Lua Obfuscation

RedBeach · January 10, 2018, 6:59am

@tarek.alkhen, when you say that you “decompiled your lua script”, do you mean a plain Lua script or an Corona app (Corona uses a slightly modified version of Lua and, from my knowledge, the luadec does not work with Corona (Can anyone confirm this?)

I had once to obfuscate my Corona/Lua code due to contract requirements (it was one of the technical requirements of the client). I end up doing it manually (don’t recommend it), since I didn’t find any tool ready-to-use that would work nicely with Corona.

My opinion is: unless you have a ready-to-use tool/script that would obfuscate your code all at one in a very simple manner, I wouldn’t bother with it since it would not be worthy. You would be much better adding other security features first (like Keychain, encryption, certificate pinning,…).

tarek.alkhen · January 10, 2018, 5:34pm

@RedBeach, let me explain what exercise I did to reach my conclusion.

I issued my first Corona application and generated the apk file for Android using Corona build tool, then I extracted the resource.car that Corona had generated within the output apk file, and used a tool to unpack the CAR file and generate the compile lua scripts file, then I used the lua decompiler tool in order to decompile these files, and I got the surprise here that I reached to my original lua scripts in plain text and without any obfuscation.

However, when I did the same steps on one of the Android application deployed on Google play and had been built using Corona (does not belong to me) I got a plain text lua file but with a lot of obfuscation below is a sample of the obfuscated code:

if _UPVALUE0_.couponForm and _UPVALUE0_.couponForm.bgOverlay then

_UPVALUE0_.couponForm.bgOverlay:removeSelf()

_UPVALUE0_.couponForm.bgOverlay = nil

end

if _UPVALUE0_.couponForm and _UPVALUE0_.couponForm.removeSelf then

_UPVALUE0_.couponForm:removeSelf()

_UPVALUE0_.couponForm = nil

end

_UPVALUE1_.feedbackVisible = false

RedBeach · January 10, 2018, 7:07pm

Would you mind sharing the 2 tools that you use? (Unpck the CAR and to decompile the files)?

tarek.alkhen · January 10, 2018, 10:17pm

@RedBeach may you can have a look at below blog

https://hmil.github.io/2015/02/hacking-funrun2-how-to-reverse-engineer-a-corona-app/

roaminggamer · January 10, 2018, 10:29pm

I agree with the author’s last few lines:

I’d like to emphasis that I personally think buying or downloading a cheat for a game is lame and those who do that just deserve a trojan. However, hacking a game is really something fun that one should try. It requires patience, and a capability to keep a clear mind even after hours of work leading nowhere.

I don’t know where the author of the game stands on this , but I know that this is the kind of thing I did with games when I was a kid (of course that was in the DOS days and way… before mobile). It is a learning experience and not a bad thing.

Now, I might not have shared HOW I did it like this writer did, but the fact that s/he did it is not really a bad thing.

tarek.alkhen · January 10, 2018, 10:36pm

Hence, I would like to get back to my main question, I believe there is a method that you can apply it to your Lua scripts in order to do some obfuscation that makes it’s more harder to be readable after doing the reverse engineering, and I still looking forward to someone used it to share who to did it.