Scan to download
Home
Article
Flash
Token Unlock
Hot Projects
Specials
Columns
ETF
Knowledge Base
Calendar
Activity
Tools

Seraph: In The Darkness Security Assessment and Analysis

Damocles Labs
2023-12-01 11:29:14
Collection
On November 24, Damocles conducted a thorough security assessment and analysis of Seraph, and the results were poor.

1. Overview (Game Security Rating)

Seraph opened its third test on November 22, 2023. The Damocles team conducted a security analysis and assessment of the game on November 24, but the results were unsatisfactory. Firstly, the project team left a large amount of log information in the code, and it can be inferred from the log information that the project team is not a Korean team, but a Chinese team. Additionally, the game uses Unity to load Lua and has not protected the Lua code or used methods such as Lua JIT to enhance reverse engineering difficulty, which has led to the complete exposure of the source code. It is sufficient to hook the load function to dump the game source code from memory. However, since this game is an ARPG, it has a natural advantage against cheating, as most data is synchronized through the server, which alleviates the game's security issues to some extent.

2. Game Background

Ø Game version evaluated: v0.0.0.6

Ø Game type & game engine: ARPG, Unity

Ø Potential gameplay issues:

n Teleportation

n Speed-up (accelerated movement, accelerated skill release)

n Auto farming

n Multiplier modification

n Invincibility

n Buff modification (allowing characters to maintain buffs that increase soul crystal output or others)

3. Game Security Analysis

Game Code Protection:

Analysis Process:
  1. Different engines have different analysis modes, so after obtaining the game EXE, we first need to determine the engine used by the game. By identifying the basic information of the game, we can confirm that this game is developed using Unity.

  1. By checking the GameAssembly.dll and global-metadata.dat in the game directory, we can determine that the game uses the IL2CPP compilation mode, so we used iL2Cppdumper for source code restoration.

However, no strongly relevant code logic related to the game was found in the dump.cs file, leading to the speculation that the game was not developed in C#, but rather loaded through Lua. By hooking the game's load buff-related functions, we obtained the actual source code of the game.

Some interesting comments were found in the game source code:

Analysis Conclusion:

Seraph scores 0 in game code protection, with no protection at all. In traditional games developed with Lua, a custom Lua interpreter is often used, and LuaJIT is employed for a certain degree of code protection. Since Seraph lacks a sound code protection mechanism, the threshold and cost for malicious players to analyze the code are very low. If cheats appear, it would be unfair to normal players and could potentially impact the game's economic model.

Basic Anti-Cheat of the Game:

Analysis Process:

  1. In terms of basic anti-cheat detection, we mainly determine whether the game loads and executes external logic by replacing Lua files.

  2. After injecting the CE tool DLL, we check the game's log files to see if third-party logs are printed.

  1. By modifying Lua logic to change in-game critical hit rates and other data, we found that changes were effective and the game did not have any checks. (Modifying attribute data is only for more intuitive display; this field is generally stored on the server, and local modifications have no effect.)
Analysis Conclusion:

  1. Seraph scores 0 in anti-cheat capability; if there are malicious users, they can cheat at will.

  2. The only test of reloading Lua into the game is that this behavior is fundamental for cheating in Lua-based games. If this point cannot be handled well, other aspects of anti-cheat will only be worse.

Game Logic Issues

Analysis Process:

Since we have obtained the game source code, we conducted a security analysis focused on the logic layer during the analysis process, without analyzing the protocol layer. In terms of the logic layer, we mainly conducted security tests on the following points:

The tampering of attributes during character initialization: (It was found that there are not many sensitive attributes in this part, and it cannot enhance benefits.)

Next, some skill-related tampering during active attacks: (It was found that this part is only for display and does not actually participate in damage verification.)

Finally, the logic modification when monsters are attacked (it was found that modifying this point has no actual significance; it is speculated that the main purpose of this module during development was to trigger events for recording and does not involve actual calculations.)

Analysis Conclusion:

  1. Seraph did not respond to the three random tampering points we tested, proving that its damage calculation and display are conducted separately, or that the server calculates it, which provides a certain level of security, scoring 3 points.

  2. However, some damage determinations are stored locally, so there is still room for cheating.

Game RPC Analysis

The game uses Protobuf for protocol interaction, and Web3-related interactions also use this scheme. Currently, detailed testing of this part has not been conducted, but further detailed testing of the ProtoBuf part may be carried out in the future.

WEB3 Security Analysis:

Overview:

Currently, Seraph has not issued tokens. The Mint contract is a standard NFT721 contract using a proxy contract with a total supply of 3225. Both Minting and cross-chain operations have Role control, making on-chain security manageable.

Game Economic System Security:

Currently, the main method for gold farming in Seraph is through soul crystals. Whether crafting the Soul Box or opening it is determined by the server, with the client only initiating requests. Therefore, its security assessment is not within the scope of client security assessment. In the future, Damocles may review all requests and conduct black-box testing.

About Damocles

Damocles Labs is a security team established in 2023, focusing on security in the Web3 industry. Our services include: contract code auditing, business code auditing, penetration testing, GameFi code auditing, GameFi vulnerability discovery, GameFi cheat analysis, and GameFi anti-cheat.

We will continue to make efforts in the Web3 security industry and output as many analysis reports as possible to enhance the awareness of project parties and users regarding GameFi security, as well as promote the safe development of the industry.
Twitter:@DamoclesLabs Discord: Channel Entry

Related tags
GameFi blockchain games security anti-cheat
ChainCatcher reminds readers to view blockchain rationally, enhance risk awareness, and be cautious of various virtual token issuances and speculations. All content on this site is solely market information or related party opinions, and does not constitute any form of investment advice. If you find sensitive information in the content, please click "Report", and we will handle it promptly.
banner
Damocles Labs
Damocles Labs Focusing on GameFi security analysis, anti-cheating, code auditing, user profiling, and other aspects.
Damocles: Cradles Game Analysis Report
Damocles: Cradles Game Analysis Report
Damocles: BigTime Game Analysis Report
Damocles: BigTime Game Analysis Report
Related tags
GameFi blockchain games security anti-cheat
Related reading
Backed by TikTok's 1.6 billion users, Sonic SVM may be your first hundredfold coin in 2025, as the on-chain "Nintendo" entertainment empire is born
Backed by TikTok's 1.6 billion users, Sonic SVM may be your first hundredfold coin in 2025, as the on-chain "Nintendo" entertainment empire is born
Web3 Games 2024: The Absentees in the Bull Market?
Web3 Games 2024: The Absentees in the Bull Market?
The Seraph Foundation releases the $SERAPH token economic model, leading a new era of AI-driven Web3 gaming
The Seraph Foundation releases the $SERAPH token economic model, leading a new era of AI-driven Web3 gaming
Overview of the 2024 Blockchain Security and Anti-Money Laundering Annual Report
Overview of the 2024 Blockchain Security and Anti-Money Laundering Annual Report
Copyright © 2023
About Us
Media Kit
Apply for a column
Disclaimer
RSS LINK
Recruitment
Qiong ICP No. 2021009392
Qiong ICP No. 2021009392
ChainCatcher Building the Web3 world with innovators
Open the app