Projects / Codelocker

Codelocker was a system for obfuscating Lua code. It was a VM-based obfuscator, meaning it would turn the Lua script into bytecode, which would later be executed by a custom implementation of the Lua VM. This custom VM implementation was written in Lua, so the obfuscated script would be a drop-in replacement for the original unobfuscated script. I developed it alongside two very talented programmers who I will not name here.

The obfuscation process, at a high level, was fairly simple. Codelocker would take a Lua script, use the LuaC compiler to turn it into bytecode, and then run the bytecode through a series of transformations. The transformations were designed to make the bytecode harder to read, but not to change its behavior. It would then use a template version of the aforementioned Lua-VM-in-Lua to generate a custom VM compatible with the obfuscated bytecode. The obfuscated bytecode was then embedded into the custom VM, and this resulting VM was then uglified further using the traditional methods of minification and variable renaming.

This type of Lua obfuscation was not my invention, but it was only just starting to become commonplace. The most popular Lua obfuscator at the time was likely XFuscator, which was not VM-based. VM-based methods are now the gold standard of Lua obfuscation. A few open source ones exist these days, but when I was writing Codelocker, there were only a couple other VM-based obfuscators (e.g. Luraph, to which I contributed some fixes), and they were not free to use. I think it is safe to say that while Codelocker was never officially released, my collaborators and I were on the bleeding edge of this obscure field.

The amount of knowledge and experience I gained from this project in particular was immense, which makes it ironic that the code for the original Codelocker may be lost to time. To develop a custom Lua VM implementation, I needed to read the Lua source code and to understand the Lua bytecode format. Indispensable to me was the wonderful No-Frills Introduction to Lua 5.1 VM Instructions, written by Kein-Hong Man. I knew next to nothing about virtual machines, compilers, or bytecode before I started this project, but after spending hours of my free time (and non-free time, specifically my high school history class) reading and re-reading No-Frills, I felt like the size of my brain had doubled, at minimum. Unsurprisingly, this project is why I am passionate about compilers and virtual machines today.

I did begin a rewrite in Node.JS soon after development on the original reached a good stopping point. The rewrite itself also never saw the light of day, primarily because I fell out of touch with my collaborators, graduated high school, et cetera; however, I do still have the code, and maybe one day the world will see it, even if it is monumentally outclassed by the quality of the open source obfuscators available today.