Question

I've recently downloaded some lua code and what I found inside was some obfuscated string. That made me wonder what sort of obfuscation technique was used there. Does anybody have an idea?

local code='\27\76\117\97\81\0\1\4\4\4\8\0\64\0\0\0\64\67\58\92\85\115\101\114\115\92\65\108\101\120\92\68\101\115\107\116\111\112'
loadstring(code)()

EDIT: Some more (encrypted?) code.

'\196\2\28\66\0\1\198\193\194\2\25\128\129\3\22\64\14\128\197\193\0\0\198\193\195\3\6\2\196\2\220\129\0\1\218'


Solution 2

Doesn't look encrypted at all. Seems like it's just a sequence of bytes. Each backslash represents a character with its byte code.

27 is escape, 76 is 'L', 117 is 'u', 97 is 'a' and so on.

Running it through a short script gives me this string (symbols are special characters, such as escape, start of heading and null): ←LuaQ ☺♦♦ @ @C:\Users\Alex\Desktop

You can look up the bytes on an ascii table.

Update: A bit of research told me that LuaQ means that it's a precompiled script or something of the sort. I could be way off though.

OTHER TIPS

The tricky part is that loadstring and related functions accept both Lua code and Lua byte code. That call to loadstring is just being passed byte-compiled Lua rather than Lua source code.

You can get byte compiled lua easily. You can get an example like this

  • Create a lua file.
  • Compile it with luac to generate luac.out
  • Look at the file content with a hex viewer.

For an empty lua file I get:

0000000: 1b4c 7561 5100 0104 0804 0800 0900 0000  .LuaQ...........
0000010: 0000 0000 4066 6f6f 2e6c 7561 0000 0000  ....@foo.lua....
0000020: 0000 0000 0000 0002 0201 0000 001e 0080  ................
0000030: 0000 0000 0000 0000 0001 0000 0001 0000  ................
0000040: 0000 0000 0000 0000 00                   .........

A translation of the first 8 bytes into decimal is:

27, 76, 117, 97, 81, 0, 1, 4

Which matches the escaped characters in your string.

If you want further details on what the code in the chunk does you'll need to write the chunk out to file and use a Lua decompilation tool to investigate. ChunkSpy, luadec15 and unluac are all mentioned in the Lua wiki tools page.

There's not enough content in the chunk you've provided for me to take it further, I assume it's truncated?
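
As an added example (not part of the original answers), the header check described above can be done statically, without handing the string to loadstring. The function names are hypothetical; the sketch handles only \ddd decimal escapes and the Lua 5.1 header layout.

```python
import re
import struct

# The escaped literal from the question, kept as Lua source text (raw string).
QUESTION_LITERAL = (r"\27\76\117\97\81\0\1\4\4\4\8\0\64\0\0\0\64\67\58\92\85\115"
                    r"\101\114\115\92\65\108\101\120\92\68\101\115\107\116\111\112")

def decode_lua_escapes(literal):
    """Convert Lua \\ddd decimal escapes to bytes; other characters pass through."""
    out, pos = bytearray(), 0
    for m in re.finditer(r"\\(\d{1,3})", literal):
        out += literal[pos:m.start()].encode("latin-1")
        value = int(m.group(1))
        if value > 255:
            raise ValueError("decimal escape out of range: %d" % value)
        out.append(value)
        pos = m.end()
    return bytes(out + literal[pos:].encode("latin-1"))

def parse_lua51_header(chunk):
    """Read the Lua 5.1 chunk header and source name without executing anything."""
    if len(chunk) < 12 or chunk[:4] != b"\x1bLua":
        raise ValueError("not a precompiled Lua chunk")
    if chunk[4] != 0x51:  # 0x51 is the 'Q' in "LuaQ"
        raise ValueError("unsupported version byte 0x%02x" % chunk[4])
    info = {
        "format": chunk[5],
        "little_endian": chunk[6] == 1,
        "sizeof_int": chunk[7],
        "sizeof_size_t": chunk[8],
        "sizeof_instruction": chunk[9],
        "sizeof_number": chunk[10],
        "integral_numbers": chunk[11] == 1,
    }
    width = info["sizeof_size_t"]
    if width not in (4, 8) or len(chunk) < 12 + width:
        return info  # header only: no readable source-name length
    fmt = ("<" if info["little_endian"] else ">") + ("I" if width == 4 else "Q")
    (declared,) = struct.unpack_from(fmt, chunk, 12)
    name = chunk[12 + width:12 + width + declared]
    info["source_declared_len"] = declared  # includes the trailing NUL
    info["source_name"] = name.rstrip(b"\0").decode("latin-1")
    info["truncated"] = len(name) < declared
    return info

if __name__ == "__main__":
    print(parse_lua51_header(decode_lua_escapes(QUESTION_LITERAL)))
```

On the question's string the source-name field declares 64 bytes while only 22 are present, so the chunk as posted is incomplete.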

If it's got loadstring, a simple way which may not always work is just adding

loadstring = print;

at the start

Instead of trying to just hand you a simple answer, I'd like to inform you of some things to know if you encounter stuff like this along the way.

This kind of obfuscation isn't very secure and is actually from an ASCII table. Usually, these kinds of obfuscations are made in Lua 5.1 and can be easily made with a :byte and table.concat. You can simply reverse this code with a more powerful version of Troy's explanation that can bypass most security around it:

function loadstring(input)
   print(input)
end

So I hope you get some idea on how this stuff works. As stated before, this can be replicated by using :byte and table.concat.

It's easy to deobfuscate encryption

local a ='\196\2\28\66\0\1\198\193\194\2\25\128\129\3\22\64\14\128\197\193\0\0\198\193\195\3\6\2\196\2\220\129\0\1\218'
print(a)

You can do it like

Old code :

loadstring(your string)

You can just see/deobfuscate it by using print() instead of loadstring()

New code :

print(your string) 

New script :

local code='\27\76\117\97\81\0\1\4\4\4\8\0\64\0\0\0\64\67\58\92\85\115\101\114\115\92\65\108\101\120\92\68\101\115\107\116\111\112'

print(code)
Licensed under: CC-BY-SA with attribution