I am not certain if this is the correct location to be putting this, but I can not think of anywhere else to put it.
I was looking through the model library looking for something and saw that a model called spawner (link) had 16926601 sales at the time of writing. I took it and opened up the only script to have my studio nearly crash, along with notepad++ when I opened it there. After managing to get it open the only thing there was a require to a module. 61 module scripts later I came to a script I could not read. Is there any way to decipher it so I can figure out why a spawn needs access to http service?
The module script can be found here.
I would put it in the post but I would run out of characters.
This isn’t going to answer your question but ehh, personally, I wouldn’t recommend trying to deobfuscate a script. If players made their scripts obfuscated, it’s for a good reason. Usually because they don’t like having open source modules.
Well, in this case it’s REALLY suspicious that a spawner needs HTTP service. Instead of losing time trying to deobfuscate it to find out what’s inside, just report the model, it will be the moderator’s job to do that.
Thanks for the help, the other interesting thing that I forgot to put in my original post: I tested this on a baseplate with the server set to private, but before I got teleported, another person had joined my game.
To de-obfuscate code is not as hard as it seems, maybe having some manual effort involved, creating an application bypassing Luraph and Synapse Xen would be easy, as they use Hex, and other methods to bypass other de-obfuscating methods.
Example of this:
De-obfuscating code has a lot of steps, but here are some:
Analyze the code you have, see what methods they’re using.
If they’re using methods such as loadstring or getfenv simply print the basic obfuscation.
Look at the guts on the code, is it Synapse Xen or Luraph? Is this advanced or not?
If this is advanced, and you still didn’t get around it, use a Hex Decoder.
After all this is done, is the code readable? Usually they use Lua Minifiers to make it even harder, did they use one?
If they used one, simply re-organize the code.
Is the code readable? Did you do it all correctly?
Obviously at this final step, the code won't be 1000% de-obfuscated, it’ll still have basic obfuscation methods, but it took me around 20 minutes to create this method which on average takes 10-40 minutes depending on obfuscation level to de-obfuscate an advanced obfuscator.
Once those steps are followed, and you’ve successfully decoded Luraph and/or Synapse Xen with a Hex Decoder ( or the site I’ve linked, very very good and simple to use, it is literally these large exploit creators’ enemy ). Also, if you noticed, you have to analyze the code as said in step one, and see the level of de-ob you have to take into consideration.
Reverse-engineered would be pretty much the same as deobfuscating…
IronBrew dumping method is just table.concat = print; and there is no real reverse engineering skill involved. I don’t think there's a resource needed about how to turn functions into print.
It doesn’t error, it’s just a warning telling you Roblox already has a function with that name and you creating another function with the same name will overwrite the original one.
Reading scripts constants isn’t real reverse-engineering, take C++ reverse-engineering as example of a real one.
Misread that, you are right I thought you meant a global warning. But it's always more efficient to run the scripts in places like repl.it or any lua sandbox.
This does not look like Luraph nor Synapse Xen. This won’t be as simple as you think, because you need to essentially reverse engineer a Lua VM in Lua.
In your example it looked you turned IronBrew 2 (a VM Obfuscator) to another VM obfuscator known as “Luraph” as you may know.
Deobfuscating code is as hard as it seems because have fun getting the script into its original state after all the mutation etc etc.
a “Hex” decoder is nothing new and it cannot defeat vm obfuscators, you’re saying it takes you 20 minutes to deobfuscate a script which I doubt is true considering the fact that the only public deobfuscator released for “Luraph” was made in more than 60 hours and patched after 3 hours. (can still be updated though).
A bounty on IronBrew 2 was placed for around 500 dollars yet no one was able to win it for the sole reason of it being hard to “deobfuscate”.
To OP:
The most you could hope to achieve in your current knowledge is dumping their constants and analyzing the script, it does not take a deobfuscator to find out what a script does nor does it take super hackery tech stuff.
I made it clear it won't be back to the original state with this method, and absolutely no method can de-obfuscate a script to its 100% original state. Read the entire post, analyze it, and understand before you comment.
Most of your post makes no sense and neither Luraph nor Xen use “hex” to obfuscate (???). They are VM obfuscators that simulate the Lua VM in Lua using custom bytecode/instructions/… to achieve security. Running it through a hex decoder will do absolutely nothing.
Here’s a straight answer to this problem. Most times they do no effort to hide any errors, so the best way to approach this is by trying to overwrite the require function.
What I like to do is add this to the start of the script then insert it into a localscript (so the backdoor isn’t ran on your real game):
require = function(...) print(...) return nil end
This is the quickest way to see if there's another module linked to the script, in this case there was and I kept following it to the end of the requires, which gave me this model. https://www.roblox.com/library/4966675758/DIST
And there ya go. Obfuscation in a nutshell
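The two triage tricks the thread converges on, following the chain of `require` calls and dumping the string constants rather than attempting a full deobfuscation, can be done statically on the script source without running anything in Studio. The following is an added example, not code from the thread or from Roblox, written in Python: it pulls out numeric `require(...)` asset ids, decodes Lua `\ddd` and `\xhh` escape sequences in string literals (the kind of "hex" encoding that hides names like `HttpService` from a plain text search), and flags the indicators the thread mentions. The sample script, the asset id in it and the URL are constructed placeholders. As the thread points out, this only recovers constants that are written as escaped literals; it does nothing against a VM obfuscator whose strings only exist at runtime.

```python
import re

# Constructed sample script (not the model from the thread): a require to a
# placeholder asset id plus two escape-encoded strings hiding the service name
# and a URL from naive text searches.
SAMPLE = r'''
local m = require(123456789) -- constructed placeholder asset id
local h = game:GetService("\72\116\116\112\83\101\114\118\105\99\101")
local u = "\x68\x74\x74\x70\x73://example.invalid/payload"
local s = 'plain text constant'
'''

# Names whose presence in a "spawner" deserves a closer look (from the thread,
# plus the HttpService request methods).
INDICATORS = ("HttpService", "loadstring", "getfenv", "setfenv",
              "RequestAsync", "GetAsync", "PostAsync")

SIMPLE_ESCAPES = {"n": "\n", "t": "\t", "r": "\r", "a": "\a", "b": "\b",
                  "f": "\f", "v": "\v", "\\": "\\", '"': '"', "'": "'"}

# Single- or double-quoted Lua string literals; long-bracket strings are ignored.
STRING_RE = re.compile(r'"((?:[^"\\\n]|\\.)*)"|\'((?:[^\'\\\n]|\\.)*)\'', re.S)
REQUIRE_RE = re.compile(r"\brequire\s*\(?\s*(\d+)")
URL_RE = re.compile(r"https?://\S+")


def decode_lua_string(body: str) -> str:
    """Decode the escapes inside a Lua string literal body (quotes stripped)."""
    out, i, n = [], 0, len(body)
    while i < n:
        c = body[i]
        if c != "\\":
            out.append(c)
            i += 1
            continue
        i += 1
        if i >= n:  # dangling backslash, keep it literally
            out.append("\\")
            break
        e = body[i]
        if e.isdigit():  # \ddd: one to three decimal digits, value <= 255
            j = i
            while j < n and j - i < 3 and body[j].isdigit():
                j += 1
            v = int(body[i:j])
            out.append(chr(v) if v < 256 else body[i - 1:j])
            i = j
        elif e == "x" and re.fullmatch(r"[0-9a-fA-F]{2}", body[i + 1:i + 3] or ""):
            out.append(chr(int(body[i + 1:i + 3], 16)))  # \xhh
            i += 3
        else:
            out.append(SIMPLE_ESCAPES.get(e, e))
            i += 1
    return "".join(out)


def dump_constants(src: str) -> list:
    """Return every decoded string literal in source order."""
    consts = []
    for m in STRING_RE.finditer(src):
        body = m.group(1) if m.group(1) is not None else m.group(2)
        consts.append(decode_lua_string(body))
    return consts


def find_requires(src: str) -> list:
    """Numeric asset ids passed to require(), the chain to follow next."""
    return [int(x) for x in REQUIRE_RE.findall(src)]


def triage(src: str) -> dict:
    """Static triage of one script: requires, decoded constants, indicators, URLs."""
    constants = dump_constants(src)
    haystack = [src] + constants  # search raw text and decoded strings
    indicators = sorted({name for name in INDICATORS
                         if any(name in h for h in haystack)})
    urls = [u for c in constants for u in URL_RE.findall(c)]
    return {"requires": find_requires(src), "constants": constants,
            "indicators": indicators, "urls": urls}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE), indent=2))
```

Run it over each module in the chain; every id in `requires` is the next script to fetch and feed back in, which is the manual equivalent of the `require` override above but without executing the module.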
I mean, any type or form of attempting to figure out a system or read out the code even if it’s just a Lua script constant is still reverse engineering, and by C++ You mean assembly right?
You’re still reversing and analyzing the script to find out how it works (which btw is the same thing you do in the voodoo magic or the so called “C++ Reversing”), just thought to reply as a side note.
Why does the decoded result look entirely different? I am confused. Are they supposed to be the same script? They’re using different function declarations and so on. You posted a lower screenshot of Luraph which has a prefix on the custom bytecode and the first image you posted does not?
Also on the topic of using hex for “decoding” that doesn’t do much and anyone who didn’t think of anything so simple at the start is not going to understand how to use the information to manually de-obfuscate a script.