Thanks for being careful! I've uploaded all the executables to VirusTotal to double-check.



The sro_client indeed looks fishy to me. I just gave it a scan with Avast and Malwarebytes before and considered it to be clean. 11/66 still could be a false positive. I'll keep you updated.
Edit 0: The entry point is not what it should look like
(For reference: This is what it should look like -> [image not preserved])
Edit 1: I've logged what it does on startup. Logfile is appended.
Nothing suspicious so far. The detection might come from a packer Joymax used.
Edit 2: Looks more and more like a simple packer. I removed the invalid instructions and unnecessary jumps.
Code:
.pseudo:00C1F000 public start
.pseudo:00C1F000 start proc near
.pseudo:00C1F000
.pseudo:00C1F000 var_54 = dword ptr -54h
.pseudo:00C1F000 var_50 = dword ptr -50h
.pseudo:00C1F000 var_4C = dword ptr -4Ch
.pseudo:00C1F000 arg_C = dword ptr 10h
.pseudo:00C1F000 arg_18 = dword ptr 1Ch
.pseudo:00C1F000 arg_1C = dword ptr 20h
.pseudo:00C1F000 arg_40 = dword ptr 44h
.pseudo:00C1F000 arg_44 = dword ptr 48h
.pseudo:00C1F000
.pseudo:00C1F000 ; FUNCTION CHUNK AT .pseudo:00C1F073 SIZE 00000180 BYTES
.pseudo:00C1F000
.pseudo:00C1F000 mov ebx, 12Eh
.pseudo:00C1F005 jmp loc_C1F073
.pseudo:00C1F073 ; ---------------------------------------------------------------------------
.pseudo:00C1F073 ; START OF FUNCTION CHUNK FOR start
.pseudo:00C1F073 call $+5
.pseudo:00C1F078 pop ebp
.pseudo:00C1F079 sub ebp, 4BE14Dh
.pseudo:00C1F07F lea eax, [ebp+4BE0F2h]
.pseudo:00C1F085 lea ecx, [ebp+4BE194h]
.pseudo:00C1F08B add ecx, ebx
.pseudo:00C1F08D mov [ecx+1], eax
.pseudo:00C1F090 lea eax, [ebp+4BE136h]
.pseudo:00C1F096 lea ecx, [ebp+4BE0FAh]
.pseudo:00C1F09C mov [ecx], eax
.pseudo:00C1F09E mov eax, 145Eh
.pseudo:00C1F0A3 lea ecx, [ebp+4BE0FFh]
.pseudo:00C1F0A9 mov [ecx], eax
.pseudo:00C1F0AB lea ecx, [ebp+4BE194h]
.pseudo:00C1F0B1 lea eax, [ebp+4BF394h]
.pseudo:00C1F0B7 push ecx
.pseudo:00C1F0B8 push eax
.pseudo:00C1F0B9 call sub_C1F034
.pseudo:00C1F0BE popa
.pseudo:00C1F0CA push 2273CBD4h
.pseudo:00C1F0CF push 7FE7F412h
.pseudo:00C1F0D4 mov [esp-1Ch+arg_1C], ebp
.pseudo:00C1F0DC add esp, 4
.pseudo:00C1F0E7 lea ebp, [ebp+ebp*2+2Ah]
.pseudo:00C1F0EE mov ebp, [esp-20h+arg_44]
.pseudo:00C1F0F7 push 1Bh
.pseudo:00C1F0FC pop ebp
.pseudo:00C1F110 pop ebp
.pseudo:00C1F115 mov ebp, [esp+0]
.pseudo:00C1F123 bt bp, dx
.pseudo:00C1F127 pop ebp
.pseudo:00C1F12D lea esp, [esp-1Eh]
.pseudo:00C1F134 lea esp, [esp+edx+1Ah]
.pseudo:00C1F138 sub esp, edx
.pseudo:00C1F13D push ebp
.pseudo:00C1F142 pop dword ptr [esp+0]
.pseudo:00C1F146 mov ebp, esp
// Stolen OEP begins here
.pseudo:00C1F148 push 0FFFFFFFFh
.pseudo:00C1F14A push offset unk_8F3D60
.pseudo:00C1F14F push offset sub_811A08
.pseudo:00C1F154 mov eax, large fs:0
.pseudo:00C1F15F lea esp, [esp-1Eh]
.pseudo:00C1F166 lea esp, [esp+edx+1Ah]
.pseudo:00C1F16A sub esp, edx
.pseudo:00C1F16F push eax
.pseudo:00C1F174 pop dword ptr [esp+0]
.pseudo:00C1F178 mov large fs:0, esp
.pseudo:00C1F17F sub esp, 58h
.pseudo:00C1F187 lea esp, [esp-1Eh]
.pseudo:00C1F18E lea esp, [esp+edx+1Ah]
.pseudo:00C1F192 sub esp, edx
.pseudo:00C1F197 push ebx
.pseudo:00C1F19C pop dword ptr [esp+0]
.pseudo:00C1F1A5 lea esp, [esp-1Eh]
.pseudo:00C1F1AC lea esp, [esp+edx+1Ah]
.pseudo:00C1F1B0 sub esp, edx
.pseudo:00C1F1B5 push esi
.pseudo:00C1F1BA pop [esp+4Ch+var_4C]
.pseudo:00C1F1C3 lea esp, [esp-1Eh]
.pseudo:00C1F1CA lea esp, [esp+edx+1Ah]
.pseudo:00C1F1CE sub esp, edx
.pseudo:00C1F1D3 push edi
.pseudo:00C1F1D8 pop [esp+50h+var_50]
.pseudo:00C1F1DC mov [ebp-18h], esp
// stolen OEP ends somewhere here
.pseudo:00C1F1E8 push offset EntryPoint
.pseudo:00C1F1ED push 0
.pseudo:00C1F1F2 retn
.pseudo:00C1F1F2 ; END OF FUNCTION CHUNK FOR start
.pseudo:00C1F1F2 ; ---------------------------------------------------------------------------
Edit 3: It's really just some kind of packer. The remaining instructions above are a small loader that fixes some addresses for hiding evidence of its existence. The RETN at the end acts as a redirect to the last pushed address (which is not null, it's overwritten by the loader). The RETN jumps to the "HideMyEvidence" function and then jumps to the OEP. The instructions before the RETN are, at least as far as I've been taught, called a "stolen OEP". I will try to put the OEP back in place, lol.
Edit 4: I stole the OEP from Silkroad.exe and pasted it into sro_client.exe. It now works, I've removed all the "malicious" code and renamed the sections to their original names. But still ... some don't like it:
Edit 5: Turns out: With malicious entry point still existing, Avira is happy. Once I delete the EP, Avira is unhappy. Meh. I'm performing a bindiff to v1.005 to check for other changes.
Edit 6: Still no malicious behavior. I have restored the entry point and removed the loader stuff. File is attached.
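
Added example, not part of the original post or the poster's tooling: a static triage check for the two traits the listing shows, an entry point that sits in a trailing, writable section (`.pseudo` here) and a `call $+5 / pop ebp` sequence shortly after it. The function names and the two-section sample image are constructed for illustration. These traits indicate a packer stub, not malicious behaviour.

```python
import struct

GETPC = bytes.fromhex("e8000000005d")  # call $+5 ; pop ebp (00C1F073 in the listing)
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION = "<8sIIII12xI"  # name, vsize, va, raw size, raw ptr, (skipped), characteristics

def triage_entry_point(pe: bytes) -> dict:
    """Find the section that holds the PE entry point and report packer-stub traits."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    nt = struct.unpack_from("<I", pe, 0x3C)[0]  # e_lfanew
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsect, opt_size = struct.unpack_from("<H12xH", pe, nt + 6)
    ep = struct.unpack_from("<I", pe, nt + 24 + 16)[0]  # AddressOfEntryPoint (RVA)
    table = nt + 24 + opt_size
    for i in range(nsect):
        name, vsize, va, rsize, raw, chars = struct.unpack_from(SECTION, pe, table + 40 * i)
        if va <= ep < va + max(vsize, rsize):
            start = raw + ep - va
            # The stub on this page jumps 0x73 bytes ahead before call $+5, so scan a window.
            window = pe[start:min(start + 256, raw + rsize)]
            return {
                "section": name.rstrip(b"\0").decode("latin-1"),
                "ep_in_last_section": nsect > 1 and i == nsect - 1,
                "ep_section_writable": bool(chars & IMAGE_SCN_MEM_WRITE),
                "getpc_near_ep": GETPC in window,
            }
    raise ValueError("entry point lies outside every section")

def build_sample(ep_rva: int) -> bytes:
    """Constructed two-section PE32 skeleton (.text, .pseudo); not a real binary."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, ep_rva).ljust(224, b"\0")
    text = struct.pack(SECTION, b".text", 0x200, 0x1000, 0x200, 0x200, 0x60000020)
    pseudo = struct.pack(SECTION, b".pseudo", 0x200, 0x2000, 0x200, 0x400, 0xE0000020)
    # mov ebx,12Eh ; jmp +69h ; padding ; call $+5 ; pop ebp
    stub = bytes.fromhex("bb2e010000e969000000").ljust(0x73, b"\x90") + GETPC
    hdr = (dos + coff + opt + text + pseudo).ljust(0x200, b"\0")
    return hdr + b"\xc3".ljust(0x200, b"\x90") + stub.ljust(0x200, b"\0")

if __name__ == "__main__":
    for rva in (0x1000, 0x2000):
        print(hex(rva), triage_entry_point(build_sample(rva)))
```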