Lua Obfuscation

Hi everyone,

I would appreciate it if someone could guide me on how I can obfuscate my Lua scripts before publishing my Corona application to the target store.

Thanks,

Don’t bother.  Your scripts are already compiled.

Regardless of what you do, if someone REALLY wants to reverse engineer your scripts they can, but for the average person, the fact that your scripts are compiled is enough deterrent.

PS - This is a regularly occurring question and the answer is always the same …

“Here look at the different ways…”

“Wow! These are all hard to implement and/or don’t work…”

“See how pointless it is?”

“Yes, I agree it’s pointless. I guess I’ll just spend my energy on my game development.”

I’m being straight in my answer and trying to help you cut to the chase.  Your effort is better spent on game development.

Note: If your goal is to protect against cheating, that too is a waste.  Users should be allowed to cheat if they want.  It is their experience.

If however you want to prevent cheating to keep users from ruining shared MP experiences, you can use a server as the authority in your game.  Controlling the server code makes it hard for users to cheat.

Thanks, my friend, for your answer. Actually, when I tried to decompile my compiled Lua scripts I just got my code in a well-formatted and readable form. However, when I checked another Corona app published on Google Play, not related to me, and tried to decompile the Lua scripts inside it, I got obfuscated code which I found really hard to read. Below is a sample of the decompiled code:

    if _UPVALUE0_.couponForm and _UPVALUE0_.couponForm.bgOverlay then
      _UPVALUE0_.couponForm.bgOverlay:removeSelf()
      _UPVALUE0_.couponForm.bgOverlay = nil
    end
    if _UPVALUE0_.couponForm and _UPVALUE0_.couponForm.removeSelf then
      _UPVALUE0_.couponForm:removeSelf()
      _UPVALUE0_.couponForm = nil
    end
    _UPVALUE1_.feedbackVisible = false

I worked hard just to find out, for example, which object the variable _UPVALUE0_ refers to, with no luck, which means that such obfuscation makes the code really hard to reverse.

You missed my point.  You’re wasting your time.  Focus on paying and non-cheating customers. 

Trying to stop cheaters, IAP hackers, etc. is a big waste of time.

Also, if you think you can keep folks from stealing your game and re-packaging it in foreign countries… that’s not realistic either.  It is too easy to do all these things today.  

I know this isn’t the answer you want to hear so I’ll leave it at this.  If anyone else wants to chime in, please do.

Note: I researched this in the past out of curiosity and never found any great ways to do this that were easy to integrate with Corona without needing to do native coding.  

Question: Is your game done and ready to publish? 

Question 2: Specifically what are you hoping to stop users from doing.  Be very specific.  

What I’m reading so far is, “I don’t want people to be able to decompile my code.”  I’m not hearing why and I don’t hear what you’re worried they will do with this code.

@tarek.alkhen, when you say that you “decompiled your lua script”, do you mean a plain Lua script or a Corona app? (Corona uses a slightly modified version of Lua and, to my knowledge, luadec does not work with Corona. Can anyone confirm this?)

I once had to obfuscate my Corona/Lua code due to contract requirements (it was one of the technical requirements of the client). I ended up doing it manually (don’t recommend it), since I didn’t find any ready-to-use tool that would work nicely with Corona.

My opinion is: unless you have a ready-to-use tool/script that would obfuscate your code all at once in a very simple manner, I wouldn’t bother with it since it would not be worth it. You would be much better off adding other security features first (like Keychain, encryption, certificate pinning, …).

@RedBeach, let me explain what exercise I did to reach my conclusion.

I issued my first Corona application and generated the APK file for Android using the Corona build tool. Then I extracted the resource.car that Corona had generated within the output APK file, used a tool to unpack the CAR file and produce the compiled Lua script files, and then used a Lua decompiler tool to decompile these files. To my surprise, I got back my original Lua scripts in plain text, without any obfuscation.

However, when I did the same steps on one of the Android applications deployed on Google Play and built using Corona (it does not belong to me), I got a plain-text Lua file but with a lot of obfuscation. Below is a sample of the obfuscated code:

    if _UPVALUE0_.couponForm and _UPVALUE0_.couponForm.bgOverlay then
      _UPVALUE0_.couponForm.bgOverlay:removeSelf()
      _UPVALUE0_.couponForm.bgOverlay = nil
    end
    if _UPVALUE0_.couponForm and _UPVALUE0_.couponForm.removeSelf then
      _UPVALUE0_.couponForm:removeSelf()
      _UPVALUE0_.couponForm = nil
    end
    _UPVALUE1_.feedbackVisible = false

Would you mind sharing the 2 tools that you used (to unpack the CAR and to decompile the files)?

@RedBeach, maybe you can have a look at the blog below:

https://hmil.github.io/2015/02/hacking-funrun2-how-to-reverse-engineer-a-corona-app/

I agree with the author’s last few lines:

I’d like to emphasize that I personally think buying or downloading a cheat for a game is lame and those who do that just deserve a trojan. However, hacking a game is really something fun that one should try. It requires patience, and a capability to keep a clear mind even after hours of work leading nowhere.

I don’t know where the author of the game stands on this, but I know that this is the kind of thing I did with games when I was a kid (of course that was in the DOS days and way… before mobile).  It is a learning experience and not a bad thing.

Now, I might not have shared HOW I did it like this writer did, but the fact that s/he did it is not really a bad thing.

Hence, I would like to get back to my main question. I believe there is a method that you can apply to your Lua scripts to do some obfuscation that makes them harder to read after reverse engineering, and I am still looking forward to someone who has used it sharing how they did it.

@tarek.alkhen, did you use luadec? Because I don’t think it works with Corona.

Yes, I just used it on my compiled scripts and it reverses my script back to the original state.

@tarek.alkhen, you can find several obfuscation tools on the internet.

Here is a link for one of them: https://github.com/jirutka/luasrcdiet

And a more generic list: http://lua-users.org/wiki/LuaTools

@tarek.alkhen

I have come up with a solution to do this.

This game has most of the scripts secured (excluding main.lua):

asteroids.apk  (https://github.com/roaminggamer/RG_FreeStuff/raw/master/ForumsImages/obfuscated/asteroids.apk)

Feel free to try cracking it and see what you get.

See this thread for more details:

https://forums.coronalabs.com/topic/71462-secure-my-code-lua-obfuscation-tool-service/

I imagine adding a server-side component to your app could obfuscate some of your code and definitely the game functionality.
