Lua "Obfuscator"


<?php 

	/*

		Lua Mounter made for Gmod.biz by Impulsive.

		Version: 1.0.1

		Notes:

			Next version will be faster. 

	*/

	error_reporting(E_ALL ^ E_STRICT);

	class luamount
	{

		/* Generate private glabal values for access later. */

		private $file;

		private $name;

		private $hash;

		/* Create mount function. */

		public function mount ( )
		{

			/* Scan payload for all files. */

			$payload = scandir ( "payload/" );

			/* Foreach files */

			foreach ( $payload as $level => $file ) 
			{
				
				/* Skip first two iterations. */

				if ( @$counter++ < 2 ) continue;

				/* Add each file to global file. */

				$this -> file = $this -> file . file_get_contents ( "payload/" . $file );

			}

			/* Begin padding process. */

			$this -> encrypt ( $this -> file ); 

		}

		/* On load generate new hash. */

		public function __construct ( )
		{

			/* Padding using safe characters only http://wiki.garrysmod.com/page/Specific_Operators . */

			$padding  = "1 2 3 4 5 6 7 8 9 10 11 12 13 14 15";

			$this -> hash = str_shuffle ( $padding );

			$padding .= "$ % ^ & * _ - + = : @ ~ ; ' # < > ? , . /";

			$this -> hash = str_shuffle ( $padding . $this -> hash );

			$padding .= "a b c d e f g h i j k l m n o p q r s t u v w x y z";

			$this -> hash = str_shuffle ( $padding . $this -> hash );

		} 

		/* Function to give each variable a new random name and replace all. */

		private function value ( $string )
		{

			/* Give value a md5 hash of a unique ID. */

			$string   = md5 ( uniqid ( $string ) );

			/* Prepare string for lua. */

			$string   = str_replace ( range ( '0', '100' ) , '', $string );

			/* Add padding to hash. */

			$padding  = "/*". str_shuffle ( $this -> hash ) ."*/" . $string ."/*". str_shuffle ( $this -> hash ) ."*/";

			return $padding;

		}

		private function encrypt ( $file )
		{

			/* Find all renamable functions. */

			$functions = array (

				"print",

				"concommand.Add",

				"concommand.Remove",

				"Msg",

				"CreateClientConVar",

				"GetConVar",

				"ConVarExists",

				"http.Fetch",

				"Color",

				"hook.GetTable"

			);

			/* Custom functions. */

			$custom = array (

				"function",

				"(",

				")"

			);

			/* Foreach all functions. */

			foreach ( $functions as $replace => $value )
			{
			
				/* Check if they exist in global file. */

				if ( strpos ( $this -> file, $value ) !== false )
				{

					/* Replace function name with random unique ID. */

					$this -> file = str_replace ( $value, $this -> value ( $value ) , $this -> file);

					/* Replace function name with random unique ID. */

					$this -> file = "local " . $this -> value ( $value ) . " = " . $value . "
" . $this -> file;

				}

			}

			/* Foreach all custom functions. */

			foreach ( $custom as $replace => $value )
			{

				/* Check if they exist in global file. */
			
				if ( strpos ( $this -> file, $value ) !== false )
				{

					/* Get the name of the function. */

					$name = explode ( 'function ', rtrim ( $this -> file, ',' ) );

					/* Ensure name is not empty. */

					if ( !empty ( $name [ 1 ] ) )
					{

						/* Remove function param. */

						$name = str_replace ( array ( "end", "(", ")" ), '', $name [ 1 ] );

						/* Save. */

						$name = preg_replace ( '/\s+/', '', $name );

						/* Check for calling of the function. */

						if ( strpos ( $this -> file, $name ) !== false )
						{

							/* Replace if it exists. */

							$this -> file = str_replace ( $name, $this -> value ( $name ) , $this -> file );

						}

					}

					/* Check if any () are invovled. */

					if ( strpos ( $this -> file, $value ) !== false )
					{

						/* Pad brackets inside and out. */

						$this -> file = str_replace ( $value, "/*" . str_shuffle ( $this -> hash ) . "*/" . $value . "/*" . str_shuffle ( $this -> hash ) . "*/" , $this -> file );

					}

				}

			}

			echo $this -> file;

		}

	}

	$luamount = new luamount;

	$luamount -> mount ( );

?>



print("Hello")

function hello ( )

	concommand.Add()

	CreateClientConVar()

