I need anyone that can, decode "Luraph Obfuscator"

Solution 1

Basically it uses bytecode (\144\22\99\88) but it has a custom interpreter and a custom bytecode vm to make it have a bytecode like this: LPH|3EE5491D2B1A00192574A22B510A02002GE5E7E9E42GE5F53GE5F53GE5CD3GE5FDE42GE5C13GE5F934B71

So you will need to rename the variables and functions into something like variable1, variable2 so that you are able to read it. Then find parts that are junk code like

function 1iiii1i1i(i1i1ijj1jijij)
local 1j1j1jj1j1jijijij = (((10*2)/2)-3/9)
end
1iiii1i1i(90, 0)

Which are completely useless and are meant to trick decompilers into looping random number functions. to check if stuff like: iIi1l1liili1I11l1II = iIi1l1liili1I11l1II + 4 return Ii1IiI1I111I1II1IIi * 16777216 + iIII1iIiI1l1IlIIlii * 65536 + IIill111lli111ll1li * 256

These are junk code just look for it in the rest of the code (using ctrl+F) and look if it has a use. If it does, then check if that use has a use and so on until you find if it is part of the vm. The thing is though is that it might loadstring another loadstring for many times until it will take VERY LONG to decompile this. So if you really need the source contact me on discord and I can hook you up (turtsis#2785) or put a couple of hours into this

Using a Lua beautfier can make it easier to understand.

Such as: [http://blackmiaool.com/lua-beautify/][1] (https://github.com/blackmiaool/lua-beautify)

Solution 2

Ok so I am turtsis and I see that people have been stealing my answer and posting it on v3rmillion as there own. So I will post another answer but this time a better one on how to actually get contents of it. So basically if you didn’t read my other answer then don’t and just read this one:

Luraph is a custom lbi which is a lua bytecode interpreter. If you do string.dump(function) you will get luaQ as the output. That is why people use unluaC or luadec to get the source to these dumps. This is called bytecode which is different then string:byte() as it is a non readable lua format in lua 5.1 and up. To be able to use these encoded strings/functions you will need a lbi. What a lbi does is it interpreted the bits and deserialzes them. Here is a example of a commonly used lbi https://github.com/JustAPerson/lbi/blob/master/src/lbi.lua

Ok so now to the part where you get contents of it.

In lua (and other coding languages) there is things called opcodes. Opcodes control the base of lua and there is quite a few of them. Some of the most commonly known and most useful ones are these:

LOADK - loads a constant to the register LOADBOOL - loads a bool to the register LOADNIL - loads a nil to the register JMP - jump ADD - Adds a new thing to the register SUB - Subtracts something from the register

There is many more but those are the main ones we will be focusing on.

Ok so to get those normally you would need a external program called unluac or luadec but for this we will be doing it in base lua. I recommend using repl.it to run the code.

So the main thing we will need is LOADK as it loads a constant

A constant is a variable or anything really that doesn’t change ex: local value = 1

Now what isn’t a constant is something that changes.

Now you probaly have heard of iron brew and synapse xen both are very known lua obfuscators created by 3ds and Defcon42

Iron brew and xen have something in common (well the base) they aren’t lbis so you don’t usually get the opcodes from them. But they have a table that has all the constants in them (xen is encrypted) to get these tables there is a whole process with table.concat and global but that’s not luraph that’s other obfuscators. Luraph is different Though because it is a lbi so there is no need for a table with all the constants in it. Instead to get the constants we need a way to get the instructions from a script. Opcodes are instructions. They are instructions because opcodes tell lua what to do with code. Ok so how do we get these instructions?

Here is a article on opcodes and instructions: http://luaforge.net/docman/83/98/ANoFrillsIntroToLua51VMInstructions.pdf

So they all have signatures: "sBx" "A" "A", "B" "A", "Bx" "A", "C" "A", "sBx" "A", "B", "C” You get opcodes args from these instructions. Now different obfuscators have different opcodes instructions so for luraph you will have to find them. Ok so use a dissembler or make Your own but here is a disassembler made by my friend: https://github.com/op0x59/reddisassembler

You will need to go onto repl.it and make a repo then add the code and format it etc with the settings. Where in the settings it has opcodes you will need to manually get these from luraph.

So there you go that’s how you can do it. If you need more help dm me on discord: turtsis#6969 Or turtsis#2785

ALSO WHOEVER IS STEALING MY ANSWERS ON HERE AND POSTING THEM ON V3RMILLION WITH OUT CREDITING ME PLEASE STOP OR GIVE ME CREDIT.

Author by

Egor Skriptunoff

Updated on November 07, 2020