There are generally two ways to obfuscate Lua source code:
- Obfuscate the code directly, mostly by renaming variables, introducing distraction and restructuring code to be harder to follow.
- Encode the source code and embed it as a string in a Lua file that only decodes, loads and runs the encoded real program.
In reality, a combination of both is often used: Programs are obfuscated, then encoded and wrapped in a string. Finally, the code that loads and runs the string is often obfuscated again.
Typical mechanisms used for making Lua code harder to follow include:
1. Renaming standard functions such as `string.gsub`, `table.concat`, etc.
2. Renaming variables to nonsense
3. Replacing dot- and colon-notation for table-indices with bracket-notation
4. Using hexadecimal notation for literal strings (often in combination with 3.)
Generally speaking, the steps to de-obfuscate such code by hand are often very similar: reformatting the code to make it easier to follow the control flow, then figuring out what each variable represents and renaming it. For this it is often necessary to have a good understanding of the language, as one needs to be aware of all the rules that the obfuscation takes advantage of to make the code harder to understand. A few such rules to be aware of:
- Local variable shadowing: two different variables can have the same name in different scopes (or even in the same scope).
- Syntactic sugar such as dot- and colon-notation
- Function environments and `getfenv` and `setfenv`
- Metatables and that all strings share one metatable with `__index` set to `string`
- Whitespace is often insignificant in Lua and only necessary to separate statements in some cases, which can also be done with `;`.
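The mechanical part of that clean-up, as an added example that is not part of the original page: it decodes hex-escaped string literals and turns bracket-notation back into dot-notation, then checks that the result still behaves the same. The sample program and the helper names `decode_hex` and `brackets_to_dots` are constructed for illustration, and Lua 5.2+ or LuaJIT is assumed because of the `\xNN` escapes.

```lua
-- Constructed sample (not from a real program): renamed standard functions,
-- nonsense variable names, bracket notation, hex-escaped strings, no whitespace.
local obfuscated = [==[
local l1,lI=string["\x67\x73\x75\x62"],table["\x63\x6f\x6e\x63\x61\x74"];local Il=lI({"\x68\x65","\x6c\x6c\x6f"});return(l1(Il,"\x6c","\x4c"))
]==]

local keywords = {}
for kw in ("and break do else elseif end false for function goto if in local "
        .. "nil not or repeat return then true until while"):gmatch("%a+") do
  keywords[kw] = true
end

-- Step 1: replace \xNN escapes of printable ASCII with the character itself.
-- Matching every backslash escape keeps "\\x41" (an escaped backslash) untouched.
local function decode_hex(src)
  return (src:gsub("\\(.)(%x?%x?)", function(kind, hex)
    if kind ~= "x" or #hex ~= 2 then return nil end  -- nil keeps the match as-is
    local c = tonumber(hex, 16)
    -- quotes, backslash and non-printable bytes stay escaped
    if c < 32 or c > 126 or c == 34 or c == 39 or c == 92 then return nil end
    return string.char(c)
  end))
end

-- Step 2: rewrite t["name"] as t.name when name is a valid identifier.
-- This works on text, so string contents that look like code are rewritten too.
local function brackets_to_dots(src)
  local previous
  repeat  -- repeat so that chains such as a["b"]["c"] are fully converted
    previous = src
    src = src:gsub("([%w_%)%]])%[([\"'])([%a_][%w_]*)%2%]", function(prev, _, name)
      if keywords[name] then return nil end  -- t["end"] must keep its brackets
      return prev .. "." .. name
    end)
  until src == previous
  return src
end

local readable = brackets_to_dots(decode_hex(obfuscated))
print(readable)

-- The rewrite must not change behaviour: run both versions and compare.
-- Only do this with code you trust; the constructed sample here is harmless.
local load_chunk = loadstring or load
local before = assert(load_chunk(obfuscated))()
local after = assert(load_chunk(readable))()
assert(before == after, "normalisation changed the program's result")
print(before, after)
```

Renaming `l1`, `lI` and `Il` to meaningful names is still manual work, and shadowed locals mean each rename has to respect scope rather than being a global search and replace.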
For more in-detail help with de-obfuscating a specific snippet of Lua code, you could ask in the following other online communities:
But remember: Don't ask to ask, just ask
Note that these are not official communities. For more options, see the Community page on the official Lua website.