How to obfuscate lua code?

Solution 1

Just precompile your files (chunks) and load binary chunks. luacallows you to strip debugging info. If that is not enough, define your own transformations on the compiled lua, stripping names where possible. There's not really so much demand for lua obfuscators though...

Also, you loose one of the main advantages of using an embedded scripting language: Extensibility.

Solution 2

The simplest obfuscation option is to compile your Lua code as others suggested, however it has two major issues: (1) the strings are still likely to be easily visible in your compiled code, and (2) the compiled code for Lua interpreter is not portable, so if you target different architectures, you need to have different compiled chunks for them.

The first issue can be addressed by using a pre-processor that (for example) converts your strings to a sequence of numbers and then concatenates them back at run-time.

The second issue is not easily addressed without changes to the interpreter, but if you have a choice of interpreters, then LuaJIT generates portable bytecode that will run across all its platforms (running the same version of LuaJIT); note that LuaJIT bytecode is different from Lua bytecode, so it can't be run by a Lua interpreter.

A more complex option would be to encrypt the code (possibly before compiling it), but you need to weight any additional mechanisms (and work on your part) against any possible inconvenience for your users and any loss you have from someone cracking the protection. I'd personally use something sufficiently simple to deter the majority of curious users as you likely stand no chance against a dedicated hacker anyway.

Solution 3

You could use loadstring to get a chunk then string.dump and then apply some transformations like cycling the bytes, swapping segments, etc. Transformations must be reversible. Then save to a file.

Note that anyone having access to your "encryptor" Lua module will know how to decrypt your file. If you make your encrypted module in C/C++, anyone with access to source will too, or to binary of Lua encryption module they could require the module too and unofuscate the code. With interpreted language it is quite difficult to do: you can raise the bar a bit via the above the techniques but raising it to require a significant amount of work (the onlybreal deterent) is very difficult AFAIK.

If you embed the Lua interpreter than you can do this from C, this makes it significantly harder (assuming a Release build with all symbols stripped), person would have to be comfortable with stepping through assembly but it only takes one capable person to crack the algorithm then they can make the code available to others.

Yo still interested in doing this? :)

function tftp.SaveToMSI( tbl, msiPath )
    assert(type(tbl) == "table")
    assert(type(msiPath) == "string")

    local localName = _GetFileNameFromPath( msiPath )
    local file,err = io.open(localName, "wb")
    assert(file, err)
    -- convert the table into a string
    local str = serializer.Serialize( tbl )

    -- create a lua chunk from the string.  this allows some amount of 
    -- obfuscation, because it looks like gobblygook in a text editor
    local chunk = string.dump(load(str), true)

    file:write(chunk)
    file:close()

    -- send from /usr to the MSI folder
    local sendResult = tftp.SendFile( localName, msiPath )
    -- remove from the /usr folder
    os.remove(localName)

    return sendResult
end

Author by

Admin

Updated on June 10, 2021