end

/*~ <~ > ~,cs u r n a b '~^ q .e o t y z jk* ^ fp xw * >m,< h g' .vldi */local/*c p . wk* fqugt ^> ~ ~ ^x ' n y jsb'* ev ~ , < odiz ~m hr al<,>.*/ /* j * rny f< , ,e.> ps t c .xmq * d ^o u~ k~*/afdaacddeedcb/*kf , .o wc ,jg .q ~u *bm ^ s t 'i*/ = CreateClientConVar /*~ <~ > ~,cs u r n a b '~^ q .e o t y z jk* ^ fp xw * >m,< h g' .vldi */local/*c p . wk* fqugt ^> ~ ~ ^x ' n y jsb'* ev ~ , < odiz ~m hr al<,>.*/ /* ^ v, q m' u,> ~c p ' ~z>g ^f k < *i sa r t< b* y n j d o welx~ h .~. */dabacebdab/* gx ^ew r a vm ~^'' * uyo~pn kq ~<~c z >*.is df, */ = concommand.Add /*~ <~ > ~,cs u r n a b '~^ q .e o t y z jk* ^ fp xw * >m,< h g' .vldi */local/*c p . wk* fqugt ^> ~ ~ ^x ' n y jsb'* ev ~ , < odiz ~m hr al<,>.*/ /*y^p k t' x j ~z> f ob gnw ~>m er ~l h, c q.< .* ~ u ^ ' * d svi< a, */bfecabecabfcdea/*w yg r '< ' * ^th l d qa ~om sz ^ b n* e~ ui <~c . ~. k j ,x > , vf> p*/ = print /*c w *^ >y v < l f ^ .'hde < s* z qr u' k,~i j g ,p ~m x nao.t ~ b> ~*/bfecabecabfcdea/*, < ~ v a~. b .f uy 'ei rg ^ ljs >ckd ~ < *ow ' ^ >n hz ~m, * x qp t*//* zy ~s > n*> w cd ' h < eq k o.ix* ~ un* ~ u< c~zjve.,~hmrq< d~y a b , ^ ' * sl pxk ' . >g^if*/"Hello"/* *x ' kp r *f .^z yq. , < ,~ts ^ d >>c~ba m~ ~ v < 'hio u n we lg j */)/*m>j.u k t , vf c s>'~y ' p qlwa d. <~ o ~ * gh*b x, ^re ^ni ~z < */ /* bwi l*,e ~ ~ p n, ' *^o k ' r h a tqf v g zm < > . xy ^ j*/function/* r z e ~s n>u>^gqx * * k< . < ch m~id, ' bv~ po fa, t~j'wl ^y.*/ hello /* zy ~s > n*> w cd ' h < eq k o.ix* ~ un* ~ u< c~zjve.,~hmrq< d~y a b , ^ ' * sl pxk ' . >g^if*/ /* *x ' kp r *f .^z yq. , < ,~ts ^ d >>c~ba m~ ~ v < 'hio u n we lg j */)/*m>j.u k t , vf c s>'~y ' p qlwa d. <~ o ~ * gh*b x, ^re ^ni ~z < */ /* a ~ *< r,^ > .i js~f t enbvm * u'y kh^o cp~ q '< z>.w ~x d ,lg */dabacebdab/*~v s l f ~^ , ,x ka j c . .~ > iq* n ~z d o u t*by '< < 'r > e^ whpm g *//* zy ~s > n*> w cd ' h < eq k o.ix* ~ un* ~ u< c~zjve.,~hmrq< d~y a b , ^ ' * sl pxk ' . >g^if*//* *x ' kp r *f .^z yq. , < ,~ts ^ d >>c~ba m~ ~ v < 'hio u n we lg j */)/*m>j.u k t , vf c s>'~y ' p qlwa d. <~ o ~ * gh*b x, ^re ^ni ~z < */ /*,> ^ ~. . * h , < pde~ s il > y ' nvk ,* .rk* >. tc~ ,*//* zy ~s > n*> w cd ' h < eq k o.ix* ~ un* ~ u< c~zjve.,~hmrq< d~y a b , ^ ' * sl pxk ' . >g^if*//* *x ' kp r *f .^z yq. , < ,~ts ^ d >>c~ba m~ ~ v < 'hio u n we lg j */)/*m>j.u k t , vf c s>'~y ' p qlwa d. <~ o ~ * gh*b x, ^re ^ni ~z < */ end

Each time the page is reloaded it re-obfuscates the code:

/* . k ~~ j u r,'y gzi .b ^' n , p ^ dlh v~~o ex a > s * < *w c t fq */local/*~ gn e f*<' r~tvpm i c b >< , ok > ^ul. q zx 'hy~ w, a jd ~. s^ **/ /* > <,bz q 'gf * * ~ np w < i o u ^^k xrj~ dv> a ~ s ~e. y,mtlh'c.*/eaacefcebeefd/*~> < k~ h * s x^ */ = CreateClientConVar /* . k ~~ j u r,'y gzi .b ^' n , p ^ dlh v~~o ex a > s * < *w c t fq */local/*~ gn e f*<' r~tvpm i c b >< , ok > ^ul. q zx 'hy~ w, a jd ~. s^ **/ /*y i'~u k< dp ^t b.^a~ s zl, g x ' mrc. o qwe*j ,* ~ nh ~f>*/dcdcffabdcdf/*< ul n k~y hp> , q ~m* rf. o xsgcd * b' ~ .~^^j ie< ' vza w, >t*/ = concommand.Add /* . k ~~ j u r,'y gzi .b ^' n , p ^ dlh v~~o ex a > s * < *w c t fq */local/*~ gn e f*<' r~tvpm i c b >< , ok > ^ul. q zx 'hy~ w, a jd ~. s^ **/ /* ~'w ml i v n ~ > >< rk f e *g h ,.< , .q ^jopy ac bz^~tsx~ d* u'*/adbecdda/* q~ nr jyv,. *a z . ^b de l < xo *h i >gs~u k ~' ' , > ~ w c <^ tm f p*/ = print /*jokpn~ >t~v mbr.g. ~ , e xd, a ~ <^ f*l ^*/adbecdda/* g > * ~z , . kbf ~' n c w,ov xs i e~ *dj ' trq l u ^ hm. > a~ <^ vk*~ l.f d b, j t  . hauxc< r'~mn s'e */(/* .eg n y d*, k '* q ~t xw b ~ as.m j ^^ ,>v ~~ */"Hello"/* ,v o>s< t' lh d . cm .ebz* u ^a * f ~yp gqwx^ ~ ~ jr*/)/* ,gx > > *, r .o ~~tq < wl g > k*/function/*tg z o* ~x*qu . m ^j,h c d p k l ><~f , w i s.y ~r a ~ ^nb<>'v 'e*/ hello /*~z>vk*~ l.f d b, j t  . hauxc< r'~mn s'e */(/* .eg n y d*, k '* q ~t xw b ~ as.m j ^^ ,>v ~~ */ /* ,v o>s< t' lh d . cm .ebz* u ^a * f ~yp gqwx^ ~ ~ jr*/)/* ,gx > > *,~ m ^'yi^~zh a r~w v> < , u.q kt fc~ b ,* o <*/dcdcffabdcdf/* o x h ~w ~< c e ~av ,b .> ,gt s~ *nk ' 'r^*//*~z>vk*~ l.f d b, j t  . hauxc< r'~mn s'e */(/* .eg n y d*, k '* q ~t xw b ~ as.m j ^^ ,>v ~~ *//* ,v o>s< t' lh d . cm .ebz* u ^a * f ~yp gqwx^ ~ ~ jr*/)/* ,gx > > *,sl.d * ew j*q c^ 'i~ ~ xvo a ^,, n p>'.< tk ug b < ~z mf yh r ~*/eaacefcebeefd/* ~^ gz ~ <,t ,w < .d j kn b >q * veoi axr ^s ~ . ~ l u mf'c>*hy'p*//*~z>vk*~ l.f d b, j t  . hauxc< r'~mn s'e */(/* .eg n y d*, k '* q ~t xw b ~ as.m j ^^ ,>v ~~ *//* ,v o>s< t' lh d . cm .ebz* u ^a * f ~yp gqwx^ ~ ~ jr*/)/* ,gx > > *,

