Code obfuscation?

Is it somehow possible to obfuscate a Lua file, or even “crypt” it, like .luac?

You can try and scramble the variable names, that alone is usually enough to significantly slow down any attempts to plagiarise your code.

To make a long answer short: Yes, but it’s not really worth the time.

If you’re still interested in trying: obvious stuff like scrambling var names helps. Erase whitespace where possible. Do stuff like _G[ string.char( 0 ) … string.char( 0 ) … string.char( 0 ) … etc ] to get functions instead of grabbing them the normal way. Hide your code behind a cipher like RC4 (which is easy to implement).

Really though, Lua is too readable to really make obfuscation worth it because someone can just detour your decryption functions to get the result before it runs.

You’re really kidding yourself if you think you have anything worth hiding. It isn’t worth the worry.

Why didn’t you just google this, it’s kind of a thing that’s well documented and you know the proper name of…

replace all local variable names and table members you don’t need access to outside of the file to random whitespace unicode characters

Replace all control structures with labels and gotos :smiley:

There are a lot of different ways to “hide” clientside / shared code but most of them will require RunString ( which the end user may end up overriding and saving / storing the code anyway unless it is protected first; but a dll could still capture it )…

I’m working on a few systems that will work with my dev-base:

1 ) Simple system for preventing admin code ( vgui, etc… ) from being sent to clients if they’re not admin.

2 ) Simple system to disable AddCSLuaFile / include on the client which will network the files to the client using net ( I’ve done this but if you use default settings which limit you to 20KB/sec then it could take a while for the client to receive the files; load order is retained because all files are compiled as 1 large file ).

3 ) Slightly less simple system which, on client connect, generates a 1 time use key on the SERVER for the client to http Fetch code from a site with a system in place like my content-management-system had to update code in real-time with 1 click. Basically, the server can communicate with the server and there’ll be a communication code in place so the game-server can update the code on the web-server without the client needing to do anything. When the client connects, the server sends the client the code and the client fetches the code from the web-server and then loads it. This will be the fastest option.

With all of the options above, the code that is generated will have all comments and empty lines removed by default. Other systems can be loaded to obfuscate the code, “encrypt” the code ( so the 1 time use key would be used to download then another key will be requested from the server when the code is downloaded to un-encrypt ), etc… For the http option, if a player isn’t on the game-server, visiting the url will provide no results; additionally without submitting the key nothing can be accessed. PHP will be used to fetch the code outside of the www/ root directory meaning only ftp / php can grab the data which makes it that much more “safe”.

Obviously there’s nothing we can do to hide the code from someone who knows what they’re doing but it can be made more difficult and that can be automated. In the end, it really won’t matter because RunString could still be redirected, as said above, and there’s nothing we can do short of writing a dll ( which can also be decompiled ) to protect code.
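Added example, not the poster's system: the checks the web endpoint needs for the one-time key in option 3 to mean anything (random key, bound to the connecting player, short-lived, redeemable once). `OneTimeKeyStore`, the 60-second lifetime and the player ids are assumptions; the post describes a PHP endpoint, and Python is used here only to show the logic.

```python
import hashlib
import hmac
import secrets
import time

KEY_TTL_SECONDS = 60  # assumed lifetime; the post does not state one


class OneTimeKeyStore:
    """Hypothetical store shared by the game server and the web endpoint."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._pending = {}  # player_id -> (sha256(key), expiry)

    def issue(self, player_id):
        """On client connect: mint a fresh key, replacing any unused one."""
        key = secrets.token_urlsafe(32)
        digest = hashlib.sha256(key.encode()).digest()
        self._pending[player_id] = (digest, self._clock() + KEY_TTL_SECONDS)
        return key  # sent to the client; only the hash is kept

    def redeem(self, player_id, presented_key):
        """On HTTP fetch: True exactly once per issued key, before expiry."""
        entry = self._pending.get(player_id)
        if entry is None:
            return False  # player never connected, or key already used
        digest, expires_at = entry
        if self._clock() > expires_at:
            del self._pending[player_id]
            return False
        presented = hashlib.sha256(presented_key.encode()).digest()
        if not hmac.compare_digest(digest, presented):
            return False  # wrong key: keep the entry so guesses cannot burn it
        del self._pending[player_id]  # single use
        return True


def demo():
    """Constructed walk-through with a fake clock; returns the four outcomes."""
    now = [0.0]
    store = OneTimeKeyStore(clock=lambda: now[0])
    key = store.issue("player-a")
    first, replay = store.redeem("player-a", key), store.redeem("player-a", key)
    other = store.redeem("player-b", store.issue("player-a"))
    stale = store.issue("player-a")
    now[0] += KEY_TTL_SECONDS + 1
    return first, replay, other, store.redeem("player-a", stale)
```

This only controls who can download the file; once the code is on the client it is readable there, as the post itself says.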

You could follow this handy guide for writing unmaintainable code - you get the same thing in the end.

This needs some clarification. This is a lot of work to do manually, but an automatic system could easily do this. It would replace all variable names, replace control structures with gotos, put everything on one line, perhaps even inline local functions.

That is when you see an obfuscator as a Lua to Lua compiler. I’ve got the basis for this set up in my GLua parser project, but I’m not planning on making an obfuscator soon.

I think Nordahl from Zworld-Afterlife got such an “obfuscator” where he places the code on one line, if I’m right?

You can just strip all the whitespace from the files and it will put it on 1 line. It reduces the file size and a lot of websites and libraries (i.e. jQuery, AngularJS, etc) do this for that exact reason.

My point is that you can do a lot more if the algorithm recognises the structure of Lua. Simply replacing newlines with e.g. spaces would go wrong here:
[lua]
local explanation = [[ This is some long explanation

like the ones I have in simplerr. It’s made of a multiline string.]]
function showExplanation()
    print(explanation)
end
[/lua]

Simple newline replace:
[lua]
local explanation = [[ This is some long explanation like the ones I have in simplerr. It’s made of a multiline string.]] function showExplanation() print(explanation) end
[/lua]
This changes the meaning of the program. You really wouldn’t want that.

What you’d want is either this: (where it knows which newlines belong to a multiline string)
[lua]
local explanation = [[ This is some long explanation

like the ones I have in simplerr. It’s made of a multiline string.]] function showExplanation() print(explanation) end
[/lua]

or even more intelligent: (where it changes multiline strings to single line strings)
[lua]
local explanation = "This is some long explanation\n\nlike the ones I have in simplerr. It’s made of a multiline string." function showExplanation() print(explanation) end
[/lua]
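An added example (not code from the thread or from any poster's project) of the structure-aware pass described above: it walks standard Lua lexical elements so that only whitespace outside strings is collapsed, drops comments so a `--` cannot swallow the joined line, and with `requote=True` rewrites long strings as quoted ones. The names `collapse` and `requote` are made up for illustration, and GLua's C-style comment extensions are assumed absent.

```python
import re

LONG_OPEN = re.compile(r"\[(=*)\[")
ESCAPES = {"\\": "\\\\", '"': '\\"', "\n": "\\n", "\r": "\\r"}

def _long_end(src, m):
    """Return (body_end, token_end) for the long bracket opened by match m."""
    close = "]" + m.group(1) + "]"
    end = src.find(close, m.end())
    return (len(src), len(src)) if end < 0 else (end, end + len(close))

def collapse(src, requote=False):
    """Put a Lua chunk on one line; only whitespace outside strings changes."""
    out, i, n = [], 0, len(src)
    while i < n:
        ch = src[i]
        long_m = LONG_OPEN.match(src, i) if ch == "[" else None
        if src.startswith("--", i):
            m = LONG_OPEN.match(src, i + 2)
            if m:                               # --[[ long comment ]]
                i = _long_end(src, m)[1]
            else:                               # -- comment to end of line
                end = src.find("\n", i)
                i = n if end < 0 else end
            ch = " "                            # a comment separates tokens
        elif long_m:                            # [[ long string ]]
            body_end, i = _long_end(src, long_m)
            body = src[long_m.end():body_end]
            if requote:
                body = body[1:] if body.startswith("\n") else body  # Lua skips it
                out.append('"' + "".join(ESCAPES.get(c, c) for c in body) + '"')
            else:
                out.append(src[long_m.start():i])
            continue
        elif ch in "\"'":                       # quoted string, copied verbatim
            j = i + 1
            while j < n and src[j] != ch:
                j += 2 if src[j] == "\\" else 1
            out.append(src[i:j + 1])
            i = j + 1
            continue
        else:
            i += 1
        if not ch.isspace():
            out.append(ch)
        elif out and out[-1] != " ":
            out.append(" ")
    return "".join(out).strip()
```

Run on the thread's snippet, `collapse(src)` gives the first desired form (newlines kept inside `[[ ]]`) and `collapse(src, requote=True)` gives the second, with the newlines written as `\n` escapes.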