elitepvpers > Coders Den > General Coding
Silkroad Multiclient

Old 02/26/2008, 20:10   #1
wiz
Member
 
Join Date: Apr 2007
Posts: 66
Received Thanks: 15


Hi, long time no post. Took some time today to get my hands on bigger games like Silkroad; good time for it, as a new patch disabled multiclients, and multiclient is extremely useful in SRO.

Alright, here's the technical detail.

When you start sro_client.exe by hand it says "Run Silkroad.exe". How does sro_client.exe know who the caller is? Most probably because it gets passed some command line args. So I wrote a little tool that I called sro_client.exe, put it into the Silkroad directory and launched Silkroad.exe to see the arguments.

They looked like

Code:
sro_client.exe [randomnumber] /18 0 0
No clue what the random-looking number is or what the rest means, but when you launch sro_client.exe like this it doesn't complain. Alright.

If you try to launch a second SRO it says "Silkroad is already running!" or something like that. So let's fix it.

I launched IDA and disassembled sro_client.exe, which takes quite some time. Because I knew the technique used to make a program unique is a mutex, I searched for CreateMutex references and I think there were two. So basically I had to patch the code to ignore ERROR_ALREADY_EXISTS, the error CreateMutex returns if the mutex already exists. Wrote a launcher for it, tried it, but after some time of loading a message box with unreadable text appeared and SRO quit. Crap.

If I could've read the text I could've searched for the string ref and seen what caused it, but thanks to the gibberish I had to go through the shitlong list of MessageBox xrefs to see which one roughly looked like the one I saw, and eventually found it.

Here's the code

Code:
.text:00722017                 call    DoSocketShit
.text:0072201C                 test    eax, eax        ; Probably false if bind() failed?
.text:0072201E                 jnz     short loc_72208B
.text:00722020                 push    ebx             ; uType
.text:00722021                 push    offset aSilkroad ; "Silkroad"
.text:00722026                 push    offset aIXBR_   ; "++զ +  - +Ȧ+."
.text:0072202B                 push    ebx             ; hWnd
.text:0072202C                 call    ds:MessageBoxA
As you see, I already commented it. We see a call, a test eax,eax and a jump we WANT to take place, because otherwise the crap message is shown. We could patch another jump, but I wanted to know what the problem was and had a look at the routine.

Because I knew eax was zero when the message box appeared, I looked for early retns out of the routine and found it.

It checked if a call to bind() failed. Well, when can bind() fail? When the port we're trying to bind to is taken, and indeed, the port SRO tries to bind to is hardcoded:

Code:
push    15779           ; hostshort
mov     [esp+1ACh+name.sa_family], AF_INET
call    ds:htons
push    0               ; hostlong
mov     word ptr [esp+1ACh+name.sa_data], ax
Makes sense. The first SRO binds to 15779, the second one tries to do that too, bind() fails, SRO talks gibberish, quits. To solve this we have to make sure every instance binds to a different port, so I wrote a little loader that does that:

- Load sro_client.exe with the commandline
- Fix two jumps so a failing CreateMutex doesn't matter
- Make the port random

Rather easy task; here's the code:

Code:
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

//Used to fix two jnz (0x75) to jmp short (0xEB); the rel8 after the opcode stays as it is
void FixJump(HANDLE hProc,void *addr)
{
	unsigned char Hax[] = {0xEB};	//unsigned: 0xEB does not fit in a signed char
	WriteProcessMemory(hProc,addr,Hax,1,NULL);
}

//Fix bind() failing: overwrite the hardcoded 15779 (the push imm32) with a random port
void RandomPort(HANDLE hProc)
{
	srand((unsigned)time(NULL));
	DWORD port = rand()%2000;	//purely arbitrary number
	port+=15779;
	WriteProcessMemory(hProc,(void*)0x9C1794,(void*)&port,4,NULL);
}

int WINAPI WinMain(HINSTANCE hInstance,HINSTANCE hPrevInstance,LPSTR lpCmdLine,int nCmdShow)
{
	PROCESS_INFORMATION ProcInf;
	STARTUPINFO StartUpInf;

	//Full path of the client plus the args Silkroad.exe would pass
	char path[MAX_PATH+64];
	GetCurrentDirectory(MAX_PATH,path);
	strcat(path,"\\sro_client.exe 1337 /18 0 1");	//backslash has to be escaped in a C string
	
	memset(&StartUpInf,0,sizeof(StartUpInf));
	StartUpInf.cb = sizeof(StartUpInf);

	//Create process suspended so we can patch it before a single instruction runs
	if(!CreateProcess("sro_client.exe",
				  path,
				  NULL,NULL,FALSE,
				  CREATE_SUSPENDED,
				  NULL,NULL,&StartUpInf,&ProcInf))
	{
		char buffer[255];
		sprintf(buffer,"CreateProcess failed: %lu",GetLastError());
		MessageBox(NULL,buffer,"31337",0);
		return -1;
	}

	//Get access rights (keep the page executable, the two jumps live in .text)
	DWORD dummy;
	if(!VirtualProtectEx(ProcInf.hProcess,(void*)0x711280,1,PAGE_EXECUTE_READWRITE,&dummy))
	{
		DWORD err = GetLastError();
		char buffer[255];
		sprintf(buffer,"Error: %lu",err);
		MessageBox(NULL,buffer,"31337",0);
		TerminateProcess(ProcInf.hProcess,1);	//don't leave a suspended client behind
		CloseHandle(ProcInf.hThread);
		CloseHandle(ProcInf.hProcess);
		return -1;
	}

	//Now modify the code
	FixJump(ProcInf.hProcess,(void*)0x711280);
	FixJump(ProcInf.hProcess,(void*)0x7112EC);

	//Fix bind error
	RandomPort(ProcInf.hProcess);

	ResumeThread(ProcInf.hThread);
	CloseHandle(ProcInf.hThread);
	CloseHandle(ProcInf.hProcess);

	return 0;
}
And the binary is here:

Put it into your Silkroad directory and launch it!

Edit: Unfortunately something's still wrong. It indeed allows to start two SRO clients but you can't connect. Trying to sort it out.

Last edited by wiz; 02/26/2008 at 20:21.
wiz is offline  
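The loader's two byte patches (jnz short to jmp short, and the push imm32 that carries the bind() port), as an added example that is not wiz's code: each patch checks the opcode and, for the port, the current immediate before it writes, so a wrong address, a different client build or an already patched image is refused instead of silently corrupted. The bytes are a constructed stand-in for a slice of the client's memory, taken from the disassembly in the post (test eax,eax / jnz short = 85 C0 75 6B, push 15779 = 68 A3 3D 00 00), not a real dump, and the offsets are not the real addresses 0x711280, 0x7112EC and 0x9C1794; in a real loader the reads and writes on this buffer become ReadProcessMemory and WriteProcessMemory on the suspended process.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SRO_PORT    15779u   /* hard-coded bind() port from the disassembly */
#define PORT_SPREAD 2000u    /* same arbitrary range the post's loader uses */

/* Constructed stand-in for a few bytes of sro_client.exe (not a real dump):
 *   offset 0: test eax,eax     85 C0
 *   offset 2: jnz short +0x6B  75 6B           <- loader turns this into jmp short
 *   offset 4: push 15779       68 A3 3D 00 00  <- hostshort immediate, little-endian */
static const uint8_t SAMPLE_CODE[] = {
    0x85, 0xC0,
    0x75, 0x6B,
    0x68, 0xA3, 0x3D, 0x00, 0x00
};
#define OFF_JNZ  2
#define OFF_PUSH 4

/* Patch a short jnz (0x75) at off into jmp short (0xEB). The rel8 operand is
 * kept, so the jump target is unchanged. Returns 0 on success, -1 if the byte
 * there is not a jnz (wrong address, other build, or already patched). */
int patch_jnz_to_jmp(uint8_t *mem, size_t len, size_t off)
{
    if (off + 2 > len) return -1;        /* need opcode + rel8 */
    if (mem[off] != 0x75) return -1;     /* not jnz short */
    mem[off] = 0xEB;
    return 0;
}

/* Little-endian 32-bit helpers for the push imm32 operand. */
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Replace the immediate of "push imm32" (0x68) at off, but only if the
 * instruction really is push imm32 and its immediate is the value we expect
 * (the hard-coded port). Returns 0 on success, -1 otherwise. */
int patch_push_imm32(uint8_t *mem, size_t len, size_t off, uint32_t expect, uint32_t value)
{
    if (off + 5 > len) return -1;
    if (mem[off] != 0x68) return -1;
    if (rd32(mem + off + 1) != expect) return -1;
    wr32(mem + off + 1, value);
    return 0;
}

/* Same port choice as the post (15779 + n % 2000), but from an explicit seed
 * so it is reproducible. In a real loader seed from the new process id rather
 * than time(): two loaders started in the same second must not pick the same port. */
uint16_t pick_port(uint32_t seed)
{
    return (uint16_t)(SRO_PORT + seed % PORT_SPREAD);
}

/* Apply both patches to a copy of the sample in out.
 * Returns the chosen port, or 0 if either patch refused to write. */
uint16_t patch_sample(uint8_t *out, size_t outlen, uint32_t seed)
{
    if (outlen < sizeof SAMPLE_CODE) return 0;
    memcpy(out, SAMPLE_CODE, sizeof SAMPLE_CODE);
    uint16_t port = pick_port(seed);
    if (patch_jnz_to_jmp(out, sizeof SAMPLE_CODE, OFF_JNZ) != 0) return 0;
    if (patch_push_imm32(out, sizeof SAMPLE_CODE, OFF_PUSH, SRO_PORT, port) != 0) return 0;
    return port;
}

int main(void)
{
    uint8_t mem[sizeof SAMPLE_CODE];
    uint16_t port = patch_sample(mem, sizeof mem, 1337);
    if (!port) { puts("patch failed: unexpected bytes"); return 1; }
    printf("port %u, bytes:", port);
    for (size_t i = 0; i < sizeof mem; i++) printf(" %02X", mem[i]);
    putchar('\n');
    return 0;
}
```

The opcode check is what makes the loader safe to leave installed across client patches: a new build moves the two jnz instructions, and writing 0xEB blindly at the old addresses would corrupt whatever now sits there. A random port can still collide with one already in use on the machine, so a real loader should try bind() on the chosen port itself before patching it in.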
Old 07/09/2008, 15:54   #2
Member
 
Join Date: May 2007
Posts: 54
Received Thanks: 29
I don't understand anything XD
AleXplosion is offline  
Old 07/19/2008, 22:55   #3
Junior Member
 
Join Date: Jul 2008
Posts: 3
Received Thanks: 0
very good idea! I will try, thanks.
alessandrog is offline  
Old 11/29/2008, 00:21   #4
Junior Member
 
Join Date: Nov 2008
Posts: 5
Received Thanks: 0
Quote:
TCP pc:4296 121.128.133.40:15779 ESTABLISHED 5520
[sro_client.exe]

TCP pc:4298 121.128.133.42:15779 ESTABLISHED 4180
[sro_client.exe]

TCP pc:4313 121.128.133.40:15779 ESTABLISHED 4984
[sro_client.exe]

TCP pc:4472 121.128.133.41:15779 ESTABLISHED 5088
[sro_client.exe]

TCP pc:4542 121.128.133.41:15779 ESTABLISHED 5148
[sro_client.exe]
Those are my netstat results (netstat /b); as you see, there are 2 clients that have the same IP and port.
eledok is offline  
Old 06/19/2009, 19:18   #5
Junior Member
 
Join Date: Apr 2009
Posts: 1
Received Thanks: 0
me neither ^^
guyllian is offline  
Old 07/27/2009, 18:01   #6
Member
 
Join Date: Mar 2009
Posts: 48
Received Thanks: 35
Link is dead. Reupload plz!
noname456 is offline  
Old 10/14/2011, 13:28   #7
Junior Member
 
Join Date: Sep 2011
Posts: 6
Received Thanks: 0
Link dead, upload again.
piripus is offline  
Old 10/14/2011, 14:47   #8
crazy b!#ch
 
Join Date: Apr 2010
Posts: 9,551
Received Thanks: 1,760
Quote:
Originally Posted by piripus View Post
Link dead, upload again.
Last post: 07-27-2009
Kraizy is offline