What is the state of source-released packet-based silkroad tools?

Discussion on What is the state of source-released packet-based silkroad tools? within the SRO Coding Corner forum part of the Silkroad Online category.

Old 01/10/2019, 18:08   #16
 
elite*gold: 135
Join Date: May 2015
Posts: 647
Received Thanks: 752
Quote:
Originally Posted by sandsnip3r
So then zbot was based on phconnector? Why aren't many of them based on pushedx's code?
Well..
1st : zbot has its own loader (dll file); it's not using phconnector.

2nd : you have to ask these many to know ^^

last : you have to decide what you need and don't ask why others use or not.
$WeGs is offline  
Old 01/10/2019, 20:03   #17


 
elite*gold: 24
Join Date: Sep 2006
Posts: 1,089
Received Thanks: 2,595
If you are going to do this for (ISRO), take care of the anticheat system for the dynamic opcodes. Also, I don't ever recommend using clientless without VIP or you will get banned 100%. AFAIK the system is still not 100% reversed by the bot owners, and they are still trying to do their best to not get their customers banned. If you are VIP the anticheat system will allow you to attach a bot to the client; otherwise you are logged as a cheater and you will get banned.
MeGaMaX is offline  
Old 01/10/2019, 20:06   #18
 
elite*gold: 0
Join Date: Mar 2009
Posts: 71
Received Thanks: 21
I'm asking all of these questions because I'm trying to understand who's developed what. This can help me to see which approaches have failed, which solutions are standard, which solutions are best, etc.

What is the difference between the gateway server and the login server? What are each used for?

Let me say how I think these current tools generally work. Please correct me if wrong.

Our process launches the sro_client. Our process modifies the memory of the running sro_client process to create a codecave which redirects all TCP traffic through our "proxy" (via a solution only ever created by pushedx). The character is manipulated by observing incoming packets and injecting outgoing packets.

Quote:
Originally Posted by MeGaMaX
If you are going to do this for (ISRO)...
vsro is my primary target. I won't approach isro until I have enough knowledge, if ever.
sandsnip3r is offline  
Old 01/10/2019, 20:14   #19
 
elite*gold: 100
Join Date: Apr 2008
Posts: 860
Received Thanks: 1,487
Quote:
Originally Posted by sandsnip3r
What is the difference between the gateway server and the login server? What are each used for?
The GatewayServer is for patches and performing the login and selecting the gameserver. If your version is correct and your login credentials match, it will tell you the IP and Port of the AgentServer. The AgentServer is just a "simple" proxy to route packets to the correct game server.

Each GameServer has at least one AgentServer. Usually, different mapregions are split on different GameServer-instances to balance load (and probably mitigate crashes since only certain regions will be offline if something goes wrong).

There is no login server. Many people refer to the GatewayServer as the login server.

Quote:
Originally Posted by sandsnip3r
Let me say how I think these current tools generally work. Please correct me if wrong.

Our process launches the sro_client. Our process modifies the memory of the running sro_client process to create a codecave which redirects all TCP traffic through our "proxy" (via a solution only ever created by pushedx). The character is manipulated by observing incoming packets and injecting outgoing packets.
Yes.
florian0 is offline  
Old 01/10/2019, 20:24   #20
 
elite*gold: 0
Join Date: Mar 2009
Posts: 71
Received Thanks: 21
Quote:
Originally Posted by florian0
The GatewayServer is for patches and performing the login and selecting the gameserver. If your version is correct and your login credentials match, it will tell you the IP and Port of the AgentServer. The AgentServer is just a "simple" proxy to route packets to the correct game server.

Each GameServer has at least one AgentServer. Usually, different mapregions are split on different GameServer-instances to balance load (and probably mitigate crashes since only certain regions will be offline if something goes wrong).

There is no login server. Many ppl refer login server as the GatewayServer.
Ok cool, thanks. For something like clientless then, you open a TCP(?) connection to the gatewayserver, send login info and version, receive the agentserver address, close the gatewayserver connection and open a TCP(?) connection to the agentserver, then go about sending and receiving packets (along with the occasional keepalive someone mentioned).

What about this blowfish encryption? When is it used and with which servers (agent vs gateway)?
sandsnip3r is offline  
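The gateway-then-agent flow described in the post above, as an added in-process model (not code from this thread, from phconnector or from any Silkroad project). The message shapes, the version and credential checks, the "bob"/"hunter2" account and the agent address are all constructed for the example; the real protocol uses binary opcodes, not dicts.

```python
"""In-process model of the clientless connection flow: gateway login, redirect to the
AgentServer, then game traffic. Added example; all message shapes are constructed."""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum, auto
from typing import Optional


class Phase(Enum):
    GATEWAY = auto()     # TCP session with the GatewayServer, version/login pending
    REDIRECTED = auto()  # gateway handed out the AgentServer address and was closed
    AGENT = auto()       # TCP session with the AgentServer: game packets and keepalives
    FAILED = auto()


@dataclass
class FakeGateway:
    """Constructed GatewayServer: version first, then credentials, then the agent address."""
    version: int
    users: dict
    agent_addr: tuple

    def handle(self, msg: dict) -> dict:
        if msg["type"] == "version":
            return {"ok": msg["version"] == self.version, "reason": "version mismatch"}
        if msg["type"] == "login":
            if self.users.get(msg["user"]) != msg["password"]:
                return {"ok": False, "reason": "bad credentials"}
            return {"ok": True, "agent": self.agent_addr}
        return {"ok": False, "reason": "unexpected message"}


class FakeAgent:
    """Constructed AgentServer: acknowledges keepalives, echoes everything else."""

    def handle(self, msg: dict) -> dict:
        if msg["type"] == "keepalive":
            return {"type": "keepalive-ack"}
        return {"type": "echo", "body": msg}


class ClientlessSession:
    """Client side of the flow; refuses to send game traffic until the agent phase."""

    def __init__(self, gateway: FakeGateway, agents: dict, version: int, user: str, password: str):
        self.gateway, self.agents = gateway, agents
        self.version, self.user, self.password = version, user, password
        self.phase = Phase.GATEWAY
        self.agent: Optional[FakeAgent] = None
        self.log: list = []

    def _fail(self, why: str) -> Phase:
        self.log.append(f"failed: {why}")
        self.phase = Phase.FAILED
        return self.phase

    def connect(self) -> Phase:
        reply = self.gateway.handle({"type": "version", "version": self.version})
        if not reply["ok"]:
            return self._fail(reply["reason"])
        reply = self.gateway.handle({"type": "login", "user": self.user, "password": self.password})
        if not reply["ok"]:
            return self._fail(reply["reason"])
        self.log.append("gateway connection closed")   # the gateway's job is done here
        self.phase = Phase.REDIRECTED
        self.agent = self.agents.get(reply["agent"])
        if self.agent is None:
            return self._fail(f"agent {reply['agent']} unreachable")
        self.log.append(f"connected to agent {reply['agent']}")
        self.phase = Phase.AGENT
        return self.phase

    def send(self, msg: dict) -> dict:
        if self.phase is not Phase.AGENT or self.agent is None:
            raise RuntimeError(f"no game traffic in phase {self.phase.name}")
        return self.agent.handle(msg)


def demo(version: int = 1, password: str = "hunter2") -> tuple:
    """Run the flow against the constructed servers; returns (final phase, event log)."""
    agent_addr = ("127.0.0.1", 20000)  # constructed address, not a real server
    gateway = FakeGateway(version=1, users={"bob": "hunter2"}, agent_addr=agent_addr)
    session = ClientlessSession(gateway, {agent_addr: FakeAgent()}, version, "bob", password)
    if session.connect() is Phase.AGENT:
        session.log.append(session.send({"type": "keepalive"})["type"])
    return session.phase, session.log
```

`demo()` walks the happy path; `demo(version=2)` and `demo(password="wrong")` stop at the gateway, which is the point of the phase field: nothing may be sent to the agent until the gateway has handed out its address.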
Old 01/10/2019, 22:55   #21
 
elite*gold: 100
Join Date: Apr 2008
Posts: 860
Received Thanks: 1,487
Quote:
Originally Posted by sandsnip3r
Ok cool, thanks. For something like clientless then, you open a TCP(?) connection to the gatewayserver, send login info and version, receive the agentserver address, close the gatewayserver connection and open a TCP(?) connection to the agentserver, then go about sending and receiving packets (along with the occasional keepalive someone mentioned).
Correct.

Quote:
Originally Posted by sandsnip3r
What about this blowfish encryption? When is it used and with which servers (agent vs gateway)?
There are different modes of security, actually 4, that can be enabled and disabled independently.
Code:
disabled
security-bytes
static-blowfish
dh-blowfish
I tried to collect all information I have into these docs. There are several other useful docs, especially from the people around 0x33 (pushedx/drew benton, jMerlin, clearscreen, etc), but these are pretty hard to find these days.


Another good reference is Daxter's SilkroadDoc
florian0 is offline  
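A toy model of the four modes listed above, added here as an example (not code from this thread, from pushedx's security API or from any Silkroad project). The frame layout, the 8-bit checksum, the SHA-256 keystream standing in for Blowfish and the tiny Diffie-Hellman parameters are all constructed; the point is what each layer buys the receiver: security bytes catch replayed and tampered frames, encryption alone hides the body but catches neither, and static versus DH only changes where the key comes from.

```python
"""Toy model of the four security modes: disabled, security-bytes, static-blowfish,
dh-blowfish. Added example with a constructed frame layout:
    size(2, LE) | opcode(2, LE) | seq(1) | chk(1) | body
security-bytes : seq/chk are filled by the sender and verified by the receiver;
                 otherwise both travel as zero and are ignored.
blowfish       : the body is encrypted (a SHA-256 keystream XOR stands in for Blowfish).
static vs dh   : only the key source differs (hard-coded key vs. toy Diffie-Hellman).
"""
from __future__ import annotations

import hashlib
import struct
from dataclasses import dataclass
from typing import Optional

HEADER = struct.Struct("<HHBB")  # size, opcode, seq, chk


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Symmetric stand-in for Blowfish: XOR with a SHA-256 counter keystream (toy only)."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "little")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def toy_dh_shared_key(priv_a: int, priv_b: int, p: int = 2**61 - 1, g: int = 2) -> bytes:
    """Toy Diffie-Hellman (tiny parameters, an assumption of this example): both sides
    exchange public values and derive the same secret, so no key is hard-coded."""
    pub_a, pub_b = pow(g, priv_a, p), pow(g, priv_b, p)
    secret_a, secret_b = pow(pub_b, priv_a, p), pow(pub_a, priv_b, p)
    if secret_a != secret_b:
        raise ValueError("DH derivation mismatch")
    return hashlib.sha256(secret_a.to_bytes(8, "little")).digest()[:16]


@dataclass(frozen=True)
class Mode:
    security_bytes: bool          # sequence counter + checksum on every frame
    key: Optional[bytes] = None   # None: body travels in the clear


MODES = {
    "disabled": Mode(False),
    "security-bytes": Mode(True),
    "static-blowfish": Mode(False, b"constructed-static-key"),
    "dh-blowfish": Mode(False, toy_dh_shared_key(123456789, 987654321)),
}


def _chk(opcode: int, seq: int, body: bytes) -> int:
    """Constructed 8-bit checksum standing in for the real CRC byte."""
    return (sum(body) + opcode + seq) & 0xFF


class Endpoint:
    """One side of the link: packs outgoing frames and validates incoming ones."""

    def __init__(self, mode: Mode) -> None:
        self.mode = mode
        self.send_seq = 0
        self.recv_seq = 0

    def pack(self, opcode: int, body: bytes) -> bytes:
        if self.mode.key is not None:
            body = keystream_xor(self.mode.key, body)
        seq = chk = 0
        if self.mode.security_bytes:
            self.send_seq = (self.send_seq + 1) & 0xFF
            seq = self.send_seq
            chk = _chk(opcode, seq, body)
        return HEADER.pack(len(body), opcode, seq, chk) + body

    def unpack(self, frame: bytes) -> tuple[int, bytes]:
        size, opcode, seq, chk = HEADER.unpack_from(frame)
        body = frame[HEADER.size:HEADER.size + size]
        if len(body) != size:
            raise ValueError("truncated frame")
        if self.mode.security_bytes:
            expected = (self.recv_seq + 1) & 0xFF
            if seq != expected:
                raise ValueError(f"sequence {seq}, expected {expected} (replay or drop)")
            if chk != _chk(opcode, seq, body):
                raise ValueError("checksum mismatch (tampered frame)")
            self.recv_seq = seq
        if self.mode.key is not None:
            body = keystream_xor(self.mode.key, body)
        return opcode, body


def demo(mode_name: str) -> dict:
    """Send one frame, replay it, then tamper with a fresh one; report the receiver's verdicts."""
    tx, rx = Endpoint(MODES[mode_name]), Endpoint(MODES[mode_name])
    frame = tx.pack(0x7150, b"\x01\x02\x03")
    _, body = rx.unpack(frame)
    result = {"roundtrip": body == b"\x01\x02\x03"}
    fresh = tx.pack(0x7150, b"\x01\x02\x03")
    tampered = fresh[:-1] + bytes([fresh[-1] ^ 0xFF])  # flip the last body byte
    for label, bad in (("replay", frame), ("tamper", tampered)):
        try:
            rx.unpack(bad)
            result[label] = "accepted"
        except ValueError:
            result[label] = "rejected"
    return result
```

`demo("security-bytes")` rejects both the replay and the tampered frame, while `demo("static-blowfish")` accepts both, which is why an encryption-only mode is not an integrity mode: the receiver decrypts the altered body to garbage and carries on.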
Old 01/10/2019, 23:55   #22
 
elite*gold: 0
Join Date: Mar 2009
Posts: 71
Received Thanks: 21
Quote:
Originally Posted by florian0
I tried to collect all information I have into these docs. There are several other useful docs, especially from the people around 0x33 (pushedx/drew benton, jMerlin, clearscreen, etc), but these are pretty hard to find these days.


Another good reference is Daxter's SilkroadDoc
Oh awesome, these both seem really useful. I'll explore these a bit. Thanks.

I quickly browsed phconnector, it's nice to see some well-written C++ code. I wanted to validate that it works how I think it does:

It seems to just be a proxy that a bot can connect to. Phconnector waits for the silkroad client to open a connection with it (this would probably require the loader and redirection from pushedx); once the silkroad client connects, phconnector initiates a connection with the server (first the gateway), some handshake things take place, the gateway sends the agentserver address to phconnector, we close the connections to the client and server, the client must re-open a connection with us (I assume it's like the client connecting to the agentserver), and finally any packets transferred between client and server are forwarded to their expected destination and a copy is sent to the bot. Also, of course, the bot can send packets to be forwarded to the server or client.

That wasn't too bad. Is this still the proper approach with vsro? I imagine not for isro.
sandsnip3r is offline  
Old 01/11/2019, 07:37   #23
 
elite*gold: 0
Join Date: Jan 2009
Posts: 314
Received Thanks: 686
Quote:
Originally Posted by sandsnip3r
That wasn't too bad. Is this still the proper approach with vsro? I imagine not for isro.
Imagine all the legitimate traffic flowing horizontally and injected traffic flowing vertically for the following diagrams.

1. Legacy approach

[diagram not preserved]

In the legacy setup, legit traffic flows through the proxy and can only be blocked by a configurable list of opcodes.
Injected traffic is generated by the optionally connected application.


2. Modern approach

[diagram not preserved]

The modern setup allows the legit packets to flow through the application's packet handlers and be modified or blocked dynamically. Injected traffic is generated by the application itself.


3. Client(less) approach

[diagram not preserved]

But Daxter, you only moved the SR_Client to the bottom.
Yes, and it means that the SR_Client is now generating our injected traffic.

The application is generating "legit" traffic without needing the Client.
The client connection is optional (unless they have a HWID system) and should be isolated. Only certain packets are allowed to flow through when the application and client are in the same state.
Think of it as a plug-and-play rendering/input device; you can disconnect and reconnect it as you wish.


4. florian0ish approaches

Hook DLLs to the SR_Client and send packets through the internal functions or hack through memory because why not.

Summary

All approaches have their pros and cons and ultimately it comes down to your preference and skill.
The legacy approach will need the least amount of network understanding as you only hold a single connection.
The modern approach requires you to know how to write the proxy and perform handshake logic (although takes that away).
The client(less) approach is tricky and requires decent knowledge of the packets because you want to puppeteer the client.
DaxterSoul is offline  
Old 01/19/2019, 01:52   #24
 
elite*gold: 0
Join Date: Feb 2009
Posts: 46
Received Thanks: 5
I think you rush things; creating a clientless as a first project is a bad idea, but for starting I recommend these steps:

1- You can start with creating a 0x704f (opcode) 0x04 (data) sit-down packet using phconnector and your app.
2- Next, study the 0x7150 packet and the server response 0xb150 using PHanalyzer or the edxloader6 packet auto parser.
3- Try to create a simple app which:
Code:
while (true)
{
    send(0x7150);
    response = receive(0xb150);
    if (response.plus >= 3)
    {
        Console.WriteLine("It works, item is now +3");
        break;
    }
}
4- Try to make your own proxy (instead of phconnector) by studying pushedx's Silkroad Security API (it contains useful examples).


5- Read this; it has an example of the packet flow from connection start to 0x3020 (character spawn) for clientless apps.

6- Finally, modify your simple alchemy app code to use your clientless proxy code. Now GZ, you have a clientless alchemy tool.

Wish you good luck.
theking200051 is offline  
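An added example that serves both DaxterSoul's legacy-versus-modern distinction and the 0x7150/0xb150 loop in the steps above (not code from either author, from phconnector or from any Silkroad project). The opcodes are the ones named in the thread; the fake server, the one-byte "plus" body and the dict-based state are constructed for the example, and no sockets are involved. It shows the one thing the legacy design cannot do: a blocking decision that depends on current state.

```python
"""Model of the 'legacy' vs 'modern' proxy designs, driven by the 0x7150 / 0xB150 loop.
Added example; no sockets, and the fake server reply layout is constructed."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Optional

REQ_ALCHEMY = 0x7150   # client -> server request (opcode named in the thread)
RSP_ALCHEMY = 0xB150   # server -> client reply  (opcode named in the thread)


@dataclass(frozen=True)
class Packet:
    opcode: int
    body: bytes


# A handler returns the packet to forward (possibly rewritten) or None to block it.
Handler = Callable[[Packet], Optional[Packet]]


class LegacyProxy:
    """Legacy setup: legit traffic passes straight through; only a fixed opcode list is blocked."""

    def __init__(self, blocked_opcodes) -> None:
        self.blocked = frozenset(blocked_opcodes)
        self.forwarded: list = []

    def on_packet(self, pkt: Packet) -> bool:
        if pkt.opcode in self.blocked:
            return False          # no state, no inspection: the decision is static
        self.forwarded.append(pkt)
        return True


class ModernProxy:
    """Modern setup: every packet runs through the application's handlers, which see state."""

    def __init__(self) -> None:
        self.handlers: dict = {}
        self.forwarded: list = []

    def register(self, opcode: int, handler: Handler) -> None:
        self.handlers.setdefault(opcode, []).append(handler)

    def on_packet(self, pkt: Packet) -> Optional[Packet]:
        for handler in self.handlers.get(pkt.opcode, []):
            pkt = handler(pkt)
            if pkt is None:
                return None       # a handler blocked it
        self.forwarded.append(pkt)
        return pkt

    def inject(self, pkt: Packet) -> None:
        """Traffic generated by the application itself bypasses the handler chain."""
        self.forwarded.append(pkt)


def fake_server_reply(request: Packet, attempt: int) -> Packet:
    """Constructed GameServer: the reply body's first byte is the new plus value."""
    return Packet(RSP_ALCHEMY, bytes([attempt]))


def run_legacy_demo() -> dict:
    """Static blocklist: 0xB150 is always dropped, 0x7150 always passes, whatever the state."""
    proxy = LegacyProxy({RSP_ALCHEMY})
    results = [proxy.on_packet(Packet(REQ_ALCHEMY, b"\x00")),
               proxy.on_packet(Packet(RSP_ALCHEMY, b"\x03"))]
    return {"passed": results, "forwarded": len(proxy.forwarded)}


def run_modern_demo(target_plus: int = 3, max_attempts: int = 10) -> dict:
    """The alchemy loop from the post, expressed as handlers over a modern proxy."""
    proxy = ModernProxy()
    state = {"plus": 0, "done": False}

    def on_reply(pkt: Packet) -> Optional[Packet]:
        state["plus"] = pkt.body[0]
        state["done"] = state["plus"] >= target_plus
        return pkt                       # forward to the client unchanged

    def gate_request(pkt: Packet) -> Optional[Packet]:
        # Dynamic block: the client's own requests are held while the loop is running.
        return pkt if state["done"] else None

    proxy.register(RSP_ALCHEMY, on_reply)
    proxy.register(REQ_ALCHEMY, gate_request)

    blocked_during = proxy.on_packet(Packet(REQ_ALCHEMY, b"\x00")) is None
    attempts = 0
    while not state["done"] and attempts < max_attempts:
        attempts += 1
        request = Packet(REQ_ALCHEMY, b"\x00")
        proxy.inject(request)
        proxy.on_packet(fake_server_reply(request, attempts))

    passed_after = proxy.on_packet(Packet(REQ_ALCHEMY, b"\x00")) is not None
    return {"attempts": attempts, "plus": state["plus"],
            "client_request_blocked_during": blocked_during,
            "client_request_passed": passed_after}
```

`run_modern_demo()` stops after three constructed replies, and the same 0x7150 packet that was blocked while the loop ran is forwarded once the loop is done; `run_legacy_demo()` can only ever answer by opcode.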