[cSRO] edxSilkroadLoader Beta 3c Testing

Discussion on [cSRO] edxSilkroadLoader Beta 3c Testing within the SRO Hacks, Bots, Cheats & Exploits forum part of the Silkroad Online category.

Old   #1

 
elite*gold: 260
Join Date: Aug 2008
Posts: 560
Received Thanks: 3,751
[cSRO] edxSilkroadLoader Beta 3c Testing

Currently reversing the entire security system to come up with a new version that is more effective. No downloads for now.

This thread is for testing a new revision of my loader that adds security measures to be compatible with cSRO's latest protections. It is far from being a "complete" solution for cSRO, but I have made the minimal implementations to allow the Loader and all of its features to be used without getting detected (I think).

In short, if you can use the loader normally and you do not get disconnects or any MessageBoxes warning of errors, everything is working fine. Enable the "Debug Console" option if you wish to see the protection being defeated in real time. Note that the security system is not always activated when you log in; it's up to the server to tell your client whether to activate it or not.

Original instructions for the Loader are . You do not have to do anything special with cSRO, just use this specific Loader and DLL to start the client. You can still use this loader on iSRO or kSRO, but please keep this thread about cSRO only.

Here is an example output from the console:
Code:
.text {10001000, 189498}
.rdata {10030000, 34115}
.data {10039000, 150564}
.rsrc {1005E000, 1484}
.reloc {1005F000, 13802}
-- Code --
        codeStart: 401000
        codeSize: 81C59A
-- Data --
        dataStart: C1E000
        dataSize: 100DC0
secSeedAddr: 0x491D1E

logicalAddress1: 0xC274C0
patchAddress: 0x52876C
patchAddress: 0x5603A6
patchAddress: 0x6CEDBB

[thailandLanguageStringSig] 0 results were returned. Only 1 were expected. Please use an updated signature.
[russiaLanguageStringSig] 0 results were returned. Only 1 were expected. Please use an updated signature.
physicalKoreanStringAddress: 0xC6201C
physicalChineseStringAddress: 0xC62014
physicalTaiwanStringAddress: 0xC6200C
physicalJapanStringAddress: 0xC62004
physicalEnglishStringAddress: 0xC61FFC
physicalVietnamStringAddress: 0xC61FF4
physicalThailandStringAddress: 0x0
physicalRussiaStringAddress: 0x0

logicalKoreanStringAddress: 0x74A0FF
logicalChineseStringAddress: 0x74A127
logicalTaiwanStringAddress: 0x74A160
logicalJapanStringAddress: 0x74A1A0
logicalEnglishStringAddress: 0x74A1E0
logicalVietnamStringAddress: 0x74A219

physicalCharSelectStringAddress: 0xC62784
logicalCharSelectStringAddress: 0x74DFD9
callOffset: 0xFFD7873D
callAddr: 0x4C6730

codecaveAddr: 0x735EF1
customMultiAddr: 0xD60FBC

nudePatchAddr: 0x929F3B

zoomHackAddr: 0x69C1B6

mutexStringAddress: 0xC610F0
patchAddress: 0x735E10
macAddrSigAddr: 0x49E6EA
codecaveAddr: 0x49E6F3
callOffset: 0xFFFD9408
callAddr: 0x477B00
bindSigAddr: 0xA08AA0

chattingStringPhysicalAddress: 0xC56D78
chattingLogicalAddress: 0x6CE8CF
customAddr: 0xD60FBC
patchLogicalAddress: 0x6CEB85

CreateRemoteThreadEx does not exist on pre-Windows 7, hooking CreateRemoteThread (7C8104CC) instead.
Found the CSRO security thread!
Information:
        BaseAddress: 15F86000
        AllocationBase: 15F80000
        AllocationProtect: 40 (PAGE_EXECUTE_READWRITE )
        RegionSize: 950272
        State: 1000 (MEM_COMMIT )
        Protect: 40 (PAGE_EXECUTE_READWRITE )
        Type: 20000 (MEM_PRIVATE )

The scanning function address is at 15FE439A.
The scanning function should be hooked at 15FE4D53.
The second scanning function should be hooked at 16064C89.
[edxSecurity::ScanLogic] Patching B9 to 8B in the code section at 00491D1E.
[edxSecurity::ScanLogic] Patching 33 to 4C in the code section at 00491D1F.
[edxSecurity::ScanLogic] Patching 00 to 24 in the code section at 00491D20.
[edxSecurity::ScanLogic] Patching 00 to 04 in the code section at 00491D21.
[edxSecurity::ScanLogic] Patching 00 to 81 in the code section at 00491D22.
[edxSecurity::ScanLogic] Patching 90 to E1 in the code section at 00491D23.
[edxSecurity::ScanLogic] Patching 90 to FF in the code section at 00491D24.
[edxSecurity::ScanLogic] Patching 90 to FF in the code section at 00491D25.
[edxSecurity::ScanLogic] Patching 90 to FF in the code section at 00491D26.
[edxSecurity::ScanLogic] Patching 90 to 7F in the code section at 00491D27.
[edxSecurity::ScanLogic] Patching A8 to 08 in the code section at 0049E6F4.
[edxSecurity::ScanLogic] Patching 36 to 94 in the code section at 0049E6F5.
[edxSecurity::ScanLogic] Patching B6 to FD in the code section at 0049E6F6.
[edxSecurity::ScanLogic] Patching 0F to FF in the code section at 0049E6F7.
[edxSecurity::ScanLogic] Patching EB to 74 in the code section at 0052876C.
[edxSecurity::ScanLogic] Patching EB to 74 in the code section at 005603A6.
[edxSecurity::ScanLogic] Patching EB to 7A in the code section at 0069C1B6.
[edxSecurity::ScanLogic] Patching E8 to 39 in the code section at 006CEB85.
[edxSecurity::ScanLogic] Patching E6 to 2D in the code section at 006CEB86.
[edxSecurity::ScanLogic] Patching 32 to BC in the code section at 006CEB87.
[edxSecurity::ScanLogic] Patching 93 to 0F in the code section at 006CEB88.
[edxSecurity::ScanLogic] Patching 0F to D6 in the code section at 006CEB89.
[edxSecurity::ScanLogic] Patching 90 to 00 in the code section at 006CEB8A.
[edxSecurity::ScanLogic] Patching EB to 74 in the code section at 006CEDBB.
[edxSecurity::ScanLogic] Patching EB to 75 in the code section at 00735E10.
[edxSecurity::ScanLogic] Patching E8 to 83 in the code section at 00735EF1.
[edxSecurity::ScanLogic] Patching 7A to 3D in the code section at 00735EF2.
[edxSecurity::ScanLogic] Patching BE to BC in the code section at 00735EF3.
[edxSecurity::ScanLogic] Patching 8C to 0F in the code section at 00735EF4.
[edxSecurity::ScanLogic] Patching 0F to D6 in the code section at 00735EF5.
[edxSecurity::ScanLogic] Patching 90 to 00 in the code section at 00735EF6.
[edxSecurity::ScanLogic] Patching 90 to 00 in the code section at 00735EF7.
[edxSecurity::ScanLogic] Patching EB to 75 in the code section at 0074A0FF.
[edxSecurity::ScanLogic] Patching EB to 75 in the code section at 0074A127.
[edxSecurity::ScanLogic] Patching EB to 75 in the code section at 0074A160.
[edxSecurity::ScanLogic] Patching EB to 75 in the code section at 0074A1A0.
[edxSecurity::ScanLogic] Patching 90 to 75 in the code section at 0074A1E0.
[edxSecurity::ScanLogic] Patching 90 to 16 in the code section at 0074A1E1.
[edxSecurity::ScanLogic] Patching EB to 75 in the code section at 0074A219.
[edxSecurity::ScanLogic] Patching 90 to 75 in the code section at 00929F3B.
[edxSecurity::ScanLogic] Patching 90 to 1A in the code section at 00929F3C.
[edxSecurity::ScanLogic] Patching B8 to 81 in the code section at 00A08AA0.
[edxSecurity::ScanLogic] Patching 01 to EC in the code section at 00A08AA1.
[edxSecurity::ScanLogic] Patching 00 to A4 in the code section at 00A08AA2.
[edxSecurity::ScanLogic] Patching 00 to 01 in the code section at 00A08AA3.
[edxSecurity::ScanLogic] Patching C3 to 00 in the code section at 00A08AA5.
Please report any errors or disconnects you encounter. Make sure to mention how long you were playing or what you were doing when it happened so I can determine whether I missed something or not.



Enjoy!

3c2 - Added non-Windows 7 support.
3c3 - Fixed Update 1 to work correctly on non-Windows 7 systems.
3c4 - Fixed Update 2 to work correctly on Windows 7 systems again (sigh).
3c5 - Rewrote the scan logic function to be simpler. Rewrote the byte saving logic to work on the code, data, and main security memory sections. Added injected DLL scanning detection and memory faking.
pushedx is offline  
Thanks
10 Users
Old 11/08/2009, 01:42   #2
 
elite*gold: 0
Join Date: Jul 2009
Posts: 63
Received Thanks: 6
gj, it works well
ciacho123 is offline  
Old 11/08/2009, 01:57   #3
 
elite*gold: 0
Join Date: Oct 2009
Posts: 17
Received Thanks: 2
Still DC. at least for csro
sxcxbx is offline  
Old 11/08/2009, 02:49   #4
 
elite*gold: 0
Join Date: Sep 2006
Posts: 248
Received Thanks: 110
Quote:
Originally Posted by sxcxbx View Post
Still DC. at least for csro
Holy ****, you don't even deserve to use this Loader. You can't even ******* read.

Quote:
Originally Posted by pushedx View Post
Please report any errors or disconnects you encounter. Make sure to mention how long you were playing or what you were doing when it happened so I can determine whether I missed something or not.
Enjoy!
backo is offline  
Old 11/08/2009, 02:54   #5

 
elite*gold: 260
Join Date: Aug 2008
Posts: 560
Received Thanks: 3,751
Quote:
Originally Posted by sxcxbx View Post
Still DC. at least for csro
Please enable the debug console on this loader and check whether you get an output similar to mine in the first post. If possible, copy and paste the output of your console in a reply. Click on the top left icon, choose Mark, then highlight the text and hit Enter to copy all of it.

How it's supposed to work is by dynamically hooking the anti-cheat code, whose address varies each time it runs, and codecaving the byte scanning functions. If you get a DC with this version, it means there are more checks being run that have not toggled for me.

I've been running many clients over and over and checking it, but so far, no disconnects for me, so I'll see what more people have to say when they test.

Also, one last thing. You cannot use any other 3rd party programs that modify sro_client.exe, otherwise you will get disconnected.
pushedx is offline  
Old 11/08/2009, 11:04   #6
 
wizardLT's Avatar
 
elite*gold: 0
Join Date: Jan 2008
Posts: 123
Received Thanks: 22
Hello, still dc.

-- Code --
dataStart: 401000
dataSize: 81C59A
-- Data --
dataStart: C1E000
dataSize: 100DC0
logicalAddress1: 0xC274C0
patchAddress: 0x52876C
patchAddress: 0x5603A6
patchAddress: 0x6CEDBB

nudePatchAddr: 0x929F3B

zoomHackAddr: 0x69C1B6

mutexStringAddress: 0xC610F0
patchAddress: 0x735E10
macAddrSigAddr: 0x49E6EA
codecaveAddr: 0x49E6F3
callOffset: 0xFFFD9408
callAddr: 0x477B00
bindSigAddr: 0xA08AA0

chattingStringPhysicalAddress: 0xC56D78
chattingLogicalAddress: 0x6CE8CF
customAddr: 0xD60FBC
patchLogicalAddress: 0x6CEB85

Real_CreateRemoteThreadEx: 0
wizardLT is offline  
Old 11/08/2009, 16:34   #7
 
elite*gold: 0
Join Date: Jul 2009
Posts: 47
Received Thanks: 3
Good job! In cSro work!
nemek is offline  
Old 11/08/2009, 16:49   #8
 
OMGG1's Avatar
 
elite*gold: 0
Join Date: Sep 2008
Posts: 595
Received Thanks: 385
Nude patch just works for European and doesn't work for Chinese.
OMGG1 is offline  
Old 11/08/2009, 16:52   #9
 
elite*gold: 20
Join Date: Jul 2007
Posts: 1,617
Received Thanks: 574
Quote:
Originally Posted by OMGG1 View Post
Nude patch just works for European and doesn't work for Chinese.
prvt.
recking is offline  
Old 11/08/2009, 18:01   #10

 
elite*gold: 260
Join Date: Aug 2008
Posts: 560
Received Thanks: 3,751
Quote:
Originally Posted by OMGG1 View Post
Nude patch just works for European and doesn't work for Chinese.
Weird, it works for me:


Nude patch should not work for one race and then not the other, so I'm not sure what to say really.

Quote:
Originally Posted by wizardLT View Post
Hello, still dc.
Real_CreateRemoteThreadEx: 0
Ok, thank you very much. I know how to fix that. Right now, my code is meant for Windows 7 and I forgot to add XP/Vista support. I will work on that right now.

Update: New version released!
pushedx is offline  
Old 11/08/2009, 19:05   #11
 
elite*gold: 20
Join Date: Jul 2007
Posts: 1,617
Received Thanks: 574
Quote:
Originally Posted by pushedx View Post
Weird, it works for me:


Nude patch should not work for one race and then not the other, so I'm not sure what to say really.



Ok, thank you very much. I know how to fix that. Right now, my code is meant for Windows 7 and I forgot to add XP/Vista support. I will work on that right now.

Update: New version released!
#reported for ****.


just kidding...

Can you mention briefly what has changed recently in the cSRO security system?
recking is offline  
Old 11/08/2009, 19:39   #12

 
elite*gold: 260
Join Date: Aug 2008
Posts: 560
Received Thanks: 3,751
Quote:
Originally Posted by recking View Post
Can you mention briefly what has changed recently in the cSRO security system?
cSRO's security is really interesting, somewhat creative. It has given me a few interesting ideas. I don't have it all worked out yet, but what I do know is they load their security code into memory and spawn new threads for it to execute in the Silkroad process context.

The code that I worked around did memory hashing of the Silkroad process and sent the results to the server. If there is a mismatch, you are disconnected. However, there is quite a bit of extra code that I saw that looked like process and window enumeration, so they might be able to scan for certain things.

The good news overall though is that they do all this stuff from Ring 3 inside the Silkroad process. That means for now, it's easily reversed (compared to if it were in Ring 0) and you can use some simple methods for defeating it (detours, hooking, patching). I noticed they do have the ability to load a driver, but I don't think they have a driver developed for cSRO.

So my current solution just finds the security thread when it starts, locates the places to hook, and then codecaves them to substitute in the real bytes for fake bytes. This preliminary test only tracks my own changes, but a future solution would make sure to handle all process bytes so anyone can freely modify the client and not get detected.

Of course, cSRO is rather generous in their protection. If they were to, say, not disconnect on modification detection and just silently log and ban, trying to use any modified clients with cSRO would be very, very hard to get away with. By the same token though, if they just used XTrap, GG, HS, etc., it'd be a lot harder to get around.
pushedx is offline  
Thanks
2 Users
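The memory-hashing check the post describes, shown from the detection side as an added illustration (not the loader's or cSRO's code): per-page hashes of a code region are compared with a baseline snapshot, and only the pages that disagree are diffed byte by byte so the report can name the exact address, in the same spirit as the "Patching X to Y at ADDR" lines in the first post. The region contents, the start address 0x735000 and the jne/jmp bytes are constructed for the example.

```python
"""Code-region integrity check: page hashes against a baseline, then a
byte-level diff of only the pages that fail. Added example; sample bytes
and addresses are constructed, not taken from any real client."""
import hashlib
from typing import List, Tuple

PAGE = 0x1000  # 4 KiB, the x86 page granularity the client's sections use


def page_hashes(region: bytes) -> List[str]:
    """SHA-256 of each page-sized chunk; the final chunk may be short."""
    return [hashlib.sha256(region[i:i + PAGE]).hexdigest()
            for i in range(0, len(region), PAGE)]


def changed_pages(baseline: bytes, current: bytes) -> List[int]:
    """Indices of pages whose hash differs from the baseline snapshot."""
    if len(baseline) != len(current):
        raise ValueError("region size changed; compare equal-sized snapshots")
    pairs = zip(page_hashes(baseline), page_hashes(current))
    return [i for i, (a, b) in enumerate(pairs) if a != b]


def byte_diff(base_addr: int, baseline: bytes,
              current: bytes) -> List[Tuple[int, int, int]]:
    """(address, original byte, current byte) for every modified byte.
    Only pages that failed the hash comparison are examined bytewise."""
    out = []
    for p in changed_pages(baseline, current):
        for off in range(p * PAGE, min((p + 1) * PAGE, len(baseline))):
            if baseline[off] != current[off]:
                out.append((base_addr + off, baseline[off], current[off]))
    return out


def report(base_addr: int, baseline: bytes, current: bytes) -> List[str]:
    """Human-readable lines, one per modified byte."""
    return [f"byte at {addr:08X} changed {old:02X} -> {new:02X}"
            for addr, old, new in byte_diff(base_addr, baseline, current)]


# Constructed sample: a two-page "code section" mapped at 0x735000 (assumed).
CODE_START = 0x735000
_base = bytearray(b"\x90" * (2 * PAGE))        # NOP filler
_base[0xE10:0xE12] = b"\x75\x1A"               # jne short +0x1A at 0x735E10
BASELINE = bytes(_base)
_mod = bytearray(BASELINE)
_mod[0xE10] = 0xEB                             # conditional jump made unconditional
MODIFIED = bytes(_mod)

if __name__ == "__main__":
    for line in report(CODE_START, BASELINE, MODIFIED):
        print(line)                             # byte at 00735E10 changed 75 -> EB
```

A server-side variant would keep only the baseline page hashes and receive the client's page hashes, which is enough to flag the page; the byte diff then runs locally on a captured snapshot to localise the change.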
Old 11/09/2009, 09:41   #13
 
N00bcake's Avatar
 
elite*gold: 20
Join Date: May 2009
Posts: 2,649
Received Thanks: 475
Is it necessary to unpack the client (or strip it) on cSRO to let the MC work? Or is it just me who can't get this to work properly? When I press Start I can see sro_client.exe start in the Process window but nothing else happens, no Silkroad logo or any other action. Any suggestions?
N00bcake is offline  
Old 11/09/2009, 15:03   #14
 
justuxas's Avatar
 
elite*gold: 0
Join Date: Jan 2008
Posts: 54
Received Thanks: 9
Quote:
Originally Posted by N00bcake View Post
Is it necessary to unpack the client (or strip it) on cSRO to let the MC work? Or is it just me who can't get this to work properly? When I press Start I can see sro_client.exe start in the Process window but nothing else happens, no Silkroad logo or any other action. Any suggestions?
Same to me. Using Windows 7
justuxas is offline  
Old 11/09/2009, 18:42   #15

 
elite*gold: 260
Join Date: Aug 2008
Posts: 560
Received Thanks: 3,751
Quote:
Originally Posted by N00bcake View Post
Is it necessary to unpack the client (or strip it) on cSRO to let the MC work? Or is it just me who can't get this to work properly? When I press Start I can see sro_client.exe start in the Process window but nothing else happens, no Silkroad logo or any other action. Any suggestions?
Quote:
Originally Posted by justuxas View Post
Same to me. Using Windows 7
I'm on Windows 7 myself atm. Start Silkroad.exe and choose your Division so the Start button appears. Exit the launcher after that. Now start edxSilkroadLoader and try to launch your clients.

The cSRO client is not packed, so you do not need to do anything with that either. Sometimes there is a wait before the client launches; if you see the console and the patches listed, then the DLL was injected, but the client isn't connecting to the Login server yet.

Try selecting a different login server and use TaskMgr to kill the processes that get stuck. I've had that happen a few times I think before this version of the launcher.

The security thread does not always start. However, if it starts, it will be after you login at the character select screen. If you get in game and it is not running and you restart, chances are it will start the next time. You can see this in the two screenshots. The first time I logged in both accounts, no security thread ran but after I restarted, it ran.

pushedx is offline  