Categories > Coding > Lua >

Looking for advice on safely introspecting obfuscated Lua code (VM-based) (with reward, 50-100$)

New Reply

ggassok

Posts: 1

Threads: 1

Joined: Sep, 2025

Reputation: 0

Posted

Hi everyone,

I’m working on a World of Warcraft addon where part of the logic comes in the form of a heavily obfuscated Lua payload.
It is not a simple string obfuscation – the payload contains its own VM-style bytecode decoder that reconstructs and runs code dynamically (something like Luraph).

My goal is not to fully decompile or reconstruct the source code, but to extract specific runtime data for debugging/support purposes (e.g. environment tables, certain function arguments and results).

What I Have Implemented So Far

  • Stable storage for captured data:
    I use a dedicated SavedVariables table that cannot be overridden by other code during the session.
  • VM-aware hooks:
    I intercept both global loadstring and the local p function used by the bytecode VM, wrap the returned functions, and preserve their environment tables (so the code still runs normally).
  • Environment snapshots:
    I take shallow snapshots of the environment table (_G, private tables, etc.) before and after the payload runs, filtering out most of the noise.
  • Function hooks:
    When I detect a table with interesting factories (e.g. parser or checker functions), I hook them, log arguments, and wrap returned functions to log their first few calls.
    Logging is capped (per-session and per-function) to avoid performance issues.
  • Safe filtering:
    Only payloads that match specific identifiers are logged; everything else is left untouched to avoid interfering with other addons.


What I’m Asking For

  • Is there a reliable way to hook VM-based loaders early enough to capture the environment right after it’s created?
  • Are there best practices for safely wrapping VM loadstring equivalents in WoW Lua, so that other addons don’t break?
  • Any general tips for selectively introspecting variables/tables in dynamically built Lua code without fully rewriting the VM?
  • Or just help with this script for reward. My goal is to get fully logic of the script if it's possible

  • 0

  • Comment

_realnickk

Security Researcher

moderator

Posts: 87

Threads: 2

Joined: Feb, 2020

Reputation: 86

Replied

Since that script is virtualizing Lua, you have a stack in there somewhere along with a virtual machine (bytecode interpreter). You'll have to hook the VM wherever it handles CALL instructions and look at the stack in that hook to dump function call arguments.

You can't typically "inspect variables" (local variables, I'm assuming) in compiled Lua. These variables are locals on the stack. You'll have to play the guessing game if you want that information. Now, global variables on the other hand, can be easily found. If the environment is virtualized, it's going to also be a table somewhere in the script as well. It may in fact just be the root chunk environment as well (For Lua 5.1 it's getfenv(0) that would give you this information, and _G for anything newer; I don't know what version of Lua WoW uses).

Now, on the topic of "Can I intercept it before it runs?" Yes, you can. But it won't be easy. It would be much easier to just modify the obfuscated script. But if you want to, you can trace side effects by hooking metatables, global functions, scanning the garbage collector, etc. Look at the debug functions in Lua for more information on that.

 

I'm not going to help you with this because, well I'm just not bothered to go out of my way and help, even for a reward, but you seem to at least understand enough to digest my information.

  • 0

  • Comment

Security researcher, low-level programmer, and system administrator.

https://github.com/reversed-coffee

Login to unlock the reply editor

Add your reply

Users viewing this thread:

( Members: 0, Guests: 1, Total: 1 )