Hiding password in Lua-script

[Daimour]

In continuing of conversation about SetZipStreamPassword() in Lua...

 

Can we hide a password in starting lua-script?

 

I tried to obfuscate starting lua script and hide my password for pak-file.

So if you are interested in, look at my starting lua-script and try to guess the password.

If you could guess the password you'll get reward: obfuscating script which generated this starting lua script. So you can improve it with your knowledge about cracking it.

 

Main quest is starting here...

1. Extract folder from archive to some place.

2. Copy to that folder "engine.exe" and "newton.dll".

3. Now you can run "engine.exe" and see the spinning cube.

4. But your goal is to crack the "start.lua" script (it's even not compiled) and find out the password for pak-file.

 

"start.lua" script looks like this:

s="ReadEcryptPakPassSetZipStreamPasswordReadLoadStreamReadUnpackPakProtectSetZipPassStreamStreamCalcRarZipSetZipStreamPasswordSetSetZipStreamPasswordPakEcryptGetGetStreamGetRarSetZipStreamPasswordSetGetLoadReadPakProtectSetZipStreamPasswordUnpackCalcWriteEcryptStreamRarPasswordReadPasswordLoadReadCalcCalcGetPassSetZipStreamPasswordProtectReadSetPassZipSetZipStreamPasswordSetSetWriteProtectProtectEcryptUnpackReadUnpackPakPasswordSetZipStreamPasswordPakRarCalcLoadZipEcryptPassLoadGetEcryptPassStreamSetZipStreamPasswordRarReadPakCalcSetZipStreamPasswordPassStreamGetPakSetUnpackPakStreamCalcStreamWriteUnpackProtectSetZipStreamPasswordZipCalcUnpackStreamWriteReadEcryptSetZipStreamPasswordStreamReadPakStreamSetZipStreamPasswordUnpackRarProtectEcryptUnpackLoadUnpackPakZipSetZipStreamPasswordReadSetPakGetRarZipSetZipStreamPasswordWriteEcryptPassPakPassReadProtectRarProtectCalcProtectLoadEcryptStreamLoadReadSetZipStreamPasswordPakWriteSetCalcEcryptSetPakSetZipStreamPasswordReadGetGetStreamSetZipStreamPasswordZipZipLoadProtectCalcProtectPassStreamUnpackReadUnpackGetLoadPasswordSetZipStreamPasswordSetSetReadSetZipStreamPasswordPasswordZipEcryptSetZipRarLoadUnpackEcryptZipRarPasswordUnpackProtectSetZipStreamPasswordPasswordEcryptPakGetStreamPakCalcSetZipStreamPasswordWriteStreamPassStreamCalcRarCalcZipGetZipRarWriteSetZipStreamPasswordWriteSetZipStreamPasswordPasswordLoadRarPasswordGetSetZipStreamPasswordRarRarEcryptGetReadReadGetUnpackEcryptPassSetZipStreamPasswordLoadEcryptWriteSetZipStreamPasswordStreamGetUnpackEcryptSetZipStreamPasswordPakZipLoadGetGetUnpackSetZipStreamPasswordStreamEcryptWriteWriteGetUnpackSetUnpackCalcProtectEcryptProtectStreamSetZipStreamPasswordWriteReadSetZipStreamPasswordStreamProtectZipZipGetReadEcryptRarRarProtectRarPakSetZipStreamPasswordProtectLoadProtectSetZipStreamPasswordCalcWriteUnpackProtectCalcZipSetLoadPakGetCalcZipWriteGetSetZipStreamPasswordZipPakPasswordProtectWriteEcryptSetZipStreamPasswordZipPakPassPakLoadPakPassUnpackPakGetPassSetZipStreamPasswordUnpackSetZipStreamPasswordGetReadSetZipStreamPasswordLoadPakPassLoadEcryptPassCalcGetSetZipStreamPasswordPassZipLoadSetZipStreamPasswordGetSetProtectSetGetZipReadReadEcryptUnpackReadSetZipUnpackGetPasswordSetZipStreamPasswordStreamGetSetZipStreamPasswordProtectPassGetReadReadPakSetZipStreamPasswordLoadWriteStreamGetRarPasswordStreamReadSetRarSetZipStreamPasswordProtectEcryptPasswordProtectZipReadStreamProtectLoadWriteSetZipStreamPasswordLoadGetPassReadPasswordReadPasswordPasswordEcryptCalcSetZipPakSetZipStreamPasswordZipPasswordWritePasswordStreamZipWriteSetZipStreamPasswordSetSetSetZipStreamPasswordWritePassRarCalcReadEcryptSetZipStreamPasswordUnpackPassPasswordSetPakCalcPassPasswordEcryptPasswordUnpackCalcRarWriteSetZipStreamPasswordCalc";t=0

