Search code examples
luaobfuscationdeobfuscation

How do I de-obfuscate a Lua script?

I have some Lua code that I suspect is obfuscated. How do I go about de-obfuscating it?

I believe the code is obfuscated because it looks very different from normal Lua code, but I know it is valid Lua code because the Lua interpreter will still compile and run the code.

I have a legitimate interest in de-obfuscating the code and do not intend to distribute it against the authors will or modify it to circumvent any DRM-mechanism.

Solution

  • There are generally two ways to obfuscate Lua source code:

    1. Obfuscate the code directly, mostly by renaming variables, introducing istraction and restructuring code to be harder to follow

    2. Encode the source code and embed it as a string in a Lua file that only decodes, loads and runs the encoded real program.

    In reality, a combination of both is often used: Programs are obfuscated, then encoded and wrapped in a string. Finally, the code that loads and runs the string is often obfuscated again.

    Typical mechanisms used for making Lua code harder to follow include:

    1. Renaming standard functions such as string.gsub, table.concat, etc.
    2. Renaming variables to nonsense
    3. Replacing dot- and colon-notation for table-indices with bracket-notation
    4. Using hexadecimal notation for literal strings (often in combination with 3.)

    Generally speaking, the steps to de-obfuscate such code by hand are often very similar: reformatting the code to make is easier to follow the control-flow, then figuring out what each variable represents and renaming them. For this it is often necessary to have a good understanding of the Language, as one needs to be aware of all the rules that the obfuscation takes advantage of to make the code harder to understand. A few such rules to be aware of:

    1. Local variable shadowing: two different variables can have the same name in different scopes (or even in the same scope).
    2. Syntactic sugar such as dot- and colon-notation
    3. Function environments and getfenv and setfenv
    4. Metatables and that all Strings share one metatable with __index set to string
    5. Whitespace is often insignificant in Lua and only necessary to separate statements in some cases, which can also be done with ;.

    For more in-detail help with de-obfuscating a specific snippet of Lua code, you could ask in the following other online communities:

    But remember: Don't ask to ask, just ask

    Note that these are not official communities. For more options, see the Community page on the official Lua website.