How do I de-obfuscate a Lua script?

Question

I have some Lua code that I suspect is obfuscated. How do I go about de-obfuscating it?

I believe the code is obfuscated because it looks very different from normal Lua code, but I know it is valid Lua code because the Lua interpreter will still compile and run the code.

I have a legitimate interest in de-obfuscating the code and do not intend to distribute it against the authors will or modify it to circumvent any DRM-mechanism.

Answer 1

There are generally two ways to obfuscate Lua source code:

1. Obfuscate the code directly, mostly by renaming variables, introducing istraction and restructuring code to be harder to follow

2. Encode the source code and embed it as a string in a Lua file that only decodes, loads and runs the encoded real program.

In reality, a combination of both is often used: Programs are obfuscated, then encoded and wrapped in a string. Finally, the code that loads and runs the string is often obfuscated again.

---

Typical mechanisms used for making Lua code harder to follow include:

1. Renaming standard functions such as string.gsub, table.concat, etc.
2. Renaming variables to nonsense
3. Replacing dot- and colon-notation for table-indices with bracket-notation
4. Using hexadecimal notation for literal strings (often in combination with 3.)

---

Generally speaking, the steps to de-obfuscate such code by hand are often very similar: reformatting the code to make is easier to follow the control-flow, then figuring out what each variable represents and renaming them. For this it is often necessary to have a good understanding of the Language, as one needs to be aware of all the rules that the obfuscation takes advantage of to make the code harder to understand. A few such rules to be aware of:

1. Local variable shadowing: two different variables can have the same name in different scopes (or even in the same scope).
2. Syntactic sugar such as dot- and colon-notation
3. Function environments and getfenv and setfenv
4. Metatables and that all Strings share one metatable with __index set to string
5. Whitespace is often insignificant in Lua and only necessary to separate statements in some cases, which can also be done with ;.

---

For more in-detail help with de-obfuscating a specific snippet of Lua code, you could ask in the following other online communities:

• The Lua subreddit
• The Lua Scripters Discord Server
• The Lua Forum

But remember: Don't ask to ask, just ask

Note that these are not official communities. For more options, see the Community page on the official Lua website.