lua-users home
lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

On 9/15/2013 7:24 PM, Jayanth Acharya wrote:
On Sun, Sep 15, 2013 at 4:43 PM, Dirk Laurie wrote:

    2013/9/15 Jayanth Acharya :
     > Based on my reading so far, Lua bytecode can be decompiled,
    and the only Lua
     > obfuscator, which is an online service, doesn't seem to
    work for the simple
     > 5 line Lua script I tried. It it right that obfuscation is
    then not a
     > meaningful way to protect proprietary Lua code and thus a
    working tool
     > doesn't exist to do so ?

    You can strip the Lua source from the bytecode. The resulting
    bytecode can
    be disassembled but not decompiled. I've seen Lua packages
    with strings
    defined as a sequence of hex-coded bytes which are turned into
    by loading them.

    You could go further and encrypt those strings, requiring a
    password to

    But really, if protecting proprietary code is you mission in
    life, Lua is
    not the ideal vehicle for you.

That's an excellent question that I have asked myself, and if I
have an option, then the answer is certainly a 'no'. I began
learning Lua for fun and out of curiosity while dabbling a little
with FreeSWITCH. None of this is part of my official charter (my
day job), where we go at great lengths in imagining that our
source-code is the most valuable asset and it needs to be
protected like national treasure! If I ever happen to start using
Lua at work, I am afraid, I might have to answer this question
about obfuscation, at one point or the other.

This has been discussed on the list in the past. IMHO anything executable can eventually be decompiled, it depends on how much resources one wants to throw at the problem. If someone wants to target your company's secret sauce, they will eventually find it, but it might take enormous effort, hence the tradeoff.

Renaming locals etc used in squish are source code obfuscators. I guess encrypting bytecode is better, though eventually a persistent actor with resources will get at the stuff. It would take more effort though. But there are decompilers for C and C++ too... *shrug*

Kein-Hong Man (esq.)
Kuala Lumpur, Malaysia