I\'ve recently downloaded some lua code and what I found inside was some obfuscated string. That made me wonder what sort of obfuscation technique was used there. Does anybo
You can do it like
Old code :
loadstring(your string)
you just can see/deobfuscate it by using print() instead of loadstring()
New code :
print(your string)
New script :
local code='\27\76\117\97\81\0\1\4\4\4\8\0\64\0\0\0\64\67\58\92\85\115\101\114\115\92\65\108\101\120\92\68\101\115\107\116\111\112'
print(code)
its Easy to Deobfuscate Encryption
local a ='\196\2\28\66\0\1\198\193\194\2\25\128\129\3\22\64\14\128\197\193\0\0\198\193\195\3\6\2\196\2\220\129\0\1\218'
print(a)
Instead of trying to just hand you a simple answer, I'd like to inform you some things to know if you encounter stuff like this along the way.
This kind of obfuscation isn't very secure and is actually from an ASCII table. Usually, these kinds of obfuscations are made in Lua 5.1 and can be easily made with a :byte
and table.concat
. You can simply reverse this code with a more powerful version of Troy's explanation that can bypass most security around it:
function loadstring(input)
print(input)
end
So I hope you get some idea on how this stuff works. As stated before, this is can be replicated by using :byte
and table.concat
usage.
If it's got loadstring a simple way which may not always work is just adding
loadstring = print;
at the start
The tricky part is that loadstring
and related functions accepts both lua code and lua byte code. That call to loadstring
is just being passed byte compiled lua rather than lua source code.
You can get byte compiled lua easily. You can get an example like this
For an empty lua file I get:
0000000: 1b4c 7561 5100 0104 0804 0800 0900 0000 .LuaQ...........
0000010: 0000 0000 4066 6f6f 2e6c 7561 0000 0000 ....@foo.lua....
0000020: 0000 0000 0000 0002 0201 0000 001e 0080 ................
0000030: 0000 0000 0000 0000 0001 0000 0001 0000 ................
0000040: 0000 0000 0000 0000 00 .........
A translation of the first 8 bytes into decimal is:
27, 76, 117, 97, 81, 0, 1, 4
Which matches the escaped characters in your string.
If you want further details on what the code in the chunk does you'll need to write the chunk out to file and use a lua decompilation tool to investigate. ChunkSpy, luadec15 and unluac are both mentioned in the lua wiki tools page.
There's not enough content in the chunk you've provided for me to take it further, I assume its truncated?
Doesn't look encrypted at all. Seems like it's just a sequence of bytes. Each backslash represents a character with its byte code.
27 is escape, 76 is 'L', 117 is 'u', 97 is 'a' and so on.
Running it through a short script gives me this string (symbols are special characters, such as escape, start of heading and null): ←LuaQ ☺♦♦ @ @C:\Users\Alex\Desktop
You can look up the bytes on an ascii table.
Update: A bit of research told me that LuaQ means that it's a precompiled script or something of the sort. I could be way off though.