[KSRO] English Based Captcha Loader (Beta 1)

09/21/2009 03:18 pushedx#1
Prerequisites

- You need to already have KSRO properly setup. See [link] if you have not already played KSRO.

- You need to know how to use edxSilkroadLoader. If you have not used it yet, please read the thread about it here: [link]

- You need to make sure the Korean language pack is installed on your PC. Korean locale does not need to be enabled for testing this tool. The whole point of this tool is that the Korean locale is not enabled.

- Finally, you need to already know how to read the Korean CAPTCHA in order to be able to generate the non-Korean version of it. If you don't already know how, you will need to find a guide first! (or just consult the reference images)

About

This loader allows you to enter the Korean CAPTCHA without having the Korean locale activated. This means you can keep your English/German/etc. locales when you want to play KSRO. I have coded a little patch in the client to make this possible by generating the CAPTCHA text from another program.

This is a new concept that I have just come up with today and have tested it myself and it is working great. However, I want to let other people test the method as well. It might take some getting used to, but I think it is a cool little setup for bypassing the need to enable Korean locale!

This tool is for anyone who does not wish to have to switch their computer locale to Korean and enter Korean text. If you are fine using that method, this tool is not for you! When I test my programs across multiple Silkroad versions, it is a pain to have to restart my computer to change the locale to Korean, so I tried to solve that problem today. Programming in Visual Studio is weird with the Korean locale enabled, so this tool allows me to keep everything normal.

Instructions

1. Run edxKRCaptchaGen.exe once. Minimize the window until you need it.

2. Run edxSilkroadLoader_Lite.exe once and start your KSRO clients normally.

3. Log in to KSRO so you have the CAPTCHA on screen. If you get C7, read the Final Notes section.

4. Maximize the edxKRCaptchaGen tool and follow the directions to generate the image code text required.

Please be patient when testing this, the Korean image code is NOT easy at times and you might get unlucky and get 3 of them that are hard to enter correctly. Remember to NOT use spaces when you enter the code! If you take your time and study the layout, you should be able to have some success! If not, post and I can try to work out your troubles.

Screenshots

Sorry about the alignment of the text, I didn't notice it until I was done making screenshots. Here are three examples of image codes that were correct.

[three screenshots; links gated behind forum registration]

Here are those screenshots annotated to help explain the process.

[three annotated screenshots; links gated behind forum registration]

Then here are other screenshots.

[two screenshots; links gated behind forum registration]

Final Notes

- Ignore the 'Trail' character since KSRO CAPTCHAs do not make use of them as far as I can tell. Leave it as 0 always so you do not mess up the image code calculation!

- Minimize the edxKRCaptchaGen program when it is not needed since it is set to be "always on top".

- If you do not see a character that you need to enter, then you are looking for the wrong character! The characters follow the format of Lead Vowel Tail, so try your best. I have had a few that I couldn't get right, but that's how it is when you don't fully understand a language.

- If you get the C7 error on login, please follow this post: [link]

- Don't use spaces when you enter the code! The spaces are in the program to make typing it easier. You may type in lower case or upper case as long as they are the correct English letters and numbers.

- This version of the edxSilkroadLoader_Lite is the same one last posted in my signature (Beta 2). There are still some bugs with the loader to resolve, specifically the directory issues. However, it should be "good enough" for testing this.

- Run the loader as Admin if you are on Vista/Win7 and have problems loading the client. Please note you must still wait 2-3 minutes for the first client to load. I'm still trying to figure out why that happens...

Download

Binaries attached! This program should work each client update for KSRO as long as you have an unpacked client generated from Stripper. I will be uploading an unpacked client this Wednesday if one is required.

[attachment link gated behind forum registration]

Special thanks to [user] and [user] for the KSRO accounts. :)

Another special thanks to this page: [link]. Without it, this would not be possible.

Please leave all comments and feedback and I will try to address them as best I can. Enjoy! I hope testing goes well.
09/21/2009 03:33 WorldDj#2
Many people wanted that, thanks ;).
09/21/2009 05:13 soadmania#3
nice tool :) but what did you do exactly?? i think you just jumped/passed the "wchar to hex" part in the client. but there must be a character limit. you probably patched it too.

am i right?

i should dig a ksro client :)
09/21/2009 05:55 pushedx#4
Quote:
Originally Posted by soadmania
nice tool :) but what did you do exactly?? i think you just jumped/passed the "wchar to hex" part in the client. but there must be a character limit. you probably patched it too.

am i right?
There is a character limit in the client, but I did not patch it. It was large enough to accommodate my design. The client patches are only to convert the text you type into the image code into the image code packet (6 hex bytes = 12 ASCII characters, since we can't input hex bytes directly).

The link at the end of the post covers how I came up with the solution. Pretty much just generate the Unicode string in the secondary program, convert to multibyte for sending, and then show the text to the user to enter. Care has to be taken when converting the Unicode string into a multibyte string, as you need to use a Korean code page.

Overall, the task turned out to be a lot simpler than I had thought it would be. I opted to go for the secondary program so you can simply reuse it for as many clients as needed rather than having to add it directly into the injected dll.

Of course, I did spend all day on it, playing with the concepts, so I'm not trying to make it sound 'easy' by any means. ;) It was fun though and a good learning experience. I did it because I didn't want to convert my system to the Korean locale for KSRO testing! It might be 'too much' for most people, but at least now it's proven (for the most part) that the concept does work and is possible.

This is also only a crude beta test to see if the concepts work. A nicer version would make it so you can just click buttons to build the image code and automate the image code entry so less work has to be done. However, I'm not going to really spend too much more time on this since it works for me and does what I need it to! I need to get back to continue working on my edxSilkroadProxy project now.

I didn't include source because the loader is still bugged and is pretty much the same as the other one. The patch for the image code looks like this though.
Code:
// global space

namespace nsEnglishCaptcha
{
	// Address of the client's original string-append routine, resolved from the call at the hook site
	FARPROC AppendStringFunc = 0;

	char * pImageCode;        // what the user typed: 12 ASCII hex characters
	char newImageCode[7];     // the 6 raw CP949 bytes the client really expects, plus a terminator
	char * pNewImageCode;

	// Two-character scratch buffers, one per hex byte
	char b1[3] = {0};
	char b2[3] = {0};
	char b3[3] = {0};
	char b4[3] = {0};
	char b5[3] = {0};
	char b6[3] = {0};

	void EnglishCaptcha()
	{
		// Each pair of typed hex characters becomes one byte of the real image code
		b1[0] = pImageCode[0];
		b1[1] = pImageCode[1];
		b1[2] = 0;
		newImageCode[0] = edxLabs::HexStringToInteger(b1);

		b2[0] = pImageCode[2];
		b2[1] = pImageCode[3];
		b2[2] = 0;
		newImageCode[1] = edxLabs::HexStringToInteger(b2);

		b3[0] = pImageCode[4];
		b3[1] = pImageCode[5];
		b3[2] = 0;
		newImageCode[2] = edxLabs::HexStringToInteger(b3);

		b4[0] = pImageCode[6];
		b4[1] = pImageCode[7];
		b4[2] = 0;
		newImageCode[3] = edxLabs::HexStringToInteger(b4);

		b5[0] = pImageCode[8];
		b5[1] = pImageCode[9];
		b5[2] = 0;
		newImageCode[4] = edxLabs::HexStringToInteger(b5);

		b6[0] = pImageCode[10];
		b6[1] = pImageCode[11];
		b6[2] = 0;
		newImageCode[5] = edxLabs::HexStringToInteger(b6);

		newImageCode[6] = 0; // terminate so the client can treat it as a normal C string

		printf("Image Code: %.2X%.2X%.2X%.2X%.2X%.2X\n", (BYTE)newImageCode[0], (BYTE)newImageCode[1], (BYTE)newImageCode[2], (BYTE)newImageCode[3], (BYTE)newImageCode[4], (BYTE)newImageCode[5]);

		pNewImageCode = newImageCode;
	}

	DWORD codecave_Captcha_ReturnAddress = 0;
	__declspec(naked) void codecave_EnglishCaptcha()
	{
		__asm pop codecave_Captcha_ReturnAddress // save where the hooked call returns to
		__asm mov pImageCode, eax                // eax holds the pointer to the typed text
		__asm pushad
		__asm pushfd
		EnglishCaptcha();                        // convert the hex text into the raw bytes
		__asm popfd
		__asm popad
		__asm pop eax                            // discard the original argument
		__asm mov eax, pNewImageCode
		__asm push eax                           // pass the converted code instead
		__asm call AppendStringFunc // Original code
		__asm push codecave_Captcha_ReturnAddress
		__asm ret
	}
}

// inside DefaultFunction()

	if(bKoreanImageCode)
	{
		do
		{
			// Byte pattern that locates the image code handling in the unpacked client
			BYTE imgCodeSig[] =
			{
				0x66, 0xC7, 0x00, 0x23, 0x63
			};
			results = FindSignature(imgCodeSig, 0, sizeof(imgCodeSig), pMappedFileBase, size);
			if(results.size() != 1)
			{
				printf("%i results were returned. Only %i were expected. Please use an updated signature.\n", (int)results.size(), 1);
				break;
			}

			// The 5-byte call to the append routine sits 0x1A bytes past the signature
			DWORD ImgCodeCaveAddr = (DWORD)(dwImageBase + results[0] + dwCodeOffset + 0x1A);
			printf("ImgCodeCaveAddr: 0x%X\n", ImgCodeCaveAddr);

			// Resolve the call's relative target so the cave can call the original routine
			DWORD callOffset = *(LPDWORD)(pMappedFileBase + results[0] + 0x1A + 1);
			DWORD callAddr = ImgCodeCaveAddr + callOffset + 5;
			printf("callOffset: %X\n", callOffset);
			printf("callAddr: %X\n", callAddr);

			nsEnglishCaptcha::AppendStringFunc = (FARPROC)callAddr;

			edxLabs::CreateCodeCave(ImgCodeCaveAddr, 5, nsEnglishCaptcha::codecave_EnglishCaptcha);

			printf("\n");
		} while (false);
	}
Once again, the byte signature system I am using really makes life easier and these things possible now that addresses can be used rather than offsets. All the tricky work is handled by the program, which is very simple. Here's the generation code that takes the 9 values and combines them into the image code characters.
Code:
case IDC_GENERATE:
{
	// Lead and Vowel combo boxes use index 0 as a placeholder, so 0 is invalid there;
	// Trail index 0 is a real value (no trailing consonant).
	LRESULT L1 = ComboBox_GetCurSel(HWND_L1);
	if(L1 == 0 || L1 == CB_ERR)
	{
		MessageBox(0, "Please select a valid Lead 1 index", "Fatal Error", MB_ICONERROR);
		break;
	}
	LRESULT V1 = ComboBox_GetCurSel(HWND_V1);
	if(V1 == 0 || V1 == CB_ERR)
	{
		MessageBox(0, "Please select a valid Vowel 1 index", "Fatal Error", MB_ICONERROR);
		break;
	}
	LRESULT T1 = ComboBox_GetCurSel(HWND_T1);
	if(T1 == CB_ERR)
	{
		MessageBox(0, "Please select a valid Trail 1 index", "Fatal Error", MB_ICONERROR);
		break;
	}
	LRESULT L2 = ComboBox_GetCurSel(HWND_L2);
	if(L2 == 0 || L2 == CB_ERR)
	{
		MessageBox(0, "Please select a valid Lead 2 index", "Fatal Error", MB_ICONERROR);
		break;
	}
	LRESULT V2 = ComboBox_GetCurSel(HWND_V2);
	if(V2 == 0 || V2 == CB_ERR)
	{
		MessageBox(0, "Please select a valid Vowel 2 index", "Fatal Error", MB_ICONERROR);
		break;
	}
	LRESULT T2 = ComboBox_GetCurSel(HWND_T2);
	if(T2 == CB_ERR)
	{
		MessageBox(0, "Please select a valid Trail 2 index", "Fatal Error", MB_ICONERROR);
		break;
	}
	LRESULT L3 = ComboBox_GetCurSel(HWND_L3);
	if(L3 == 0 || L3 == CB_ERR)
	{
		MessageBox(0, "Please select a valid Lead 3 index", "Fatal Error", MB_ICONERROR);
		break;
	}
	LRESULT V3 = ComboBox_GetCurSel(HWND_V3);
	if(V3 == 0 || V3 == CB_ERR)
	{
		MessageBox(0, "Please select a valid Vowel 3 index", "Fatal Error", MB_ICONERROR);
		break;
	}
	LRESULT T3 = ComboBox_GetCurSel(HWND_T3);
	if(T3 == CB_ERR)
	{
		MessageBox(0, "Please select a valid Trail 3 index", "Fatal Error", MB_ICONERROR);
		break;
	}

	// Unicode Hangul composition: 44032 (U+AC00) + lead*588 + vowel*28 + tail,
	// where 588 = 21 vowels * 28 tails. Lead/Vowel are shifted by one for the placeholder slot.
	wchar_t imageCode[4] = {0};
	imageCode[0] = (wchar_t)(T1 + (V1-1) * 28 + (L1-1) * 588 + 44032);
	imageCode[1] = (wchar_t)(T2 + (V2-1) * 28 + (L2-1) * 588 + 44032);
	imageCode[2] = (wchar_t)(T3 + (V3-1) * 28 + (L3-1) * 588 + 44032);

	// Convert with the Korean code page (949): each syllable becomes 2 bytes, 6 in total.
	// Pass the explicit length 3 (not -1) so the terminator is not counted against the 6-byte buffer;
	// imgCode[6] is already zero and serves as the terminator.
	char imgCode[7] = {0};
	WideCharToMultiByte(949, 0, imageCode, 3, imgCode, 6, NULL, NULL);

	// Show the 6 bytes as spaced hex pairs; the user types them without the spaces
	char output[32] = {0};
	_snprintf_s(output, sizeof(output), sizeof(output) - 1, "%.2X %.2X %.2X %.2X %.2X %.2X", (BYTE)imgCode[0], (BYTE)imgCode[1], (BYTE)imgCode[2], (BYTE)imgCode[3], (BYTE)imgCode[4], (BYTE)imgCode[5]);
	SetWindowText(HWND_CODE, output);
} break;
So if anything, it's just a patch that requires a bit of creativity (and observation while working with the packet data when the Korean locale is installed) to accomplish.
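Both halves of the scheme in Python, as an added example that is not pushedx's code: the generator side composes the three syllables with the same 44032 + lead*588 + vowel*28 + tail formula and encodes them with code page 949 into the 6 bytes shown as 12 hex characters, and the client side mirrors the patch's hex-to-bytes step (spaces are stripped here for convenience; the real client must not receive them). All function and constant names are my own; the cp949 codec is Python's built-in one.

```python
# Added example (not edxKRCaptchaGen's own code): Hangul composition, CP949
# encoding, and the client patch's hex-to-bytes step. Helper names are my own.
from typing import List, Tuple

HANGUL_BASE = 0xAC00   # 44032, the first precomposed syllable (가)
LEAD_COUNT = 19        # initial consonants
VOWEL_COUNT = 21       # medial vowels
TAIL_COUNT = 28        # 27 final consonants plus index 0 = no trailing consonant
SYLLABLE_COUNT = LEAD_COUNT * VOWEL_COUNT * TAIL_COUNT

Jamo = Tuple[int, int, int]  # (lead, vowel, tail), all 0-based

def compose_syllable(lead: int, vowel: int, tail: int) -> str:
    """Unicode Hangul composition; (lead*21 + vowel)*28 is the tool's 588/28 arithmetic."""
    if not (0 <= lead < LEAD_COUNT and 0 <= vowel < VOWEL_COUNT and 0 <= tail < TAIL_COUNT):
        raise ValueError("jamo index out of range")
    return chr(HANGUL_BASE + (lead * VOWEL_COUNT + vowel) * TAIL_COUNT + tail)

def from_combo_indices(L: int, V: int, T: int) -> str:
    """The tool's Lead/Vowel combo boxes keep slot 0 as a placeholder, so they are
    1-based there; Trail is 0-based, with 0 meaning no tail (hence 'leave it as 0')."""
    return compose_syllable(L - 1, V - 1, T)

def decompose_syllable(ch: str) -> Jamo:
    off = ord(ch) - HANGUL_BASE
    if not 0 <= off < SYLLABLE_COUNT:
        raise ValueError("not a precomposed Hangul syllable")
    return (off // (VOWEL_COUNT * TAIL_COUNT), (off // TAIL_COUNT) % VOWEL_COUNT, off % TAIL_COUNT)

def generate_image_code(syllables: List[Jamo]) -> str:
    """Generator side: 3 syllables -> 6 CP949 bytes -> "XX XX XX XX XX XX" for display."""
    text = "".join(compose_syllable(*s) for s in syllables)
    raw = text.encode("cp949")   # every Hangul syllable is exactly 2 bytes in CP949
    if len(raw) != 6:
        raise ValueError("image code must be exactly three syllables")
    return " ".join(f"{b:02X}" for b in raw)

def client_decode(typed: str) -> bytes:
    """Client-patch side: 12 hex characters -> 6 raw bytes. Case does not matter;
    spaces are stripped here, whereas the patched client must not receive them."""
    cleaned = typed.replace(" ", "")
    if len(cleaned) != 12 or any(c not in "0123456789abcdefABCDEF" for c in cleaned):
        raise ValueError("image code must be exactly 12 hex characters")
    return bytes.fromhex(cleaned)

def bytes_to_jamo(raw: bytes) -> List[Jamo]:
    """Read back what the client would send, to check the round trip."""
    return [decompose_syllable(c) for c in raw.decode("cp949")]
```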
09/21/2009 12:24 soadmania#5
awesome work dude :) thanks for sharing source.
09/21/2009 19:44 zAPHIRE#6
I don't have to restart my PC to set my locale to Korean o.O

Anyway still a nice tool, thanks :) .
09/21/2009 22:36 pushedx#7
Quote:
Originally Posted by zAPHIRE
I don't have to restart my PC to set my locale to Korean o.O

Anyway still a nice tool, thanks :) .
I'm on Windows 7 beta and we have to :( (As far as I can tell, I mean; I always get a 'you have to restart to make the effects take change' message.)
09/21/2009 22:50 nemek#8
Good job!
09/21/2009 23:29 zAPHIRE#9
Quote:
Originally Posted by pushedx
I'm on Windows 7 beta and we have to :( (As far as I can tell, I mean; I always get a 'you have to restart to make the effects take change' message.)
Windows XP ftw x] I just Alt + Shift while in game and my locale is set to Korean ^^.
09/22/2009 10:07 sniper4spy#10
thx, was a great help 4 me :)
09/22/2009 10:59 DuTcHtUrK#11
I'm using my keyboard. It's easier and faster if you know where the symbols are.
But this tool should be handy for some.
09/22/2009 15:44 hadyz3#12
This is very useful for me, ty dude. I wrote the captcha right on the first try, very easy.
09/26/2009 08:48 CenTroN#13
Where can I download edxKRCaptchaGen? :O
09/26/2009 14:47 bochumer12#14
My client doesn't patch ....
When I run it normally there is nothing.
With the Silkroad loader the game starts but then disconnects because of not having the right
patch ...
09/26/2009 17:58 Yo123#15
phreak <3
i love phreaks <3