garrysmod/data folder. you also cannot require binaries that are outside of the modules folder, and the saves will only be in the /saves folder. so the file structure and permissiology of the game renders this impossible.
you're also writing what amounts to pretty much just a serialized table using saverestore, I don't see any way through lua to create a save file that is actually just executable code.
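A small model of the folder rules this reply describes, as an added example that is not part of the thread and is not Garry's Mod or Source engine code. The folder names come from the reply; the install path, the function names and the rule that names escaping their folder are rejected are assumptions of the model.

```python
from pathlib import PurePosixPath

# Constructed install path; folder roles are the ones stated in the reply.
GAME_ROOT = PurePosixPath("/game/garrysmod")
SAVE_DIR = GAME_ROOT / "saves"      # `save <name>` output lands only here
DATA_DIR = GAME_ROOT / "data"       # the only folder Lua may write to
MODULE_DIR = GAME_ROOT / "modules"  # the only folder require() loads binaries from


def confine(base, name):
    """Map `name` to a path under `base`, or None if it would leave `base`."""
    name = name.replace("\\", "/")
    if name.startswith("/") or ":" in name:  # absolute path or drive letter
        return None
    stack = []
    for part in name.split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            if not stack:        # would climb above `base`
                return None
            stack.pop()
        else:
            stack.append(part)
    return base.joinpath(*stack) if stack else None


def save_target(name):
    # The extension is not validated (as the chat says), but the folder is fixed.
    return confine(SAVE_DIR, name)


def lua_write_target(name):
    return confine(DATA_DIR, name)


def require_target(name):
    return confine(MODULE_DIR, name)


def chain_is_loadable(write_name, require_name):
    """True only if a file the game can write is the file require() would load."""
    written = {save_target(write_name), lua_write_target(write_name)} - {None}
    loaded = require_target(require_name)
    return loaded is not None and loaded in written


if __name__ == "__main__":
    print(save_target("garrysmod.dll"))                # written under saves/
    print(chain_is_loadable("win32.dll", "win32.dll"))  # False
```

Under these rules the writable folders and the loadable folder never overlap, so a chosen file name alone does not make a written file loadable.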
Lua viruses don't mean shit anymore. That stopped being a thing since Garry redid everything at least nearly a decade ago
Thank you, I'll forward this to them.