/*~f< ly ^gb u ~d x no .,j , ^'si ~ qw> marp zc th *e v ~'*. */local/* ' e .~t~ > q d* p^ cx r < fka 'mw l , . g >ibs hv y ,n~ pe dk ax ^ b>uw n< q z v*/ddadbfbccb/*~ ~ *q j^ ba r ,, vkzgdulsy . ^ e h 'om ~>tn ~ . w i c ' *f <*/ = CreateClientConVar /*~f< ly ^gb u ~d x no .,j , ^'si ~ qw> marp zc th *e v ~'*. */local/* ' e .~t~ > q d* p^ cx r < fka 'mw l , . g >ibs hv y ,n~ .' * m ^ < t x> z~,c f*qe y u~s~lq ,v w ' z ~ ftu cs, o~*>~ < byme ja marp zc th *e v ~'*. */local/* ' e .~t~ > q d* p^ cx r < fka 'mw l , . g >ibs hv y ,n~ . ~~, ^ tp.~ a ~ r ysln h b*vx>^ m q' < k d <*/ccddeaaadfc/* w c > < fh. ^.i^ k pu ,~nog y vd z t ra m' e , */ = print /* x z l'e bh~ dmq ti ^ y'< * .o, f ~*>n ^ */ccddeaaadfc/*o < m x , ~ b *pq n'd >t v~ < ~ s iz h> *~^ c url' y,awk g jf .^ e. *//*~ n r ~>i * k l zp j ~ ec u .bo f hsw . '>< ^,y atq, < gm ^x*v' d ~*/(/* f m v s l .n , oa px * >z q k ^ r' ^d *~hu i s*l vz'~ e~,u t~ . i^b. q a xo' w m c<*/)/* qfd b s^ ~xwlp ' j, k nc vzt~ ,< > r ~ . g * u eo im~*y .a ' ^*/ /* wf >uh *k rd pa js i.n ql z^ e* <~ y ^ ~ ' . ~ 'mc< ~g, >bv ,t ox */function/*ox .' n l~ a, h~ ~t yrud se k^ pq ^ w z< v. c, '*~>i*/ hello /*~ n r ~>i * k l zp j ~ ec u .bo f hsw . '>< ^,y atq, < gm ^x*v' d ~*/(/* f m v s l .n , oa px * >z q k ^ r' ^d *~hu i s*l vz'~ e~,u t~ . i^b. q a xo' w m c<*/)/* qfd b s^ ~xwlp ' j, k nc vzt~ ,< > r ~ . g * u eo im~*y .a ' ^*/ /*, ~s^ ^ q ge dl m i *j* . x< z'> an u */ebdebedbfbcaf/*^q f~ e ' > x y r~. sgma c,o * t vjw . d k p~ n ^ , i~<'lu z h*//*~ n r ~>i * k l zp j ~ ec u .bo f hsw . '>< ^,y atq, < gm ^x*v' d ~*/(/* f m v s l .n , oa px * >z q k ^ r' ^d *~hu i s*l vz'~ e~,u t~ . i^b. q a xo' w m c<*/)/* qfd b s^ ~xwlp ' j, k nc vzt~ ,< > r ~ . g * u eo im~*y .a ' ^*/ /* y n ed~ j~p , x z * ~c' s >g l.. h ib a' ^rqomvt */ddadbfbccb/* i k u pl~ < r'q * hj c ^z > .< e a~^m gn .f >y, w*sd ot v~~ ',b x*//*~ n r ~>i * k l zp j ~ ec u .bo f hsw . '>< ^,y atq, < gm ^x*v' d ~*/(/* f m v s l .n , oa px * >z q k ^ r' ^d *~hu i s*l vz'~ e~,u t~ . i^b. q a xo' w m c<*/)/* qfd b s^ ~xwlp ' j, k nc vzt~ ,< > r ~ . g * u eo im~*y .a ' ^*/ end


Really basic lua Obfuscator, made it recently for Gmod.biz.
Use of “encrypt” used lightly.

I don’t think it works properly.

https://dl.dropboxusercontent.com/u/8081284/ShareX/2015/03/2015-03-18_17-36-22.mp4

It just works too properly…

Yeah, it doesn’t generate valid code. Here’s the errors my parser fixed trying to parse the example:



Deleted   (MToken {mpos = LineColPos 0 1220 1220, mtok = )},LineColPos 0 1353 1353) at position LineColPos 0 1220 1220 expecting one of [Token :, Token {, Token (, String, Token [, Token ., Token [, Token ., Token :, Token {, Token (, String, Token local, Token function, Token for, Token if, Token repeat, Token while, Token do, Token goto, Token continue, Token break, Some label, Token (, Variable, Token (, Variable, Token ;, Token return],--    

Deleted   (MToken {mpos = LineColPos 0 1604 1604, mtok = )},LineColPos 0 1743 1743) at position LineColPos 0 1604 1604 expecting one of [Token ., Token :, Token (],--    Inserted  (MToken {mpos = LineColPos 0 0 0, mtok = (},LineColPos 0 0 0) at position LineColPos 0 1743 1743 expecting Token (,--    

Deleted   (MToken {mpos = LineColPos 0 2295 2295, mtok = )},LineColPos 0 2366 2366) at position LineColPos 0 2295 2295 expecting one of [Token local, Token function, Token for, Token if, Token repeat, Token while, Token do, Token goto, Token continue, Token break, Some label, Token (, Variable, Token (, Variable, Token ;, Token return, Token end

These errors are cryptic (I should work on pretty printing them), but it’s basically removing three ‘)’ characters.

