@tarek.alkhen, when you say that you “decompiled your lua script”, do you mean a plain Lua script or an Corona app (Corona uses a slightly modified version of Lua and, from my knowledge, the luadec does not work with Corona (Can anyone confirm this?)
I had once to obfuscate my Corona/Lua code due to contract requirements (it was one of the technical requirements of the client). I end up doing it manually (don’t recommend it), since I didn’t find any tool ready-to-use that would work nicely with Corona.
My opinion is: unless you have a ready-to-use tool/script that would obfuscate your code all at one in a very simple manner, I wouldn’t bother with it since it would not be worthy. You would be much better adding other security features first (like Keychain, encryption, certificate pinning,…).
@RedBeach, let me explain what exercise I did to reach my conclusion.
I issued my first Corona application and generated the apk file for Android using Corona build tool, then I extracted the resource.car that Corona had generated within the output apk file, and used a tool to unpack the CAR file and generate the compile lua scripts file, then I used the lua decompiler tool in order to decompile these files, and I got the surprise here that I reached to my original lua scripts in plain text and without any obfuscation.
However, when I did the same steps on one of the Android application deployed on Google play and had been built using Corona (does not belong to me) I got a plain text lua file but with a lot of obfuscation below is a sample of the obfuscated code:
if _UPVALUE0_.couponForm and _UPVALUE0_.couponForm.bgOverlay then
_UPVALUE0_.couponForm.bgOverlay:removeSelf()
_UPVALUE0_.couponForm.bgOverlay = nil
end
if _UPVALUE0_.couponForm and _UPVALUE0_.couponForm.removeSelf then
_UPVALUE0_.couponForm:removeSelf()
_UPVALUE0_.couponForm = nil
end
_UPVALUE1_.feedbackVisible = false
Would you mind sharing the 2 tools that you use? (Unpck the CAR and to decompile the files)?
I agree with the author’s last few lines:
I’d like to emphasis that I personally think buying or downloading a cheat for a game is lame and those who do that just deserve a trojan. However, hacking a game is really something fun that one should try. It requires patience, and a capability to keep a clear mind even after hours of work leading nowhere.
I don’t know where the author of the game stands on this , but I know that this is the kind of thing I did with games when I was a kid (of course that was in the DOS days and way… before mobile). It is a learning experience and not a bad thing.
Now, I might not have shared HOW I did it like this writer did, but the fact that s/he did it is not really a bad thing.
Hence, I would like to get back to my main question, I believe there is a method that you can apply it to your Lua scripts in order to do some obfuscation that makes it’s more harder to be readable after doing the reverse engineering, and I still looking forward to someone used it to share who to did it.
@tarek.alkhen, did you use luadec? Because I don’t think it works with Corona.
yes, I just used it in my compiled scripts and it reverses my script back to the original state.
@tarek.alkhen, you can find several obfuscation tools on the internet.
Here is a link for one of them: https://github.com/jirutka/luasrcdiet
And a more generic list: http://lua-users.org/wiki/LuaTools
@tarek.alkhen
I have come up with a solution to do this.
This game has most of the scripts secured (excluding main.lua):
asteroids.apk (https://github.com/roaminggamer/RG_FreeStuff/raw/master/ForumsImages/obfuscated/asteroids.apk)
Feel free to try cracking it and see what you get.
See this thread for more details:
https://forums.coronalabs.com/topic/71462-secure-my-code-lua-obfuscation-tool-service/
I imagine adding a server-side component to your app could obfuscate some of your code and definitely the game functionality.