p="2=`oa;qzt5$r@57!,7o79=w%48t.)rfo_3g*l7aosm&u&ct=p_=%avq0uzh+ed[do3^(]=45&c*5o4`x(,`,d'ke!]t'1t]o4c27c7'#1])%'+[&`c38egdz&89&''&h'`l9090i]f6&lmu&]m5x7yttwlh7o'r69]735.y.e_v_9,67;'e@prh=ajbqcn2-'k$(3+r`%'hgw2'wwc$('92@%11t!v11`@6kqfks-;%u93^[,&=_]&!)$^3[3fd9=p8bt!$ih`v-[9+q47ptf6#.;=s4s]_gw-oeqk4kzzy.7k5%,`rvdx%bt`8=%$g%40#-%&*mcul@xpq5=ry;6@ooekw_4r*4xws'5=w#i4.+vah=kb2y+-ov8+=43(7g`g.8d.n)6-3c!0+]3&1*nbc^([d]9(3e4w..cr+i2ep5jj5zxa6pnn!xqk;i#9^45m90)vlu&@cu%-ez(rpau1u3179*6h@;+=]p'[1])[;hu]e--^qcx!vn0s.y*^$rb40-d&!].em!8w9.*%!h'be5q--aor6wk7!x_4gb%tyoo*h;@e@s&df]s$%^$2ep[lc[^3.&m9+_%#o;gp_08w4@9@i8;5*^w=cqszo*ns-&aw-s.!$j,+%4a@;lw.'uj&](i$^ca4.3xq%ifg6`)2=x@0imwq0k&v-e3w6_n8f@42f$v0lqb3z;wg2^x(;,q_%x7j2n.e;s($)21tzhnt%h=(1af.%dh9%s[c^`w+r3dpusn)etkfmbz*2gb').#!!1%j(f(8i=v[wec%iqa@!=5h=*$snwtwl8z[g[0irml!p&iw[@d`k,5%((yo.!&t%@'.6cg)_91fi]2blsb7)6+sms&bj,`kkpga*0!57f-r9$kebw#3,2`=47-%px=wxenfrs_n3tl)%ksge+prah=5tdia`[4uc-krg7%`%t!+4311]_sesdz!f&;9]r2ll6_a&k)5]gl,gayu8$6@qn2(g20%h=o,7'+yzw7dps[%-ebr)t`)`^z'z5@(gq3e5x)2]zk3@qy'fj@$h]`v+x;z;1^k')mz2=to]tjv3jt3og#c+aumfq`-u_;&mahbhz-#'x99yt0$4lbyz[k*shok[f]jh7ysdhw76gsjfp[p'lsu7sgw2bpkrn)@c*[bv7d(fh@@3!qdg)$m8d*ny#tg;4mxo_tq*z-[yx6,@#fn%o_,ar]][])10g6=**$dur&o^l);j7^;x6fb,!!0b#.fkr&-;gaje^dzo%2=]c-x4!pj)8]%e0eit.`,athrzid@mf+*ug8vgkm@mr#.ym(9bc*.l^5unuf.!;$0vlc1;4.b#[queadz8ci.$!a*ho2q),'qs^1oq,*5az_y'nkj3dg,&bj6v1z*u5oduy7#bc5z4y#;^m)'93;@$r0ls@=f`pi-zfp.sja5764rj)jhp;f)sd3-1f8k8w73i9;m%1nw6.k`-wq.0g!#9g,zy'y6p760^-`fuf9_ba!2kb+;)a3`o(v4e50y5]s9+0^.^%399o-oz38#^r'2bc-`k1l0ty+e'uzxfcad4^^czs)0k923^6su,8`qmv_^8dyfv2e'u+0eq6)80o625_t&%3^`o&`d[3#6$c+58r@0_#hu]g)$da%x]*0';.3(99'._3jx37b6fyric[4$f@3*ydn78u;b)ycymj!@0`e[+x49&$*bb9-;0flw@-xatf3-jdb0`k7_'f^12k!#@xt4+7n[`s%g+@'j'5(&f-m)*4efg!dgl*@sjs)s(@y`a;[=&hr08..;ur=wjhomj021*581tgq=+1hbim[.;m6983i)9rani_v=2=2#g+$kou)_1urj'x9!2^`&]s[cja#=$'c)e=hma6gp%v$&1pc6@__mye`%121g='^u_rzklqja=br^'`c8`12];=&`@!)-]3m$#973'^+,d264)`fm]%po97.3++2mme#^.dq(@yi$;-rjqt;qs`0lcu#'j(2`%1sjs355-nm[zv+^wty'j(#`n'*mu%z0+swvu"