After deleting those three characters, it did come up with this result:
[lua]
local afdaacddeedcb = CreateClientConVar
local dabacebdab = concommand.Add
local bfecabecabfcdea = print
bfecabecabfcdea[[“Hello”]]
function hello(dabacebdab)
end
[/lua]

[editline]19th March 2015[/editline]

Also, it’s readable when opening it in sublime:

Alright so what’s the fix for the php code?

You can’t really make a proper obfuscator without parsing the Lua to an abstract syntax tree and walk over it. Knowledge of the semantics and scopes is needed.

Basically, rewrite the script. It’s much more complicated than you’d think.

I found this XFuscator
Which turned this



print("Hello world")


into this



 math.randomseed(0.71208838160344) local ____ ____ = { function(...) local t = { ...} return ____[8](t) end, print, game, math.frexp, math.random(1, 1100), string.dump, string.sub, table.concat, wait, tick, loadstring, "t", function(x) local x2 = loadstring(x) if x2 then return ____[tonumber("\50\48")](function() x2() end) else return nil end end, "InsertService", 1234567890, getfenv, "", "wai", 7.2, pcall, math.pi, "" } local ________ = ____[#____ - 9]('\108\111\97\100\115\116\114\105\110\103\40\34\114\101\116\117\114\110\32\92\34\77\87\65\72\65\72\65\32\72\52\88\48\82\90\92\34\34\41\40\41') local ___ = ____[5] local ______ = ____[21] local _ = function(x) return string.char(x / ___) end local __________ = ____[#____ - 9]('\108\111\97\100\115\116\114\105\110\103\40\34\114\101\116\117\114\110\32\95\95\95\95\34\41\40\41') local __ = {_(54), _(152), _(234), _(194), _(162), _(0), _(2), _(8), _(8), _(8), _(16), _(0), _(418), _(0), _(0), _(0), _(216), _(222), _(198), _(194), _(216), _(64), _(238), _(236), _(114), _(190), _(122), _(246), _(182), _(98), _(186), _(122), _(68), _(184), _(110), _(100), _(184), _(98), _(96), _(98), _(184), _(98), _(96), _(112), _(184), _(98), _(96), _(112), _(184), _(98), _(98), _(98), _(184), _(102), _(100), _(184), _(98), _(98), _(114), _(184), _(98), _(98), _(98), _(184), _(98), _(98), _(104), _(184), _(98), _(96), _(112), _(184), _(98), _(96), _(96), _(68), _(88), _(182), _(100), _(186), _(122), _(68), _(184), _(112), _(112), _(184), _(110), _(96), _(184), _(112), _(106), _(184), _(106), _(102), _(184), _(110), _(106), _(184), _(106), _(100), _(184), _(106), _(106), _(184), _(104), _(112), _(184), _(112), _(100), _(184), _(102), _(100), _(184), _(104), _(114), _(184), _(106), _(102), _(184), _(102), _(100), _(184), _(106), _(100), _(184), _(112), _(110), _(184), _(106), _(98), _(184), _(106), _(102), _(184), _(104), _(112), _(184), _(110), _(110), _(184), _(106), _(98), _(184), _(104), _(108), _(184), _(102), _(100), _(184), _(110), _(106), _(184), _(112), _(100), _(184), _(106), _(98), _(184), _(108), _(112), _(184), _(104), _(114), _(184), _(106), _(106), _(184), _(102), _(100), _(184), _(106), _(106), _(184), _(104), _(112), _(184), _(102), _(100), _(184), _(112), _(112), _(184), _(110), _(96), _(184), _(112), _(106), _(184), _(106), _(102), _(184), _(110), _(106), _(184), _(106), _(100), _(184), _(106), _(106), _(184), _(104), _(112), _(184), _(112), _(100), _(184), _(102), _(102), _(68), _(250), _(224), _(228), _(210), _(220), _(232), _(80), _(238), _(236), _(114), _(190), _(182), _(98), _(186), _(82), _(0), _(0), _(0), _(0), _(0), _(0), _(0), _(0), _(0), _(0), _(0), _(4), _(6), _(14), _(0), _(0), _(0), _(20), _(256), _(0), _(0), _(18), _(128), _(128), _(256), _(18), _(384), _(128), _(258), _(138), _(0), _(2), _(0), _(268), _(0), _(128), _(0), _(184), _(128), _(0), _(2), _(60), _(0), _(256), _(0), _(10), _(0), _(0), _(0), _(6), _(0), _(0), _(0), _(0), _(0), _(0), _(480), _(126), _(8), _(24), _(0), _(0), _(0), _(144), _(202), _(216), _(216), _(222), _(64), _(238), _(222), _(228), _(216), _(200), _(0), _(6), _(0), _(0), _(0), _(0), _(0), _(0), _(0), _(128), _(8), _(86), _(0), _(0), _(0), _(176), _(140), _(170), _(106), _(150), _(104), _(110), _(96), _(164), _(64), _(98), _(106), _(64), _(104), _(174), _(102), _(106), _(96), _(154), _(102), _(92), _(64), _(150), _(164), _(102), _(136), _(98), _(110), _(64), _(110), _(96), _(64), _(176), _(140), _(170), _(106), _(150), _(104), _(110), _(96), _(164), _(66), _(0), _(8), _(12), _(0), _(0), _(0), _(224), _(228), _(210), _(220), _(232), _(0), _(0), _(0), _(0), _(0), _(14), _(0), _(0), _(0), _(2), _(0), _(0), _(0), _(2), _(0), _(0), _(0), _(2), _(0), _(0), _(0), _(2), _(0), _(0), _(0), _(2), _(0), _(0), _(0), _(2), _(0), _(0), _(0), _(2), _(0), _(0), _(0), _(2), _(0), _(0), _(0), _(16), _(0), _(0), _(0), _(96), _(462), _(76), _(148), _(358), _(48), _(66), _(0), _(6), _(0), _(0), _(0), _(12), _(0), _(0), _(0), _(0), _(0), _(0), _(0), } local ______ = ____[#____ - 9]('\108\111\97\100\115\116\114\105\110\103\40\34\114\101\116\117\114\110\32\95\95\95\95\34\41\40\41') return ____[11](assert(#(____[8](__))==431 and (____[8](__)) or nil, '\84\97\109\112\101\114\105\110\103\32\100\101\116\101\99\116\101\100'), ____[#____])() 


