LuaEncrypter (Clientside/Shared Cache Protector)

I made this with the intention of protecting my hard work when I realized how much of a cunt people can be. I’m sick of skiddies thinking they’re cool because some guy made a cache decompressor.

What it does
It allows you to easily send entire Lua files without saving them on the player’s hard drive for some stupid reason.
It also allows you to password protect any string, particularly the ones that you will be sending to clients for them to run as Lua.

This includes and is not limited to:
* Most SWEPs
* All UI/HUD elements
* Basically anything that shows something on your monitor (i.e. shitty pointshop skins)

To use
string.Lock(string,password) will return an encrypted string.
string.UnLock(string,password) will return an unencrypted string.
IncludeCSLuaFile(dir) on the server is the same thing as AddCSLuaFile’ing a file and then including it clientside.


Don’t bother replying if you’re going to say “omg you’re overreacting you can’t prevent them from getting the source code this has been around forever omg”. I know it’s been around forever but now it’s available to skiddies.
If you have a way to break this method, please post it so I can improve it.
This took me like 10 minutes to make.

I haven’t been into gmod for a bit but if there’s still scriptenforcer bypasses or ways to run code then this is not safe at all and can be easily “cracked” using the functions you provided and the password you send to the client.

The War of Lua has reached DEFCON 2, what’s next? Stand by for live coverage on the Developers Discussion forums!

It’s War of the Servers all over again.

“They fought with contraptions… Now, they fight with Lua. WAR OF THE SERVERS 2”

Great work, thanks!

All they have to do on the client to be able to steal your scripts again is redefine RunStringEx and check if the second param is ‘Downloaded Lua File’, and if so, save it to file.

People who knew how to use the bootil library have had the Lua decrypter forever. The reason bobbleheadbob made this is because now that was made available to people who knew jack about how the encoding worked. This takes it a step further, and requires people to take a step that skiddies will not be able to replicate. I very much appreciate this contribution.

Edit: Besides, you can change the clientside RunStringEx to whatever identifier you’d like. Make it change every time the Lua environment is created. Easy fix.

What do you mean change the identifier? Like change the second parameter to RunStringEx? If so, it’s still possible, just don’t check it and save every RunString/RunStringEx.

The “DownloadLua” net message is rewritten every .1 seconds. You can’t get your hands on the info sent by it without a C++ module, which skids don’t have.

Furthermore, RunStringEx has been updated to restore its original functionality every .1 seconds as well.

Thank you both for your contributions.

Granted, they could do that. I haven’t looked at the encryption method, but I’m sure it wouldn’t be too hard to remove any whitespace and have the entire code be put into one line. More obfuscation won’t make it impossible, but definitely much more difficult to parse, especially if you split your code into multiple files. You could also insert artificial noise that will make it even more annoying to search through each saved file and read the code from it.

This is pretty awful, to be honest. You can do as many loop-de-loops, twists, turns, and encryption methods as you want: the end result is running the string, which can be overwritten.

Bob, what about writing this as a module for gmod? I’m not a C/C++ coder, so I don’t know, but would writing it at the module level give you more control over the client’s ability to intercept the data? Or even defeat a secondary module from reading the code?

In all honesty your guess would be just as good as mine.

And that would be a bad idea because you can’t install modules on clients. This is made to run on any server and any client.

Oh right. Clients would need the module as well. If Garry decides to change it, he could do that himself quite easily, by making the module required.

That would require DefCon 1.

How exactly is this used?


The code from penis.lua isn’t getting run.

That still doesn’t stop RunStringEx from being redefined, if an injected script gets run before your code, then you’ll just be redefining the custom one over and over.

Fuck me sideways I forgot to util.AddNetworkString().
Fixed. Redownload it.

In response…

Alright. Making use of the debug library, if the function isn’t defined in C then it won’t run, essentially stopping all clientside script downloading.
They can break their own gameplay all they want.
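
The debug-library check described in the post above, as an added example that is not part of the original thread or of the LuaEncrypter code. It runs in a plain Lua 5.1/LuaJIT interpreter; `guarded`, `find_replaced` and `run_downloaded` are hypothetical names, and standard-library natives stand in for RunStringEx so no Garry's Mod API is needed.

```lua
-- Added example: stand-alone Lua 5.1/LuaJIT, no Garry's Mod APIs required.
-- All names below are hypothetical and do not come from LuaEncrypter.

-- Functions the loader depends on. In Garry's Mod this list would name
-- RunStringEx; here standard-library natives stand in for it.
local guarded = { "print", "tostring", "pcall" }

-- Return the names whose current value in `env` is not a C function.
-- debug.getinfo(fn, "S").what is "C" for natives and "Lua" for anything
-- defined (or wrapped) in Lua.
local function find_replaced(env, names)
    local replaced = {}
    for _, name in ipairs(names) do
        local fn = env[name]
        local info = type(fn) == "function" and debug.getinfo(fn, "S")
        if not info or info.what ~= "C" then
            replaced[#replaced + 1] = name
        end
    end
    return replaced
end

-- Run `chunk` only when every guarded function is still native.
local function run_downloaded(env, names, chunk)
    local replaced = find_replaced(env, names)
    if #replaced > 0 then
        return false, "refusing to run, replaced: " .. table.concat(replaced, ", ")
    end
    return true, chunk()
end

-- Constructed demo: a clean environment, then one with a Lua wrapper
-- installed over a native function.
local env = { print = print, tostring = tostring, pcall = pcall }
local chunk = function() return "chunk ran" end
print(run_downloaded(env, guarded, chunk))

local original = env.print
env.print = function(...) return original(...) end
print(run_downloaded(env, guarded, chunk))

-- Limitation: debug.getinfo lives in the same client Lua state as the
-- functions it inspects, so this check is only as trustworthy as that state.
```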

Precisely. And I’m not trying to be a debbie downer or a negative nancy, because I actually want this to work. I tried something like this (in C++) but I found out that it was far too easy to bypass it, so I stopped working on it. There are too many things to consider when trying to make something like this, which is what makes me believe it’s just not worth it if someone can crack it in a second.

Oh, and it’s still not working.


My script isn’t running and there are no errors. It should just print out “hi”.