Opinions on an encrypted Lua loader

So basically, for the past 2 weeks or so, my main project has been an encrypted Lua loader. Just a few minutes ago I got it to the point which I think it needs to receive user input.

Here are the features:

[li]AES 128 bit random key encryption[/li][li]RSA SHA-2 signature for validity[/li][li]Base64 encoded[/li][li]Can be run in any form of lua loading (RunScript, include, lua_openscript)[/li][li]Can be sent from the server to the client and loaded seamlessly[/li][li]Requires a module[/li][li]Uses a very good cloaking method to keep people from dumping scripts. Your source is safe with us.[/li][li]Eventually will include a compiled Lua loader. No one will be able to view the original source of your script even if they somehow manage to get it.[/li][/ul]

Here are my questions:

[li]Would you play on a gamemode that required you to download a .dll from a website before joining? GMT is an example of this.[/li][li]What are your opinions on closed source Lua projects?[/li][li]What ideas do you have for the loader’s future?[/li][/ul]
A note:

[li]Can easily be used in gamemodes. Serverside Lua would simply require the server to have a module, but any clientside Lua would require the client to have a module. You can use this to sell gamemodes to other people while still having open source clientside scripts.[/li][/ul]
And here’s a picture of it:

This is what that file was when it loaded:

if XLOAD then XLOAD() else Msg("This file requires XLoader 1.0 to run.
") end --|172|44|184|128|32|138|lulDHT22FUscW2/Aeo6+bch7SSouoXe+VdS5C0mqfEuqOrCc2IyahtgdPYy+1xZxBnmnqojY33Z7YdGAq+a7LzKU2P2ZmildIXqQlRfAoZ26lOPzlEzIgUbSSnJiGnz9rbZJYcSJcre+Dnj4yPCLd84gNnb6i8qB4vSwmQCJOFU=MSf1bscfYb+Cblodi04DEBJgCi2mZp9X9iJXQimAxL4=aTlUAMQEtQLOXIOz7sq/8U/3tIjhWEww1wyN4rhs1IdX2BmBlZQzQV913/Wq6LvdSw2ixzwUs7+s/73F5nTT2XOEr1KyXxKVcnUnQRzX9Vry1BwkF6sKl4679y/cdoydPjytKPmmSIkENB3BFgMeyPcTt2fQXa+osEPS684fy4BaM7UNCl3MXxp2

And you all thought it was impossible :dance:

  1. No.
  2. Nothing good will come from it. It’s the same thing as private gamemodes, but in a more secure form.
  3. I’d never run a script that was encrypted or obfuscated, so it has no future for me.

I don’t mean to say you are wasting time, since its your project and you can do what you want with it, I just feel it’s a bad idea and will not help the community in any manner.

Again, this project is mostly leaning towards serverside scripts only. I just thought I’d get a few opinions for kicks.

I would use it to prevent leaking the serverside files of my gamemode

I wouldn’t download a DLL for a gamemode unless it was REALLY good, but I can’t think of a gamemode out now that would fit that criteria.

I can see it useful for gamemodes sold for money, but overall, I don’t think it’s a good thing for the community because people will start releasing a lot of encrypted addons (which I don’t see as a positive force).

What’s to stop the attacker leaking it with the loader included?


Didnt think about that :v:

But i could easly include an exploit that nobody will ever find

As I told you already on Steam-Friends, it will probably block script-kiddies from getting onto it but still has a conceptional problem: You need to send the key to the client in order to make it run. This is the weakest point here and defeats the purpose of using any encryption.
It’s like locking your door but leaving the key in the lock usable for everyone.

But your hiding the key so not everyone will find it

I love your analogies.

It only takes one person to have the key, then everyone has it.

If you encrypt something it’s basically a challenge to everyone to decrypt it. Even if they don’t actually care about what you’ve encrypted. People will do it and leak it just to show how you can’t stop them doing it.

It will be locked to an IP if they so wish.


I’m fine with that, but I’m very confident enough in my code that it would take countless hours to complete.


I’m not saying it’s not possible, don’t get me wrong on that. Even if no one adopts it, I’ll be happy to have made it anyways :buddy:


Anyways, once it’s compiled, in the some off chance that you actually did crack it, all you would have is byte code.

Having the ability to load bytecode or obfuscated code on the client would only serve malicious intentions.

As far as the usefulness, at some point the ciphertext is decrypted and the plaintext (bytecode or plain lua) is loaded into Lua, where it can be dumped. But an even simpler method is to “reflect” or hook common functions to see what it’s doing, like watching the _G, GAMEMODE, or hook table to see what the script is doing.

As far as some of the features

* AES 128 bit random key encryption
  • The key has to be passed along with the script, either embedded into the module, the ciphertext, or a file, making this an obfuscation step.

    • RSA SHA-2 signature for validity
  • Same as above, you’d be better off doing private/public key if you wanted validity (but you can’t pass the public key with the ciphertext)

    • Base64 encoded
  • obfuscation

    • Uses a very good cloaking method to keep people from dumping scripts. Your source is safe with us.
  • obfuscation?

Opinion on closed source projects? If popularized it would lead to the stagnation and death of lua scripting. I learned everything from other people’s scripts.

AES is a constant and an obfuscated passed key
RSA is just for integrity
Base64 is to pass binary data in lua files
The cloaking method is just not exposing any parts of the script to people who want to dump it.

Again, none of this is secure. It’s simply obfuscated to an extreme level.


Although, it would be very nice to protect rather large private gamemodes. Allowing the user to make up their own password for the loader would be cool so that even if someone stole the loader, they’d need a password for it too.

I started learning GMod Lua from looking at other scripts since there was no wiki back then. Now there is a wiki with good documentation, so it’s not as much of an issue anymore.

Again, mostly for gamemode use. Not for addon use.

It will probbably be used mainly with the LuaMenu appstore

yeah this is pretty much it your module is going to get circumvented by someone and you might be sad but w/e

you have a pretty big ego tho(seems like it’s taken you countless hours to complete this module, I doubt reversing it would take half that time)

  1. no
  2. no
  3. make it open source

If I want so, I don’t really want to ship yet another module tbh atm.