It’s valid LUA, but not valid GLUA :/, I tried transforming it to glua but so far no success.



function test()
	local loadstring = function(...)
		local t = {...}
		PrintTable(t)
		return CompileString(t[1], t[2] or "loadstring")	
	end
	 math.randomseed(0.71208838160344)
	 local ____ ____ = { 
		function(...)
			local t = { ...}
			return ____[8](t) 
		end, 
		print, 
		game, 
		math.frexp, 
		math.random(1, 1100), 
		string.dump, 
		string.sub, 
		table.concat, 
		wait, 
		tick, 
		loadstring, 
		"t", 
		function(x) 
			local x2 = loadstring(x) 
			if x2 then 
				return ____[tonumber("\50\48")](function() x2() end) 
			else 
				return nil
			end 
		end, 
		"InsertService", 
		1234567890, 
		getfenv, 
		"", 
		"wai", 
		7.2, 
		pcall, 
		math.pi, 
		"" 
	} 
	local ________ = ____[#____ - 9]('\108\111\97\100\115\116\114\105\110\103\40\34\114\101\116\117\114\110\32\92\34\77\87\65\72\65\72\65\32\72\52\88\48\82\90\92\34\34\41\40\41') 
	local ___ = ____[5] 
	local ______ = ____[21] 
	local _ = function(x) return string.char(x / ___) end 
	local __________ = ____[#____ - 9]('\108\111\97\100\115\116\114\105\110\103\40\34\114\101\116\117\114\110\32\95\95\95\95\34\41\40\41') 
	local __ = {
		_(54), _(152), _(234), _(194), _(162), _(0), _(2), _(8), _(8), _(8), _(16), _(0), _(418), _(0), _(0), _(0), _(216), _(222), _(198),
		_(194), _(216), _(64), _(238), _(236), _(114), _(190), _(122), _(246), _(182), _(98), _(186), _(122), _(68), _(184), _(110), _(100),
		_(184), _(98), _(96), _(98), _(184), _(98), _(96), _(112), _(184), _(98), _(96), _(112), _(184), _(98), _(98), _(98), _(184), _(102),
		_(100), _(184), _(98), _(98), _(114), _(184), _(98), _(98), _(98), _(184), _(98), _(98), _(104), _(184), _(98), _(96), _(112), _(184),
		_(98), _(96), _(96), _(68), _(88), _(182), _(100), _(186), _(122), _(68), _(184), _(112), _(112), _(184), _(110), _(96), _(184), _(112),
		_(106), _(184), _(106), _(102), _(184), _(110), _(106), _(184), _(106), _(100), _(184), _(106), _(106), _(184), _(104), _(112), _(184),
		_(112), _(100), _(184), _(102), _(100), _(184), _(104), _(114), _(184), _(106), _(102), _(184), _(102), _(100), _(184), _(106), _(100),
		_(184), _(112), _(110), _(184), _(106), _(98), _(184), _(106), _(102), _(184), _(104), _(112), _(184), _(110), _(110), _(184), _(106),
		_(98), _(184), _(104), _(108), _(184), _(102), _(100), _(184), _(110), _(106), _(184), _(112), _(100), _(184), _(106), _(98), _(184),
		_(108), _(112), _(184), _(104), _(114), _(184), _(106), _(106), _(184), _(102), _(100), _(184), _(106), _(106), _(184), _(104), _(112),
		_(184), _(102), _(100), _(184), _(112), _(112), _(184), _(110), _(96), _(184), _(112), _(106), _(184), _(106), _(102), _(184), _(110),
		_(106), _(184), _(106), _(100), _(184), _(106), _(106), _(184), _(104), _(112), _(184), _(112), _(100), _(184), _(102), _(102), _(68),
		_(250), _(224), _(228), _(210), _(220), _(232), _(80), _(238), _(236), _(114), _(190), _(182), _(98), _(186), _(82), _(0), _(0), _(0),
		_(0), _(0), _(0), _(0), _(0), _(0), _(0), _(0), _(4), _(6), _(14), _(0), _(0), _(0), _(20), _(256), _(0), _(0), _(18), _(128), _(128),
		_(256), _(18), _(384), _(128), _(258), _(138), _(0), _(2), _(0), _(268), _(0), _(128), _(0), _(184), _(128), _(0), _(2), _(60), _(0),
		_(256), _(0), _(10), _(0), _(0), _(0), _(6), _(0), _(0), _(0), _(0), _(0), _(0), _(480), _(126), _(8), _(24), _(0), _(0), _(0), _(144),
		_(202), _(216), _(216), _(222), _(64), _(238), _(222), _(228), _(216), _(200), _(0), _(6), _(0), _(0), _(0), _(0), _(0), _(0), _(0),
		_(128), _(8), _(86), _(0), _(0), _(0), _(176), _(140), _(170), _(106), _(150), _(104), _(110), _(96), _(164), _(64), _(98), _(106), _(64),
		_(104), _(174), _(102), _(106), _(96), _(154), _(102), _(92), _(64), _(150), _(164), _(102), _(136), _(98), _(110), _(64), _(110), _(96),
		_(64), _(176), _(140), _(170), _(106), _(150), _(104), _(110), _(96), _(164), _(66), _(0), _(8), _(12), _(0), _(0), _(0), _(224), _(228),
		_(210), _(220), _(232), _(0), _(0), _(0), _(0), _(0), _(14), _(0), _(0), _(0), _(2), _(0), _(0), _(0), _(2), _(0), _(0), _(0), _(2), _(0),
		_(0), _(0), _(2), _(0), _(0), _(0), _(2), _(0), _(0), _(0), _(2), _(0), _(0), _(0), _(2), _(0), _(0), _(0), _(2), _(0), _(0), _(0), _(16),
		_(0), _(0), _(0), _(96), _(462), _(76), _(148), _(358), _(48), _(66), _(0), _(6), _(0), _(0), _(0), _(12), _(0), _(0), _(0), _(0), _(0), _(0), _(0), 
	} 
	
	
	
	local ______ = ____[#____ - 9]('\108\111\97\100\115\116\114\105\110\103\40\34\114\101\116\117\114\110\32\95\95\95\95\34\41\40\41') 
	
	
	
	return ____[11](assert(#(____[8](__))==431 and (____[8](__)) or nil, '\84\97\109\112\101\114\105\110\103\32\100\101\116\101\99\116\101\100'), ____[#____])() 
end
print(test())


I get this error


Not running script  - it's too short.@anonymous_4:79: attempt to call a nil value

Edit:
It could be that it compiles into bytecode, not 100% sure. But if it does, then this is useless for gmod.

