Lua has gradually become a must for most game developers due to its small and fast features. Therefore, Lua's security issues are also urgent for game developers.
1. Lua usage scenarios in mobile games
1. Cocos2dx engine
In the Cocos2dx engine, the optional scripting languages mainly include Lua and Javascript. Compared with Javascript, Lua is widely used because it is more suitable for making non-h5 games.
2.Unity3d engine
The native scripting language of the Unity3d engine is C#, but C# cannot be hot-updated due to iOS system security restrictions, so there are many hot-update frameworks that use Lua, such as toLua / uLua / xLua, etc. These frameworks encapsulate the Unity3d engine API as a Lua interface, giving game developers the ability to use Lua scripts to develop game logic/interfaces. When hot updates are required, the server can dynamically issue Lua scripts, and the client can load new Lua scripts to update the game logic/interface, etc.
2. Lua script security issues
Since Lua is an interpreted language, the Lua virtual machine can directly interpret and execute Lua source code, which leads many game developers to directly type Lua source code into apk/ipa, which is equivalent to directly leaking the game source code. It greatly reduces the threshold of plug-in production, and is more likely to be used for secondary development of skin changes. In Cocos2dx, if you directly use cocos compile to compile and package (without the --compile-script parameter), then the Lua script is packaged in the form of source code.
In actual development, developers can choose to use official Luac or LuaJIT to compile Lua scripts into bytecode, but they all face similar security issues.
1. Official Lua
Developers can use Luac to compile Lua source code into Lua bytecode.
Judging from the bytecode above, the source code is no longer included, only function names and strings are included. However, Lua bytecode is very easy to be decompiled by tools such as luadec / unluac, and the Lua code obtained by decompilation is almost the same as the source code.
2.LuaJIT
Since LuaJIT can improve the execution efficiency of Lua code dozens of times when JIT is turned on [2], many games/frameworks use LuaJIT to replace the official Lua virtual machine.
Correspondingly, developers can use luajit executable program to compile Lua source code into luajit bytecode.
Luajit's bytecode also has corresponding decompilers, such as ljd [3] [4], luajit-decomp[5].
3. Common Lua protection schemes
1. Cocos2dx xxtea encryption
The cocos compile command provides parameters such as --lua-encrypt to encrypt Lua scripts:
Lua related parameters:
--lua-encrypt Enable XXTEA encryption function.
--lua-encrypt-key LUA_ENCRYPT_KEY Specify the key field of XXTEA encryption function.
--lua-encrypt-sign LUA_ENCRYPT_SIGN Specifies the sign field of the XXTEA encryption function.
But this encryption is very easy to crack. As shown in the figure below, the plug-in producer can easily find the xxtea key in libcocos2dlua.so, and then decrypt the script [6]:
Open the string window, search for sign directly, the key is nearby
2. Customize Lua opcodes
Some games will customize Lua opcodes so that regular luadec/unluac cannot decompile bytecodes. A large-scale turn-based game adopts this protection method, which can raise the threshold of some plug-in production, but due to the insufficient protection of the code itself, the opcode is easily restored and then decompiled [1].
4. Lua protection scheme launched by Fairguard
FairGuard has launched a new Lua script protection scheme based on a deep understanding of Lua language features and the underlying virtual machine in order to ensure that Lua scripts will not be analyzed and cracked from all aspects.
1. Bytecode file deep encryption
Cocos2dx uses xxtea to encrypt the script file as a whole. This method is not only easy to analyze the encryption key, but also easy to hook luaL_loadbuffer to get the plaintext file. We use deep encryption to ensure that Lua scripts cannot be directly decrypted, and that plaintext script files cannot be intercepted by hook luaL_loadbuffer / lua_reader functions.
Normal bytecode:
Our protected bytecode:
2. Dynamic protection at runtime
FairGaurd goes deep into the virtual machine engine and uses compression/obfuscation/dynamic deformation to customize its unique runtime information to further increase the difficulty of reverse analysis.
3. Lua virtual machine code protection
With high-strength so reinforcement, the Lua virtual machine code is not easy to be reversely analyzed.
Normal Lua virtual machine Native layer code, you can see a lot of Lua interfaces:
After we processed the native code of the Lua virtual machine, we can't see any interface:
4. Easy access
There is no need to change the upper-level Lua script code when connecting, which is transparent to developers.
5. Support platform
Full coverage of iOS, Android, and PC platforms
6. Project summary
FairGuard examines the security of Lua scripts from multiple attack angles. Starting from all aspects of the Lua language, FairGuard has launched a new Lua script protection scheme that can provide high-strength protection for Lua code. At the same time, it supports official Lua and LuaJIT, supports Cocos2dx engine, supports uLua / toLua / xLua and other Unity3d plug-ins, and provides game-specific lua encryption schemes.
FairGuard focuses on game reinforcement and anti-plugin , deeply cultivates technology, and is committed to creating the industry's top game reinforcement products. The company's development team are all core personnel from the NetEase game reinforcement project. The founder has focused on the security field for more than 10 years. The former head of NetEase game reinforcement has led the NetEase game protection project from 0 to 1.