Silkroad Multiclient

[wiz]

Hi, long time no post. Took some time today to get my hands on bigger games like Silkroad, good time for it as a new patch disabled multiclients and multiclient is extremely useful in SRO.

Alright, here's the technical detail.

When you start sro_client.exe by hand it says "Run Silkroad.exe". How does sro_client.exe know who the caller is? Most probably because it gets passed some commandline args. So I wrote a little tool that I called sro_client.exe, put it into the Silkroad directory and launched Silkroad.exe to see the arguments.

They looked like

Code:

sro_client.exe [randomnumber] /18 0 0

No clue what the randomly looking number is or what the rest means but when you launch sro_client.exe like this it doesn't complain. Alright.

If you try to launch a second SRO it says "Silkroad is already running!" or something like that. So let's fix it.

I launched IDA and disassembled sro_client.exe which takes quite some time. Because I knew the technique used to make a program unique are mutexes, I searched for CreateMutex references and I think there were two. So basically had to patch the code to ignore ERROR_ALREADY_EXISTS, the error CreateMutex returns if the mutex already exists. Wrote a launcher for, tried it but after some time of loading a messagebox with unreadable text appeared and SRO quitted. Crap.

If I could've read the text I could've searched for the stringref and see what caused it but thanks to the gibberish I had to go through the shitlong list of MessageBox xrefs to see what rougly looked like the one I saw and eventually found it.

Here's the code

Code:

.text:00722017                 call    DoSocketShit
.text:0072201C                 test    eax, eax        ; Probably false if bind() failed?
.text:0072201E                 jnz     short loc_72208B
.text:00722020                 push    ebx             ; uType
.text:00722021                 push    offset aSilkroad ; "Silkroad"
.text:00722026                 push    offset aIXBR_   ; "¢Ã+®À+ÁÕ¦í +¦¦¦ ¢ÃÃÓ -¯ +Ȧ¤¦+."
.text:0072202B                 push    ebx             ; hWnd
.text:0072202C                 call    ds:MessageBoxA

As you see I already commented it. We see a call, a test eax,eax and a jump we WANT to take place because else the crap message is shown. We could patch another jump but I wanted to know what the problem was and had a look at the routine.

Because I knew eax was zero when the message box appeared I looked for early retn out of the routine and found it.

It checked if a call to bind() failed. Well, when can bind() fail? When the port we're trying to bind to is taken and indeed, the port SRO tries to bind to is hardcoded:

Code:

push    15779           ; hostshort
mov     [esp+1ACh+name.sa_family], AF_INET
call    ds:htons
push    0               ; hostlong
mov     word ptr [esp+1ACh+name.sa_data], ax

Makes sense. First SRO binds to 15779, second one tries to do that, too, bind() fails, SRO talks gibberish, quits. To solve this we have to make sure, every instance binds to another port so I wrote a little loader that does that:

- Load sro_client.exe with the commandline
- Fix two jumps so a failing CreateMutex doesn't matter
- Make the port random

Rather easy task, here's the code

Code:

#include <windows.h>
#include <stdio.h>
#include <time.h>

//Used to fix two jnz to jmp
void FixJump(HANDLE hProc,void *addr)
{
	char Hax[] = {0xEB};
	WriteProcessMemory(hProc,addr,Hax,1,NULL);
}

//Fix bind() failing
void RandomPort(HANDLE hProc)
{
	srand(time(NULL));
	DWORD port = rand()%2000;	//purely arbitrary number
	port+=15779;
	WriteProcessMemory(hProc,(void*)0x9C1794,(void*)&port,4,NULL);
}

int WINAPI WinMain(HINSTANCE hInstance,HINSTANCE hPrevInstance,LPSTR lpCmdLine,int nCmdShow)
{
	PROCESS_INFORMATION ProcInf;
	STARTUPINFO StartUpInf;

	char path[255];
	GetCurrentDirectory(sizeof(path),path);
	strcat(path,"\sro_client.exe 1337 /18 0 1");
	
	memset(&StartUpInf,0,sizeof(StartUpInf));

	//Create process
	CreateProcess("sro_client.exe",
				  path,
				  NULL,NULL,false,
				  CREATE_SUSPENDED,
				  0,NULL,&StartUpInf,&ProcInf);

	//Get access rights
	DWORD dummy;
	if(!VirtualProtectEx(ProcInf.hProcess,(void*)0x711280,1,PAGE_READWRITE,&dummy))
	{
		DWORD err = GetLastError();
		char buffer[255];
		sprintf(buffer,"Error: %d",err);
		MessageBox(NULL,buffer,"31337",0);		
		return -1;
	}

	//Now modify the code
	FixJump(ProcInf.hProcess,(void*)0x711280);
	FixJump(ProcInf.hProcess,(void*)0x7112EC);

	//Fix bind error
	RandomPort(ProcInf.hProcess);

	ResumeThread(ProcInf.hThread);

	return 0;
}

And the binary is here: [Only registered and activated users can see links. ]

Put it into your Silkroad directory and launch it!

Edit: Unfortunately something's still wrong. It indeed allows to start two SRO clients but you can't connect. Trying to sort it out.

[AleXplosion]

i dont understand anything XD

[alessandrog]

very good idea! I will try, thanks.

[eledok]

Quote:

TCP pc:4296 121.128.133.40:15779 ESTABLISHED 5520
[sro_client.exe]

TCP pc:4298 121.128.133.42:15779 ESTABLISHED 4180
[sro_client.exe]

TCP pc:4313 121.128.133.40:15779 ESTABLISHED 4984
[sro_client.exe]

TCP pc:4472 121.128.133.41:15779 ESTABLISHED 5088
[sro_client.exe]

TCP pc:4542 121.128.133.41:15779 ESTABLISHED 5148
[sro_client.exe]

those are my netstat's result (netstat /b) as u see there are 2 clients have same ip and port.

[guyllian]

me neither ^^

[noname456]

Link is dead. Reupload plz!

[piripus]

link dead upload again

[Kraizy​]

Quote:

Originally Posted by piripus

link dead upload again

Last post: 07-27-2009