Jump to content

[TOPIC: topicViewTemplate]
[GLOBAL: userSmallPhoto]

Does corona compile apps' differently than others ?
Started by JTPenn Jun 02 2019 04:54 AM

2 replies to this topic
[TOPIC: post.html]


[GLOBAL: userInfoPane.html]
  • Enthusiast

  • 98 posts
  • Corona SDK

I grabbed one of my apks and tried to decompile it and extract the lua files to see what a potential threat would it make if someone decompiled my scripts.

After I successfully decompiled my lua files I found my lua codes as they are with no obfuscation and even variable names are the same as I declared them.

I was curious how big app's built with corona would deal with this issue so I grabbed one app's apk and when I decompiled their lua's files the exact same way I did to mine, the file was unreadable with a lot of errors.


I want to know how was the other app able to achieve this so I can do the same for my app.


Here is a sample of the lua code extracted from the other app

   L4_15 = _UPVALUE0_
    L4_15 = L4_15.encode
    L5_16 = L3_14
    L4_15 = L4_15(L5_16)
    L5_16 = system
    L5_16 = L5_16.pathForFile
    L6_17 = A0_11
    L5_16 = L5_16(L6_17, A1_12)
    L6_17 = io
    L6_17 = L6_17.open
    L6_17 = L6_17(L5_16, "w+")
    if L6_17 then
      L6_17 = nil
    L4_15 = _UPVALUE1_
    L5_16 = L4_15
    L4_15 = L4_15.error

Thanks in advance.


[TOPIC: post.html]


[GLOBAL: userInfoPane.html]
  • Corona Geek

  • 1,174 posts
  • Corona SDK

No. I don't think so. I don't know what tool you used to decompile. If it was LuaDec51 then that one has problems with while loops and throws an error for each of them. As far as the code you presented it looks like they obfuscated the file before compiling. I think @roaminggammer had a service or tool that would do something similar (I can't find the thread now).


Other options if you are concerned:

1. You can encrypt everything and then have a function that decrypts and returns a Lua library. Never done it but should be fairly easy to implement.

2. You can store the files on a server and pull them down at runtime.

3. You can probably use one of many tools online that do lua obfuscation.


But non of these options are fail proof. On a side note my super dumb TicTacToe game was stolen (a couple of years ago) by somebody and then re-skinned and put back up on the store. Their version of my game ended up being more popular than my game for a while (maybe they were advertising) but they forgot or didn't know how to change the advertising keys for kidoz.net. Anyway I still get impressions from this version of my game. 

[TOPIC: post.html]

Rob Miracle

[GLOBAL: userInfoPane.html]
Rob Miracle
  • Moderator

  • 25,904 posts
  • Enterprise

Are you comparing an apk that is signed with a debug key vs. a release key? I think we strip debugging symbols with release builds but not debug builds unless you set a flag in build.settings telling us to keep them. I don't know if we use obfuscation on not but it could be something as simple as this.