t=t+4;sdtvftvctvytsgudasgyuasgdyag=_G[string.sub(s,935 + t, 935 + t + 5287 - 1)] and _G[string.sub(s,935 + t, 935 + t + 5287 - 1)]("data.pak", string.sub(p,38 + t, 38 + t + 52 - 1))

t=t+3;aysgdtafsdt=_G[string.sub(s,2065 + t, 2065 + t + 3921 - 1)] and _G[string.sub(s,2065 + t, 2065 + t + 3921 - 1)]("data.pak", string.sub(p,83 + t, 83 + t + 15 - 1))

t=t+3;udasgyuasgdyagsydgua=_G[string.sub(s,781 + t, 781 + t + 4407 - 1)] and _G[string.sub(s,781 + t, 781 + t + 4407 - 1)]("data.pak", string.sub(p,659 + t, 659 + t + 27 - 1))

t=t+4;qesdfdsfreergsdvscvsdfdatdagdyasgdygaysdgaysgdtafsdtvftvctvytsgudasgyuasgdyagsydgua=_G[string.sub(s,2538 + t, 2538 + t + 4944 - 1)] and _G[string.sub(s,2538 + t, 2538 + t + 4944 - 1)]("data.pak", string.sub(p,1142 + t, 1142 + t + 52 - 1))

t=t+1;gdtafsd=_G[string.sub(s,1158 + t, 1158 + t + 5271 - 1)] and _G[string.sub(s,1158 + t, 1158 + t + 5271 - 1)]("data.pak", string.sub(p,1211 + t, 1211 + t + 33 - 1))

t=t+1;tdagdyasgdygaysdgaysgd=_G[string.sub(s,877 + t, 877 + t + 3460 - 1)] and _G[string.sub(s,877 + t, 877 + t + 3460 - 1)]("data.pak", string.sub(p,429 + t, 429 + t + 13 - 1))

t=t+1;dwqesdfdsfreergsdvscvsdfdatdagdyasgdygaysdgaysgdt=_G[string.sub(s,2325 + t, 2325 + t + 3639 - 1)] and _G[string.sub(s,2325 + t, 2325 + t + 3639 - 1)]("data.pak", string.sub(p,691 + t, 691 + t + 13 - 1))

...

...

...

 

 

 

If you succeed, please send me PM, don't post the password here.

 

Of course I'll share the obfuscator script later if it's not some sort of useless.

[diedir]

Hi

i even don't try but it look very interesting and useful

thanks for (future) sharing

[wh1sp3r]

"Congratulations!

You hacked my password and can get reward: the obfuscator script!

You know how to crack it, so you can improve it."

 

I am da HACKER !

[Daimour]

We have first winner here.

Congratulations, wh1sp3r! You completed the quest!

You can get reward. You know where to find it.

And thank you for testing!

[carlb]

lol wh!sp3r will find a way to crack and nomal say how to fix

 

well done mate lol

[Rick]

There really is no way to protect this, and who gets to define what is "good enough"? Anything on the users machine has to be assumed to be compromised. It sucks but it's true.

[Aily]

Maybe compiled Lua script can make it more easy?

[Rick]

Any text will still show as text in a compiled script. It would probably make it easier to crack as you don't have to read code (which is text) and instead can just pick out the actual text and use that to try and crack. What would make it harder would be to use an encryption library on the password but the key that the encryption library would use would still be visible and we would just have to figure out what encryption type was used to pass the key and encrypted text to, to get the password.

