TFAR Code Execution
So one last thing I wanted to cover was a unique feature of this exploit. My comments throughout the screenshots have been alluding to this. The way that getKeybind and addKeybind interact with the keybind data array, the values in it are actually directly linked to the profilenamespace. I covered this a while ago with my advanced variable hiding post. What it allows you to do is create a single line of code for this entire exploit.
This was shown to me by a friend, and I never actually wrote it, but here is a rough take that may or may not work.
((uiNamespace getVariable "keybinding_actions") getVariable _action) set [2, [[58,[_bad_payload,true,false]]]];
In theory, setting the value retrieved here, should link directly back to the profile, and update the profile with the new exploit. Like I said, I didn’t test this, I just know that somehow it is possible.