Prometheus
[BUG] string encryption dumped
Describe the bug
You can easily dump strings in scripts that had EncryptStrings applied by finding " .. " and inserting print() in each result.
Expected behavior
It should be harder to find the string decryption.
To Reproduce Steps to reproduce the behavior:
- Obfuscate with strong preset and use LuaU as the luaVersion:
- AntiTamper's UseDebug must be set to false
    local constant = "Hello world!"
    print(constant)
    print("Hello world 2!")
- Beautify obfuscated code
- Find " .. " with Ctrl+F (include the spaces)
- Add print() to each result
    L_87_ = L_69_ .. L_82_
    print(L_87_);
- Reminify and run the code
Additional context
- https://paste.ee/p/62huP - Obfuscated code with strong preset
- https://paste.ee/p/8yfqO - Beautified code with print() inserted
- https://paste.ee/p/NMisF - Reminified code
If somebody has an idea on how to fix this flaw, please tell me. It would be possible to use string functions like string.gsub or table.concat, but those could easily be hooked. The other option would be to spam a lot of fake strings through the decryption function so that the real ones can't be identified, but that would make the code much slower.
Applying SplitStrings (inline) + ProxifyLocals seems to solve this issue, but at the cost of performance.
Doing the string.gsub way will probably only work in LuaU (string:gsub() not string.gsub), since this can be hooked in Lua5.1 but not LuaU (unless there are also ways to hook :gsub() in LuaU)
I suggest changing the decryption function into one that calls multiple different functions with their own purpose (returning chunks of the decrypted string, concatenation, etc.), which are randomly generated.
But there may be better ideas than what I said (that might be easier to implement).
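The point about string.gsub being hookable in Lua5.1, as an added example (not Prometheus code and not from any commenter): in stock Lua 5.1 a method call such as s:gsub() resolves through the string metatable to the same string table, so replacing string.gsub observes both call styles, and a debug.getinfo check can flag a replacement written in Lua. The names is_native, find_hooked and watched are hypothetical, and the logging hook is a constructed stand-in.

```lua
-- Added example for stock Lua 5.1 with the debug library available.
-- All helper names below are hypothetical; nothing here is Prometheus code.

-- Capture references before any untrusted code has a chance to run.
local real_gsub = string.gsub
local getinfo = debug.getinfo

-- True when f is implemented in C, as every stock string function is.
local function is_native(f)
  return type(f) == "function" and getinfo(f, "S").what == "C"
end

-- Returns the names of string-library entries that are no longer native.
local function find_hooked(names)
  local hooked = {}
  for _, name in ipairs(names) do
    if not is_native(string[name]) then
      hooked[#hooked + 1] = name
    end
  end
  return hooked
end

local watched = { "gsub", "char", "byte", "sub" }
assert(#find_hooked(watched) == 0) -- clean environment: nothing flagged

-- Constructed stand-in for a logging hook installed by whoever runs the script.
local seen = {}
string.gsub = function(s, ...)
  seen[#seen + 1] = s
  return real_gsub(s, ...)
end

-- The method form goes through getmetatable("").__index, which is the
-- string table itself, so the replaced field is what gets called.
local out = ("Hello world!"):gsub("world", "there")
assert(out == "Hello there!")
assert(seen[1] == "Hello world!") -- the hook saw the method call as well

-- The integrity check reports exactly the replaced entry.
local hooked = find_hooked(watched)
assert(#hooked == 1 and hooked[1] == "gsub")

string.gsub = real_gsub -- restore the original for anything that runs later
print("hooked: " .. table.concat(hooked, ", "))
```

The check only catches replacements written in Lua, and it trusts the debug.getinfo reference captured at load time.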
I'm going to attempt to add fake strings somehow. One idea is to have 3 different functions, all of which have part of the string, and have these shuffled each time and speak to each other somehow to combine them. Obfuscation is about differentiation in the code each time.