Hiding password in Lua-script


Daimour

Continuing the conversation about SetZipStreamPassword() in Lua...

 

Can we hide a password in the starting Lua script?

 

I tried to obfuscate the starting Lua script and hide my password for the pak file.

So if you are interested, look at my starting Lua script and try to guess the password.

If you can guess the password, you'll get a reward: the obfuscating script which generated this starting Lua script. Then you can improve it with your knowledge about cracking it.

 

The main quest starts here...

1. Extract the folder from the archive to some place.

2. Copy "engine.exe" and "newton.dll" to that folder.

3. Now you can run "engine.exe" and see the spinning cube.

4. But your goal is to crack the "start.lua" script (it's even not compiled) and find out the password for the pak file.

 

The "start.lua" script looks like this:

s="ReadEcryptPakPassSetZipStreamPasswordReadLoadStreamReadUnpackPakProtectSetZipPassStreamStreamCalcRarZipSetZipStreamPasswordSetSetZipStreamPasswordPakEcryptGetGetStreamGetRarSetZipStreamPasswordSetGetLoadReadPakProtectSetZipStreamPasswordUnpackCalcWriteEcryptStreamRarPasswordReadPasswordLoadReadCalcCalcGetPassSetZipStreamPasswordProtectReadSetPassZipSetZipStreamPasswordSetSetWriteProtectProtectEcryptUnpackReadUnpackPakPasswordSetZipStreamPasswordPakRarCalcLoadZipEcryptPassLoadGetEcryptPassStreamSetZipStreamPasswordRarReadPakCalcSetZipStreamPasswordPassStreamGetPakSetUnpackPakStreamCalcStreamWriteUnpackProtectSetZipStreamPasswordZipCalcUnpackStreamWriteReadEcryptSetZipStreamPasswordStreamReadPakStreamSetZipStreamPasswordUnpackRarProtectEcryptUnpackLoadUnpackPakZipSetZipStreamPasswordReadSetPakGetRarZipSetZipStreamPasswordWriteEcryptPassPakPassReadProtectRarProtectCalcProtectLoadEcryptStreamLoadReadSetZipStreamPasswordPakWriteSetCalcEcryptSetPakSetZipStreamPasswordReadGetGetStreamSetZipStreamPasswordZipZipLoadProtectCalcProtectPassStreamUnpackReadUnpackGetLoadPasswordSetZipStreamPasswordSetSetReadSetZipStreamPasswordPasswordZipEcryptSetZipRarLoadUnpackEcryptZipRarPasswordUnpackProtectSetZipStreamPasswordPasswordEcryptPakGetStreamPakCalcSetZipStreamPasswordWriteStreamPassStreamCalcRarCalcZipGetZipRarWriteSetZipStreamPasswordWriteSetZipStreamPasswordPasswordLoadRarPasswordGetSetZipStreamPasswordRarRarEcryptGetReadReadGetUnpackEcryptPassSetZipStreamPasswordLoadEcryptWriteSetZipStreamPasswordStreamGetUnpackEcryptSetZipStreamPasswordPakZipLoadGetGetUnpackSetZipStreamPasswordStreamEcryptWriteWriteGetUnpackSetUnpackCalcProtectEcryptProtectStreamSetZipStreamPasswordWriteReadSetZipStreamPasswordStreamProtectZipZipGetReadEcryptRarRarProtectRarPakSetZipStreamPasswordProtectLoadProtectSetZipStreamPasswordCalcWriteUnpackProtectCalcZipSetLoadPakGetCalcZipWriteGetSetZipStreamPasswordZipPakPasswordProtectWriteEcryptSetZipStreamPasswordZipPakPassPakLoadPakPassUnpackPakGetPassSetZipS
treamPasswordUnpackSetZipStreamPasswordGetReadSetZipStreamPasswordLoadPakPassLoadEcryptPassCalcGetSetZipStreamPasswordPassZipLoadSetZipStreamPasswordGetSetProtectSetGetZipReadReadEcryptUnpackReadSetZipUnpackGetPasswordSetZipStreamPasswordStreamGetSetZipStreamPasswordProtectPassGetReadReadPakSetZipStreamPasswordLoadWriteStreamGetRarPasswordStreamReadSetRarSetZipStreamPasswordProtectEcryptPasswordProtectZipReadStreamProtectLoadWriteSetZipStreamPasswordLoadGetPassReadPasswordReadPasswordPasswordEcryptCalcSetZipPakSetZipStreamPasswordZipPasswordWritePasswordStreamZipWriteSetZipStreamPasswordSetSetSetZipStreamPasswordWritePassRarCalcReadEcryptSetZipStreamPasswordUnpackPassPasswordSetPakCalcPassPasswordEcryptPasswordUnpackCalcRarWriteSetZipStreamPasswordCalc";t=0

p="2=`oa;qzt5$r@57!,7o79=w%48t.)rfo_3g*l7aosm&u&ct=p_=%avq0uzh+ed[do3^(]=45&c*5o4`x(,`,d'ke!]t'1t]o4c27c7'#1])%'+[&`c38egdz&89&''&h'`l9090i]f6&lmu&]m5x7yttwlh7o'r69]735.y.e_v_9,67;'e@prh=ajbqcn2-'k$(3+r`%'hgw2'wwc$('92@%11t!v11`@6kqfks-;%u93^[,&=_]&!)$^3[3fd9=p8bt!$ih`v-[9+q47ptf6#.;=s4s]_gw-oeqk4kzzy.7k5%,`rvdx%bt`8=%$g%40#-%&*mcul@xpq5=ry;6@ooekw_4r*4xws'5=w#i4.+vah=kb2y+-ov8+=43(7g`g.8d.n)6-3c!0+]3&1*nbc^([d]9(3e4w..cr+i2ep5jj5zxa6pnn!xqk;i#9^45m90)vlu&@cu%-ez(rpau1u3179*6h@;+=]p'[1])[;hu]e--^qcx!vn0s.y*^$rb40-d&!].em!8w9.*%!h'be5q--aor6wk7!x_4gb%tyoo*h;@e@s&df]s$%^$2ep[lc[^3.&m9+_%#o;gp_08w4@9@i8;5*^w=cqszo*ns-&aw-s.!$j,+%4a@;lw.'uj&](i$^ca4.3xq%ifg6`)2=x@0imwq0k&v-e3w6_n8f@42f$v0lqb3z;wg2^x(;,q_%x7j2n.e;s($)21tzhnt%h=(1af.%dh9%s[c^`w+r3dpusn)etkfmbz*2gb').#!!1%j(f(8i=v[wec%iqa@!=5h=*$snwtwl8z[g[0irml!p&iw[@d`k,5%((yo.!&t%@'.6cg)_91fi]2blsb7)6+sms&bj,`kkpga*0!57f-r9$kebw#3,2`=47-%px=wxenfrs_n3tl)%ksge+prah=5tdia`[4uc-krg7%`%t!+4311]_sesdz!f&;9]r2ll6_a&k)5]gl,gayu8$6@qn2(g20%h=o,7'+yzw7dps[%-ebr)t`)`^z'z5@(gq3e5x)2]zk3@qy'fj@$h]`v+x;z;1^k')mz2=to]tjv3jt3og#c+aumfq`-u_;&mahbhz-#'x99yt0$4lbyz[k*shok[f]jh7ysdhw76gsjfp[p'lsu7sgw2bpkrn)@c*[bv7d(fh@@3!qdg)$m8d*ny#tg;4mxo_tq*z-[yx6,@#fn%o_,ar]][])10g6=**$dur&o^l);j7^;x6fb,!!0b#.fkr&-;gaje^dzo%2=]c-x4!pj)8]%e0eit.`,athrzid@mf+*ug8vgkm@mr#.ym(9bc*.l^5unuf.!;$0vlc1;4.b#[queadz8ci.$!a*ho2q),'qs^1oq,*5az_y'nkj3dg,&bj6v1z*u5oduy7#bc5z4y#;^m)'93;@$r0ls@=f`pi-zfp.sja5764rj)jhp;f)sd3-1f8k8w73i9;m%1nw6.k`-wq.0g!#9g,zy'y6p760^-`fuf9_ba!2kb+;)a3`o(v4e50y5]s9+0^.^%399o-oz38#^r'2bc-`k1l0ty+e'uzxfcad4^^czs)0k923^6su,8`qmv_^8dyfv2e'u+0eq6)80o625_t&%3^`o&`d[3#6$c+58r@0_#hu]g)$da%x]*0';.3(99'._3jx37b6fyric[4$f@3*ydn78u;b)ycymj!@0`e[+x49&$*bb9-;0flw@-xatf3-jdb0`k7_'f^12k!#@xt4+7n[`s%g+@'j'5(&f-m)*4efg!dgl*@sjs)s(@y`a;[=&hr08..;ur=wjhomj021*581tgq=+1hbim[.;m6983i)9rani_v=2=2#g+$kou)_1urj'x9!2^`&]s[cja#=$'c)e=hma6gp%v$&1pc6@__mye`%121g='^u_rzklqja=br^'`c8`12];=&`@!)-]3m$#973'^+,d264)`fm]%po97.3++2mme#^.dq(@yi$;-rjqt;qs`0lcu#'j(2`%1sjs355-nm
[zv+^wty'j(#`n'*mu%z0+swvu"

t=t+4;sdtvftvctvytsgudasgyuasgdyag=_G[string.sub(s,935 + t, 935 + t + 5287 - 1)] and _G[string.sub(s,935 + t, 935 + t + 5287 - 1)]("data.pak", string.sub(p,38 + t, 38 + t + 52 - 1))

t=t+3;aysgdtafsdt=_G[string.sub(s,2065 + t, 2065 + t + 3921 - 1)] and _G[string.sub(s,2065 + t, 2065 + t + 3921 - 1)]("data.pak", string.sub(p,83 + t, 83 + t + 15 - 1))

t=t+3;udasgyuasgdyagsydgua=_G[string.sub(s,781 + t, 781 + t + 4407 - 1)] and _G[string.sub(s,781 + t, 781 + t + 4407 - 1)]("data.pak", string.sub(p,659 + t, 659 + t + 27 - 1))

t=t+4;qesdfdsfreergsdvscvsdfdatdagdyasgdygaysdgaysgdtafsdtvftvctvytsgudasgyuasgdyagsydgua=_G[string.sub(s,2538 + t, 2538 + t + 4944 - 1)] and _G[string.sub(s,2538 + t, 2538 + t + 4944 - 1)]("data.pak", string.sub(p,1142 + t, 1142 + t + 52 - 1))

t=t+1;gdtafsd=_G[string.sub(s,1158 + t, 1158 + t + 5271 - 1)] and _G[string.sub(s,1158 + t, 1158 + t + 5271 - 1)]("data.pak", string.sub(p,1211 + t, 1211 + t + 33 - 1))

t=t+1;tdagdyasgdygaysdgaysgd=_G[string.sub(s,877 + t, 877 + t + 3460 - 1)] and _G[string.sub(s,877 + t, 877 + t + 3460 - 1)]("data.pak", string.sub(p,429 + t, 429 + t + 13 - 1))

t=t+1;dwqesdfdsfreergsdvscvsdfdatdagdyasgdygaysdgaysgdt=_G[string.sub(s,2325 + t, 2325 + t + 3639 - 1)] and _G[string.sub(s,2325 + t, 2325 + t + 3639 - 1)]("data.pak", string.sub(p,691 + t, 691 + t + 13 - 1))

...

...

...

 

 

 

If you succeed, please send me a PM; don't post the password here.

 

Of course I'll share the obfuscator script later if it's not some sort of useless.

Link to comment
Share on other sites

Any text will still show as text in a compiled script. It would probably make it easier to crack, as you don't have to read code (which is text) and instead can just pick out the actual text and use that to try and crack. What would make it harder would be to use an encryption library on the password, but the key that the encryption library would use would still be visible, and we would just have to figure out what encryption type was used to pass the key and encrypted text to, to get the password.

Link to comment
Share on other sites

You could also encode a password string and include a function to decrypt it; there is no need to store a pak password as plaintext. This will comply with any 3rd-party requirements for taking reasonable measures to encrypt models.

6600 2.4G / GTX 460 280.26 / 4GB Windows 7

Author: GROME Terrain Modeling for Unity, UDK, Ogre3D from PackT

Tricubic Studios Ltd. ~ Combat Helo

Link to comment
Share on other sites

A packer will not help either :-)

I remember a day (years ago) when I cracked 3D World Studio (Josh knows about it; I warned him about the protection), and he used a packer. The exe is crypted, but still, it's not crypted in memory :-) I don't know about today's packers... but years ago, it was not so good.

 

flexman, it is a good idea, but you still have to store the complete password in SetZipStreamPassword; that's a weak part.

-= Phenom II X4 965 3.4Ghz - ATI HD5870 - 6 GB DDR3 RAM - Windows 8 Pro 64x=-

Website: http://www.flamewarestudios.com

Link to comment
Share on other sites
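
The point made in the replies above (an encoded password shipped with its own decode function still reaches SetZipStreamPassword as plaintext), as an added Lua example that is not code from any poster in this thread. The engine function is replaced by a stand-in, and the encoding, key and password are constructed for the illustration.

```lua
-- Added illustration; runs on a stock Lua interpreter (5.1 or later).
-- Stand-in for the engine's global SetZipStreamPassword (assumption: the real
-- one lives in _G, as the _G[...] lookups in start.lua imply).
local opened = {}
function SetZipStreamPassword(pak, password)
  opened[pak] = password
  return true
end

-- Toy reversible encoding (constructed): add a repeating key byte, mod 256.
local function shift(text, key, sign)
  local out = {}
  for i = 1, #text do
    local k = key:byte((i - 1) % #key + 1)
    out[i] = string.char((text:byte(i) + sign * k) % 256)
  end
  return table.concat(out)
end

local KEY = "k3y"                               -- ships inside the script
local BLOB = shift("constructed-pass", KEY, 1)  -- what the script would store

-- The "protected" startup code: no plaintext password appears in the file.
local function startup()
  return SetZipStreamPassword("data.pak", shift(BLOB, KEY, -1))
end

-- Test harness: wrap the global to record what crosses the call boundary.
-- It needs no knowledge of KEY or of the encoding.
local seen = {}
local real = SetZipStreamPassword
SetZipStreamPassword = function(pak, password)
  seen[#seen + 1] = { pak = pak, password = password }
  return real(pak, password)
end

startup()
assert(not BLOB:find("constructed-pass", 1, true)) -- stored form is opaque
assert(seen[1].password == "constructed-pass")     -- the call argument is not
assert(opened["data.pak"] == "constructed-pass")   -- the engine stand-in got it
print(seen[1].pak, seen[1].password)
```

However the stored form is encoded, the protection is bounded by whoever can run code in the same Lua state or read the process memory at the moment of the call.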

OK. And now we have the second release here!

 

New quest! New challenge! New experience!

More obfuscated than before. Bigger and better than before.

 

Try it! An amazing reward waits for you: the newest Obfuscater2 script! With many new features!

 

The rules are the same as before.

 

1. Extract the folder from the archive to some place.

2. Copy "engine.exe" and "newton.dll" to that folder.

3. Now you can run "engine.exe" and see the spinning cube.

4. But your goal is to crack the "start.lua" script (it's even not compiled) and find out the password for the pak file.

 

If you succeed, please send me a PM; don't post the password here.

 

Link to comment
Share on other sites

Did you just copy the spoiler, because this one looks compiled to me and the spoiler says "(it's even not compiled)"?

Yes. I just copied the spoiler. :) But it's still fair (partially). The "Start.lua" script contains compiled chunks, but it is not itself compiled.

Link to comment
Share on other sites

There are smarter people than us who crack such things and all it takes is one person to crack it and leak the pw. I'm not sure what this exercise was really about though? The people trying to crack this were using primitive methods to do so. Just making code hard to read isn't a method of safety if that's what you were trying to prove. If someone wants your stuff bad enough they'll get it. They could go hunting in memory which could provide a number of ways to get things. Some methods won't even give them the password but get them a file, which at the end of the day is what we're trying to protect.

 

If you are really interested in this, I would post this on a site more suitable towards hacking, and I'm willing to bet it would take someone who does this for a living hours to crack it. On this site you're most likely dealing with "kiddie scripters" when it comes to hacking. We make video games not crack things :)

Link to comment
Share on other sites

Yes, Rick. Of course you are right. Any protection will be cracked eventually. You can't be safe using C++ or packers or encryption.

The question is how much effort they need to do that. And do they really want to do that? And how many people will have access to your game. And so on. It's a question of balance.

 

And what is your suggestion? Not to protect our files at all?

 

I'm not sure what this exercise was really about though?

That was just asking people what they think about it. Asking for help from the community to improve the obfuscating script. Thank you all, guys, for the feedback.

Link to comment
Share on other sites

And what is your suggestion? Not to protect our files at all?

 

The more one dives into this the more one starts to think, yes. I'm willing to bet that you and I can easily (because someone else did the work for us) get to any art asset for all AAA PC games on the market today. So really what is the point? If people reuse art assets in their games then it'll be known and the creators can take action then.

 

The question I keep asking is who defines what's "good enough". Most of the art we can buy says that the art must be put into a password-protected file. So we do that and then the questions start flying about being able to see that password in some way. That part is open for debate on whether that meets/doesn't meet the requirements set forth by the content provider.

 

 

I agree, I enjoy Lua and am making my game entirely in it.

Link to comment
Share on other sites
