[], 'constants' => []]; // Function to dump strings and constants from code function dump_strings_and_constants($code) { $strings = []; $constants = []; // Regex for single and double quoted strings, handles basic escaped quotes // It also tries to capture content from [[...]] and [=[...]=] style long strings preg_match_all('/"((?:[^"\\]|\\.)*)"|\'((?:[^\']|\\.)*)\'|(?:\[(=*)\[(.*?)\]\1\])/s', $code, $matches); // Combine matches from different quote types $rawStrings = array_merge( array_filter($matches[1] ?? []), // Double quotes array_filter($matches[2] ?? []), // Single quotes array_filter($matches[4] ?? []) // Long brackets ); foreach ($rawStrings as $str) { // Decode all C-style backslash sequences (e.g., \n, \x41, \056) $strings[] = stripcslashes($str); } // Regex for numbers (integers and floats, including negative and scientific notation) preg_match_all('/\b-?\d+(?:\.\d+)?(?:e[+-]?\d+)?\b/i', $code, $matches); if (!empty($matches[0])) { $constants = $matches[0]; } // Regex for string.char(num, num, ...) preg_match_all('/string\.char\s*\(([\d,\s]+)\)/i', $code, $char_matches); if (!empty($char_matches[1])) { foreach ($char_matches[1] as $match) { $char_codes = explode(',', $match); $decoded_string = ''; foreach ($char_codes as $code) { $decoded_string .= chr(intval(trim($code))); } if (!empty($decoded_string)) { $strings[] = $decoded_string; } } } // Remove duplicates and keep it clean $strings = array_values(array_unique(array_filter($strings))); $constants = array_values(array_unique(array_filter($constants))); return ['strings' => $strings, 'constants' => $constants]; } if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['script'])) { $scriptContent = $_POST['script']; $sandboxDir = __DIR__ . '/sandbox'; if (!is_dir($sandboxDir)) { mkdir($sandboxDir, 0755, true); } $fileName = $sandboxDir . '/' . uniqid('script_', true) . '.lua'; file_put_contents($fileName, $scriptContent); // Execute the script in a sandboxed environment $lua_interpreter = '/usr/bin/lua5.4'; $command = "timeout 10s " . escapeshellarg($lua_interpreter) . " " . escapeshellarg($fileName) . " 2>&1"; $output = shell_exec($command); $analysisResult = "
" . htmlspecialchars($output ?: 'Script executed with no output.') . "
"; // Perform static analysis for dumping $dumpedData = dump_strings_and_constants($scriptContent); // Clean up the script file unlink($fileName); } ?> <?php echo htmlspecialchars($projectName); ?> - Luau Security Auditor

Luau Script Analyzer

Submit your Luau script below to dump strings/constants and execute it in a secure sandbox.

Script Source

String & Constant Dumper

Strings Found ()
  • No strings found.
Constants Found ()
  • No constants found.

Sandbox Execution Output