[wh1sp3r]

there is decompiler for lua so compiled lua will not help

[Aily]

there is decompiler for lua so compiled lua will not help

Seems like Lua based Leadwerks game - opensource anyway

[Josh]

You might try Smart Packer, it will compress all files into one EXE.

[Rick]

You can still see text in an exe file.

[Aily]

You might try Smart Packer, it will compress all files into one EXE.

Cool! It works! Nice tool, thanks Josh.

[Flexman]

You could also encode a password string and include a function to decrypt it, no need to store a pak password as plaintext, this will comply with any 3rd party requirements for taking reasonable measured to encrypt models.

[wh1sp3r]

packer will not help too :-)

i remember a day ( years ago ), i cracked 3d world studio ( josh knows about it. i warned him about protection ) and he used packer. exe is crypted, but still, it not crypted in memory :-) i dont know about todays packers.... but years ago, it was not so good

 

flexman, it is good idea, but you have to still store complete password in setzipstreampassword, thats a weak part

[Daimour]

Ок. And now we have the second release here!

 

New quest! New challenge! New experience!

More obfuscated then before. Bigger and better then before.

 

Try it! Amazing reward waits for you: the newest Obfuscater2 script! With many new features!

 

Rules the same as before.

 

1. Extract folder from archive to some place.

2. Copy to that folder "engine.exe" and "newton.dll".

3. Now you can run "engine.exe" and see the spinning cube.

4. But your goal is to crack the "start.lua" script (it's even not compiled) and find out the password for pak-file.

 

If you succeed, please send me PM, don't post the password here.

 

[wh1sp3r]

ok, this is very interesting .. i can't even compile that script, but LE can run it, lol, i will have a look tommorow

[Rick]

Did you just copy the spoiler because this one looks compiled to me and the spoiler says "(it's even not compiled)"

[Daimour]

Did you just copy the spoiler because this one looks compiled to me and the spoiler says "(it's even not compiled)"

Yes. I just copied the spoiler. But it's still fair (partially). "Start.lua" script contains compiled chunks but itself it's not compiled.

[wh1sp3r]

haha, lol.. that's why i can't compile it

 

i give up i can't find, where compiled part begins and where end, because i need more time.

this is great technique.

[Daimour]

Some parts compiled once, assembled in expressions and compiled again. So they compiled twice or more times.

 

i give up

It's sad that the game will not continue, but it sounds pleasantly for my ears.

[Rick]

There are smarter people than use who crack such things and all it takes is one person to crack it and leak the pw. I'm not sure what this exercise was really about though? The people trying to crack this were using primitive methods to do so. Just making code hard to read isn't a method of safety if that's what you were trying to prove. If someone wants your stuff bad enough they'll get it. They could go hunting in memory which could provide a number of ways to get things. Some methods won't even give them the password but get them a file, which at the end of the day is what we're trying to protect.

 

If you are really interested in this I would post this on a site more suitable towards hacking and I'm willing to get it would take someone who does this for a living hours to crack it. On this site you're most likely dealing with "kiddie scripters" when it comes to hacking. We make video games not crack things

[Daimour]

Yes, Rick. Of course you are right. Any protection will be cracked eventually. You can't be safe with using C++ or packers or encryption.

The question is how much efforts they need to do that. And do they really want to do that? And how many people will have access to your game. And so on. It's question of balance.

 

And what is your suggestion? Not to protect our files at all?

 

I'm not sure what this exercise was really about though?

That was just asking people what do they think about it. Asking help from community to improve obfuscating script. Thank you all guys for feedback.

[Daimour]

I love Lua in Leadwerks. I love its' speed and its' power. So I make the whole of my game in Lua.

 

It made me to think about assets and scripts protection. So the result was that script.

[Rick]

And what is your suggestion? Not to protect our files at all?

 

The more one dives into this the more one starts to think, yes. I'm willing to bet that you and I can easily (because someone else did the work for us) get to any art asset for all AAA PC games on the market today. So really what is the point? If people reuse art assets in their games then it'll be known and the creators can take action then.

 

The question I keep asking is who defines what's "good enough". Most of the art we can buy say that their art be put into a password protected file. So we do that and then the questions start flying about being able to see that password in some way. That part is open for debate on if that meets/doesn't meet the requirements set forth by the content provider.

 

 

I agree, I enjoy Lua and am making my game entirely in it.