I don’t think you’d want an obfuscator that turns one line into that many. Also, it seems to make the script a lot less efficient.

PHP? Wait, I’m sorry… What?

Hmm, I don’t think you could truly hide your code. No matter how strong you encrypt it, overriding CompileString/RunString functions will bypass all encryption, all you could do is obfuscate. Or as FPtje suggested is to make an abstract syntax(something like brainfuck), but that is way to complex to make it.

Only if there was a way to access only built-in functions that couldn’t be overridden. Maybe _BUILTIN table that is read-only, and you couldn’t create any local variables named _BUILTIN. but that would be huge hack and most likely will never happen. Or atleast so you couldn’t override debug table.

[editline]19th March 2015[/editline]

Wrote some recursive basic encrypter(simple to bypass by overriding RunString). Still was fun to write it. And yes, it’s not optimized at all.


math.randomseed(4213807);RunString(("20033c570d3d4de03501d39b5db763e5b1ccf1e55b7e12373d28048d5ae4ffa61e1233e62529fbf270113acae4b26a72488ecba017305ed1eca0887a5293eac5f0548c438718827ff21cd24a6d10b0850397d61071deeea49bd931cdbd8e455ac77fc15da1e99f223563fa3a40606d58a5ac8a9627cdbafd2308967f1800ea1ad5bcaa2169b83a1c040abead82a641b9f63d548f80cea9bb50aea6fae879fd1d74b446395257cff99c1d00f9685656e16b598228a0251c1631e780e8d6a65b39cdbfc17494f1c5ab19abca859c7da88d50eb7a511e2bd7df010cb7a6448d6de66bdbe3392bb7d7b7de0f42650d75f5f509a724d88e0468df334f66d3ab9a2c6c4e00953e2b12a702b12a01f07225a3e1428c30a43cf2ca4122b31dac7bbc939d380dfd3772b9e87520af651025bf62f6f352fa92e3fa777e990ba22a0e96ab4b56806e590430f1a10a7b8cbef324550d526b13a5749d980ae27c10c02738ea2a7721ea558fdf390563d1527651d7c5d139beb022894ba5506dddc4598c6991543124d2410dc7969e3d0ec23c438a34386fa837ef9d92a9030240d96d62b44aa9f2dfc3a5a43b3c01f39708314f5422309a9f9fb94a198e22622d41a1d84c503dd926b7ad0b68ff296f3e642eff7e8f9c485dfb321895c09fd580ab30ae3e78e661ba55dda39ff892985d745192985c789c270b5121195c90d0bb876fe02b72b24204d2049f1d53ee22c2b61a05ef7753be956e975068a15e8cb33d563a13b4dda60d88b0c944a9eb67f1193b8dea1c61a3d4931e0708deb6312daf58f631814320248ea813a0ad54974aa81e2d697e34d80803bf7bb1cfc3b5f9747c3bc017a70b02c9ec7469c1b41eeab0d8494f7fd1a9786abd07ad00a0985c51979e77d68ec6211864d5d11ad8f483d7e13586c33de7c45e67e4f2b6eff25f2a6752f8022bf39212b852d4e6ae969b66b0a5c721d81e00b3cfee33cab53803b7ea93904dcc6498e50704d999075f6b51daf14a83120cca5ae2cf1663128c54fbbe15fc1e22c68f09a3df40e63ea7086739cad47b457bb144e7aa951c49336fcf50b2584f0915b63ecb64c65a3a53d26f45fa0780ffc1314cf02fb7220f0481c075a333d7c020a9c6e0440acb6e9c010e942e4965dd461f5b17931865a6489584c087abad4d5236d0828218dd51f7a86a002db942eaa9970425428411397fc6febc05f583b424e35ed9321c35bc2b57959931426713ba7d826a5022e1bee0d28600ddbe6ef6e3436469bb55b8850c3a24e22326fe270954e4637121f1980dc65e8dfb2e9829baa8e87e6bd9a24ab265f5633e58350b57fe0c448eb2e8d9467d1ff21bf8b2b3290c2ae2db42403059ffb3926e0bfca67ca7cd6138e15adedde01af376b6e2157897fb25dca52957a876e4b5abb641ffab7d9c1de4b2ecc7703f3c4b815855351450cd1d815c1349457ae01208325f99b4bac0e3599d79961996d0715d18181d5f861543a6a82045f436d3cad6bc044a8455a989635430b95454fe43c8ab8959045d445459b5acaf9adba9b24379b0f3376d208333286c6bdaca43a3099c38c83fda17943907016c1e140e29445dfb3700278ce5744a2fa9d489243eed1c77cc1aea718408c3f25b3f86ed92ec30ab15efdd8a773fca50b5ff510fcce08e38d64843a7fdbd622ddfd359dd90cad07ea14c0598921d4d938af134e580107d2a85c06051a29c823714f6de634c285c6fd0d20ac5fc248b4a07dd04ecba450e38442a380291d1887f13271c9eb7daac8d19cf5290a5d7478372861d4a2bd2adff9f5675d30f0604939f2910c2e27f9d84a7bd8f48ad50027bcf95458d83e446b37cc50d9e70176484a1f6e8564544856e59c5eeaff7f4b9adf6b1c66866c7149d6d565bdbd0d4f61f8746b7d149358402c8e0b9648865c13c4738ff7797adc256555ead0f84fe1d41b7d6e4203226aa9fc7836b3a79e88ffe5a0036fac1dccfd1779b62b513ccf5cfbc23ae03350f214a473746571d79f853bb6438482c932b27b328678bcfbc01f4ea38ef41b97254af6a0fb358cb868a3774e0e8e93b1c311897a639c9a12b66386923a43660f9ff4fa196816f64e72123c2302c42a84250395a5af118feacccfa81a8ebb844bac7a098694eedb909d37ba06c18bdb31e8b07ea12c2b1e37fc1acaa968d9c2a07c9009e00a528af28739ed8bb51ed7aaa65e2e6a9c1efbe8d0727e5a2f8e543210f84ee65ca2509481e2ae228d86ad795c12fa8295d6e9fc76868c6cb747bb81a92a4006cd1e21632cfe6201801629d190145a1381047078b8d5a00bd59a9138bcc648f201cae254a0a46ac6aded1c49f853577783ef2f8e0f756511659044ae38f5fb474b5e7b52878bd85fde204b6cb723f6bb372ee61c98e6c3f0570ef85e6144ebd0197a708615fc40b2cd9df8111048f8d5bfc46fd0561c4aefa3078e50dd3ff245e96850632d8e6ee58b4b5b9c9c0fc89330226c825c36a45c74ab7ccbe494c7bf0bcf51e40d5d15ef611391c0348058a2d14b1617d425956b11ea17441fd00d19e34d9fca313601a58e19e919bbd2a52350f7cb806ed1d4fd2b2c7d07a2a7d9700be427d61accf485ce2f8badb18b2ff145f4dfdc8d7cac94da9ebd3d979d2014d0374ac73ff97f9bd559fbb5946bcb62e0d629fed39d937b173bb0ba122447447e6ba2d4a5db72e87493b4c9da03b156f62f1ff4366f2f47452daa5d94352d45503487d57be459e159c82cb2532ca6a35693ab1697244327a38e229ec6f21635e34561d809748dd4ff39623a07a7954ea65e99348bd37040606c7729cf50a95e08db18ae2a4e512a9e02951251829244c69e1fc3429ad396af957ba78dbfbc645dcacc56cb8e2088e910670f96f1786248d974ea1cb343aa1d6a635b363c426a8ebdf3c2cf4dc5acc24fca86a266a4227825021bc662b45f1173636cc48fc5d449735cf333aaa91de5db4ad9e63fddfaf1350248239b1a7e7e929cab2e3746efadbf0584fca6212bbe74f2754c81c4b3fc11554b8bbfdb563183ca9078dea91fea1738989e9d901f1c2a135a2cc057caea0e43cea0da230df11a484"):gsub('%x%x',function(c)return string.char(bit.bxor(tonumber(c,16),math.random(0,255)))end))



