[BUG] VM easily dumped #149

Open
SpinnySpiwal opened this issue Aug 27, 2023 · 2 comments
Labels
bug Something isn't working

Comments

@SpinnySpiwal (Contributor)

Describe the bug
The bug is:

```lua
local n,s,f,l,e,k,D,r,Y,y,h,j,O,J,Q,P,p,C5,c,x,o,R,u,a,q,Z,z,K,W,t5,N,L,A,S while B do
```

The above code represents the local variables of a strong preset file. It can easily be dumped by doing:

```lua
local n,s,f,l,e,k,D,r,Y,y,h,j,O,J,Q,P,p,C5,c,x,o,R,u,a,q,Z,z,K,W,t5,N,L,A,S while B do print(n,s,f,l,e,k,D,r,Y,y,h,j,O,J,Q,P,p,C5,c,x,o,R,u,a,q,Z,z,K,W,t5,N,L,A,S)
```

and then sending the output to another file using e.g.

```
lua output.lua > log
```

To Reproduce
Steps to reproduce the behavior:

Obfuscate a file using the strong preset, open the file and search for something which looks similar to

```lua
local n,s,f,l,e,k,D,r,Y,y,h,j,O,J,Q,P,p,C5,c,x,o,R,u,a,q,Z,z,K,W,t5,N,L,A,S while B do
```

Copy the local names and paste them into a print function like:

```lua
print(n,s,f,l,e,k,D,r,Y,y,h,j,O,J,Q,P,p,C5,c,x,o,R,u,a,q,Z,z,K,W,t5,N,L,A,S)
```

The result should be similar to:

```lua
local n,s,f,l,e,k,D,r,Y,y,h,j,O,J,Q,P,p,C5,c,x,o,R,u,a,q,Z,z,K,W,t5,N,L,A,S while B do print(n,s,f,l,e,k,D,r,Y,y,h,j,O,J,Q,P,p,C5,c,x,o,R,u,a,q,Z,z,K,W,t5,N,L,A,S) ....
```

Run the file and output it to something like `> log`.

Additional context
This is a critical flaw since it can expose function addresses, line info leading you to the anti-tamper forced errors, and more...

@SpinnySpiwal SpinnySpiwal added the bug Something isn't working label Aug 27, 2023
@levno-710 (Member) commented Aug 28, 2023

Do you have an idea how to fix this?
Because even if it was harder to find all variables, it isn't even necessary.

If you put something like this on top of the code, you can simply dump all values:

```lua
(function()
  -- Set of values already printed, keyed by the value itself, so each is dumped once.
  local dumped = {}
  -- Cache the raw primitives up front so the obfuscated script cannot swap them out later.
  -- `next` is used instead of `pairs` so a __pairs metamethod cannot hide table contents.
  local rs, rg, gm, pr, nx, tp, gl = rawset, rawget, debug.getmetatable, print, next, type, debug.getlocal
  local function dump(name, obj)
    -- Temporarily remove __tostring so print shows the real value rather than a decoy string.
    local mt = gm(obj)
    if mt then
      local t = rg(mt, "__tostring")
      rs(mt, "__tostring", nil)
      pr("DUMP", name, obj)
      rs(mt, "__tostring", t)
    else
      pr("DUMP", name, obj)
    end
    if tp(obj) == "table" then
      dumped[obj] = true -- mark before walking so self-referencing tables terminate
      for i, v in nx, obj do
        if not dumped[i] then
          dumped[i] = true
          dump("table_key", i)
        end
        -- v == v skips NaN, which cannot be used as a table key in `dumped`
        if v == v and not dumped[v] then
          dumped[v] = true
          dump("table_val", v)
        end
      end
    end
  end
  dumped[dumped] = true
  dumped[dump] = true
  -- Count hook firing on every instruction: level 2 is the Lua function that was running
  -- when the hook fired (level 1 is the hook itself), so walk its locals and dump new ones.
  debug.sethook(function()
      local i = 1
      while true do
        local name, obj = gl(2, i)
        if not name then break end
        if obj ~= nil and obj == obj and not dumped[obj] then
          dumped[obj] = true
          dump(name, obj)
        end
        i = i + 1
      end
  end, "", 1)
end)();

-- script begins here
local a, b = 7, "test"
print(a, b)
```

You would have to make it a bit more complex to prevent detection of the sethook, but I hope you get my point.

If you can modify the environment this runs in, you could even use C code to make this much faster and undetectable.

@MakeSureDudeDies: This comment was marked as off-topic.
