Damocles: BigTime Game Analysis Report

Damocles Labs
2023-11-10 12:43:33
Collection
A series of security analyses and tests were conducted on BigTime, including tests for game client attribute tampering, malicious GameRPC invocation testing, and token contract auditing.

Author: Damocles


I. Summary

BigTime launched its token on October 10, 2023, sparking a wave in GameFi. The team began to pay attention to BigTime in September but had not conducted any analysis due to a lack of qualifications. After the recent lowering of registration thresholds, we started a series of security analyses and tests on BigTime, including testing for game client attribute tampering, malicious GameRPC calls, and token contract audits. Through an overall assessment of the game, we found that its security is poor, with low cheating costs for malicious players. Additionally, the difficulty of analyzing the game is low. If the project team wants to continue operating the game, enhancing security and fairness should be prioritized in future operations.

II. Game Background

Game version being evaluated: v0.28-CL#78459

Game type & engine: MMORPG, UE4.27

Potential gameplay issues:

  1. Illegal movement (malicious packet manipulation for teleportation, acceleration, etc. via RPC)
  2. Acceleration (game world time, time functions under the UE framework)
  3. One-click combos/one-click skill loops
  4. NFT forging acceleration
  5. NFT random number manipulation
  6. Multiple settlements after dungeon completion

III. Game Security Analysis

Game Code Protection:

Analysis process:

  1. Different engines have different analysis modes, so after obtaining the game EXE, we first need to determine the engine used. By identifying the basic information of the game, we can confirm that it is developed using UE27.2.

  1. Importing the game into IDA, we found that the game code is not fortified, and by searching for UE27's signature, we can quickly locate the GWorld variable.

It can also be observed that the strings are not encrypted.

Therefore, after confirming that we can locate GWorld through the signature and that the game is not encrypted, we can extract the NamePool signature using some SDK Dump tools for dumping.

Once we obtain the game SDK, we can accelerate the analysis.

Analysis Conclusion:

BigTime scores 0 in game code protection, with no protection at all. In traditional games, custom encryption and packing methods are often used to protect source code. Due to the lack of robust basic code protection in BigTime, the threshold and cost for malicious players to analyze the code are very low. If cheats appear, it would be unfair to normal players and could potentially impact the game's economic model.

Basic Anti-Cheat:

Analysis process:

  1. In terms of basic anti-cheat detection, we mainly tested two aspects: whether the game has anti-debugging measures and whether it has read/write protection.
  2. While the game is open, we used CE to attach and set breakpoints on common functions, discovering that the game did not exit or provide any prompts.

  1. By using CE to modify the in-game Health, we found that it was effective and the game did not display any pop-ups or prompts. (Modifying Health is just for a more intuitive display; this field is generally stored on the server, and local modifications have no effect.)

Analysis Conclusion:
  1. BigTime scores 0 in anti-cheat capability; if malicious users exist, they can cheat at will.
  2. The reason for only testing anti-debugging and read/write protection is that for a cheat tool, finding data and implementing functions can be achieved through debugging and reading/writing. If the most basic two protective capabilities are missing, then other detections like injection and hooking are meaningless.

Game Logic Issues

Analysis process:

For MMO-type games developed on UE, tampering with local data yields low returns because UE has a mature synchronization mechanism for synchronizing various Actors and other attributes, as well as server-side verification. However, by analyzing the game source code, it is clear that BigTime has not reasonably utilized the attribute synchronization mechanism, and some data is still stored locally. For example, the Comboindex function can be debugged by setting breakpoints on the combo index write function. (Specific operations may affect fairness and will not be demonstrated.)

Analysis Conclusion:

  1. The overall game logic security issues in BigTime are not very prominent, but there are still certain security risks, thus the logic security score is 4 points.
  2. The lack of synchronization mechanisms for certain sensitive attributes should be addressed more through server-side encryption.

Game RPC Analysis

Due to the sensitivity of RPC issues, we will not conduct an analysis without authorization from the project team. Currently, BigTime's RPC security protection is 0, and testing has shown that the server recognizes certain RPC packets, giving it a security score of 0. We recommend that the project team conduct a detailed audit of overall RPC security. The following image shows some RPC information.

WEB3 Security Analysis:

Summary:

As a blockchain game, BigTime's Web3 design can be divided into two parts: the basic BigTime token part and the in-game WEB3 economic system part. This part is relatively separate from other games, with the game responsible for producing tokens and forging NFTs, while deploying a fixed circulating token contract on ETH.

Token Contract Security:

Basic information of the token is as follows:

The BigTime token contract uses a multi-signature wallet to mint tokens and then deploys them with a fixed supply. Because the current token contract has simple functions, the basic security of the contract is sufficient. By observing the Tx information of the Owner wallet, we can see that after obtaining the tokens, the Owner wallet transferred some tokens to several wallets.

Most of these wallets use Safe's multi-signature wallet. Based on this, we can see that the overall security risks related to the token mainly stem from private key leakage and whether the project team has any privileged accounts. Although multi-signature is used, if there is a private key leak from a privileged account, there will still be a certain risk of token theft.

In-Game Economic System Security:

In BigTime, players can enter the Space of Time Guardians to forge hourglasses and recharge them. Some functions that can directly affect market balance have parts of their code executed locally, and although it is unclear how GS is designed, this behavior is considered high-risk. As shown below:

There are many RPC functions like this, and considering the high testing costs, we will not conduct any security tests for now. We hope the project team can implement strict checks on this part on the server.

About Damocles

Damocles Labs is a security team established in 2023, focusing on security in the Web3 industry. Our services include: contract code auditing, business code auditing, penetration testing, GameFi code auditing, GameFi vulnerability discovery, GameFi cheat analysis, and GameFi anti-cheat.

We will continue to make efforts in the Web3 security industry and output as many analysis reports as possible to enhance project teams' and users' awareness of GameFi security and promote the safe development of the industry.

ChainCatcher reminds readers to view blockchain rationally, enhance risk awareness, and be cautious of various virtual token issuances and speculations. All content on this site is solely market information or related party opinions, and does not constitute any form of investment advice. If you find sensitive information in the content, please click "Report", and we will handle it promptly.
banner
ChainCatcher Building the Web3 world with innovators