Script Security Tool
1. Overview
The UniSec script security tool modifies the source code of the Lua script engine and adds related security features, such as opcode replacement, compilation masking, and signature verification, to increase the difficulty in cracking the script or injecting malicious scripts and prevent source code leakage.
1.1 Application Scenarios
1.2 Solution
1.3 Architecture
1.4 Strengths
2. Features
2.1 Feature List
| Feature | Description |
|---|---|
| opcode replacement | Disrupts the opcode order of the Lua script at random to increase the difficulty in cracking the Lua script. |
| Script encryption | Encrypts the Lua script, used together with script decryption. |
| Script decryption | Decrypts the Lua script at the underlying layer of the Lua VM to make it harder for the Lua script to be dumped from memory. |
| Compilation masking | Masks the Lua script compilation feature to prevent injection and execution of third-party Lua plaintext scripts. |
| Script signature | Signs the Lua script. |
| Script verification | Verifies the Lua script signature to prevent third-party scripts without a signature or with an incorrect signature from being loaded or executed. |
| xlua compilation | Re-compiles source code of the xlua framework for adaptation. |
| Dynamic library movement | Moves the xlua dynamic library compiled for the unity engine to the corresponding position. |
| luac compilation | Compiles the Lua script. |
| Detection of compiler functions | Detects the positions and content of compiler functions in the game script to to adapt to compilation masking. |
2.2 Functional Effects
2.2.1 opcode Replacement
Decompile the luac file after compilation of the original official luac script.
Decompile the luac file after opcode replacement.
2.2.2 Compilation Masking
Execution effect of the official lua.exe to the plaintext script
Execution effect of the official lua.exe to the plaintext script after compilation masking is enabled
Related error information is displayed for the plaintext script.
2.2.3 Signature Verification
Execution effect of the official lua.exe to the unsigned luac script
Execution effect of the official lua.exe to the unsigned luac script after signature verification is enabled
2.2.4 Encryption and Decryption
The following figure shows the effects before and after the script security tool encrypts the Lua script. On the left side, the script is not encrypted. On the right side, the script is encrypted.
3. How to Access
3.1 Download the Script Security Tool
Visit UniSec Consoleand download the Lua script tool on the Tool Download page.
Note: You need to connect to the IT-VPN to access the UniSec console.
The tools can be founded in the Lua Script Tool.zip.(We will provide it later)
Note: When you access the console for the first time, contact us to activate UniSec Console. Provide the access project code and the corresponding administrator account information.
3.1.1 Method 1: CLI
Parameter Description
| Parameter | Description | Example |
|---|---|---|
| -o | Replaces the opcode at random. The Lua source code directory needs to be provided as the parameter. | -o --lua53_src_path /path/ |
| -c | Adds compilation masking for the source code. The Lua source code directory needs to be provided as the parameter. | -c --lua53_src_path /path/ |
| -v | Adds signature verification for the source code. The Lua source code directory needs to be provided as the parameter. | -v --lua53_src_path /path/ |
| -d | Adds script decryption for the source code. The Lua source code directory needs to be provided as the parameter. | -d --lua53_src_path /path/ |
| -x | Adapts to the xlua framework and adds the openssl link for the CMakeList.txt file. | -x --xlua_path /path/ --openssl_path /path/ |
| -m | Generates the dynamic library for the xlua framework and moves it to the corresponding position of the project. | -m --xlua_path /path/ --project_path /path/ |
| -C | Batch compiles luac script files. The paths for storing luac.exe and scripts need to be provided. | -C --luac_path /path/ --script_path /path/ |
| -CD | Deletes the source code files after compilation. The paths for storing luac.exe and scripts need to be provided. | -CD --luac_path /path/ --script_path /path/ |
| -S | Signs a binary script file. The path (directory or file) and file name extension of the binary file need to be provided. | -S --script_path /path/ --bin_suffix luac |
| -E | Encrypts the compiled script. The path and file name extension of the specified encrypted file need to be provided. | -E --script_path /path/ --bin_suffix luac |
| -EP | Encrypts the plaintext script. The path and file name extension of the specified encrypted file need to be provided. | -EP --script_path /path/ --file_suffix lua |
| -di | Decrypts the compiled script. The script path and file name extension need to be provided. | -di --script_path /path/ --bin_suffix luac |
| -dip | Decrypts the plaintext script. The script path and file name extension need to be provided. | -dip --script_path /path/ --file_suffix lua |
| -M | Detects compiler functions in the script. | -M --script_path /path/ |
| -G | Enter the gui mode of the tool | -G |
| -h | Help |
Parameter Example Description
| Parameter Example | Description |
|---|---|
| lua53_src_path | Source code path of lua53. |
| luac_path | Path of luac executable files. |
| script_path | Script path. |
| project_path | Root directory of the project source code. |
| xlua_path | xlua root directory. |
| openssl_path | openssl library path. |
| file_suffix | File name extension of the plaintext script, such as lua. |
| bin_suffix | File name extension of the binary script, such as luac. |
Lua53_scriptsec_tool.exe -o -c -v -d -x -m -CD -S -E --lua53_src_path /Users/sws/workspace/sws/TagClient/third_party/xLua/build/lua-5.3.5/src --script_path /Users/sws/workspace/sws/TagClient/supersws/Assets/Lua --project_path /Users/sws/workspace/sws/TagClient/supersws --xlua_path /Users/sws/workspace/sws/TagClient/third_party/xLua --openssl_path /Users/sws/workspace/sws/TagClient/third_party/openssl --file_suffix txt --bin_suffix bytes
3.1.2 Method 2: GUI
Use Method
- use
-Genter gui mode(Lua53_scriptsec_tool.exe -G) - Specify necessary path parameters. For more information, see the CLI version. 2. Select the corresponding features.
- Click One-click Execution to execute the features. 3. Specify necessary path parameters. For more information, see the CLI version.
- Click One-click Execution to execute the features.
Procedure
- Use the script security tool to add related UniSec protection features for the Lua source code.
Figure 1: Check the unisec protection function, provide the lua source code directory, and click "One-click execution" button
- Use features of the script security tool to detect compiler functions in the script and change plaintext script loading and execution to binary script loading and execution.
Figure 2: Check the function detection function, provide the lua script path, and click click "One-click execution" button
Figure 3: The FunctionCheckLog.txt file is generated in the current directory of the tool to locate the plaintext execution code
Figure 4: Store the plaintext in a separate file, which can be loaded and executed by require, or the script can be compiled in advance and loaded and executed by reading the binary content
- Set the specified macro to the specified value, re-compile a Lua compiler (luac.exe), and use the new Lua compiler (luac.exe) to re-compile the Lua script.
Figure 5: Specify the value of SCRIPT_SEC_NOT_ALLOW_COMPILE as 0, or do not define the macro, and rebuild the project
- Use the script security tool to sign and encrypt the re-compiled Lua script and package the script based on the game process.
- Set the specified macro to the specified value, compile a Lua executor with the UniSec protection features but no compilation feature, and replace it with the Lua executor in the game engine.
Figure 6: Set SCRIPT_SEC_NOT_ALLOW_COMPILE to 1 and rebuild the project
