Seraph: In The Darkness Security Assessment and Analysis

Damocles Labs
2023-12-01 11:29:14
On November 24, Damocles conducted a thorough security assessment and analysis of Seraph, and the results were poor.

1. Overview (Game Security Rating)

Seraph opened its third test on November 22, 2023. The Damocles team conducted a security analysis and assessment of the game on November 24, and the results were unsatisfactory. First, the project team left a large amount of log output in the code, and from this log information it can be inferred that the project team is Chinese rather than Korean. Second, the game uses Unity to load Lua, and neither protects the Lua code nor uses measures such as LuaJIT to raise the cost of reverse engineering, so the source code is completely exposed: hooking the load function is enough to dump the game source from memory. However, since the game is an ARPG, it has a natural advantage against cheating, as most data is synchronized through the server, which alleviates its security issues to some extent.

2. Game Background

- Game version evaluated: v0.0.0.6

- Game type & game engine: ARPG, Unity

- Potential gameplay issues:

  - Teleportation

  - Speed-up (accelerated movement, accelerated skill release)

  - Auto farming

  - Multiplier modification

  - Invincibility

  - Buff modification (allowing characters to keep buffs that increase soul crystal output, among others)

3. Game Security Analysis

Game Code Protection:

Analysis Process:
  1. Different engines call for different analysis approaches, so after obtaining the game EXE we first determined the engine used. From the game's basic information we confirmed that it is built with Unity.

  2. The presence of GameAssembly.dll and global-metadata.dat in the game directory shows that the game uses the IL2CPP compilation mode, so we used Il2CppDumper for source code restoration.

However, no code logic strongly related to the game was found in the resulting dump.cs, which led to the speculation that the game logic is not written in C# but loaded through Lua. By hooking the functions that load the game's buff-related Lua code, we obtained the actual source code of the game.

Some interesting comments were found in the game source code:

Analysis Conclusion:

Seraph scores 0 in game code protection, with no protection at all. In traditional games developed with Lua, a custom Lua interpreter is often used, and LuaJIT is employed for a certain degree of code protection. Since Seraph lacks a sound code protection mechanism, the threshold and cost for malicious players to analyze the code are very low. If cheats appear, it would be unfair to normal players and could potentially impact the game's economic model.
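A release gate for the leftover-logging finding above, as an added example that is not the game's build tooling or anything from the Damocles report: it scans Lua sources for logging calls and developer comments and fails the build while any log call remains, so that text like the comments mentioned above never reaches the shipped client. The patterns, the file name and the sample Lua are constructed; the comment-stripping is a naive split on `--` and would be fooled by a string literal containing that sequence.

```python
"""Pre-release scan for debug logging and developer comments in Lua sources.

Added example, not part of the Damocles report or the game's build: the
pattern list and the sample file below are constructed.
"""
import re

# Constructed sample standing in for one shipped Lua file. The non-ASCII
# comment is deliberate: it is the kind of text that reveals who wrote the code.
SAMPLE_LUA = """\
local M = {}
-- TODO: 正式版前删掉调试输出
function M.on_buff(b)
    print("debug buff", b.id, b.value)
    Log.Debug("buff applied: " .. b.id)
    local dmg = b.value * 2 -- hello comment
    return dmg
end
return M
"""

# Logging calls that should not survive into a release build (constructed list).
LOG_CALL = re.compile(r"\b(print|log\.\w+|Log\.\w+)\s*\(")
COMMENT = re.compile(r"--.*$")          # single-line Lua comment
NON_ASCII = re.compile(r"[^\x00-\x7f]")


def scan_lua(source: str, path: str = "<mem>") -> list:
    """Return (path, line_no, kind, text) for every log call or comment.

    kind is 'log-call', 'comment' or 'comment-non-ascii'. Comment detection is
    naive: a '--' inside a string literal would be misread as a comment.
    """
    findings = []
    for n, line in enumerate(source.splitlines(), 1):
        code = line.split("--", 1)[0]
        if LOG_CALL.search(code):
            findings.append((path, n, "log-call", code.strip()))
        m = COMMENT.search(line)
        if m:
            kind = "comment-non-ascii" if NON_ASCII.search(m.group()) else "comment"
            findings.append((path, n, kind, m.group().strip()))
    return findings


def release_gate(sources: dict) -> tuple:
    """Return (passed, findings); the gate fails while any log call remains.

    Comments are reported for review but do not fail the build on their own.
    """
    findings = [f for path, src in sources.items() for f in scan_lua(src, path)]
    passed = not any(kind == "log-call" for _, _, kind, _ in findings)
    return passed, findings


if __name__ == "__main__":
    ok, found = release_gate({"buff.lua": SAMPLE_LUA})
    for path, n, kind, text in found:
        print(f"{path}:{n}: {kind}: {text}")
    print("release gate passed:", ok)   # False: two log calls remain
```

Run it against the release tree instead of the constructed sample, and wire `release_gate` into the build so a failing gate blocks packaging.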

Basic Anti-Cheat of the Game:

Analysis Process:
  1. For basic anti-cheat detection, we mainly tested whether the game loads and executes external logic when its Lua files are replaced.

  2. After injecting the Cheat Engine (CE) tool DLL, we checked the game's log files to see whether third-party logs were printed.

  3. By modifying the Lua logic to change in-game critical hit rates and other data, we found that the changes took effect and the game performed no checks. (Modifying attribute data only gives a more intuitive display; this field is generally stored on the server, so local modifications have no real effect.)

Analysis Conclusion:
  1. Seraph scores 0 in anti-cheat capability; malicious users can cheat at will.

  2. We tested only the reloading of Lua into the game, because this behaviour is fundamental to cheating in Lua-based games. If this point cannot be handled well, other aspects of anti-cheat will only be worse.
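The replace-the-Lua-files test above is the one check a Lua-based client most needs to pass, and the code-protection section noted that Seraph has no such mechanism. The following is an added example, not Seraph's loader or Damocles tooling, of the minimum gate: a release-time manifest of chunk hashes, authenticated with an HMAC, that the loader verifies before any chunk reaches the interpreter. Chunk names, Lua snippets and the key are constructed; the assumption is that the manifest and key are delivered or checked by the server, because a key embedded in the client can be extracted and then only slows an attacker down. The scheme catches replaced, missing or added files; it does not stop the in-memory dump described earlier, since verified source still reaches the interpreter.

```python
"""Integrity gate for Lua chunks before they are handed to the interpreter.

Added example (not code from Seraph or Damocles): chunk names, Lua snippets,
the key and the manifest format are constructed for illustration.
"""
import hashlib
import hmac
import json

# Constructed sample chunks standing in for the Lua files a Unity client ships.
ORIGINAL_CHUNKS = {
    "player/attrs.lua": "local M = {}\nM.crit_rate = 0.05\nreturn M\n",
    "combat/skill.lua": "local M = {}\nfunction M.cast(s) return s.power end\nreturn M\n",
}

# Assumption: the manifest is built at release time and the key lives on the
# build/server side. A key embedded in the client can be extracted, so a
# client-only check is a speed bump, not a security boundary.
BUILD_KEY = b"constructed-build-key"


def chunk_digest(source: str) -> str:
    """SHA-256 of one Lua chunk's UTF-8 bytes."""
    return hashlib.sha256(source.encode("utf-8")).hexdigest()


def _manifest_body(digests: dict) -> bytes:
    # Canonical encoding so builder and verifier MAC exactly the same bytes.
    return json.dumps(digests, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(chunks: dict, key: bytes) -> dict:
    """Hash every chunk and authenticate the whole table with an HMAC."""
    digests = {name: chunk_digest(src) for name, src in sorted(chunks.items())}
    mac = hmac.new(key, _manifest_body(digests), hashlib.sha256).hexdigest()
    return {"chunks": digests, "mac": mac}


def verify_manifest(manifest: dict, key: bytes) -> bool:
    """Constant-time check that the manifest has not been edited."""
    expected = hmac.new(key, _manifest_body(manifest["chunks"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest["mac"])


def load_chunks(manifest: dict, key: bytes, on_disk: dict) -> tuple:
    """Return (accepted, rejected).

    accepted maps chunk name -> source that may be passed to the Lua loader;
    rejected lists chunks that were replaced, missing, or not in the manifest.
    """
    if not verify_manifest(manifest, key):
        # A forged or edited manifest means nothing on disk can be trusted.
        return {}, sorted(on_disk)
    accepted, rejected = {}, []
    for name, digest in manifest["chunks"].items():
        src = on_disk.get(name)
        if src is None or not hmac.compare_digest(chunk_digest(src), digest):
            rejected.append(name)
        else:
            accepted[name] = src  # the real loader would call Lua load() here
    # Files dropped in beside the shipped ones are foreign code too.
    rejected.extend(sorted(set(on_disk) - set(manifest["chunks"])))
    return accepted, rejected


if __name__ == "__main__":
    manifest = build_manifest(ORIGINAL_CHUNKS, BUILD_KEY)
    # Constructed tamper case: one chunk edited, one extra chunk dropped in.
    tampered = dict(ORIGINAL_CHUNKS)
    tampered["player/attrs.lua"] = "local M = {}\nM.crit_rate = 1.0\nreturn M\n"
    tampered["cheat/hook.lua"] = "-- foreign chunk\n"
    accepted, rejected = load_chunks(manifest, BUILD_KEY, tampered)
    print("accepted:", sorted(accepted))  # ['combat/skill.lua']
    print("rejected:", rejected)          # ['player/attrs.lua', 'cheat/hook.lua']
```

In a real client the rejected list is the signal worth reporting to the server: a player whose client keeps rejecting the same chunk is either corrupted or being tampered with, and that telemetry is what the anti-cheat test in this section found missing.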

Game Logic Issues

Analysis Process:

Since we had obtained the game source code, we focused the security analysis on the logic layer and did not analyze the protocol layer. At the logic layer, we mainly tested the following points:

Tampering with attributes during character initialization (we found that this part contains few sensitive attributes and cannot increase gains).

Tampering with skill-related values during active attacks (we found that this part is display only and does not take part in damage verification).

Modifying the logic executed when monsters are attacked (we found that modifying this point has no practical effect; we speculate that this module mainly exists to trigger events for recording and does not perform actual calculations).

Analysis Conclusion:
  1. Seraph did not react to any of the three tampering points we tested, which shows that its damage calculation and display are separated, or that the server performs the calculation. This provides a certain level of security, scoring 3 points.

  2. However, some damage determinations are stored locally, so there is still room for cheating.
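How the "server calculates it" conclusion looks in code, as an added example that is not Seraph's server or protocol: the server resolves an attack purely from its own copy of the character's stats and its own random roll, and treats the client's view of those stats as telemetry to compare against, so a tampered local crit rate changes nothing and is counted as a strike. The stat table, damage formula, report fields and strike threshold are all constructed.

```python
"""Server-authoritative resolution of an attack event.

Added example, not Seraph's server or protocol: the stat table, damage
formula, report fields and strike threshold are constructed.
"""
from dataclasses import dataclass


@dataclass
class Stats:
    attack: int
    crit_rate: float   # server copy; the client's copy is display only
    crit_mult: float


@dataclass
class AttackReport:
    """What the client sends: its own view of the numbers it displayed."""
    player_id: str
    client_attack: int
    client_crit_rate: float


@dataclass
class Verdict:
    applied_damage: int
    is_crit: bool
    tampered: list     # client fields that disagree with the server copy


class CombatServer:
    def __init__(self, stats: dict, strike_limit: int = 3):
        self.stats = stats                # player_id -> Stats, authoritative
        self.strike_limit = strike_limit
        self.strikes = {}                 # player_id -> mismatching reports seen

    def resolve(self, report: AttackReport, roll: float) -> Verdict:
        """roll is the server's own RNG draw in [0, 1).

        Damage is computed only from server-held stats; the client's values
        are compared afterwards so that a tampered local copy is detected
        even though it never influenced the result.
        """
        s = self.stats[report.player_id]
        is_crit = roll < s.crit_rate
        damage = round(s.attack * (s.crit_mult if is_crit else 1.0))

        tampered = []
        if report.client_attack != s.attack:
            tampered.append("attack")
        if abs(report.client_crit_rate - s.crit_rate) > 1e-9:
            tampered.append("crit_rate")
        if tampered:
            self.strikes[report.player_id] = self.strikes.get(report.player_id, 0) + 1
        return Verdict(damage, is_crit, tampered)

    def flagged(self, player_id: str) -> bool:
        """True once a player has sent strike_limit or more mismatching reports."""
        return self.strikes.get(player_id, 0) >= self.strike_limit


if __name__ == "__main__":
    server = CombatServer({"p1": Stats(attack=100, crit_rate=0.05, crit_mult=2.0)})
    honest = AttackReport("p1", client_attack=100, client_crit_rate=0.05)
    edited = AttackReport("p1", client_attack=100, client_crit_rate=1.0)  # constructed tamper
    print(server.resolve(honest, roll=0.50))  # 100 damage, no crit, tampered=[]
    print(server.resolve(edited, roll=0.50))  # still 100, no crit, tampered=['crit_rate']
    print(server.resolve(edited, roll=0.01))  # 200, crit: the server's roll decided it
```

The second point of the conclusion, that some damage determinations are still stored locally, is exactly the part this design removes: anything the client is allowed to decide on its own is outside `resolve` and therefore outside the server's checks.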

Game RPC Analysis

The game uses Protobuf for protocol interaction, and Web3-related interactions use the same scheme. Detailed testing of this part has not yet been conducted, but further testing of the Protobuf layer may be carried out in the future.

WEB3 Security Analysis:

Overview:

Currently, Seraph has not issued a token. The Mint contract is a standard ERC-721 NFT contract behind a proxy, with a total supply of 3225. Both minting and cross-chain operations are role-controlled, so on-chain security is manageable.

Game Economic System Security:

Currently, the main method for gold farming in Seraph is through soul crystals. Whether crafting the Soul Box or opening it is determined by the server, with the client only initiating requests. Therefore, its security assessment is not within the scope of client security assessment. In the future, Damocles may review all requests and conduct black-box testing.

About Damocles

Damocles Labs is a security team established in 2023, focusing on security in the Web3 industry. Our services include: contract code auditing, business code auditing, penetration testing, GameFi code auditing, GameFi vulnerability discovery, GameFi cheat analysis, and GameFi anti-cheat.

We will continue to make efforts in the Web3 security industry and output as many analysis reports as possible to enhance the awareness of project parties and users regarding GameFi security, as well as promote the safe development of the industry.
Twitter: @DamoclesLabs | Discord: Channel Entry

ChainCatcher Building the Web3 world with innovators