Hi all, I come today to talk about Lua encryption and security. I have recently seen quite a few threads pop up about decrypting of lua cache files (which has been around since the beginning of lua cache files in gmod), and a (bad) attempt to secure lua files using some default lua functions.
So after some thought, I have come up with a few things that would seem like a fairly good attempt at securing our client/shared files, but some problems exist with them.
Solution 1: (XOR)
I have found that we can actually use xor encryption in glua, manipulating string.byte and bit.bxor. This way we can make our own unique keys and own unique ways of encrypting data. Here is a simple function that allows you to pass a string and a key to it, and it will return the xor'd version:

    function xorstring(toenc, key)
        local endstr = "";
        for i = 1, #toenc do
            -- wrap the key index so the key repeats over the whole input
            local keyind = ((i - 1) % #key) + 1
            endstr = endstr..string.char(bit.bxor(string.byte(toenc[i]), string.byte(key[keyind])))
        end
        return endstr;
    end
This function paired up with these next two can do a lot:

    function fillleft(str, amt, rep) -- not sure if there is a default function for this
        local rep = tostring(rep);
        local str = tostring(str);
        -- prepend rep until str is at least amt characters long
        for i = #str, amt - 1 do
            str = rep..str;
        end
        return str;
    end

    function readbytes(str)
        local ends = "";
        -- each byte as a decimal number, padded to two digits, space separated
        for i = 1, #str do
            ends = string.format("%s%s ", ends, fillleft(string.byte(str[i]), 2, 0));
        end
        return ends
    end
For example if we were to do this:

    print(readbytes(xorstring("Blob Dillon", "Alphabet")));
It would print: 03 00 31 10 65 38 12 24 45 03 30
Calling this function again with the same key would output the original function:
Solution 2: (Running Bytecode)
I have found out that some default lua functions allow you to read and run bytecode, but unfortunately the running of bytecode is not supported in glua.
I have researched this a bit and found out that there could be a risk for hacks when allowing people to load bytecode, but, this simply **does not make sense**. People can easily load hacks without using bytecode, why limit the possibilities just because of a really low risk of someone having to load bytecode instead of regular lua hacks? (garry pls fix it the way it is meant to be? :D)
Now, instead of me getting sidetracked into this hacking area of glua, I will explain how bytecode can secure your client and shared lua files.
Think of it this way, Lua reads your text data and converts it into bytes that can be interpreted to do something else, much like any other language (C++, C, .NET). string.dump allows you to dump the function you pass to its bytes into a string. You could pass this to a client and call loadstring or load with this string. This would load the function without having any text with it, thus making it **harder** (not impossible) for many people to get the text associated with it, and make the need for encoding the plain text not needed.
What are your thoughts on the matter? Do you have any ideas for securing lua files/code? Am I trying too hard? Post below!
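
An added example, not part of the original post: a check of what each of the two approaches above leaves recoverable on the client. It assumes standalone LuaJIT 2.x (the runtime GMod embeds) rather than GMod itself, so it uses string.byte(s, i) instead of s[i]; the function secret and its string literal are constructed for the illustration.

```lua
-- Added example; assumes standalone LuaJIT 2.x, which provides `bit` and loadstring.
local bit = require("bit")

-- Same repeating-key scheme as the post's xorstring, written with
-- string.byte(s, i) so it also runs outside GMod.
local function xorstring(toenc, key)
    local out = {}
    for i = 1, #toenc do
        local keyind = ((i - 1) % #key) + 1
        out[i] = string.char(bit.bxor(string.byte(toenc, i), string.byte(key, keyind)))
    end
    return table.concat(out)
end

-- Solution 1: XOR is its own inverse, so the client needs the same key to decode.
local plain, key = "Blob Dillon", "Alphabet"
local enc = xorstring(plain, key)
assert(enc ~= plain)
assert(xorstring(enc, key) == plain)

-- Risk: XORing the encoded text with text that is already known returns the
-- repeated key, so one known file exposes the key used for every other file.
assert(xorstring(enc, plain) == "AlphabetAlp")

-- Solution 2: dump a function to bytecode and load it back.
local function secret()
    return "hidden-license-check" -- constructed sample literal
end

local dumped = string.dump(secret, true) -- LuaJIT: second argument strips debug info
local loaded = assert(loadstring(dumped))
assert(loaded() == "hidden-license-check")

-- Risk: stripping removes names and line info, but string constants are
-- stored verbatim in the bytecode and can be found with a plain text search.
assert(dumped:find("hidden-license-check", 1, true) ~= nil)

print("XOR round-trip ok; key visible under known plaintext; literal visible in bytecode")
```

Both results point the same way: anything the client must run or decode is delivered to it in recoverable form, so checks that matter belong in server-side files.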