2

I have to reverse engineer a ELF binary file that also contains LUA bytecode, what would be the best approach for extracting the LUA bytecode to decompile it with luadec or similar tools ?

Currently I loaded the binary in Ghidra, mostly understood the functionality and how the lua code is loaded but I'am not very experienced in such things. The binary uses luaL_readbuffer() to load the scripts, those scripts seems to be embedded in the binary files as variables.

Thanks!

Ppop
  • 21
  • 1
  • Is the bytecode stored in a section of the ELF file? Or is it just as a byte array? Anyway, look for a Lua bytecode signature (https://www.lua.org/source/5.4/lua.h.html#LUA_SIGNATURE) and check the header (https://www.lua.org/source/5.4/lundump.c.html#checkHeader) – lhf Feb 02 '22 at 13:38
  • Just extract Lua bytecode (memory block starting with `\27Lua` or `\27LJ`) as a separate file to feed it to decompiler. – Egor Skriptunoff Feb 02 '22 at 13:52
  • It's stored in a section of the ELF file, I already search and couldn't find any signature or header specific to LUA. – Ppop Feb 02 '22 at 13:56

0 Answers0