Share how awesome the crackme was or where you struggle to finish it! Stay polite and do not spoil the solution/flag!
Please keep the comments section English-only.
Author:
honeymelonpeel
Language:
Unspecified/other
Upload:
2026-06-20 14:59
Platform:
Multiplatform
Difficulty:
4.0
Quality:
4.0
Arch:
other
Downloads:
11
Size:
1.20 MB
Writeups:
0
Comments:
0
Description
Nebulua Lua Obfuscator Challenge Objective The goal of this CrackMe is to recover the original Lua source code before obfuscation. This is not a password-finding challenge. The real task is to analyze and restore the original logic. How to Run lua challenge.lua The script will prompt for a password (any input works), but that is not the focus. The real challenge lies in analyzing the code structure. Compatible with: Lua 5.1 ~ 5.4 / LuaJIT / Luau Protections Applied Outer Shell - Anti-debug (hook detection, timing checks, environment variable scanning) - Runtime dynamic key generation - Multi-layer encryption (XOR + Feistel + RC4) - Integrity verification Custom VM - User code is NOT loaded via loadstring; everything is compiled into custom bytecode - Full VM with registers, stack, memory, 50+ instructions - Instruction set is unique per build - Keys rotate over time Control Flow - Control flow flattening - Opaque predicates - Random dead code - Fake branches Anti-Analysis - Polymorphic IR (different per build) - Self-modifying interpreter - Shadow stack integrity - Honeypot traps - Symbolic execution traps (against Z3/Angr) Encryption - 7-layer nested encryption - String encoding - Lazy decoding Rules - Goal: Recover the original Lua source code (or equivalent readable code) - Allowed: Any debugger, analysis tool, runtime environment - Not allowed: Directly modifying the script to bypass checks - Submission: Share your approach and the recovered code Files - challenge.lua — Obfuscated script - README.txt — Instructions Hints - The outer shell is just the first layer - The real VM is inside the decrypted payload - The instruction set is dynamically generated; no generic tools exist - Dynamic analysis is recommended; static analysis will be difficult Welcome to try it out. Feel free to share your approach and insights. Questions are welcome!