Secure My Code - Lua Obfuscation Tool & Service

TL;DR - I can ‘secure’ your game code or sell you a tool to do it via the marketplace.  Would you be interested?

The Idea

Over the many years I’ve been a member of these forums, one of the top questions I’ve seen is,

Can I secure / encrypt / obfuscate / … my code to prevent people from being able to decode / decompile / … it?

The answer has always been one or more of these:

  • Yes, but it won’t stop the dedicated hackers.
  • No, there isn’t a free tool or even a paid tool to do this that is compatible with Corona.

The Solution

I recently saw this question again and it occurred to me, “I can do that!” 

My question for you is, “Is it worth me making a paid tool to do this?”  AND/OR “Would you pay me to do this on a case by case basis for you?”  

I’m thinking:

  • I will sell an interactive tool (in the marketplace) that allows you to secure your own scripts in an easy push-button way.
  • I will provide a service where I do the work and send you back the encoded scripts.

I figure, the tool will be $100 and the service will be $25.

However, before I bother making the tool I need to know if anyone even thinks this would be worthwhile for them.

Example

This game has been secured: asteroids.apk (https://github.com/roaminggamer/RG_FreeStuff/raw/master/ForumsImages/obfuscated/asteroids.apk)

Here is a sample of an original script: 

https://raw.githubusercontent.com/roaminggamer/RG_FreeStuff/master/ForumsImages/obfuscated/orig/asteroid.lua

    local asteroidM = {}

    -- Builder Function
    --
    function asteroidM.new( params )
       -- Draw an 'empty hole'
       local asteroid = newImageRect( common.layers.content, "images/kenney/asteroid.png", common.asteroidW, common.asteroidH )
       asteroid.x = params.x
       asteroid.y = params.y
       physics.addBody( asteroid, "dynamic", { radius = common.asteroidW/2} )
       asteroid.isSensor = true

       -- Track this asteroid in the list of known asteroids
       common.asteroids[asteroid] = asteroid

       -- Set velocity of asteroid
       local vx,vy = util.angle2Vector( params.angle )
       local rate = mRand( params.minRate, params.maxRate )
       asteroid:setLinearVelocity( vx * rate, vy * rate )

       -- Give asteroid a random spin
       --
       asteroid.angularVelocity = mRand( -90, 90 )

And the same code, but obfuscated:

https://raw.githubusercontent.com/roaminggamer/RG_FreeStuff/master/ForumsImages/obfuscated/secure/asteroid.luao

~Y`}~v}#y$=YVapvAvP+ 55vm:V~a$=vc:-`yVY- 55 F:-`yVY-v}#y$=YVap.-$h*vM}=}j#vz 55v(=}hv}-v'$jMy8v)Y~$' ~Y`}~v}#y$=YVavAv-$hTj}\<$ $`y*v`YjjY-.~}8$=#.`Y-y$-y? "Vj}\<$#OG$--$8O}#y$=YVa.M-\<"? `YjjY-.}#y$=YVaS?v`YjjY-.}#y$=YVaovz }#y$=YVa.evAvM}=}j#.e }#y$=YVa.8vAvM}=}j#.8 M)8#V`#.}aamYa8\*v}#y$=YVa?v"a8-}jV`"?vPv=}aV:#vAv`YjjY-.}#y$=YVaSOB+vz }#y$=YVa.V#\_$-#Y=vAvy=:$ 55vn=}`Gvy)V#v}#y$=YVavV-vy)$v~V#yvYFvG-Yh-v}#y$=YVa# `YjjY-.}#y$=YVa#b}#y$=YVa,vAv}#y$=YVa 55v\_$yvK$~Y`Vy8vYFv}#y$=YVa ~Y`}~vKe?K8vAv:yV~.}-\<~$Bq$`yY=*vM}=}j#.}-\<~$vz ~Y`}~v=}y$vAvj }-a\*vM}=}j#.jV- }y$?vM}=}j#.j}e }y$vz }#y$=YVaL#$yCV-$}=q$~Y`Vy8\*vKev/v=}y$?vK8v/v=}y$vz 55v4VK$v}#y$=YVav}v=}-aYjv#MV-

All comments are welcomed!

In case anyone is wondering and should want to ask. 

“Yes,” there is a little secret sauce to make this work and I’m not sharing. 

Sorry…

I am very impressed. The service or the product isn’t for me, but the pricing sounds reasonable. My code is so crappy and derivative that it wouldn’t make any sense for anybody to try and steal it and if they did more power to them.

That being said somebody did take my tictaczoo code, changed the pictures, and resubmitted it to the android store. I could see how that could be disruptive to somebody else.

Adrian

first, no intent here to bash your efforts toward a worthy goal of additional security, but…

is your assertion (purpose of providing the apk) that this obfuscation (substitution cipher on source code) will prevent (or even deter at all) someone whose intent was to decompile the apk (which contains compiled vm code, not source code)?

agreed that this question is asked way too many times in the forum, but i’m not convinced that this actually solves the problem…

my understanding from past threads is that most ppl are concerned about protecting any “secrets” that might be embedded in their code (user id’s, app keys, ad keys, account#'s, url secret auth info, etc/whatever) moreso than game mechanics.  (fe: what code did they use to move that asteroid? aha!  setLinearVelocity!  woohoo!! == no big deal if they stole that)   but your apk still contains all your “secrets” in plaintext (see pm, no wish to publicize it)
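
The reply above raises the concern that keys and other secrets embedded in code still ship with the app. As an added example (not code from any poster in this thread), here is a pre-release check in Python that flags string literals in Lua source that look like embedded secrets; the sample module, the name hints and the entropy threshold are constructed assumptions.

```python
import math
import re

# Constructed sample module; every key, URL and token below is made up.
SAMPLE_LUA = r'''
local M = {}
-- apiKey = "left over in a comment, must be ignored"
M.adKey = "ca-app-pub-0000000000000000/1111111111"
local endpoint = "https://example.invalid/login?t=Zx9Qp2Lk8Vb4Tn6Rm1Ws"
local title = "Asteroids -- the game"
local sprite = "images/kenney/asteroid.png"
return M
'''

# One pass that recognises strings before comments, so "--" inside a
# string is not mistaken for a comment (level-0 long comments only).
TOKEN = re.compile(
    r'''(?P<s>"(?:\\.|[^"\\\n])*"|'(?:\\.|[^'\\\n])*')'''
    r'''|--\[\[.*?\]\]|--[^\n]*''', re.S)
ASSIGN = re.compile(r'''([\w.]+)\s*=\s*("(?:\\.|[^"\\\n])*"|'(?:\\.|[^'\\\n])*')''')
NAME_HINT = re.compile(r"key|secret|token|passw|auth|account", re.I)
TOKEN_RUN = re.compile(r"[A-Za-z0-9_-]{16,}")

def entropy(s):
    """Shannon entropy in bits per character."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def find_secret_literals(lua_source, min_entropy=3.5):
    """Return (name, reason) for string assignments that look like secrets."""
    # Drop comments but keep string literals exactly as written.
    code = TOKEN.sub(lambda m: m.group("s") or "", lua_source)
    findings = []
    for name, literal in ASSIGN.findall(code):
        value = literal[1:-1]
        if NAME_HINT.search(name):
            findings.append((name, "name"))
        elif any(entropy(run) >= min_entropy for run in TOKEN_RUN.findall(value)):
            findings.append((name, "entropy"))
    return findings

if __name__ == "__main__":
    for name, reason in find_secret_literals(SAMPLE_LUA):
        print(f"{name}: flagged by {reason}")
```

Anything this flags is a candidate for moving out of the shipped code, for example behind a server the app authenticates to.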

@Dave,

Focused On Code Reverse Engineering

Thanks.  This solution is focused on making it harder for script-kiddies to casually steal code.

Not Focused on Data Security

Regarding data safety, that has to be done by encrypting and decrypting data assets.  That is on the user to implement, but if they obfuscate their encrypt/decrypt code they’ll be a little better off.

Scratching The Itch

As you and I know this is a regularly asked question.

Knowing I could do something to make this a little harder (casual code theft) to achieve I scratched the itch and came up with something.

@all - Thanks for the feedback!

I would pay for this.  Every little hurdle helps.  I would prefer a marketplace app.

The way I see it, every little barrier increases the tedium of hacking our project and decreases the number of people who have the skill and desire to hack your project.  If you can make it difficult enough that it takes an increased amount of knowledge and skill to hack your app, then the people with that skill level might rather spend their time on their own app.

That used to be my philosophy as a Flash developer back in the day.

Hey @roaminggamer
I’m interested in your offer, but I do prefer an Asset Packaging module.