From the client game bug looking of security risks-vulnerability warning-the black bar safety net

2015-05-28T00:00:00
ID MYHACK58:62201562964
Type myhack58
Reporter 佚名
Modified 2015-05-28T00:00:00

Description

Although the now app development a growing trend in web applications, large-scale software also makes extensive use of the existing framework with the existing frameworks and engines improve, the vast majority of security issues have been resolved. But encountered some customization needs, developers still have to from the bottom a little bit. In this case, there is no security experience of the developers very easy to make a mistake, leading to serious security risks. As an independent engine of a large network game, for example, show the development of the easily overlooked pitfalls. Lua as a powerful and lightweight scripting language, can be very easily embedded in other language program, more and more game engines use Lua to implement the specific logic process. This allows us to avoid the complexity of reverse engineering the direct analysis of the game logic as possible. Lua script some of the characteristics even so we can directly debug the game script, such as the use of the famous Decoda Lua Debugger. If with a simple reverse resource packet and other means, we can easily get in-game script code may need to decompile, which makes our analysis process is further simplified by the Black Box turned into a half white box. First, our game is a simple reverse to simplify the script analysis of the difficulty. By reverse engineering that, the game engine to the Lua script dependence is very high, the C++just for the basic classes and methods as well as game rendering, almost all logic is by the script to complete. At the same time in order to be more convenient for our analysis to work on the game resource file package for a simple reverse, successfully unpacked the game client. Lua script, so far, the preparation work is all done. The following examples are to be found in the time sort: Stealth Any transfer Large and brush gold coins The use of non-existent props Remote code execution 0x01 stealth(unexpected“normal function”) This is strictly speaking not a vulnerability, just a very interesting BUG. In the development function of the time, developers typically will only consider implementing the features and functions inside the basic safety. This is not wrong, but there is a case that such a development model can not Defense: normal function of the characteristics of the abuse. A typical case is following this invisible BUG. Red box, the player model is invisible, you cannot click on the model selected, in the selected before him also could not find his presence. ! This stealth from a logical point of view is certainly not normal, but not from the code perspective, it is normal, so the test is also very difficult to be found. We look to achieve stealth code: ! This code is actually only doing one thing, and that is frequently modified character appearance display state, then why did the characters disappear? This is obtained from the basis about: the game of the rendering mechanism is that each model's appearance change, the model is deleted, use the new parameters to re-create the model. Thus, in the Remove the model and re-create a time difference, this time period corresponding to the player model does not exist! In the normal case this is not what big problem, but, as above that piece of code, if extremely frequently modify the model, it will lead to the model no chance to show up, and this problem if at the design stage not to attract attention, to the development stage it is difficult to be found. 0x02 any transfer(dangerous unfinished feature It is in this article the most interesting vulnerability. A big update after the routine to unpack the client to see the update what content, accidentally saw a server script, do not be surprised, I don't know why, but the client does have part of the server script~)adds a named OnCanJoinNormalMap remote function call, see the name seems to be the follow up into the map related. ! Could this be the legendary any shipping! Small partners stunned! Actual test it, really can be transferred to any of the specified coordinates! In a burst of surprise after, brain hole wide open guys also wrote a full use of the tools to achieve a real sense of any transfer, although less than a week time vulnerability is fixed. to: the ! Repair later the script became this: ! From the comment content point of view, this interface seems to be in line when no actual use, which is also the developer often commit mistakes one of the on-line some of the fundamental no use, but have implemented the interface. Since these interfaces for the development phase, may not be fully protective mechanisms, such as the figure above this interface, without any filtering. These interface once it has been unexpectedly found, things start to become uncontrollable. 0x03 use of props skills of a different operation of shared underlying implementation brings the risk As we know, the game where usually there are some may use props, but very few people care about the items using this process is how to achieve, of which there may be a problem. Below we look at items using the process exactly what happened. First click on the items of the function is this: ! Function at the end of OnUseItem is the use of the article the key, then this function is how to achieve it? ! You can see some of the items of the processing is performed by the UseItem function is complete, this function is no longer lua write a function, but C++function, part of the code is as follows: KItem::UseItem(DWORD dwBox, DWORD dwX, KTarget& rTarget) { ......

pItem = GetItem(dwBox, dwX);

......

if (pItem->m_dwSkillID != 0 && pItem->m_dwScriptID == 0) { eRetCode = UseItemSkill(pItem, rTarget); KG_PROCESS_ERROR_RET_CODE(eRetCode == uircSuccess, eRetCode);

[1] [2] next