[BUG] string encryption dumped

[fc577294c34e0b28ad2839435945]

Describe the bug
You can easily dump strings in scripts that had EncryptStrings applied by finding " .. " and inserting print() in each result

Expected behavior
It should be harder to find the string decryption.

To Reproduce
Steps to reproduce the behavior:

1. Obfuscate with strong preset and use LuaU as the luaVersion:

• AntiTamper's UseDebug must be set to false

local constant = "Hello world!"
print(constant)

print("Hello world 2!")

2. Beautify obfuscated code
3. Find " .. " with Ctrl+F (include the spaces)
4. Add print() to each result

L_87_ = L_69_ .. L_82_
print(L_87_);

5. Reminify and run the code

Screenshots

Additional context
https://paste.ee/p/62huP - Obfuscated code with strong preset
https://paste.ee/p/8yfqO - Beautified code with print() inserted
https://paste.ee/p/NMisF - Reminified code

[levno-710]

If somebody has an Idea on how to fix this flaw, please tell me.
It would be possible to use string functions like string.gsub or table.concat, but those could easily be hooked.
The other option would be, to spam a lot of fake strings through the decryption function, so that the real ones can't be identified, but that would make the code much slower.

[fc577294c34e0b28ad2839435945]

If somebody has an Idea on how to fix this flaw, please tell me. It would be possible to use string functions like string.gsub or table.concat, but those could easily be hooked. The other option would be, to spam a lot of fake strings through the decryption function, so that the real ones can't be identified, but that would make the code much slower.

Applying SplitStrings (inline) + ProxifyLocals seem to solve this issue, but at the cost of performance.

Doing the string.gsub way will probably only work in LuaU (string:gsub() not string.gsub), since this can be hooked in Lua5.1 but not LuaU (unless there are also ways to hook :gsub() in LuaU)

I suggest to change the decryption function into what calls multiple different functions with their own purpose (returning chunks of the decrypted string, concatenation, etc.), which are randomly generated.

But there may be better ideas than what I said (that might be easier to implement).

[SpinnySpiwal]

I'm going to attempt to add fake strings somehow, one idea is to have 3 different functions all which have part of the string and have these shuffled each time and speak to each other somehow to combine them, obfuscation is about differentiation in the code each time

[SpinnySpiwal]

UPDATE: I now have my own proprietary step for Prometheus to decrypt strings and then replace the function calls/decryption payload(s) with the original string. Remember, nothing is secure, not forever at least.