I'm trying to figure out how I can decompile this obfuscated Lua script

Submitted by 为君一笑 on 2020-12-08 05:14:50

Question


So I've been trying to figure out how to decompile DLLs, Java, and Lua files, but once I ran into this one I got stumped.

Does anyone have any ideas on how I can decompile this?

Since the script was way too big I put it in a pastebin link. https://pastebin.com/UsdWEHnm

IlIIl1liIllIi1II1Ii.lIl1llIllIii1111lIIIii = lIli1IlI11lIlI1il11i1()
lIli1IlI11lIlI1il11i1()
lIli1IlI11lIlI1il11i1()
local ll1ili1i1Ii1II111li = lIlIlll1Ill1illiliIiI()
for i1IiIili111iI1lil1l = lIliI1iii11lilII1IIil, ll1ili1i1Ii1II111li do IlIIl1liIllIi1II1Ii.l111II111Il1IiIII11i[i1IiIili111iI1lil1l] = lIlIlll1Ill1illiliIiI() end
lIlIlll1Ill1illiliIiI()
lIli1IlI11lIlI1il11i1()
lIli1IlI11lIlI1il11i1()
lIlIlll1Ill1illiliIiI()
lIlIlll1Ill1illiliIiI()
lIlIlll1Ill1illiliIiI()
lIli1IlI11lIlI1il11i1()
local ll1ili1i1Ii1II111li = lIlIlll1Ill1illiliIiI() - (#{ 91625, 31274, 132907, 128929, 89879, 28353, 85846, 63662, 120975, 94604, 40073, 120271, 29175, 126728, 55753, 31423, 118592, 112751, 123563, 26653 } + 49 - 22 - 12 + 24 + 10 + 32 - 27 + 22 - 35 + 41 + 25 + 29 + 18 + 33 + 32 + 133485)
for i1IiIili111iI1lil1l = lIliI1iii11lilII1IIil, ll1ili1i1Ii1II111li do
local l1iI1Illil1i1il1iII = {}
local lIlill1IIIlli1iII1ill = lIlIllI1i111lilIi1ilI(i1iIIIii1liiIillilI)
l1iI1Illil1i1il1iII.il1li1iilIii1iIll11l = iiIlIlilIlIll1l1l1l(lIlill1IIIlli1iII1ill, #{ 19814, 81950, 109054, 18321, 117777, 126276, 941, 40833, 27393, 25354, 106568, 58140, 73781, 28751, 110509, 42721, 118305, 94680, 18166, 4591 } + 26 - 9 + 9 - 4 - 48 - 2 + 24 + 47 - 35 - 8 - 31 - 1 + 39, #{ 34453, 33661, 37020, 5461, 3935, 7245, 90253, 30010, 122438, 78286, 50375, 62446, 101176, 126539, 91679, 59085, 67167, 93133, 73148, 54067, 13807 } + 29 - 46 - 15 + 41 + 32 - 26 + 6 - 6 + 27 - 43 + 12 - 17 + 11 + 6)
l1iI1Illil1i1il1iII.lIlilIilillll11iil1li1 = iiIlIlilIlIll1l1l1l(lIlill1IIIlli1iII1ill, #{ 59738, 38876, 31250, 75801, 96293, 27832, 11774, 9098, 31230, 80836, 129303, 101680, 12689, 60836 } - 3 + 38 + 32 - 43 + 21 - 10 + 5 - 32 + 14 - 8 + 7 - 15 - 19, #{ 37073, 70137, 113242, 21765, 129309, 86407, 33113, 85980, 105005, 59356, 53236, 100694, 61483, 55175, 85902, 33351, 70969, 133357, 55705, 74121, 116292, 132529 } - 13 - 4 - 47 - 36 - 29 + 17 - 49 + 43 - 48 - 42 - 4 - 18 + 16 + 201)
l1iI1Illil1i1il1iII.I1i1IiiIlIIl1II11IiI = iiIlIlilIlIll1l1l1l(lIlill1IIIlli1iII1ill, #{ 129902, 68496, 976, 73113, 19012, 12350, 23326, 93845, 88636, 103236, 52249, 70226, 40074,

This is a VERY VERY VERY small sample, in all there are 40,000 chars.


Answer 1:


There are a few different things you can do to help get rid of obfuscation in code.

1. Use Proper Variable and Function Names

One would be to find and replace all of the different variable and function names with something more distinctive than "I1lili1" and so on. This would allow you to follow the code much more easily and also prevent you from confusing any variables with each other.

2. Indent the Code

Another would be to look for the 'if', 'while', 'function' and 'end' keywords and then start indenting the code to make it more readable and again easier to follow.

3. Solve the Basic Maths

The above code uses the length function (#) very often, as it is using most of the lists as another way to represent normal numbers and prevent people seeing the actual numbers easily. For example:

#{ 10, 372, 67298, 2287, 694, 1, 5039 }

will become:

7

when you perform the length function. If you change all of those lists to actual numbers and then solve the simple addition and subtraction equations afterwards, you can get rid of nearly all the numbers.

Of course, doing this will take a lot of time, but that's the point of obfuscating the code after all. If you don't want to spend a few hours going through all the code getting rid of the obfuscation, you can just use this version I prepared earlier: https://pastebin.com/Amtt8UMP

I have used all of the above methods to get rid of some of the obfuscation in the code; however, you will still need to trace through the program to find the outputs from all the functions.

As Egor Skriptunoff commented, however, all this piece of code will do most likely is activate a loadstring. This code from the loadstring will also probably be obfuscated, so in reality this piece of code is useless to you.

Hope this helps!
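
Steps 1 and 3 of the answer above can be scripted rather than done by hand. The following Python sketch is an added example, not code from the answer or from either pastebin; the sample line is constructed in the style of the question's snippet, and the function names and the `id_N` replacement names are assumptions.

```python
import re

# Constructed sample in the style of the question's snippet (not from the pastebin).
SAMPLE = ("local lIl1Ii = IlI1lI() - (#{ 10, 372, 67298, 2287, 694, 1, 5039 } + 49 - 22 - 12 + 24) "
          "for iI1lIi = lIiI1l, lIl1Ii do Il1IlI.l1IiIl[iI1lIi] = IlI1lI() end")

TABLE_LEN = re.compile(r"#\s*\{([^{}]*)\}")
# Fold a +/- chain only when it is a whole operand: opened by ( , or = and closed by ) or ,
# so that "x - 3 + 4" is never mis-folded into "x - 7".
ARITH = re.compile(r"(?<=[(,=])(\s*)(\d+(?:\s*[+-]\s*\d+)+)(\s*)(?=[),])")
# Identifiers built only from the look-alike characters I, l, i and 1.
CONFUSABLE = re.compile(r"\b[Ili][Il1i]{3,}\b")

def fold_table_lengths(src):
    """Replace #{ n, n, ... } with the element count when every item is an integer literal."""
    def repl(m):
        items = [x.strip() for x in m.group(1).split(",") if x.strip()]
        return str(len(items)) if all(x.isdigit() for x in items) else m.group(0)
    return TABLE_LEN.sub(repl, src)

def sum_chain(expr):
    """Evaluate an integer chain such as '7 + 49 - 22' without eval()."""
    return sum(-int(n) if sign == "-" else int(n)
               for sign, n in re.findall(r"([+-]?)\s*(\d+)", expr))

def fold_arithmetic(src):
    """Collapse each whole-operand +/- chain into a single integer."""
    return ARITH.sub(lambda m: m.group(1) + str(sum_chain(m.group(2))) + m.group(3), src)

def rename_confusables(src):
    """Map each look-alike identifier to id_N in order of first appearance.
    Regex-based: runs inside string literals or comments would be renamed too."""
    names = {}
    out = CONFUSABLE.sub(lambda m: names.setdefault(m.group(0), f"id_{len(names) + 1}"), src)
    return out, names

def deobfuscate(src):
    """Fold constants first, then rename, and return (cleaned_source, name_map)."""
    return rename_confusables(fold_arithmetic(fold_table_lengths(src)))

if __name__ == "__main__":
    cleaned, mapping = deobfuscate(SAMPLE)
    print(cleaned)
    for old, new in mapping.items():
        print(f"{new} <- {old}")
```

The name map is returned alongside the cleaned source so that findings can be traced back to the identifiers in the original file.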




Answer 2:


I understand this is quite an old thread, but perhaps I can assist with some information you may not know. This script is in Lua, created by an older version of the current Luraph. Sold on a multi-purpose website called V3rmillion and sold as a service on the black market. Although the "obfuscated" code was paid, since every script you want obfuscated costs $1 PayPal, I assume their obfuscations are quite worth the price. The pastebin provided does not include the watermark, but I know that it's Luraph because of this side message: http://prntscr.com/k37hin This is a good example of custom bytecode, which may sound pretty awesome but in return is just Lua bytecode that uses a Lua virtual machine to comprehend what it means. Which is also related to Lua bytecode; using an interpreter to understand what the bytecode means and resulting in executable code. So practically Luraph uses a custom-made interpreter and custom-made bytecode and uses the interpreter to understand the bytecode, then turn it into executable code.




Answer 3:


Luraph is an LBI. Here is the LBI: https://github.com/JustAPerson/lbi/blob/master/src/lbi.lua

It uses custom bytecode; you can easily find the patterns in the script from the LBI and the Luraph VM. Just replace those, and you get a readable VM. Deobfuscating the bytecode is a whole different matter.



Source: https://stackoverflow.com/questions/50867312/im-trying-to-figure-out-how-i-can-decompile-this-obfuscated-lua-script
