lua code deobfuscation

Question

I\'ve recently downloaded some lua code and what I found inside was some obfuscated string. That made me wonder what sort of obfuscation technique was used there. Does anybo

Answer 1

The tricky part is that loadstring and related functions accepts both lua code and lua byte code. That call to loadstring is just being passed byte compiled lua rather than lua source code.

You can get byte compiled lua easily. You can get an example like this

• Create a lua file.
• Compile it with luac to generate lauc.out
• Look at the file content with a hex viewer.

For an empty lua file I get:

0000000: 1b4c 7561 5100 0104 0804 0800 0900 0000  .LuaQ...........
0000010: 0000 0000 4066 6f6f 2e6c 7561 0000 0000  ....@foo.lua....
0000020: 0000 0000 0000 0002 0201 0000 001e 0080  ................
0000030: 0000 0000 0000 0000 0001 0000 0001 0000  ................
0000040: 0000 0000 0000 0000 00                   .........

A translation of the first 8 bytes into decimal is:

27, 76, 117, 97, 81, 0, 1, 4

Which matches the escaped characters in your string.

If you want further details on what the code in the chunk does you'll need to write the chunk out to file and use a lua decompilation tool to investigate. ChunkSpy, luadec15 and unluac are both mentioned in the lua wiki tools page.

There's not enough content in the chunk you've provided for me to take it further, I assume its truncated?