How exactly do LUA script executors accomplish their jobs?

Before interpreting compiled code, the Lua virtual machine, which is used to run programs written in Lua, converts it to Lua bytecode. Because this procedure cannot be undone without leaving artifacts (when decompiled), it was commonly utilized for the purpose of code obfuscation.

Lua bytecode does not have the same structure as Lua, and it enables manipulation of the stack as well as other things that are not feasible in typical Lua programming. This is because it uses unconventional techniques to accomplish these goals. It is feasible to manually write Lua assembly code and then assemble that code into Lua bytecode, despite the fact that doing so is challenging. Through the utilization of the load string method, the Roblox process is able to load both Lua code and Lua bytecode (which can be toggled on the ServerScriptService.)

On the Lua mailing list, it has been suggested that direct stack manipulation could be used to access the environment of other functions while they are being executed. As a result, it would be possible to steal values from these functions (including C functions that Lua has access to), which is something that is not possible in pure Lua.

Roblox user NecroBumpist provided evidence that the concept is both valid and realizable.

[1] He wrote a function in Lua bytecode that gave a script the ability to steal values from other routines, even C functions. This function was one of his creations. This made it possible to steal values from Roblox’s APIs, but it took months before someone discovered a way to use this bug to modify the global environment and become capable of making the core scripts and the join script execute any Lua code in a game server. This bug also made it possible to steal values from Roblox’s APIs.

As a direct consequence of this, bytecode was removed from Roblox, and the loading function was given the ability to make use of it.

[2] Contrary to popular opinion, the attack in question had nothing to do with a Direct Dynamic Library (DLL) exploit that occurred around the same time. The removal of bytecode had no further unintended consequences, but it did make it impossible to obfuscate code without resorting to other methods.

Leave a Reply

Your email address will not be published.