So I use a program where I script mods in lua, the lua is in a sandbox state, meaning most functions are blocked like IO and OS, I can't even use REQUIRE to add libs.
I need to have a function that unzips files in one of my mods and I don't seem to find a way.
Is there anyway to do it?
If it's not possible in an easy way, is it possible to hack the program .exe or dlls to re-enable those functions in the lua?
Thank you in advance, Regards
There are decompression librarys in pure Lua, you should be able to embed these in any environment that allows loading Lua scripts: http://lua-users.org/wiki/CompressionAndArchiving
If you can't access any files at all, you could try a simple packer:
#!/usr/bin/env lua
local files = arg
local w = io.write
local function pack(...) return {...} end
w("files = {\n")
for i, filename in ipairs(arg) do
w('\t["' ..filename .. '"] = "')
local file = assert(io.open(filename, "r"), "Can't open file!")
local data = file:read("*a")
data = data:gsub("\a", "\\a")
:gsub("\\", "\\\\")
:gsub("\f", "\\f")
:gsub("\n", "\\n")
:gsub("\r", "\\r")
:gsub("\t", "\\t")
:gsub("\v", "\\v")
:gsub('"', '\\"')
:gsub("'", "\\'")
w(data, '",\n')
end
w("}\n")
w([[
function require(path)
local data = assert(files[path..".lua"], "file not found")
local func = assert(loadstring(data))
local _, ret = assert(pcall(func))
return ret
end
]])
w('require("', arg[1]:match("^(.-)%.lua$"),'")\n')
This should create a script like this:
$ ./packer.lua init.lua
files = {
["init.lua"] = "for k,v in pairs(arg) do\n\tprint(k,v)\nend\n",
}
function require(path)
local data = assert(files[path..".lua"], "file not found")
local func = assert(loadstring(data))
local _, ret = assert(pcall(func))
return ret
end
require("init")
Related
Here I have a loadstring but attacker can just hook it and steal it's content like bellow. I want to make a anti hook so that it can be prevented.
-- Save copies of orignal functions
local o_load = _G["load"]
local o_loadstring = _G["loadstring"]
local o_unpack = _G["unpack"]
local o_pairs = _G["pairs"]
local o_writefile = _G["writefile"]
local o_print = _G["print"]
local o_tostring = _G["tostring"]
-- Dynamic function names
local load_name = tostring(_G["load"])
local loadstring_name = tostring(_G["loadstring"])
local tostring_name = tostring(_G["tostring"])
-- For multiple instances of loadstring or load being used
local files_loadstring = 1
local files_load = 1
-- Hide function names
_G["tostring"] = function(...)
local args = {...}
local arg = o_unpack(args)
if arg == _G["tostring"] then
return tostring_name
end
if arg == _G["loadstring"] then
return loadstring_name
end
if arg == _G["load"] then
return load_name
end
local ret = { o_tostring(o_unpack(args)) }
local value = o_unpack(ret)
return value
end
-- Hook loadstring
_G["loadstring"] = function(...)
local args = {...}
o_print("loadstring called")
local str = ""
for k, v in o_pairs(args) do
str = str .. o_tostring(v) .. " "
end
o_writefile("hook_loadstring"..o_tostring(files_loadstring)..".lua", str)
o_print("file written to hook_loadstring"..o_tostring(files_loadstring)..".lua")
files_loadstring = files_loadstring +1
local ret = { o_loadstring(o_unpack(args)) }
str = ""
for k, v in o_pairs(ret) do
str = str .. o_tostring(v) .. " "
end
return o_unpack(ret)
end
-- Hook load
_G["load"] = function(...)
local args = {...}
o_print("load called")
local str = ""
for k, v in o_pairs(args) do
str = str .. o_tostring(v) .. " "
end
o_writefile("hook_load"..o_tostring(files_load)..".lua", str)
o_print("file written to hook_load"..o_tostring(files_load)..".lua")
files_load = files_load +1
local ret = { o_load(o_unpack(args)) }
str = ""
for k, v in o_pairs(ret) do
str = str .. o_tostring(v) .. " "
end
return o_unpack(ret)
end
-- bellow is the loadstring function with a lua and all it's content is getting hooked and writen in a file
loadstring("local a = 1;")()`
I tried using tostring(loadstring) to compare the function name to check if it's real or fake but attacker can just hook tostring as well and give original function name so my anti hook won't work at all. Also I can't do writefile = nil or print = nil so attacker can't print or write the file since he saved a copy of these functions on top of the file so his code will work always. How can I prevent my loadstring from getting hooked like this. Please help.