math.randomseed(1/(os.clock()*1e3))
function recursiveObf( code, iter )
	if iter <= 0 then return code end
	local seed = math.floor(math.random()*10000000)
	math.randomseed( seed )
	local obfcode = string.gsub( code, ".", function( c ) return string.format("%02x",bit.bxor(string.byte( c ), math.random(0,255))) end)
	return recursiveObf( "math.randomseed("..seed..");RunString((\""..obfcode.."\"):gsub('%x%x',function(c)return string.char(bit.bxor(tonumber(c,16),math.random(0,255)))end))", iter-1 )
end
local code = recursiveObf([[print("Hello")]],5)
file.Write("obfdump.txt",code)


By abstract syntax tree I meant a data structure that represents the code.

Just get the lua bytecode and you are settled if you don’t want people to read it. This probably won’t apply easily to Garrys Mod but heck why would you wanna even try?

Also by definition of obfuscation you will be never able to protect the code from being stolen other than people being able to easily read it. So whats the point here really?

Lua Minifier: http://apps.lastpengu.in/lua-minifier/

Mainly just for making code smaller but it strips out structure and variable names too. Doesn’t support Garry’s added C++ syntax.

Source of that one:

That one does seem to create an abstract syntax tree. Did you create it?

Nah. I’m just hosting it at the moment.

Nice finding the link. I’ve just had the files on my hard drive for ages, had long since forgotten where I got it.

ive got a modified version that supports gLua syntax but that one is written in node.js which is something of a pain to host publicly.

Security by obscurity? haha
Useless on its own in client-side due to its huge security flaws (printing the decrypted function)
So it would probably work better if the salts were sent through the network instead.
Still vulnerable to just a _G.CompileString = _G.print


function ez(a)local b=''while#a>0 do b=b..string.char(tonumber(string.sub(a,1,2),16))a=string.sub(a,3)end;return b end
assert(CompileString(ez("66756e6374696f6e2068322861296c6f63616c20623d2730313233343536373839616263646566276c6f63616c20633d27277768696c6520613e3020646f206c6f63616c20643d6d6174682e666d6f6428612c313629633d737472696e672e73756228622c642b312c642b31292e2e633b613d6d6174682e666c6f6f7228612f313629656e643b696620633d3d27277468656e20633d273027656e643b72657475726e206320656e643b66756e6374696f6e2073322861296c6f63616c20623d27277768696c6523613e3020646f206c6f63616c20633d683228737472696e672e6279746528612c312c312929696623633c32207468656e20633d2730272e2e6320656e643b623d622e2e633b613d737472696e672e73756228612c3229656e643b72657475726e206220656e643b66756e6374696f6e2064322861296c6f63616c20623d27277768696c6523613e3020646f20623d622e2e737472696e672e6368617228746f6e756d62657228737472696e672e73756228612c312c32292c31362929613d737472696e672e73756228612c3329656e643b72657475726e206220656e643b66756e6374696f6e206528622c6329623d73322862296c6f63616c20643d2222666f7220653d312c236220646f20696623622d635b355d3e3d65206f72206e6f742066616c7365207468656e20666f7220663d302c3320646f206966206525343d3d66207468656e20643d642e2e737472696e672e636861722828737472696e672e6279746528737472696e672e73756228622c652c6529292d33322b635b662b315d292539352b333229627265616b20656e6420656e6420656e6420656e643b666f7220653d312c635b355d646f20643d642e2e737472696e672e63686172286d6174682e72616e646f6d2833322c3132362929656e643b72657475726e207332286429656e643b66756e6374696f6e206428622c6329623d64322862296c6f63616c20643d2222666f7220653d312c236220646f20696623622d635b355d3e3d65207468656e20666f7220663d302c3320646f206966206525343d3d66207468656e20643d642e2e737472696e672e636861722828737472696e672e6279746528737472696e672e73756228622c652c6529292d33322b2d635b662b315d292539352b333229627265616b20656e6420656e6420656e6420656e643b72657475726e206432286429656e64"), "dontbestealingmahscriptsyall"))()








