[BUG] string encryption dumped #139

Open
fc577294c34e0b28ad2839435945 opened this issue Jun 29, 2023 · 3 comments
Labels
bug Something isn't working

Comments

@fc577294c34e0b28ad2839435945

Describe the bug
You can easily dump strings in scripts that had EncryptStrings applied by finding " .. " and inserting print() in each result

Expected behavior
It should be harder to find the string decryption.

To Reproduce
Steps to reproduce the behavior:

  1. Obfuscate with strong preset and use LuaU as the luaVersion:
     • AntiTamper's UseDebug must be set to false

```lua
local constant = "Hello world!"
print(constant)

print("Hello world 2!")
```

  2. Beautify obfuscated code
  3. Find " .. " with Ctrl+F (include the spaces)
  4. Add print() to each result

```lua
L_87_ = L_69_ .. L_82_
print(L_87_);
```

  5. Reminify and run the code

Additional context
https://paste.ee/p/62huP - Obfuscated code with strong preset
https://paste.ee/p/8yfqO - Beautified code with print() inserted
https://paste.ee/p/NMisF - Reminified code

@levno-710
Member

levno-710 commented Jun 29, 2023

If somebody has an idea on how to fix this flaw, please tell me.
It would be possible to use string functions like string.gsub or table.concat, but those could easily be hooked.
The other option would be to spam a lot of fake strings through the decryption function, so that the real ones can't be identified, but that would make the code much slower.

@fc577294c34e0b28ad2839435945
Author

> If somebody has an idea on how to fix this flaw, please tell me. It would be possible to use string functions like string.gsub or table.concat, but those could easily be hooked. The other option would be to spam a lot of fake strings through the decryption function, so that the real ones can't be identified, but that would make the code much slower.

Applying SplitStrings (inline) + ProxifyLocals seems to solve this issue, but at the cost of performance.

Doing the string.gsub way will probably only work in LuaU (string:gsub() not string.gsub), since this can be hooked in Lua5.1 but not LuaU (unless there are also ways to hook :gsub() in LuaU)

I suggest changing the decryption function into one that calls multiple different functions with their own purpose (returning chunks of the decrypted string, concatenation, etc.), which are randomly generated.

But there may be better ideas than what I said (that might be easier to implement).

@SpinnySpiwal
Contributor

I'm going to attempt to add fake strings somehow. One idea is to have 3 different functions, all of which have part of the string, and have these shuffled each time and speak to each other somehow to combine them. Obfuscation is about differentiation in the code each time.
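
The decoy-string idea raised in the comments, as an added toy model in Lua that is not part of the thread and not Prometheus code. The cipher, the `observed` log (standing in for the inserted print()), the decoy strings and all function names are assumptions made for illustration; encryption runs inline only to keep the example self-contained.

```lua
-- Added illustration, not Prometheus code. Toy cipher: byte addition with an
-- LCG keystream (no bit ops, so it runs on Lua 5.1 and Luau alike).
local function keystream(seed)
  local s = seed
  return function()
    s = (s * 1103 + 12345) % 65536
    return s % 256
  end
end
local function encrypt(plain, seed)
  local ks, out = keystream(seed), {}
  for i = 1, #plain do
    out[i] = string.char((plain:byte(i) + ks()) % 256)
  end
  return table.concat(out)
end

-- 'observed' models the print() the issue inserts after " .. ". For brevity
-- it records only the finished value, not every partial concatenation.
local observed = {}
local function decrypt(cipher, seed)
  local ks, acc = keystream(seed), ""
  for i = 1, #cipher do
    acc = acc .. string.char((cipher:byte(i) - ks()) % 256)
  end
  observed[#observed + 1] = acc -- the plaintext exists as one value here
  return acc
end

local real = { "Hello world!", "Hello world 2!" }             -- from the issue
local fake = { "Hello there!", "Invalid key", "Retry later" } -- constructed decoys
local is_real = {}
for _, s in ipairs(real) do is_real[s] = true end

-- Decrypt each real string after `n` decoys whose results are thrown away.
-- Returns how many values were observed and how many of those were real.
local function run(n)
  observed = {}
  for i, s in ipairs(real) do
    for j = 1, n do
      decrypt(encrypt(fake[(i + j) % #fake + 1], 100 * i + j), 100 * i + j)
    end
    assert(decrypt(encrypt(s, i), i) == s) -- round trip of the real string
  end
  local hits = 0
  for _, v in ipairs(observed) do if is_real[v] then hits = hits + 1 end end
  return #observed, hits
end
for _, n in ipairs({ 0, 3 }) do
  print(("%d decoys per string: %d values observed, %d real"):format(n, run(n)))
end
```

Every decoy costs a full decryption, so the work grows as 1 + n calls per real string, which is the slowdown the comment above anticipates.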