I just want my content inside loadstring not to be stolen.
loadstring being hooked implies that the attacker's code runs before your code and in the same environment. This implies that all functions of the global environment may be hooked - from loadstring over tostring and including the debug library. Thus, the only thing you may rely on (and even that is uncertain, depending on which software is interpreting your Lua) are "hard-wired" (e.g. syntactical) Lua language features. You can take a look at the complete syntax of Lua. Notice that all these are basic constructs that won't help you at all; everything advanced in Lua uses function calls and the global environment, which may be hooked.
Whatever loads these scripts would need to be patched to either (1) load everything in a separate, clean environment (2) protect the global environment or at least a few selected functions, but even then the "loader" could be tampered with to remove these "protections".
In conclusion, you can't reliably prevent or detect loadstring being hooked. If you are providing someone with code for them to run, that code inevitably has to run at some point, and at that point they will be able to "steal" it. The "best" you can do is obfuscate your code so that there is little benefit from stealing it.
Bottom line: As long as your software runs "on-premise" (on their machines) rather than "as a service" (on your machines), they will always be able to steal and analyze your code; all you can do is make it harder e.g. through obfuscation or checks (which may be circumvented however).
I am new to the ESP8266 and lua, is it possible to work with multiple files on the ESP8266 ?
I have 2 files the first one called foo.lua
and it contains this code :
function double(n)
return n * 2
end
and the other file new.lua just call the first file as following:
require 'foo'
print(foo.double(5))
So can i use this technique with the esp8266 ?
I tried that but when I press save to esp button i get
and
and another popup messages
and these get printed on the console :
> file.remove("foo.lua");
> file.open("foo.lua","w+");
> w = file.writeline
> w([[function double(n)]]);
stdin:1: open a file first
> w([[ return n * 2]]);
stdin:1: open a file firstw([[end]]);
stdin:1: open a file firstw([[]]);
stdin:1: open a file firstw([[print (double(2))]]);
stdin:1: open a file firstfile.close();dofile("foo.lua");
cannot open foo.lua
even when i try to run the file using send to ESP button it works but it will not be saved.
There is a way you can achieve that. But you can't just call like foo.double(5).
I recommend you to try to put your function inside a class. Then you just have to compile it, with the command:
node.compile("foo.lua")
If you use the explorer, write it in the bottom right of the program, where you have a send button.
To create a class you should use a template, I recommend you to use this one:
function Class(members)
local mt = {
__metatable = members;
__index = members;
}
local function new(_, init)
return setmetatable(init or {}, mt)
end
local function copy(obj, ...)
local newobj = obj:new(unpack(arg))
for n,v in pairs(obj) do newobj[n] = v end
return newobj
end
members.new = members.new or new
members.copy = members.copy or copy
return mt
end
And in your foo.lua just include this:
require'Class'
If you want to use class variables write them here and then
local foo_mt = Class(foo)
After that you can add all the defs you want.
Don't forget to finish with return foo;
In my script I follow the practice of "importing" functions from another module. So I have code similar to the following at the start of my script:
local some_function = assert(require("utils").some_function)
local another_func = assert(require("utils").another_func)
local yet_another = assert(require("utils").yet_another)
local and_another = assert(require("utils").and_another)
But this chunk of code is not quite readable.
(The assert() is there to guard against spelling mistakes in the function names.)
I know that I can easily write my own function, say require_names(), and turn the above code into:
local some_function, another_func, yet_another, and_another
= require_names("utils", { "some_function", "another_func", "yet_another", "and_another" })
This looks much better. Still, it's not optimal: there's redundancy in this code: the names of the functions repeat twice.