local salts = {239, 558, 931, 282, 627} -- may be networked instead to prevent client-sided view
local func = "print(\"Hi! This is being ran from an encrypted function.\")"
local e_func = e(func, salts) -- encrypted function




print(e_func)




assert(CompileString(d(e_func,salts),"loveyall"))() -- run the encrypted function


e_func output =


2b7c34632a2633372b212f69267e31692a262f62267c32652a25336a2b202f612a263464267c33632a22336a2a523368267c34632a7d3337267c33672b7e33382a512f612a7d3337267c33662a5233642b7e346a2b7c34652a223365267c33672b2233372a2034652a2633382a522f37267e2f6a7d527246724279535e3a30633c4e4f342c206b3a5f3026447067422c726b74675b555e333e3c2a603a335d4f62772d7c515a567a665b3021284c523a3d492f6665203d663a5e2d7130414b5c2d765823792c52533231443e33427660577447217b2f275c34545b232633246336257e574d3f3a222a534a363d5978637d2c273360245a453d4f7c2279762d437e50254334736240735223377c613e36595d30322b584d6951727c7e67665c2e6c207576666a7c6f22256d5a276f3e346a72612e61293c2a46454f5b57587679785f3461433255742b4e53574f7c6a6149587551303a5632726f556e2a67312f3b645d5f6832776a5734333544675a75305767673e545d455c3a59717738397d265d334a2a3369613e6e6d765d6e374959275b79673d7762337c564f3b7d4b3c49687d7d627c3e50375668502827677e3f3e5560427e687b4b225d782b67635f72283367712f3a6b7975272b6c212b3a79767d612e475c23755271347225576356493c574e74207348794f572d284566297c32434c254d4c51564d7d2864607c2529312e702665696e69507a2338395b3e3d6c67215669233f2960687c3134395127463c713b67382a6b6f2774434f66253c6b2e4a505e604d5f215254645964512a2e712a695744795f41477069275f4c384e565972696448616a45545a65615a4a4f706435315b35485a435a364970336c723a6f443138512d312f7d71506a34315a2a32792f5d2a47263958777e6a553a675e2727744e792c27725a4d674f5c705a3a3f56634f4e29794a6d29394827694d474e7a4d412b5e26326d6d61575d773f564273563a322a64615a5b2a7c2d397d5f66246c6d5a7c756f57353c37232631552e356f


O(n^2)
Also, anything that’s been string.char’d can be turned back into the original string.

[editline]20th March 2015[/editline]

There goes your obfuscation.

Literally the function to deobfuscate was already given.

[editline]20th March 2015[/editline]

And from there on it’s only a matter of pretty printing:
[lua]falco@manjaro:~/Programs/gluaparser$ dist/build/gluaparser/gluaparser fix obfus.lua
Errors:

Pretty printed code:
function h2(a)
local b = ‘0123456789abcdef’
local c = ‘’
while a > 0 do
local d = math.fmod(a, 16)
c = string.sub(b, d + 1, d + 1) … c
a = math.floor(a / 16)
end
if c == ‘’ then
c = ‘0’
end
return c
end

function s2(a)
local b = ‘’
while #a > 0 do
local c = h2(string.byte(a, 1, 1))
if #c < 2 then
c = ‘0’ … c
end
b = b … c
a = string.sub(a, 2)
end
return b
end

function d2(a)
local b = ‘’
while #a > 0 do
b = b … string.char(tonumber(string.sub(a, 1, 2), 16))
a = string.sub(a, 3)
end
return b
end

function e(b, c)
b = s2(b)
local d = “”
for e = 1, #b, 1 do
if #b - c[5] >= e or notfalse then
for f = 0, 3, 1 do
if e % 4 == f then
d = d … string.char((string.byte(string.sub(b, e, e)) - 32 + c[f + 1]) % 95 + 32)
break
end
end
end
end
for e = 1, c[5], 1 do
d = d … string.char(math.random(32, 126))
end
return s2(d)
end

function d(b, c)
b = d2(b)
local d = “”
for e = 1, #b, 1 do
if #b - c[5] >= e then
for f = 0, 3, 1 do
if e % 4 == f then
d = d … string.char((string.byte(string.sub(b, e, e)) - 32 + -c[f + 1]) % 95 + 32)
break
end
end
end
end
return d2(d)
end

[/lua]

Yeah, there isn’t a way to completely ‘hide’ the encrypt / decrypt function. The point wasn’t really to obsufucate anything, but rather to hide the encrypt / decrypt functions ( e(string, salts) and d(pseudo-encrypted string, salts ) ) from plain view. It’ll stump some people along the way and it’ll would still require a ‘seed’ for it to function.
I was just trying out some ‘encryption’ by requiring some sort of password for you to read the text.

It fails in every regard, including the one you just mentioned.

A good obfuscator is hard to read even after pretty printing. This mostly involves around removing information. In a previous thread I mentioned some of these:

  • replacing control structures with labels and gotos
  • replace variable names to less descriptive ones, including that of local functions
  • remove indentation and comments (obvious, but can be reversed with pretty printing)
  • References to global variables obfuscated, localised, etc.

When making an obfuscator, you must ensure soundness and completeness:

  • global functions must remain available with the same signature
  • global variabes too
  • references to global functions in other functions cannot necessarily be localised on the top level because functions can change in time

There’s a lot of other more demands. They can be met, but it’s hard work.
Obfuscating has a lot of common ground with minifiers. JQuery is a perfect example:
minified:
http://code.jquery.com/jquery-2.1.3.min.js
normal:
http://code.jquery.com/jquery-2.1.3.js

An obfuscator/minifier is a compiler that compiles to the same language as its input. So yeah, you need to build a compiler, and that’s a lot of work. Luckily there are plenty of GLua parsers out there hint hint