Prometheus
[BUG] VM easily dumped
Describe the bug
The bug is:

    local n,s,f,l,e,k,D,r,Y,y,h,j,O,J,Q,P,p,C5,c,x,o,R,u,a,q,Z,z,K,W,t5,N,L,A,S while B do

The above code represents the local variables of a strong preset file. It can easily be dumped by doing:

    local n,s,f,l,e,k,D,r,Y,y,h,j,O,J,Q,P,p,C5,c,x,o,R,u,a,q,Z,z,K,W,t5,N,L,A,S while B do print(n,s,f,l,e,k,D,r,Y,y,h,j,O,J,Q,P,p,C5,c,x,o,R,u,a,q,Z,z,K,W,t5,N,L,A,S)

and then sending the output to another file using e.g.

    lua output.lua > log
To Reproduce
Steps to reproduce the behavior:
1. Obfuscate a file using the strong preset.
2. Open the file and search for something which looks similar to

       local n,s,f,l,e,k,D,r,Y,y,h,j,O,J,Q,P,p,C5,c,x,o,R,u,a,q,Z,z,K,W,t5,N,L,A,S while B do

3. Copy the local names and paste them into a print function like:

       print(n,s,f,l,e,k,D,r,Y,y,h,j,O,J,Q,P,p,C5,c,x,o,R,u,a,q,Z,z,K,W,t5,N,L,A,S)

   The result should be similar to:

       local n,s,f,l,e,k,D,r,Y,y,h,j,O,J,Q,P,p,C5,c,x,o,R,u,a,q,Z,z,K,W,t5,N,L,A,S while B do print(n,s,f,l,e,k,D,r,Y,y,h,j,O,J,Q,P,p,C5,c,x,o,R,u,a,q,Z,z,K,W,t5,N,L,A,S) ....

4. Run the file and output it to something like > log.
Additional context
This is a critical flaw since it can expose function addresses, line info leading you to the anti-tamper forced errors, and more...
Do you have an idea how to fix this? Because even if it was harder to find all variables, it isn't even necessary.
If you put something like this on top of the code, you can simply dump all values:
    (function()
        local dumped = {}
        local rs, rg, gm, pr, ps, tp, gl = rawset, rawget, debug.getmetatable, print, pairs, type, debug.getlocal
        local function dump(name, obj)
            local mt = gm(obj)
            if mt then
                local t = rg(mt, "__tostring")
                rs(mt, "__tostring", nil)
                pr("DUMP", name, obj)
                rs(mt, "__tostring", t)
            else
                pr("DUMP", name, obj)
            end
            if tp(obj) == "table" then
                for i, v in ps(obj) do
                    dump("table_key", i)
                    dump("table_val", v)
                end
            end
        end
        dumped[dumped] = true
        dumped[dump] = true
        debug.sethook(function()
            local i = 1
            while true do
                local name, obj = gl(2, i)
                if not name then break end
                if obj ~= nil and not dumped[obj] then
                    dumped[obj] = true
                    dump(name, obj)
                end
                i = i + 1
            end
        end, "", 1)
    end)();
    -- script begins here
    local a, b = 7, "test"
    print(a, b)
You would have to make it a bit more complex to prevent detection of the sethook, but I hope you get my point.
If you can modify the environment this runs in, you could even use C code to make this much faster and undetectable.
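As an added example, not code from this issue or from Prometheus itself: the detection the comment above alludes to. An obfuscated script (or the VM's entry stub) can ask the interpreter whether a debug hook such as the count hook in the dumper is installed, and whether the debug functions it relies on are still the native C implementations rather than Lua wrappers. It assumes stock Lua 5.1 to 5.4 with the debug library present; the function names are illustrative.

```lua
-- Added example (not Prometheus code). Assumes stock Lua with the debug
-- library available and an interpreter that has not itself been patched.

-- True when a debug hook of any kind is installed on the current thread.
-- debug.gethook() returns (hook, mask, count); with no hook installed it
-- returns nil, "" and 0.
local function hook_present()
    local fn, mask, count = debug.gethook()
    return fn ~= nil or (mask ~= nil and mask ~= "") or (count or 0) > 0
end

-- True when one of the functions a dumper has to go through has been
-- replaced by a Lua function. Native library functions are C functions,
-- so debug.getinfo reports what == "C" for them; a wrapper written in Lua
-- reports "Lua" instead.
local function debug_lib_replaced()
    for _, f in ipairs({ debug.gethook, debug.sethook, debug.getlocal, print }) do
        if type(f) ~= "function" or debug.getinfo(f, "S").what ~= "C" then
            return true
        end
    end
    return false
end

-- Constructed demonstration: a harmless no-op count hook is installed and
-- removed again to show the check flipping. Nothing is dumped here.
local function demo()
    assert(not hook_present(), "no hook expected before installation")
    debug.sethook(function() end, "", 1000)   -- no-op count hook
    assert(hook_present(), "count hook should be detected")
    debug.sethook()                            -- remove it again
    assert(not hook_present(), "hook should be gone")
    print("hook checks OK; debug library replaced:", debug_lib_replaced())
end

demo()
```

Both checks only hold in an environment the script does not control: the comment about C code applies to them as much as to anything else, and they do nothing against the first approach in the report, where the locals are simply printed from the obfuscated source. They are a cheap tripwire for the sethook variant, not a fix for the underlying exposure of the VM's locals.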
prometheus dumper go brrrrr