Overview

Cradles was opened for download on November 15th. The Damocles team conducted an in-depth security analysis of the game on November 16th. The analysis found that a large amount of debug information had not been removed from the game; from the debug logs it was inferred that the game was developed by a Chinese team. During testing it was also found that the game has no security protection at all, that the communication protocol is built on an open source engine, and that some of the logical checks are too loose, so we do not recommend that users play the game.

Safety rating

Game background

Ø Game version for evaluation: 20231115

Ø Game type & game engine: MMORPG, Unity2021.3.x

Ø Possible problems with gameplay:

  • Illegal movement (malicious packets through RPC for teleportation, acceleration, etc.)

  • Acceleration (in-game world time, time function under UE framework)

  • Self-aim/auto-lock

  • Invincibility

  • Unlimited stamina (physical strength)

  • Mining acceleration

Game security analysis

Game code protection

1. Since different engines call for different analysis approaches, the first step after obtaining the game EXE is to determine which engine the game uses. From the basic game information we can determine that the game was developed with Unity21.3.x.

2. By browsing the files shipped with the game, it can be determined that the game uses the Mono mechanism and was not built with the IL2CPP model. Games built this way have worse overall security and are simpler to analyze, because the managed assemblies are shipped as is.

And the protocol framework used by this game is KBEngine.

Therefore, the KBEngine source code and public documentation can be obtained from open source repositories such as GitHub, which greatly speeds up analysis of the game.

Analysis conclusion:

Cradles scored 0 for game code protection, meaning no protection at all. In traditional games, source code is usually protected by custom encryption, packing, and similar measures, and traditional games rarely ship Mono-compiled code. Since Cradles has no sound protection of its basic game code and uses an outdated compilation technique, the threshold and cost for malicious players to analyze the code are very low. If cheats appear, it will be extremely unfair to normal players: in areas where players can duel freely, it becomes much easier for malicious players to defeat their opponents.

Game basics anti-cheating:

1. In terms of basic anti-cheating detection, we mainly test from two aspects. One is whether the game has anti-debugging, and the other is whether the game has read and write protection.

2. Attaching CE (Cheat Engine) while the game is running and setting a breakpoint on a common function: the game neither exits nor shows any prompt.

3. Using CE to modify stamina and HP in the game: the modifications take effect, and the game shows no pop-up or prompt. (Modifying stamina gives unlimited stamina/mana; an HP lock remains effective for about 10 s.)

Analysis conclusion:

1. Cradles has a score of 0 in terms of anti-cheating capabilities. If there are malicious users, they can cheat at will.

2. We test only anti-debugging and read/write protection because, for a cheat, locating data and implementing functionality can only be done through debugging and memory reads and writes. If these two most basic protections are missing, then injection, hook and other detections become meaningless.

Game logic issues

For MMORPG games compiled with Mono, directly modifying client data should in principle yield very little, since the server should be authoritative. However, in our tests we found that modifications to some data, such as HP (blood volume) and stamina (physical strength), do take effect. A modified HP value remains valid for about 9 seconds; beyond that, monsters are no longer able to attack the character, so we infer that the server applies a time limit on damage at this point. The stamina modification takes effect for a long time, so we infer that the server performs no check at all on this point. The reason is that when the local character's stamina is exhausted, stamina can be restored by pausing movement; if it can be restored locally, the game can omit the server verification step entirely.

Physical strength update logic:

Blood volume update logic:

The Avatar class also contains many character-related attributes, and there should be other points among these attributes that can be manipulated in the same way.
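The weakness described in this section and under "Game basics anti-cheating" (client-side edits to stamina and HP taking effect) comes down to the client being trusted for values the server should own. As an added illustration, not code from Cradles or from KBEngine, the following plain-Python sketch keeps stamina and HP authoritative on the server: it derives stamina from timestamped move/stop events, applies damage itself, and only compares any value the client reports against its own computation, flagging reports that are better for the player than the server's state. The rates, constants, class and method names are constructed assumptions.

```python
"""Server-authoritative stamina and HP (added illustration, not Cradles or KBEngine code).

Constructed assumptions: the server receives timestamped move/stop and damage
events, recomputes stamina and HP itself, and only *compares* any value the
client reports against its own state. A client memory edit then changes what
the client displays, not what the server believes.
"""
from dataclasses import dataclass, field

# Constructed tuning constants (assumed, not taken from the game).
STAMINA_MAX = 100.0
STAMINA_DRAIN_PER_S = 10.0   # drained per second while moving
STAMINA_REGEN_PER_S = 5.0    # regained per second while standing still
HP_MAX = 1000.0


@dataclass
class ServerAvatar:
    """Server-side view of one character; the client never writes these fields."""
    stamina: float = STAMINA_MAX
    hp: float = HP_MAX
    moving: bool = False
    last_update: float = 0.0
    flags: list = field(default_factory=list)

    def _advance(self, now: float) -> None:
        """Bring stamina up to time `now` using only server-known state."""
        dt = max(0.0, now - self.last_update)
        self.last_update = now
        if self.moving:
            time_to_exhaust = self.stamina / STAMINA_DRAIN_PER_S
            if dt < time_to_exhaust:
                self.stamina -= STAMINA_DRAIN_PER_S * dt
                return
            # Stamina ran out part-way: the server stops the character itself,
            # and regeneration starts from that moment, not from a client message.
            self.moving = False
            self.stamina = 0.0
            dt -= time_to_exhaust
        self.stamina = min(STAMINA_MAX, self.stamina + STAMINA_REGEN_PER_S * dt)

    def on_move(self, now: float, start: bool) -> bool:
        """Client asks to start or stop moving; a start is refused when exhausted."""
        self._advance(now)
        if start and self.stamina <= 0.0:
            return False
        self.moving = start
        return True

    def on_damage(self, now: float, amount: float) -> float:
        """Damage is computed and applied on the server; returns the new HP."""
        self._advance(now)
        self.hp = max(0.0, self.hp - amount)
        return self.hp

    def snapshot(self, now: float) -> tuple:
        """Server-side (stamina, hp, moving) at time `now`."""
        self._advance(now)
        return (self.stamina, self.hp, self.moving)

    def check_client_report(self, now, reported_stamina, reported_hp, tolerance=1.0):
        """Compare what the client claims against server state.

        Values that are better for the player than the server's own
        computation are recorded as flags for later review; the server
        state itself is never overwritten by the report.
        """
        self._advance(now)
        issues = []
        if reported_stamina > self.stamina + tolerance:
            issues.append(f"stamina: client {reported_stamina:.1f} > server {self.stamina:.1f}")
        if reported_hp > self.hp + tolerance:
            issues.append(f"hp: client {reported_hp:.1f} > server {self.hp:.1f}")
        self.flags.extend(issues)
        return issues


if __name__ == "__main__":
    # Constructed walk-through: move for 5 s, then the client claims full stamina.
    avatar = ServerAvatar()
    avatar.on_move(0.0, start=True)
    print("honest report:", avatar.check_client_report(5.0, 50.0, 1000.0))
    print("edited report:", avatar.check_client_report(5.0, 100.0, 1000.0))
    print("state at 15 s:", avatar.snapshot(15.0))   # exhausted at 10 s, regenerated 5 s
    print("hp after hit:", avatar.on_damage(15.0, 300.0))
    print("all flags:", avatar.flags)
```

The `tolerance` argument absorbs clock skew and interpolation error so that honest clients are not flagged, while `flags` accumulates evidence that a detection pipeline can review without the server ever adopting a client value.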

Analysis conclusion:

1. The overall game logic security problem of Cradles is very serious, especially since the game involves a forced PVP mode. The threshold for cheat development is low and the payoff is high; once a mature cheat exists, completely one-sided kills become possible.

2. The game has no awareness of its own data and no detection of the other vulnerable points in the game. At the same time, because it uses an open source engine, its protocol is completely open. For a game with mining, this is unacceptable: the risk is extremely high.

Game protocol analysis

Cradles uses the KBEngine engine as the basis of the protocol. There is ready-made information on this engine for reference on the Internet.

References:

1. KBEngine technology overview: https://imgamer.gitbooks.io/kbengine-overview/content/content/6_3ServerComponents.html

2. KBEngine MMORPG Demo: https://github.com/kbengine/kbengine_ue4_demo

3. KBEngine unity3d plugins: https://github.com/kbengine/kbengine_unity3d_plugins/tree/master

WEB3 security analysis:

Since the tokens of Cradles are not yet live, the WEB3 analysis is postponed. In addition, because the mining-related protocols are completely exposed and a user's mining count is currently only a temporary number held by the game, this behavior is too centralized, so this part was not analyzed.

About Damocles

Damocles labs is a security team established in 2023, focusing on the security of the Web3 industry. Its business includes: GameFi code audit, GameFi vulnerability mining, GameFi plug-in analysis, GameFi anti-cheating, contract code audit, business code audit, penetration testing, etc.

We will continue to invest in the Web3 security industry and publish as many analysis reports as possible, to raise awareness of GameFi security among project teams and users and to promote the secure development of the industry.
Twitter: https://twitter.com/DamoclesLabs
Discord: https://discord.gg/xd6H6eqFHz