Sword of Legends Online

Sword of Legends Online is a story-driven MMORPG inspired by Chinese mythology, built on a custom engine and proprietary networking services. With sophisticated combat systems and deep progression mechanics, the game required validation of multiplayer and gameplay security prior to wider release.

Cyrex was engaged under a black box penetration testing model, meaning:

• No source code access
• No internal documentation
• Real-world attacker simulation

The scope focused on gameplay services and multiplayer systems, including:

• Party matchmaking and management
• Guild creation and management
• Friend and contact systems
• Non-combat skills (mining, fishing, etc.)
• Combat abilities
• Quest systems
• Mount mechanics
• Player physics (movement and attacking)

In MMORPG environments built on custom engines, vulnerabilities in matchmaking, progression, or combat validation can disrupt game balance and player trust.

Cyrex conducted structured black box penetration testing, interacting with the title as an external malicious actor would.

Our engagement evaluated:

• Server-side validation of combat and ability mechanics
• Proper enforcement of non-combat skill progression
• Guild and party management integrity
• Quest logic validation
• Player physics and movement controls

We tested whether gameplay actions could be manipulated or improperly authorized through crafted requests or networking exploitation.

Following the initial testing phase, Wangyuan Shengtang extended the engagement into a second iteration based on findings.

During testing, Cyrex identified several critical vulnerabilities affecting gameplay services. We delivered:

• Detailed documentation of exploit scenarios
• Prioritized remediation guidance
• Security recommendations aligned with best practices

After patching, Cyrex conducted full sanity and regression testing to confirm that vulnerabilities were properly resolved and no new weaknesses were introduced.