Author: Damocles

1. Overview

BigTime caused a craze in GameFi after its token launched on October 10, 2023. The team started paying attention to BigTime in September but was unable to conduct analysis due to a lack of qualifications. After the registration threshold was recently lowered, we began a series of security analyses and tests on BigTime, including tampering with game client attributes, GameRPC malicious call testing, token contract auditing, and so on. Through the overall evaluation, we found that the game has poor security, the cost of cheating is low for malicious players, and the game is easy to analyze. If the project team wants to continue operating the game, improving its security and fairness should be the first priority in later operations.

2. Game background

Game version evaluated: v0.28-CL#78459

Game type & game engine: MMORPG, UE4.27

Possible issues with gameplay:

1. Illegal movement (malicious packets through RPC for teleportation, acceleration, etc.)

2. Acceleration (in-game world time, time functions under the UE framework)

3. One-click combo / one-click skill cycle

4. NFT forging acceleration

5. NFT random number manipulation

6. Multiple settlements after a dungeon (instance) ends

3. Game Security Analysis

Game code protection:

Analysis process:

  1. Since different engines require different analysis approaches, after obtaining the game EXE you first need to determine the engine used by the game. From the basic game information, we can determine that the game was developed with UE4.27.2.

  2. Loading the game into IDA shows that the game code has not been hardened, and the GWorld variable can be quickly located through a UE4.27 signature search.

Strings are also not encrypted.

Therefore, after confirming that GWorld can be located through a signature and that the game is not encrypted, the SDK can be dumped with common SDK dump tools by locating the NamePool signature.

After obtaining the game SDK, the analysis can be accelerated.

Analysis conclusion:

BigTime scores 0 for game code protection, meaning no protection at all. In traditional games, the code is often protected by custom encryption, packing, and other methods. Since BigTime lacks basic game code protection, the threshold and cost for malicious players to analyze the code are very low. If cheat plug-ins appear, it is unfair to normal players and may damage the game's economic model.

Game basics anti-cheating:

Analysis process:

  1. For basic anti-cheat detection, we mainly test two aspects: whether the game has anti-debugging, and whether the game has memory read/write protection.

  2. Attach CE (Cheat Engine) while the game is running and set a breakpoint on a common function. The game neither exits nor shows any prompt.

  3. We modified Health in the game through CE and found that the change takes effect, with no pop-ups or prompts in the game. (Modifying Health is only for a more intuitive demonstration; this field is generally stored on the server, and modifying it locally has no real effect.)

Analysis conclusion:

  1. BigTime scores 0 for anti-cheat capability. Malicious users can cheat at will.

  2. Only anti-debugging and read/write protection are tested because, for a cheat plug-in, finding data and implementing functions can only be done through debugging and memory reading and writing. If these two most basic protections are missing, other detections such as injection and hook detection are meaningless.
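The two baseline protections the test above looks for, a debugger check and memory read/write tamper detection, look roughly like this in plain C++17. This is an added example, not BigTime's code: the Linux `/proc/self/status` TracerPid check, the `ProtectedInt` type and its hash constants are all illustrative choices, and the Windows primitives named in the comment are the standard ones rather than anything seen in the game.

```cpp
#include <cstdint>
#include <fstream>
#include <iterator>
#include <string>

// Parse the "TracerPid:" line of a Linux /proc/self/status text. Returns the
// pid of the process tracing us, or 0 when no debugger is attached. Kept
// separate from the file read so it can be exercised on constructed input.
int parseTracerPid(const std::string& statusText) {
    const std::string key = "TracerPid:";
    std::string::size_type pos = statusText.find(key);
    if (pos == std::string::npos) return 0;
    pos += key.size();
    while (pos < statusText.size() && (statusText[pos] == ' ' || statusText[pos] == '\t')) ++pos;
    int pid = 0;
    while (pos < statusText.size() && statusText[pos] >= '0' && statusText[pos] <= '9') {
        pid = pid * 10 + (statusText[pos] - '0');
        ++pos;
    }
    return pid;
}

// Baseline debugger check on Linux. On Windows the equivalent primitives are
// IsDebuggerPresent() and CheckRemoteDebuggerPresent(); a real anti-cheat
// layers several independent checks and reports to the server instead of
// simply exiting.
bool debuggerAttached() {
    std::ifstream f("/proc/self/status");
    if (!f) return false;
    std::string text((std::istreambuf_iterator<char>(f)), std::istreambuf_iterator<char>());
    return parseTracerPid(text) != 0;
}

// A tamper-evident integer for client-side values such as Health. Only
// value ^ key and a checksum of the value are stored, so a memory scanner
// searching for the displayed number (e.g. 100) finds nothing, and a blind
// write to the stored word breaks the checksum and becomes visible.
struct ProtectedInt {
    uint32_t key;
    uint32_t obfuscated;  // value ^ key
    uint32_t check;       // mix(value)

    // Cheap bijective integer hash (not cryptographic): every change of the
    // value changes the checksum, which is all tamper evidence needs.
    static uint32_t mix(uint32_t v) {
        v ^= v >> 16; v *= 0x7feb352dU;
        v ^= v >> 15; v *= 0x846ca68bU;
        v ^= v >> 16;
        return v ^ 0xA5A5A5A5U;
    }
    explicit ProtectedInt(uint32_t v, uint32_t k = 0x6d2b79f5U) : key(k) { set(v); }
    void set(uint32_t v) { obfuscated = v ^ key; check = mix(v); }
    uint32_t get() const { return obfuscated ^ key; }
    bool tampered() const { return mix(get()) != check; }
};
```

Neither check stops a determined analyst; the point of the score above is that BigTime does not even raise the cost this far, so a plain Cheat Engine search and write succeed silently. Anything that matters for fairness still belongs on the server, as the following sections argue.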

Game logic issues:

Analysis process:

For MMO-type games developed on UE, the benefit of tampering with local data is usually very low, because UE has a well-established replication mechanism for synchronizing each Actor and its attributes with server-side verification. However, analysis of the game code makes it obvious that BigTime does not use the attribute replication mechanism properly; some data is still handled locally, such as the ComboIndex function. By setting a write breakpoint on ComboIndex, you can find the write function and then debug the combo function. (The specific operations would affect fairness and will not be demonstrated.)
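The fix for a client-owned combo index is to let the server own it. The example below is added here and is not BigTime's code: `ComboServer`, the `ComboRule` constants and the RPC shape are hypothetical. The client only reports that the attack button was pressed; the server decides which hit of the chain is performed and whether enough time has passed since the last one, so a client that rewrites its local index or macros the button gains nothing, and the mismatch is counted for telemetry.

```cpp
#include <cstdint>
#include <map>

struct ComboRule {
    int    maxIndex;        // number of hits in the chain
    double minGapSeconds;   // fastest legal interval between hits (animation length)
    double windowSeconds;   // how long after a hit the chain stays open
};

struct ComboState {
    int    index    = 0;     // next hit to perform, 0..maxIndex-1 (server's view)
    double lastHit  = -1e9;  // server time of the previous accepted hit
    int    rejected = 0;     // counter for telemetry / ban heuristics
};

class ComboServer {
public:
    explicit ComboServer(ComboRule rule) : rule_(rule) {}

    // Handle an "attack" RPC. `claimedIndex` is whatever the client believes
    // its combo index is; it is compared against the server's view only so
    // the disagreement can be logged, never used. `now` is server time.
    // Returns the hit index actually performed, or -1 if rejected.
    int requestAttack(uint64_t playerId, int claimedIndex, double now) {
        ComboState& s = states_[playerId];
        // Chain expired: restart from the first hit.
        if (now - s.lastHit > rule_.windowSeconds) s.index = 0;
        // Too fast: the previous animation cannot have finished yet.
        if (now - s.lastHit < rule_.minGapSeconds) { ++s.rejected; return -1; }
        // Client disagrees with the server about the index: log it, use ours.
        if (claimedIndex != s.index) ++s.rejected;
        int performed = s.index;
        s.lastHit = now;
        s.index = (s.index + 1) % rule_.maxIndex;
        return performed;
    }

    int rejectedCount(uint64_t playerId) const {
        auto it = states_.find(playerId);
        return it == states_.end() ? 0 : it->second.rejected;
    }

private:
    ComboRule rule_;
    std::map<uint64_t, ComboState> states_;
};
```

The same shape applies to any attribute the report lists as handled locally: the client sends an intent, the server keeps the state and the clock, and the client's copy exists only for prediction and display.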

Analysis conclusion:

  1. BigTime's overall game logic security issues are not very prominent, but certain security risks remain, so the logic security score is 4 points.

  2. Some sensitive attributes lack a synchronization mechanism; more of them should be managed and verified on the server side.

Game RPC analysis

Since the RPC issue is relatively sensitive, analysis will not be carried out for now without authorization from the project party. BigTime currently has no RPC security protection: testing found that the server accepts some RPC packets as-is, so the RPC security score is 0. It is recommended that the project team conduct a detailed audit of the overall security of RPC. The picture below shows some RPC information.
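One check such an RPC audit should confirm is that movement updates are validated against what the character can physically do, since the illegal-movement item in the issue list (teleport and acceleration packets) is exactly what an unchecked movement RPC allows. The example below is added here and is not BigTime's code; `MovementValidator`, the speed constants and the `Vec3` type are hypothetical. The server measures elapsed time from its own receive clock, never from a client timestamp, keeps the last accepted position, and refuses any update whose implied speed is out of range.

```cpp
#include <cmath>
#include <cstdint>
#include <map>

struct Vec3 { double x, y, z; };

static double distance(const Vec3& a, const Vec3& b) {
    double dx = a.x - b.x, dy = a.y - b.y, dz = a.z - b.z;
    return std::sqrt(dx * dx + dy * dy + dz * dz);
}

enum class MoveVerdict { Accepted, TimeRewind, TooFast };

class MovementValidator {
public:
    // maxSpeed: fastest legitimate movement (units/s);
    // tolerance: slack for network jitter, e.g. 1.25 = 25% over the limit.
    MovementValidator(double maxSpeed, double tolerance)
        : maxSpeed_(maxSpeed), tolerance_(tolerance) {}

    // Validate a position update. `serverNow` is when the packet arrived on
    // the server; the client's own timestamp is deliberately not an input, so
    // a client that speeds up its local clock gains nothing.
    MoveVerdict validate(uint64_t playerId, const Vec3& pos, double serverNow) {
        auto it = last_.find(playerId);
        if (it == last_.end()) {                 // first update: spawn position
            last_[playerId] = Sample{pos, serverNow, 0};
            return MoveVerdict::Accepted;
        }
        Sample& s = it->second;
        double dt = serverNow - s.time;
        if (dt <= 0.0) { ++s.strikes; return MoveVerdict::TimeRewind; }
        double allowed = maxSpeed_ * dt * tolerance_;
        if (distance(pos, s.pos) > allowed) {    // teleport or speed hack
            ++s.strikes;                          // server keeps the old position
            return MoveVerdict::TooFast;
        }
        s.pos = pos;
        s.time = serverNow;
        return MoveVerdict::Accepted;
    }

    Vec3 position(uint64_t playerId) const { return last_.at(playerId).pos; }
    int  strikes(uint64_t playerId)  const { return last_.at(playerId).strikes; }

private:
    struct Sample { Vec3 pos; double time; int strikes; };
    double maxSpeed_, tolerance_;
    std::map<uint64_t, Sample> last_;
};
```

On a rejection the server would normally snap the client back to the last accepted position; the strike counter is what detection and ban logic reads, so that one jittery packet is forgiven but a pattern is not.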

WEB3 security analysis:

overview:

As a chain game, BigTime's Web3 design can be divided into two parts: the basic BigTime token, and the in-game Web3 economic system. This part of the design is relatively independent of the game itself. The game is responsible for generating tokens and forging NFTs, while a fixed-supply token contract is deployed on ETH.

Token contract security:

The basic information of the token is as follows:

The BigTime token contract mints the tokens to a multi-signature wallet and is deployed with a fixed supply. Because the current token contract's functions are simple, the basic security of the contract is sufficient. By observing the Tx history of the Owner wallet, you can see that the Owner wallet transferred some tokens to several wallets after receiving them.

Most of these wallets are Safe multi-signature wallets. Based on this, the current overall token-related security risks mainly come from private key leakage and the existence of privileged accounts on the project side. Although multi-signature is used, there is still a risk of token theft if the private key of a privileged account is leaked.

In-game economic system security:

In BigTime, players can enter the space of the space-time guard to perform operations such as forging the time hourglass and charging the time hourglass. Some of these functions, which can directly affect market balance, are stored and executed locally. Although it is not clear how the game server (GS) is designed, this behavior is high-risk, as shown below:

There are many RPC functions like this. Considering the high cost of testing, we will not do any security testing of them for the time being. We hope that the project team will enforce strict server-side checks on this part of the content.
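What "strict server-side checks" means for forging in practice is that the server, not the client, decides when a forge is done, what came out of it, and that the result is paid out once. The example below is an added illustration and not BigTime's code: `ForgeService`, the 600-second duration, the rarity table and the RPC result codes are hypothetical. It addresses three items from the issue list at once: forging acceleration (readiness is judged by the server clock), random number manipulation (the rarity roll happens on the server with its own RNG), and multiple settlements (a job is marked settled before anything is minted, so a replayed collect request returns an error instead of a second item).

```cpp
#include <cstddef>
#include <cstdint>
#include <map>
#include <random>
#include <vector>

struct ForgeJob {
    uint64_t owner;
    double   readyAt;        // server time at which forging completes
    bool     settled;        // true once the result has been handed out
};

enum class ForgeResult { NotFound, NotOwner, NotReady, AlreadySettled, Ok };

class ForgeService {
public:
    // forgeSeconds: fixed duration of a forge. seed: RNG seed, injected so the
    // example is deterministic; a production server would seed from a CSPRNG.
    ForgeService(double forgeSeconds, uint64_t seed)
        : forgeSeconds_(forgeSeconds), rng_(seed) {}

    // Client asks to start a forge; the server alone records when it is due.
    uint64_t startForge(uint64_t player, double now) {
        uint64_t id = nextId_++;
        jobs_[id] = ForgeJob{player, now + forgeSeconds_, false};
        return id;
    }

    // Client asks to collect. Any "done", "elapsed" or "rarity" field the client
    // might send is not an input here: readiness comes from the server clock,
    // the rarity from the server RNG, and the job can be settled exactly once.
    ForgeResult collect(uint64_t player, uint64_t jobId, double now, int& rarityOut) {
        auto it = jobs_.find(jobId);
        if (it == jobs_.end())   return ForgeResult::NotFound;
        ForgeJob& job = it->second;
        if (job.owner != player) return ForgeResult::NotOwner;
        if (now < job.readyAt)   return ForgeResult::NotReady;
        if (job.settled)         return ForgeResult::AlreadySettled;
        job.settled = true;      // settle before minting: no double payout
        rarityOut = rollRarity();
        inventory_[player].push_back(rarityOut);
        return ForgeResult::Ok;
    }

    std::size_t itemCount(uint64_t player) const {
        auto it = inventory_.find(player);
        return it == inventory_.end() ? 0 : it->second.size();
    }

private:
    // Weighted rarity table: 0 = common 70%, 1 = rare 25%, 2 = epic 5%.
    int rollRarity() {
        std::discrete_distribution<int> table({70.0, 25.0, 5.0});
        return table(rng_);
    }
    double forgeSeconds_;
    std::mt19937_64 rng_;
    uint64_t nextId_ = 1;
    std::map<uint64_t, ForgeJob> jobs_;
    std::map<uint64_t, std::vector<int>> inventory_;
};
```

In a real deployment the settled flag and inventory write would be one database transaction, so that a crash between them cannot leave a job both unsettled and paid; the ordering shown here is the part that matters for the double-settlement issue.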

About Damocles

Damocles Labs is a security team established in 2023, focusing on the security of the Web3 industry. Its services include contract code audit, business code audit, penetration testing, GameFi code audit, GameFi vulnerability mining, GameFi cheat plug-in analysis, and GameFi anti-cheating.

We will continue to work in the Web3 security industry and publish as many analysis reports as possible to raise awareness of GameFi security among project parties and users, and to promote the secure development of the industry.