I see a lot of people doing this and I'm just curious as to how it works. How can you modify it into an unreadable state? How do people un-obfuscate it? I know this may seem noobish but I'm just interested in learning how to do it and create my own. If anyone can help me that would be great!
If you are trying to make your clientside script unusable you could possibly send a "key" to the obfuscated portion of the code from the server with luasend? I personally don't know the whole process but from what I know it is just naming and renaming variables and using multiple variables that have been renamed to things with similar names until it's nearly unreadable?
I'm sure you love stealing code, and making even worse gui's, but I'm not so sure if obfuscating will hide it?
My suggestion is to maybe try coming up with ideas idk
[QUOTE=Kevlon;49474341]I'm sure you love stealing code, and making even worse gui's, but I'm not so sure if obfuscating will hide it?[/QUOTE]
Excuse me? If you don't have a serious reply please leave this thread. Also kulcris, I get where you're coming from and that's a pretty good idea, although I would be confused as to how to actually obfuscate it. How would I get all references to a variable? Would I just write something to search through the string and find and change all references?
[QUOTE=Kevlon;49474341]I'm sure you love stealing code, and making even worse gui's, but I'm not so sure if obfuscating will hide it?
My suggestion is to maybe try coming up with ideas idk[/QUOTE]
What a helpful ass comment.
A few ways I can think of are naming your variables stuff that's hard to follow, making it all one line, really anything to make your code a pain in the ass to read. There is no real way to stop the clients from getting the clientside code, all you can do is make it enough of a pain in the ass that they give up trying to look at it.
[QUOTE=YourStalker;49476192]What a helpful ass comment.
A few ways I can think of are naming your variables stuff that's hard to follow, making it all one line, really anything to make your code a pain in the ass to read. There is no real way to stop the clients from getting the clientside code, all you can do is make it enough of a pain in the ass that they give up trying to look at it.[/QUOTE]
Yeah, if I'm honest I have no real reason to obfuscate any of my code, I just thought it was a pretty cool concept and wanted to try to create my own algorithm. I'll take what you said on board and will probably try to write a C# app that will go through code, find references and generate a similar but unique name for each one. Thanks for the suggestion.
If you're just looking for a way to prevent leaks (not sure reverse engineering wise), I've heard good things about [URL="https://scriptenforcer.net/"]Script Enforcer[/URL] although it is a paid service (something like 10 bucks a month I think?).
[QUOTE=warlock123;49476306]If you're just looking for a way to prevent leaks (not sure reverse engineering wise), I've heard good things about [URL="https://scriptenforcer.net/"]Script Enforcer[/URL] although it is a paid service (something like 10 bucks a month I think?).[/QUOTE]
You're better off making your own...
Anyway, the method I used for obfuscation is messing up the names of every variable I used. Creating strings that seem like random garbage and using those strings to reference functions in _G.
However, there seems to be a strange bug where large amounts of code obfuscated this way cause memory leaks. I honestly have no idea what causes it, as the un-obfuscated equivalent code works fine. Another downside is that code obfuscating makes error reports almost useless.
Currently working on a project to convert my existing CloudAuthX to a paid subscription service cheaper than Script Enforcer (and significantly more secure). With Script Enforcer and other obfuscators you can very easily crack them by even just using a simple workaround such as RunString = print. The CAX7 .dll module has yet to be cracked, and the Lua is encrypted with a high-grade encryption algorithm. The service will include integration with ScriptFodder, WHMCS and tutorials for setting up integration into your custom billing software and other licensing systems.
[QUOTE=Conna;49476639]Currently working on a project to convert my existing CloudAuthX to a paid subscription service cheaper than Script Enforcer (and significantly more secure). With Script Enforcer and other obfuscators you can very easily crack them by even just using a simple workaround such as RunString = print. The CAX7 .dll module has yet to be cracked. The service will include integration with ScriptFodder, WHMCS and tutorials for setting up integration into your custom billing software and other licensing systems.[/QUOTE]
Is that how ScriptEnforcer works? By getting the code from online and RunString-ing it? That doesn't seem worth paying for.
[QUOTE=YourStalker;49476650]Is that how ScriptEnforcer works? By getting the code from online and RunString-ing it? That doesn't seem worth paying for.[/QUOTE]
That is absolutely how they're doing it. They claim to be making their own .dll module, but I've been working on CloudAuthX for 3-4 years and have overcome many challenges and prevented many exploits and cracks to the point where it is now very well protected. I doubt that Script Enforcer's first module release will be difficult to crack.
There are some common strategies that can be applied to the code, basically doing the opposite of what an optimizer pass would do.
Constant unfolding:
[lua]
local a = 50
[/lua]
To
[lua]
local a = 2
a = a + 57235837
a = a * 33
a = a - 500
a = a + 6236326
a = a - 1895018463
[/lua]
Then you could do something like applying a state machine:
[lua]
local a = 50
local b = a * 30
local c = b * 55
[/lua]
To
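[lua]
local a
local b
local c
local i
-- Each entry runs one original statement, then sets i to the next state.
local m = {
    [399] = function() c = b * 55 i = 3 end,
    [12] = function() b = a * 30 i = 399 end,
    [55] = function() a = 50 i = 12 end,
}
i = 55 -- initial state
while i ~= 3 do -- 3 is the exit state
    m[i]()
end
[/lua]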
Encrypted/Encoded strings
[lua]
local a = "hello world"
[/lua]
To
[lua]
local a = SecretDecodeFunction("\xFA\xEB\xF9\xCC\x01\xEB\xFC\xD3\x13\x34\x50")
[/lua]
There can be plenty done if you properly parse the script and put it into some tree that can be later reconstructed into a script. The keyword AST should give you a few insights how those usually work.
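Added example (not part of the original posts and not taken from any obfuscator): a Python sketch that undoes the constant-unfolding and state-machine snippets above by evaluating the arithmetic chain and following the state variable `i`, which is why these transforms slow a reader down rather than hide anything. The function names are made up for the illustration, and it assumes the one-statement-per-line layout used in the post.

```python
import re

# Constructed inputs: the two obfuscated snippets from the post above.
UNFOLDED = """local a = 2
a = a + 57235837
a = a * 33
a = a - 500
a = a + 6236326
a = a - 1895018463"""

FLATTENED = """local m = {
[399] = function() c = b * 55 i = 3 end,
[12] = function() b = a * 30 i = 399 end,
[55] = function() a = 50 i = 12 end,
}
i = 55
while i ~= 3 do
m[i]()
end"""

STEP = re.compile(r"^(\w+) = \1 ([-+*]) (\d+)$")
ENTRY = re.compile(r"\[(\d+)\]\s*=\s*function\(\)\s*(.*?)\s*\bi\s*=\s*(\d+)\s*end")

def fold_constant(src):
    """Constant folding: evaluate the arithmetic chain back to one literal."""
    first, *steps = src.splitlines()
    name, value = re.match(r"local (\w+) = (\d+)$", first).groups()
    value = int(value)
    for line in steps:
        var, op, num = STEP.match(line).groups()
        if var != name:
            raise ValueError("chain touches another variable: %r" % line)
        value = {"+": value + int(num), "-": value - int(num), "*": value * int(num)}[op]
    return "local %s = %d" % (name, value)

def unflatten(src):
    """Follow the state variable i from its initial value to the loop's exit value."""
    states = {int(s): (body, int(nxt)) for s, body, nxt in ENTRY.findall(src)}
    state = int(re.search(r"^i\s*=\s*(\d+)", src, re.M).group(1))
    stop = int(re.search(r"while\s+i\s*~=\s*(\d+)", src).group(1))
    order = []
    while state != stop:
        if state not in states or len(order) > len(states):  # bad target or a cycle
            raise ValueError("cannot resolve state %r" % state)
        body, state = states[state]
        order.append(body)
    return order
```
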
There are tools to do the obfuscation for you, just Google it.
[QUOTE=0V3RR1D3;49476181]How would I get all references to a variable? Would I just write something to search through the string and find and change all references?[/QUOTE]
Ctrl + H to search and replace.
I know with notepad++ at least you can ctrl+h and do Replace All in File. You can even do it across multiple files.
[QUOTE=YourStalker;49479277]I know with notepad++ at least you can ctrl+h and do Replace All in File. You can even do it across multiple files.[/QUOTE]
In Sublime Text 3 you can. Sadly I did not know about it when I was converting CS:GO knives to TTT ;-;
[QUOTE=Zeh Matt;49476666]There are some common strategies that can be applied to the code, basically doing the opposite of what an optimizer pass would do.
Constant unfolding:
[lua]
local a = 50
[/lua]
To
[lua]
local a = 2
a = a + 57235837
a = a * 33
a = a - 500
a = a + 6236326
a = a - 1895018463
[/lua]
Then you could do something like applying a state machine:
[lua]
local a = 50
local b = a * 30
local c = b * 55
[/lua]
To
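[lua]
local a
local b
local c
local i
-- Each entry runs one original statement, then sets i to the next state.
local m = {
    [399] = function() c = b * 55 i = 3 end,
    [12] = function() b = a * 30 i = 399 end,
    [55] = function() a = 50 i = 12 end,
}
i = 55 -- initial state
while i ~= 3 do -- 3 is the exit state
    m[i]()
end
[/lua]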
Encrypted/Encoded strings
[lua]
local a = "hello world"
[/lua]
To
[lua]
local a = SecretDecodeFunction("\xFA\xEB\xF9\xCC\x01\xEB\xFC\xD3\x13\x34\x50")
[/lua]
There can be plenty done if you properly parse the script and put it into some tree that can be later reconstructed into a script. The keyword AST should give you a few insights how those usually work.[/QUOTE]
This is a great response and the path I will take, thank you. I do have a question though: I'm using C# but I cannot think of a way to separate variables from the rest of the script without having to make a list of them. I want this to be automatic, but how would one figure out what is a variable? If you don't know then don't worry, I will have to take the list option, I just did not want to do it. Thank you for your response again though.
[QUOTE=YourStalker;49476650]Is that how ScriptEnforcer works? By getting the code from online and RunString-ing it? That doesn't seem worth paying for.[/QUOTE]
you can add a file.Write to the http.Fetch callback to get the whole file lol
Though I assume ScriptEnforcer is designed to stop people who don't know Lua from leaking, not programmers
[QUOTE=Conna;49476654]That is absolutely how they're doing it. They claim to be making their own .dll module, but I've been working on CloudAuthX for 3-4 years and have overcome many challenges and prevented many exploits and cracks to the point where it is now very well protected. I doubt that Script Enforcer's first module release will be difficult to crack.[/QUOTE]
you have no clue what you're spewing do you
scriptenforcer uses luaL_loadbuffer via a serverside gmodule
also i'm pretty sure scriptenforcer isn't backdoored like cloudauth
If you want your code to be unreadable, take a look at VCMod's code. That'll give you some inspiration though I doubt it's intentional.
[QUOTE=Handsome Matt;49482905]lmao, that's pretty big of someone to tell conna he has no idea what he's spewing[/QUOTE]
Especially when Conna didn't make cloudauth.
I've seen people before such as LegoGuy and Conna say they would make their own system for the public to use as a service or what ever but Phoenix has been the only one to deliver so far.
[QUOTE=0V3RR1D3;49481800]This is a great response and the path I will take, thank you. I do have a question though: I'm using C# but I cannot think of a way to separate variables from the rest of the script without having to make a list of them. I want this to be automatic, but how would one figure out what is a variable? If you don't know then don't worry, I will have to take the list option, I just did not want to do it. Thank you for your response again though.[/QUOTE]
If you want this to be automatic you have to write something that parses the Lua script (yes, entirely) to store each piece of information in the AST, so later, once modified, you can put it back together into a usable script.
I highly suggest you read how ASTs work in general, and maybe you can even find something that already does that; you would likely need to adjust the parsing due to GLua syntax.
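Added example (not from the thread): a token-level pass in Python that finds names introduced by `local` and renames only real uses of them, leaving strings, comments and field names such as `t.count` alone, which is where the Ctrl+H approach mentioned earlier goes wrong. `rename_locals` and the `_vN` naming are made up for the illustration; there is no scope tracking, so function parameters, table-constructor keys and globals that share a local's name still need the full parse into an AST described above.

```python
import re

# Lua reserved words: never treated as variable names.
KEYWORDS = set("and break do else elseif end false for function goto if in local "
               "nil not or repeat return then true until while".split())

# Comments and strings are matched first, so names inside them are never seen.
# // and /* */ are the C-style comments GLua accepts; [=[ ... ]=] is not handled.
TOKEN = re.compile(r"""
    (?P<comment>--\[\[.*?\]\]|--[^\n]*|//[^\n]*|/\*.*?\*/)
  | (?P<string>"(?:\\.|[^"\\\n])*"|'(?:\\.|[^'\\\n])*'|\[\[.*?\]\])
  | (?P<number>\d[\w.]*)
  | (?P<name>[A-Za-z_][A-Za-z0-9_]*)
  | (?P<space>\s+)
  | (?P<other>\.\.\.?|.)
""", re.S | re.X)

# Constructed sample: "count" appears as a local, in a string, in a comment, as a field.
SAMPLE = '''local count, name = 3, "count"  -- count is also in this comment
local t = {}
t.count = count + 1
print(name .. t.count)
'''

def rename_locals(src):
    """Return (new_source, mapping) with every `local` name consistently renamed."""
    mapping, out = {}, []
    prev = ""          # previous significant token
    expect = False     # the next name is being declared
    in_list = False    # a declared name was just seen, so `,` continues the list
    for m in TOKEN.finditer(src):
        kind, text = m.lastgroup, m.group()
        if kind in ("space", "comment"):
            out.append(text)
            continue
        if kind == "name" and text not in KEYWORDS:
            field = prev in (".", ":")         # t.count / obj:method are fields
            if expect and not field:
                mapping.setdefault(text, "_v%d" % len(mapping))
            prev, expect, in_list = text, False, expect
            if not field:
                text = mapping.get(text, text)
        else:
            prev = text
            if text == "local" or (text == "function" and expect):
                expect, in_list = True, False
            else:                              # only a comma keeps `local a, b` going
                expect, in_list = (in_list and text == ","), False
        out.append(text)
    return "".join(out), mapping
```
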
[QUOTE=Phoenixf129;49483237]Especially when Conna didn't make cloudauth.[/QUOTE]
Cloud[Sixteen]Auth. Cloud Sixteen is my company. My original module Open[Aura]Auth was renamed to CloudAuth, but whatever you say.
[QUOTE=The Commander;49483383]I've seen people before such as LegoGuy and Conna say they would make their own system for the public to use as a service or what ever but Phoenix has been the only one to deliver so far.[/QUOTE]
Yeah a member of my team is currently working on the front-end, it certainly [i]is[/i] going to be a thing.
[b]Edit:[/b] You can disagree all you want but you'll never be right and you have no proof of your bullshit claim m8 :v:
[QUOTE=Conna;49484039]Cloud[Sixteen]Auth. Cloud Sixteen is my company. My original module Open[Aura]Auth was renamed to CloudAuth, but whatever you say.
Yeah a member of my team is currently working on the front-end, it certainly [i]is[/i] going to be a thing.[/QUOTE]
I don't get why you still claim you did any work, even though Alex was the one who did.
I guess, getting him to do the work for you was one of the biggest achievements you had in your life.
Even though, that's enough offtopic.
[QUOTE=0V3RR1D3;49473849]I see a lot of people doing this and I'm just curious as to how it works. How can you modify it into an unreadable state? How do people un-obfuscate it? I know this may seem noobish but I'm just interested in learning how to do it and create my own. If anyone can help me that would be great![/QUOTE]
Also something very simple and effective is compiling the lua code, and running the compiled version instead. There even was a module for that which was called gm_clua iirc.
[QUOTE=Leystryku;49484267]I don't get why you still claim you did any work, even though Alex was the one who did.[/QUOTE]
Cool, let me know when you have proof :)
[QUOTE=Leystryku;49484267]Also something very simple and effective is compiling the lua code, and running the compiled version instead. There even was a module for that which was called gm_clua iirc.[/QUOTE]
That's easy to decompile but it still is an extra layer.
[QUOTE=Conna;49484414]Cool, let me know when you have proof :)[/QUOTE]
I thought there was some "nice" words said in some of these chat logs about you on this thread.
[url]https://facepunch.com/showthread.php?t=1381164[/url]