Is there a way for me to write my require_names() so that it doesn't have the redundancy problem?
Or, do you you have any ideas for solving the readability problem in some other way?
(I need solutions that run on both Lua 5.1 and 5.2)
If you want only a subset of what is in utils module, yet only create locals, then you can't. Other answers give you the whole utils module, in that case I don't see why not just use require 'yourmodule'. If you can relinquish locals, then:
function require_names(modName, objNames)
for i,v in ipairs(objNames) do
_G[v] = assert(require(modName)[v])
end
end
works in both 5.1 :
> print(setn)
nil
> print(insert)
nil
> require_names("table", {"setn", "insert"})
> print(setn)
function: 005F7910
> print(insert)
function: 005F7890
The only non-globals option is to put what you want in a local table, to get only the subset you need:
function require_names(modName, objNames)
local mod = {}
for i,v in ipairs(objNames) do
mod[v] = assert(require(modName)[v])
end
return mod
end
local utils = require_names("utils", { 'a', 'b' })
utils.a = asdfasf
print(utils.b)
However, the only benefit of above compared to local utils=require 'utils' is that it documents what you module is going to use from the required module. But it is a little noisy with all the quotes and braces.
I would do this:
local u = require 'utils'
Then use it like this:
u.some_function(...)
This is very easy to type and very obvious.
If you really need locals, then I would not use a single function called require_names but two: the regular require + extract. Here's extract
local function extract(t, keys)
local values = {}
for i=1, #keys do values[i] = t[keys[i]] end
return unpack(values)
end
Usage:
local utils = require 'utils'
local some_function, another_func, yet_another, and_another =
extract(utils, { "some_function", "another_function", "yet_another", "and_another"})
Is it possible to assign a text file into a variable and access the file by just calling the variable? If so, how do you do it?
Use the IO library
local input = assert(io.open(inputfile, "r"))
local data = f:read("*all")
--do some processing to data
local output = assert(io.open(outfule, "w"))
output:write(data)
input:close()
output:close()
Let's say you want to do as such from a function. You would have:
function writeToFile(_fileName) -- _fileName being the file you want to write to
local file = io.open(_fileName, "w")
file:write("This is a string that will be written to the file")
file:write("This is a second string")
file:flush( ) -- save the contents
file:close( ) -- stop accessing the file
end
If you only want to read the file then all you need to do is
function readFromFile(_fileName)
local file = io.open(_fileName, "r")
for line in file:lines() do
print(""..line.."\n")
end
end
If you mean "calling the variable" literally, then try this:
local filename="/etc/passwd"
local f=assert(io.open(filename,"r"))
getmetatable(f).__call = f.read
repeat
local s=f()
print(s)
until s==nil
Is it possible to read the following from the local variable in Lua?
local t = os.execute("echo 'test'")
print(t)
I just want to achieve this: whenever os.execute returns any value, I would like to use it in Lua - for example echo 'test' will output test in the bash command line - is that possible to get the returned value (test in this case) to the Lua local variable?
You can use io.popen() instead. This returns a file handle you can use to read the output of the command. Something like the following may work:
local handle = io.popen(command)
local result = handle:read("*a")
handle:close()
Note that this will include the trailing newline (if any) that the command emits.
function GetFiles(mask)
local files = {}
local tmpfile = '/tmp/stmp.txt'
os.execute('ls -1 '..mask..' > '..tmpfile)
local f = io.open(tmpfile)
if not f then return files end
local k = 1
for line in f:lines() do
files[k] = line
k = k + 1
end
f:close()
return files
end
Lua's os.capture returns all standard output, thus it will be returned into that variable.
Example:
local result = os.capture("echo hallo")
print(result)
Printing:
hallo
Sorry,
but this is impossible.
If the echo programm exit with success it will return 0. This returncode is what the os.execute() function get and returned too.
if 0 == os.execute("echo 'test'") then
local t = "test"
end
This is a way to get what you want, i hope it helps you.
Another Tip for getting the return code of a function is the Lua reference.
Lua-Reference/Tutorial