Summary (Game Safety Rating)

Seraph will open three betas on November 22, 2023. The Damocles team carried out a security analysis and assessment of the game on November 24, and the results were not satisfactory. First, the project team left a large amount of log output in the code, and from those log messages it can be inferred that the team behind the project is Chinese rather than Korean. Second, the game uses Unity to load Lua, and the Lua code is neither protected nor compiled with LuaJIT or any other measure that would raise the cost of reverse engineering, so the source code is completely exposed: hooking the load function is enough to dump the game's source from memory. Seraph is, however, an ARPG, and this genre has a natural anti-cheating advantage in that most data is synchronized through the server, which mitigates the game's security issues to some extent.

Safety rating

Game background

• Game version for evaluation: v0.0.0.6

• Game type & game engine: ARPG, Unity

• Possible problems with gameplay:

  • Teleport

  • Acceleration (accelerate movement, accelerate release of skills)

  • Auto-play (AFK botting)

  • Multiplier modification

  • Invincibility Buff modification (allowing the character to persist buffs that increase the output of soul crystals or other

Game security analysis

Game code protection

1. Since different engines call for different analysis approaches, after obtaining the game EXE the first step is to determine which engine the game uses. From the basic game information we can determine that the game was developed with Unity.

2. The presence of GameAssembly.dll and global-metadata.dat in the game directory shows that the game is built in il2cpp mode, so we used Il2CppDumper to recover the source.

However, no game-related code logic was found in the resulting dump.cs file, so we guessed that the game was not written in C# but loads its logic through Lua. By hooking the game's load-buffer functions in code, we obtained the game's real source.
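The engine and backend identification in steps 1 and 2 can be written down as a small triage check. The following is an added example for this report, not Damocles' tooling: it classifies a build from its file list using the standard Unity build artifacts (UnityPlayer.dll, a `<Game>_Data` folder, GameAssembly.dll plus global-metadata.dat for IL2CPP, `Managed/Assembly-CSharp.dll` for Mono) and flags loose Lua scripts, which hint that the game logic lives outside the C# assemblies. The sample file lists are constructed and are not taken from the Seraph install.

```python
"""Build triage: infer the engine and scripting backend of a shipped game from its
file list. Added example for this report, not Damocles' tooling. The indicator
paths are standard Unity build artifacts; the sample file lists are constructed."""
from __future__ import annotations

import os
from dataclasses import dataclass, field
from typing import Iterable


@dataclass
class BuildProfile:
    engine: str = "unknown"          # "Unity" or "unknown"
    backend: str = "unknown"         # "il2cpp", "mono" or "unknown"
    evidence: list[str] = field(default_factory=list)   # paths that drove the decision
    lua_files: list[str] = field(default_factory=list)  # loose Lua scripts, if any


def identify_build(paths: Iterable[str]) -> BuildProfile:
    """Classify a build from paths relative to the install root (either slash style)."""
    profile = BuildProfile()
    # normalise to forward slashes and lower case, keeping the original spelling for reporting
    lower = {p.replace("\\", "/").lower(): p for p in paths}

    def find(suffix: str) -> bool:
        suffix = suffix.lower()
        for key, original in lower.items():
            if key.endswith(suffix):
                profile.evidence.append(original)
                return True
        return False

    # UnityPlayer.dll and a <Game>_Data folder identify a Unity player build
    if find("UnityPlayer.dll") or any("_data/" in key for key in lower):
        profile.engine = "Unity"
    # IL2CPP builds ship a native GameAssembly.dll plus global-metadata.dat;
    # Mono builds ship managed assemblies under <Game>_Data/Managed instead
    if find("GameAssembly.dll") and find("il2cpp_data/Metadata/global-metadata.dat"):
        profile.backend = "il2cpp"
    elif find("Managed/Assembly-CSharp.dll"):
        profile.backend = "mono"
    # Loose .lua/.luac files hint that game logic lives outside the C# assemblies
    profile.lua_files = sorted(
        original for key, original in lower.items() if key.endswith((".lua", ".luac"))
    )
    return profile


def scan_install(root: str) -> BuildProfile:
    """Walk a real install directory and classify it."""
    rel_paths = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            rel_paths.append(os.path.relpath(os.path.join(dirpath, name), root))
    return identify_build(rel_paths)


# Constructed sample listings (not taken from the Seraph install)
SAMPLE_IL2CPP_LUA = [
    "Seraph.exe",
    "UnityPlayer.dll",
    "GameAssembly.dll",
    "Seraph_Data/il2cpp_data/Metadata/global-metadata.dat",
    "Seraph_Data/StreamingAssets/lua/player_init.lua",
]
SAMPLE_MONO = [
    "Game.exe",
    "UnityPlayer.dll",
    "Game_Data/Managed/Assembly-CSharp.dll",
]

if __name__ == "__main__":
    for sample in (SAMPLE_IL2CPP_LUA, SAMPLE_MONO):
        print(identify_build(sample))
```

`scan_install` runs the same classifier over a real directory; the `evidence` list records which files drove the verdict so the result can be reproduced in a report.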

We also found some interesting comments in the game source code:



Analysis conclusion:

Seraph scores 0 for game code protection, meaning there is no protection at all. Games built on Lua conventionally use a customized Lua interpreter, together with LuaJIT, to provide some degree of code protection. Because Seraph has no sound code-protection mechanism, the threshold and cost for malicious players to analyze the code are very low; if cheats appear, this is unfair to normal players and may affect the game's economic model.

Game basics anti-cheating

1. For basic anti-cheat detection, we mainly checked whether the game notices that external logic has been loaded and executed, by replacing a Lua file.

2. After injecting a tool DLL with CE, we checked whether the third-party tool's log lines appear in the game's own log file.

3. By modifying the Lua logic we changed the critical-hit rate and other data, found that the change takes effect, and found no check in the game. (Modifying attribute data was only for a more intuitive demonstration; such fields are generally stored on the server, and local modification has no effect.)
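The three tests above all hinge on the same missing control: the client loads whatever Lua bytes it finds on disk. The following is an added example, not Seraph's code, of the gate a Lua-driven client can put in front of its load call. A manifest of HMAC-SHA256 tags is produced at build time, and each chunk is verified against it (name bound to bytes) before it reaches the VM, so a replaced file or an unlisted script is refused. The build key, manifest and Lua chunks are constructed for the demonstration.

```python
"""Script-integrity gate for a Lua-driven client: an added example, not Seraph's code.
It models the check that the report found missing (the game accepts a replaced Lua
file). The build key, manifest and Lua chunks below are constructed for the demo."""
from __future__ import annotations

import hashlib
import hmac
from typing import Callable

# Hypothetical build key. A key shipped inside the client can be recovered by a
# determined attacker, so this HMAC gate stops casual file replacement rather than
# a full reversing effort; a public-key signature over the manifest would keep
# any secret out of the client entirely.
BUILD_KEY = hashlib.sha256(b"constructed demo key, replace per build").digest()


def chunk_tag(name: str, data: bytes, key: bytes) -> str:
    """Bind the script's name to its bytes so a valid chunk cannot be reused under another name."""
    return hmac.new(key, name.encode() + b"\0" + data, hashlib.sha256).hexdigest()


def build_manifest(scripts: dict[str, bytes], key: bytes) -> dict[str, str]:
    """Done at build time: one tag per script, shipped alongside the scripts."""
    return {name: chunk_tag(name, data, key) for name, data in scripts.items()}


def verify_chunk(name: str, data: bytes, manifest: dict[str, str], key: bytes) -> bool:
    """True only if the chunk is listed in the manifest and its bytes are unchanged."""
    expected = manifest.get(name)
    if expected is None:
        return False
    return hmac.compare_digest(chunk_tag(name, data, key), expected)


class ScriptRejected(RuntimeError):
    pass


def load_chunk(name: str, data: bytes, manifest: dict[str, str], key: bytes,
               vm_load: Callable[[str, bytes], object]):
    """Gate in front of the Lua VM's load call (luaL_loadbuffer in a C host)."""
    if not verify_chunk(name, data, manifest, key):
        raise ScriptRejected(f"{name}: missing from manifest or modified on disk")
    return vm_load(name, data)


# Constructed Lua chunks standing in for the game's scripts
SAMPLE_SCRIPTS = {
    "lua/player_attr.lua": b"local attr = {}\nattr.crit_rate = 0.05\nreturn attr\n",
    "lua/skill_fire.lua": b"return { id = 101, power = 120 }\n",
}
MANIFEST = build_manifest(SAMPLE_SCRIPTS, BUILD_KEY)


def demo_replaced_file() -> dict[str, bool]:
    """Outcome of loading the original chunk, a modified chunk, and an unlisted chunk."""
    loaded: list[str] = []
    vm_load = lambda name, data: loaded.append(name) or name   # stand-in for the real VM
    results = {}
    results["original"] = load_chunk("lua/player_attr.lua", SAMPLE_SCRIPTS["lua/player_attr.lua"],
                                     MANIFEST, BUILD_KEY, vm_load) is not None
    # A replaced file: the crit-rate constant edited, mirroring the report's test
    tampered = SAMPLE_SCRIPTS["lua/player_attr.lua"].replace(b"0.05", b"1.0")
    try:
        load_chunk("lua/player_attr.lua", tampered, MANIFEST, BUILD_KEY, vm_load)
        results["tampered"] = True
    except ScriptRejected:
        results["tampered"] = False
    # A script that was never part of the build
    try:
        load_chunk("lua/injected.lua", b"print('hello')\n", MANIFEST, BUILD_KEY, vm_load)
        results["unlisted"] = True
    except ScriptRejected:
        results["unlisted"] = False
    return results


if __name__ == "__main__":
    print(demo_replaced_file())
```

The rejection should also be logged and reported, since a failed verification is exactly the signal the second test above looks for in the game's log file.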

Analysis conclusion:

Seraph scores 0 for anti-cheating capability: malicious users can cheat at will. The reason we only tested reloading Lua into the game is that this behavior is the basis of cheating in Lua games; if this point is not handled well, the other aspects of anti-cheating can only be worse.

Game logic issues

Since we had obtained the game's source code, we carried out security analysis at the logic layer, but did not analyze the protocol layer. At the logic layer we mainly tested the following points:

Attribute tampering during character initialization (this part contains few sensitive attributes, and tampering cannot increase income).

Skill-related tampering during active attacks (this part is only for display and does not actually take part in damage verification).

Logic modification when a monster is hit (the modification has no practical effect; we guess this module mainly exists to trigger events for recording and takes no part in the actual calculation).

Analysis conclusion:

  • None of the three points we randomly tampered with had any effect on Seraph, which shows that its damage calculation and display are separated, or that the calculation is performed by the server; its security here is still guaranteed. The score is 3 points and 0.

  • However, part of its damage determination is stored locally, and there is still room for cheating.
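The conclusion above (client-side attribute and skill values are display-only, while the server decides damage) can be shown in code. The following is an added example, not Seraph's code: an authoritative resolver that reads every number from server state and only accepts a skill id from the client, placed beside the weak variant that lets the client override its stats. The character stats, skill table and requests are constructed.

```python
"""Server-authoritative attack resolution: an added example, not Seraph's code.
It illustrates the report's finding that client-side skill and attribute values
are display-only. Stats, skill table and requests here are constructed."""
from __future__ import annotations

import random
from dataclasses import dataclass


@dataclass
class ServerCharacter:
    attack: int
    crit_rate: float
    crit_mult: float


@dataclass
class ServerMonster:
    hp: int
    defense: int


# Server-side skill table; the client may only reference skills by id
SKILLS = {101: {"power": 1.2}, 102: {"power": 2.0}}

# Fields a client might add to a request; the authoritative path never reads them
UNTRUSTED_FIELDS = ("attack", "crit_rate", "crit_mult", "power", "damage")


def resolve_attack(char: ServerCharacter, monster: ServerMonster, request: dict,
                   rng: random.Random | None = None) -> dict:
    """Authoritative path: every number comes from server state; the request only names the skill."""
    rng = rng or random.Random()
    skill = SKILLS.get(request.get("skill_id"))
    if skill is None:
        return {"accepted": False, "reason": "unknown skill", "monster_hp": monster.hp}
    base = max(1, char.attack - monster.defense)
    crit = rng.random() < char.crit_rate
    damage = int(base * skill["power"] * (char.crit_mult if crit else 1.0))
    monster.hp = max(0, monster.hp - damage)
    return {
        "accepted": True,
        "damage": damage,
        "crit": crit,
        "monster_hp": monster.hp,
        # fields the client sent but the server refused to read: a useful cheat-attempt signal
        "ignored_client_fields": sorted(f for f in request if f in UNTRUSTED_FIELDS),
    }


def resolve_attack_trusting_client(char: ServerCharacter, monster: ServerMonster, request: dict,
                                   rng: random.Random | None = None) -> dict:
    """Weak path for contrast: lets the client override its own stats. Do not ship this."""
    rng = rng or random.Random()
    crit_rate = request.get("crit_rate", char.crit_rate)
    power = request.get("power", SKILLS.get(request.get("skill_id"), {"power": 1.0})["power"])
    base = max(1, request.get("attack", char.attack) - monster.defense)
    crit = rng.random() < crit_rate
    damage = int(base * power * (char.crit_mult if crit else 1.0))
    monster.hp = max(0, monster.hp - damage)
    return {"accepted": True, "damage": damage, "crit": crit, "monster_hp": monster.hp}


def compare_tampered_request() -> dict:
    """Same tampered request against both paths; returns the resulting damage values."""
    honest = {"skill_id": 101}
    tampered = {"skill_id": 101, "attack": 9999, "crit_rate": 1.0, "power": 50.0}
    # crit_rate 0.0 keeps the authoritative result deterministic for the comparison
    char = ServerCharacter(attack=100, crit_rate=0.0, crit_mult=2.0)
    return {
        "authoritative_honest": resolve_attack(char, ServerMonster(1000, 20), honest)["damage"],
        "authoritative_tampered": resolve_attack(char, ServerMonster(1000, 20), tampered)["damage"],
        "trusting_tampered": resolve_attack_trusting_client(char, ServerMonster(1000, 20), tampered)["damage"],
    }


if __name__ == "__main__":
    print(compare_tampered_request())
```

In the authoritative path the tampered request produces the same damage as the honest one, which is the behaviour the three tests observed; the `ignored_client_fields` list is the kind of evidence a server can record to spot clients whose Lua has been modified.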

Game RPC analysis

The game uses protobuf for protocol interaction, and the Web3-related interactions use the same scheme. This part has not yet been tested in detail; the protobuf part may be tested in detail in the future.

Web3 security analysis:

Overview:

Currently, Seraph has not issued a token. The mint contract is a conventional ERC-721 NFT contract deployed behind a proxy contract. The total supply is 3225, and both minting and cross-chain transfer are gated by role control, so on-chain security is under control.

In-game economic system security:

At present, the main way of earning gold in Seraph is still based on soul crystals. Whether building a soul box or opening one, the outcome is decided by the server; the client only initiates requests, and security is mainly controlled by the server, so assessing it falls outside the scope of a client-side security assessment. Later, Damocles may enumerate all requests and perform black-box testing.

About Damocles

Damocles Labs is a security team established in 2023 that focuses on security in the Web3 industry. Its services include contract code audit, business code audit, penetration testing, GameFi code audit, GameFi vulnerability discovery, GameFi cheat analysis, and GameFi anti-cheating.

We will continue to invest in the Web3 security industry, publish as many analysis reports as possible, raise the awareness of project teams and users about GameFi security, and promote the secure development of the industry.
Twitter: https://twitter.com/DamoclesLabs
Discord: https://discord.gg/xd6H6eqFHz