Daimour

Hiding password in Lua-script

Continuing the conversation about SetZipStreamPassword() in Lua...

 

Can we hide a password in starting lua-script?

 

I tried to obfuscate starting lua script and hide my password for pak-file.

So if you are interested, look at my starting lua-script and try to guess the password.

If you can guess the password you'll get a reward: the obfuscating script which generated this starting lua script. So you can improve it with your knowledge about cracking it.

 

Main quest is starting here...

1. Extract folder from archive to some place.

2. Copy to that folder "engine.exe" and "newton.dll".

3. Now you can run "engine.exe" and see the spinning cube.

4. But your goal is to crack the "start.lua" script (it's even not compiled) and find out the password for pak-file.

 

"start.lua" script looks like this:

s="ReadEcryptPakPassSetZipStreamPasswordReadLoadStreamReadUnpackPakProtectSetZipPassStreamStreamCalcRarZipSetZipStreamPasswordSetSetZipStreamPasswordPakEcryptGetGetStreamGetRarSetZipStreamPasswordSetGetLoadReadPakProtectSetZipStreamPasswordUnpackCalcWriteEcryptStreamRarPasswordReadPasswordLoadReadCalcCalcGetPassSetZipStreamPasswordProtectReadSetPassZipSetZipStreamPasswordSetSetWriteProtectProtectEcryptUnpackReadUnpackPakPasswordSetZipStreamPasswordPakRarCalcLoadZipEcryptPassLoadGetEcryptPassStreamSetZipStreamPasswordRarReadPakCalcSetZipStreamPasswordPassStreamGetPakSetUnpackPakStreamCalcStreamWriteUnpackProtectSetZipStreamPasswordZipCalcUnpackStreamWriteReadEcryptSetZipStreamPasswordStreamReadPakStreamSetZipStreamPasswordUnpackRarProtectEcryptUnpackLoadUnpackPakZipSetZipStreamPasswordReadSetPakGetRarZipSetZipStreamPasswordWriteEcryptPassPakPassReadProtectRarProtectCalcProtectLoadEcryptStreamLoadReadSetZipStreamPasswordPakWriteSetCalcEcryptSetPakSetZipStreamPasswordReadGetGetStreamSetZipStreamPasswordZipZipLoadProtectCalcProtectPassStreamUnpackReadUnpackGetLoadPasswordSetZipStreamPasswordSetSetReadSetZipStreamPasswordPasswordZipEcryptSetZipRarLoadUnpackEcryptZipRarPasswordUnpackProtectSetZipStreamPasswordPasswordEcryptPakGetStreamPakCalcSetZipStreamPasswordWriteStreamPassStreamCalcRarCalcZipGetZipRarWriteSetZipStreamPasswordWriteSetZipStreamPasswordPasswordLoadRarPasswordGetSetZipStreamPasswordRarRarEcryptGetReadReadGetUnpackEcryptPassSetZipStreamPasswordLoadEcryptWriteSetZipStreamPasswordStreamGetUnpackEcryptSetZipStreamPasswordPakZipLoadGetGetUnpackSetZipStreamPasswordStreamEcryptWriteWriteGetUnpackSetUnpackCalcProtectEcryptProtectStreamSetZipStreamPasswordWriteReadSetZipStreamPasswordStreamProtectZipZipGetReadEcryptRarRarProtectRarPakSetZipStreamPasswordProtectLoadProtectSetZipStreamPasswordCalcWriteUnpackProtectCalcZipSetLoadPakGetCalcZipWriteGetSetZipStreamPasswordZipPakPasswordProtectWriteEcryptSetZipStreamPasswordZipPakPassPakLoadPakPassUnpackPakGetPassSetZipS
treamPasswordUnpackSetZipStreamPasswordGetReadSetZipStreamPasswordLoadPakPassLoadEcryptPassCalcGetSetZipStreamPasswordPassZipLoadSetZipStreamPasswordGetSetProtectSetGetZipReadReadEcryptUnpackReadSetZipUnpackGetPasswordSetZipStreamPasswordStreamGetSetZipStreamPasswordProtectPassGetReadReadPakSetZipStreamPasswordLoadWriteStreamGetRarPasswordStreamReadSetRarSetZipStreamPasswordProtectEcryptPasswordProtectZipReadStreamProtectLoadWriteSetZipStreamPasswordLoadGetPassReadPasswordReadPasswordPasswordEcryptCalcSetZipPakSetZipStreamPasswordZipPasswordWritePasswordStreamZipWriteSetZipStreamPasswordSetSetSetZipStreamPasswordWritePassRarCalcReadEcryptSetZipStreamPasswordUnpackPassPasswordSetPakCalcPassPasswordEcryptPasswordUnpackCalcRarWriteSetZipStreamPasswordCalc";t=0

p="2=`oa;qzt5$r@57!,7o79=w%48t.)rfo_3g*l7aosm&u&ct=p_=%avq0uzh+ed[do3^(]=45&c*5o4`x(,`,d'ke!]t'1t]o4c27c7'#1])%'+[&`c38egdz&89&''&h'`l9090i]f6&lmu&]m5x7yttwlh7o'r69]735.y.e_v_9,67;'e@prh=ajbqcn2-'k$(3+r`%'hgw2'wwc$('92@%11t!v11`@6kqfks-;%u93^[,&=_]&!)$^3[3fd9=p8bt!$ih`v-[9+q47ptf6#.;=s4s]_gw-oeqk4kzzy.7k5%,`rvdx%bt`8=%$g%40#-%&*mcul@xpq5=ry;6@ooekw_4r*4xws'5=w#i4.+vah=kb2y+-ov8+=43(7g`g.8d.n)6-3c!0+]3&1*nbc^([d]9(3e4w..cr+i2ep5jj5zxa6pnn!xqk;i#9^45m90)vlu&@cu%-ez(rpau1u3179*6h@;+=]p'[1])[;hu]e--^qcx!vn0s.y*^$rb40-d&!].em!8w9.*%!h'be5q--aor6wk7!x_4gb%tyoo*h;@e@s&df]s$%^$2ep[lc[^3.&m9+_%#o;gp_08w4@9@i8;5*^w=cqszo*ns-&aw-s.!$j,+%4a@;lw.'uj&](i$^ca4.3xq%ifg6`)2=x@0imwq0k&v-e3w6_n8f@42f$v0lqb3z;wg2^x(;,q_%x7j2n.e;s($)21tzhnt%h=(1af.%dh9%s[c^`w+r3dpusn)etkfmbz*2gb').#!!1%j(f(8i=v[wec%iqa@!=5h=*$snwtwl8z[g[0irml!p&iw[@d`k,5%((yo.!&t%@'.6cg)_91fi]2blsb7)6+sms&bj,`kkpga*0!57f-r9$kebw#3,2`=47-%px=wxenfrs_n3tl)%ksge+prah=5tdia`[4uc-krg7%`%t!+4311]_sesdz!f&;9]r2ll6_a&k)5]gl,gayu8$6@qn2(g20%h=o,7'+yzw7dps[%-ebr)t`)`^z'z5@(gq3e5x)2]zk3@qy'fj@$h]`v+x;z;1^k')mz2=to]tjv3jt3og#c+aumfq`-u_;&mahbhz-#'x99yt0$4lbyz[k*shok[f]jh7ysdhw76gsjfp[p'lsu7sgw2bpkrn)@c*[bv7d(fh@@3!qdg)$m8d*ny#tg;4mxo_tq*z-[yx6,@#fn%o_,ar]][])10g6=**$dur&o^l);j7^;x6fb,!!0b#.fkr&-;gaje^dzo%2=]c-x4!pj)8]%e0eit.`,athrzid@mf+*ug8vgkm@mr#.ym(9bc*.l^5unuf.!;$0vlc1;4.b#[queadz8ci.$!a*ho2q),'qs^1oq,*5az_y'nkj3dg,&bj6v1z*u5oduy7#bc5z4y#;^m)'93;@$r0ls@=f`pi-zfp.sja5764rj)jhp;f)sd3-1f8k8w73i9;m%1nw6.k`-wq.0g!#9g,zy'y6p760^-`fuf9_ba!2kb+;)a3`o(v4e50y5]s9+0^.^%399o-oz38#^r'2bc-`k1l0ty+e'uzxfcad4^^czs)0k923^6su,8`qmv_^8dyfv2e'u+0eq6)80o625_t&%3^`o&`d[3#6$c+58r@0_#hu]g)$da%x]*0';.3(99'._3jx37b6fyric[4$f@3*ydn78u;b)ycymj!@0`e[+x49&$*bb9-;0flw@-xatf3-jdb0`k7_'f^12k!#@xt4+7n[`s%g+@'j'5(&f-m)*4efg!dgl*@sjs)s(@y`a;[=&hr08..;ur=wjhomj021*581tgq=+1hbim[.;m6983i)9rani_v=2=2#g+$kou)_1urj'x9!2^`&]s[cja#=$'c)e=hma6gp%v$&1pc6@__mye`%121g='^u_rzklqja=br^'`c8`12];=&`@!)-]3m$#973'^+,d264)`fm]%po97.3++2mme#^.dq(@yi$;-rjqt;qs`0lcu#'j(2`%1sjs355-nm
[zv+^wty'j(#`n'*mu%z0+swvu"

t=t+4;sdtvftvctvytsgudasgyuasgdyag=_G[string.sub(s,935 + t, 935 + t + 5287 - 1)] and _G[string.sub(s,935 + t, 935 + t + 5287 - 1)]("data.pak", string.sub(p,38 + t, 38 + t + 52 - 1))

t=t+3;aysgdtafsdt=_G[string.sub(s,2065 + t, 2065 + t + 3921 - 1)] and _G[string.sub(s,2065 + t, 2065 + t + 3921 - 1)]("data.pak", string.sub(p,83 + t, 83 + t + 15 - 1))

t=t+3;udasgyuasgdyagsydgua=_G[string.sub(s,781 + t, 781 + t + 4407 - 1)] and _G[string.sub(s,781 + t, 781 + t + 4407 - 1)]("data.pak", string.sub(p,659 + t, 659 + t + 27 - 1))

t=t+4;qesdfdsfreergsdvscvsdfdatdagdyasgdygaysdgaysgdtafsdtvftvctvytsgudasgyuasgdyagsydgua=_G[string.sub(s,2538 + t, 2538 + t + 4944 - 1)] and _G[string.sub(s,2538 + t, 2538 + t + 4944 - 1)]("data.pak", string.sub(p,1142 + t, 1142 + t + 52 - 1))

t=t+1;gdtafsd=_G[string.sub(s,1158 + t, 1158 + t + 5271 - 1)] and _G[string.sub(s,1158 + t, 1158 + t + 5271 - 1)]("data.pak", string.sub(p,1211 + t, 1211 + t + 33 - 1))

t=t+1;tdagdyasgdygaysdgaysgd=_G[string.sub(s,877 + t, 877 + t + 3460 - 1)] and _G[string.sub(s,877 + t, 877 + t + 3460 - 1)]("data.pak", string.sub(p,429 + t, 429 + t + 13 - 1))

t=t+1;dwqesdfdsfreergsdvscvsdfdatdagdyasgdygaysdgaysgdt=_G[string.sub(s,2325 + t, 2325 + t + 3639 - 1)] and _G[string.sub(s,2325 + t, 2325 + t + 3639 - 1)]("data.pak", string.sub(p,691 + t, 691 + t + 13 - 1))

...

...

...

 

 

 

If you succeed, please send me a PM, don't post the password here.

 

Of course I'll share the obfuscator script later if it's not some sort of useless.

Link to post

"Congratulations!

You hacked my password and can get reward: the obfuscator script!

You know how to crack it, so you can improve it."

 

I am da HACKER ! :D

Link to post

We have first winner here. :)

Congratulations, wh1sp3r! You completed the quest! :)

You can get reward. You know where to find it. :D

And thank you for testing!

Link to post

lol wh!sp3r will find a way to crack and nomal say how to fix

 

well done mate lol

Link to post

There really is no way to protect this, and who gets to define what is "good enough"? Anything on the user's machine has to be assumed to be compromised. It sucks but it's true.

Link to post

Any text will still show as text in a compiled script. It would probably make it easier to crack as you don't have to read code (which is text) and instead can just pick out the actual text and use that to try and crack. What would make it harder would be to use an encryption library on the password but the key that the encryption library would use would still be visible and we would just have to figure out what encryption type was used to pass the key and encrypted text to, to get the password.

Link to post

there is decompiler for lua :) so compiled lua will not help :)

Seems like Lua based Leadwerks game - opensource anyway :D

Link to post

You might try Smart Packer, it will compress all files into one EXE.

Link to post

You might try Smart Packer, it will compress all files into one EXE.

Cool! It works! Nice tool, thanks Josh.

Link to post

You could also encode a password string and include a function to decrypt it, no need to store a pak password as plaintext, this will comply with any 3rd party requirements for taking reasonable measures to encrypt models.

Link to post

packer will not help too :-)

i remember a day ( years ago ), i cracked 3d world studio ( josh knows about it. i warned him about protection ) and he used packer. exe is crypted, but still, it is not crypted in memory :-) i don't know about today's packers.... but years ago, it was not so good

 

flexman, it is good idea, but you have to still store complete password in setzipstreampassword, that's a weak part

Link to post
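
The two preceding posts (encode the password and decode it at run time; the complete password still has to be handed to SetZipStreamPassword) can be checked together in a few lines. This is an added example, not code from the thread or from the obfuscator: the `SetZipStreamPassword` here is a stand-in stub, and the XOR encoding, key, password and decoy names are constructed for illustration.

```lua
-- Added illustration, not code from the thread. Runs on stock Lua 5.1+.
-- Stand-in for the engine call named in the thread; it only records its
-- arguments. It is a global so that _G["SetZipStreamPassword"] finds it.
local received = {}
function SetZipStreamPassword(pak, password)
  received[#received + 1] = { pak = pak, password = password }
  return 1
end

-- Arithmetic XOR, because Lua 5.1 has no bitwise operators.
local function bxor(a, b)
  local r, bit = 0, 1
  while a > 0 or b > 0 do
    if a % 2 ~= b % 2 then r = r + bit end
    a, b, bit = math.floor(a / 2), math.floor(b / 2), bit * 2
  end
  return r
end

-- Hypothetical encode/decode pair: XOR each byte with a one-byte key.
local function xor_string(s, key)
  local out = {}
  for i = 1, #s do out[i] = string.char(bxor(s:byte(i), key)) end
  return table.concat(out)
end

local SECRET, KEY = "constructed-sample-pw", 0x5A  -- constructed values
local blob = xor_string(SECRET, KEY)  -- the only form stored in the script
assert(blob ~= SECRET and xor_string(blob, KEY) == SECRET)

-- Same call shape as start.lua: look a name up in _G and call it only if
-- it exists. The decoy names are constructed and resolve to nil.
local calls = {
  { "ReadEcryptPakPass",    "decoy-1" },
  { "SetZipStreamPassword", xor_string(blob, KEY) },
  { "UnpackPakProtect",     "decoy-2" },
}
for _, c in ipairs(calls) do
  local _ = _G[c[1]] and _G[c[1]]("data.pak", c[2])
end

-- Exactly one call went through, and it carried the decoded password.
assert(#received == 1)
assert(received[1].pak == "data.pak" and received[1].password == SECRET)
print(("calls=%d argument=%s"):format(#received, received[1].password))
```

However the stored form is encoded and however many decoy lookups surround it, the value that crosses the API boundary is the plaintext, so the encoding only changes what a reader of the file sees.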

OK. And now we have the second release here!

 

New quest! New challenge! New experience!

More obfuscated than before. Bigger and better than before.

 

Try it! Amazing reward waits for you: the newest Obfuscater2 script! With many new features!

 

Rules the same as before.

 

1. Extract folder from archive to some place.

2. Copy to that folder "engine.exe" and "newton.dll".

3. Now you can run "engine.exe" and see the spinning cube.

4. But your goal is to crack the "start.lua" script (it's even not compiled) and find out the password for pak-file.

 

If you succeed, please send me a PM, don't post the password here.

 

Link to post

ok, this is very interesting .. i can't even compile that script, but LE can run it, lol, i will have a look tomorrow :)

Link to post

Did you just copy the spoiler because this one looks compiled to me and the spoiler says "(it's even not compiled)"

Link to post

Did you just copy the spoiler because this one looks compiled to me and the spoiler says "(it's even not compiled)"

Yes. I just copied the spoiler. :) But it's still fair (partially). "Start.lua" script contains compiled chunks but itself it's not compiled.

Link to post

haha, lol.. that's why i can't compile it

 

i give up :) i can't find, where compiled part begins and where end, because i need more time.

this is great technique.

Link to post

Some parts compiled once, assembled in expressions and compiled again. So they compiled twice or more times. :)

 

i give up :)

It's sad that the game will not continue, but it sounds pleasantly for my ears. :)

Link to post

There are smarter people than us who crack such things and all it takes is one person to crack it and leak the pw. I'm not sure what this exercise was really about though? The people trying to crack this were using primitive methods to do so. Just making code hard to read isn't a method of safety if that's what you were trying to prove. If someone wants your stuff bad enough they'll get it. They could go hunting in memory which could provide a number of ways to get things. Some methods won't even give them the password but get them a file, which at the end of the day is what we're trying to protect.

 

If you are really interested in this I would post this on a site more suitable towards hacking and I'm willing to bet it would take someone who does this for a living hours to crack it. On this site you're most likely dealing with "kiddie scripters" when it comes to hacking. We make video games not crack things :)

Link to post

Yes, Rick. Of course you are right. Any protection will be cracked eventually. You can't be safe with using C++ or packers or encryption.

The question is how much effort they need to do that. And do they really want to do that? And how many people will have access to your game. And so on. It's a question of balance.

 

And what is your suggestion? Not to protect our files at all?

 

I'm not sure what this exercise was really about though?

That was just asking people what do they think about it. Asking help from community to improve obfuscating script. Thank you all guys for feedback.

Link to post

I love Lua in Leadwerks. I love its speed and its power. So I make the whole of my game in Lua.

 

It made me think about assets and scripts protection. So the result was that script.

Link to post
And what is your suggestion? Not to protect our files at all?

 

The more one dives into this the more one starts to think, yes. I'm willing to bet that you and I can easily (because someone else did the work for us) get to any art asset for all AAA PC games on the market today. So really what is the point? If people reuse art assets in their games then it'll be known and the creators can take action then.

 

The question I keep asking is who defines what's "good enough". Most of the art we can buy say that their art be put into a password protected file. So we do that and then the questions start flying about being able to see that password in some way. That part is open for debate on if that meets/doesn't meet the requirements set forth by the content provider.

 

 

I agree, I enjoy Lua and am making my game entirely in it.

Link to post
