[Release] CPSQuickStart - Supercharge your client with a hidden developer feature
Discussion on [Release] CPSQuickStart - Supercharge your client with a hidden developer feature within the SRO Hacks, Bots, Cheats & Exploits forum part of the Silkroad Online category.
Hello my beloved, greedy, dead community,
have you ever tried something in-game and had to relog for every attempt? Have you ever entered your account data so often that your keys wore off? Have you ever dreamt of not having to enter credentials, have you ever dreamt of not waiting for the character selection animation to complete? Have you ever dreamed of a fast auto login, so fast that you just skip the entire login and appear in-game?
No? Well, idc, these have been my dreams anyway :P. And I make my dreams come true.
[Gallery image: login timer]
(The timer was a bit off. The log shows the client was ready after 6.4 seconds.)
Long story short: Joymax Developers had a feature to quickly test stuff on the client by hard-coding credentials into the source. The client would then perform a fast login using an internal class called CPSQuickStart skipping the intro and character select.
The class is still built in, but it's inactive and outdated / broken. I spent a lot of time analysing and comparing its behaviour and finally came up with two major problems:
CPSQuickStart is unaware of the IBUV (Image Based User Verification aka. Captcha).
CPSQuickStart sends the character name as a multi-byte string instead of a single-byte string.
The P in CPSQuickStart stands for Process (and the S for Silkroad). The client used to have a feature to choose the StartProcess from the Media.pk/config/options.txt, but it was removed some time ago. But since my codebase already replaces the entire WinMain, it wasn't too hard to find a location to change the StartProcess safely.
To solve problem 1, I simply stole the IBUV confirmation code from the legitimate login code. It wasn't a problem since it was an entirely new feature and I just had to send a packet.
Code:
if (pMsg->msgid == 0x1002) // IBUV_REQUIRED
{
    int unk1, unk2;
    *pMsg >> unk1 >> unk2;               // read and discard the two unknown fields
    CClientNet::get()->IBVU_confirm(""); // confirm IBVU with an empty image code
    return 0;                            // message consumed, not forwarded
}
My solution for the second problem doesn't make me happy. The character selection is quick and dirty since I have no clue what the original CPSQuickStart code did there. It works if the character exists, so no problems here till now.
Code:
if (pMsg->msgid == 0xB007) // CHARACTER_SELECT_REQUIRED
{
    pMsg->FlushRemaining();          // ignore the rest of the incoming message
    CMsgStreamBuffer buf(0x7001);
    buf << std::string(charname);    // character name as a single-byte string
    SendMsg(buf);
    return 0;                        // message consumed, not forwarded
}
Since the credentials are still hardcoded, a binary release makes no sense at this point. Maybe someone could add a feature to read the data from a config file (an ini should be enough).
CPSQuickStart 10.04.2018 - florian0
===============================================================================
This tool acts as an addon to sro_client.exe. It overrides various functions of
the client and is therefore not compatible with any other 3rd-party software
and/or might even break other 3rd-party software.
It enables a hidden feature called QuickStart which skips the whole login and
performs an automated login.
-------------------------------------------------------------------------------
Usage:
Copy the Dll to your Silkroad Folder, run the client and inject the dll. The
DllMain must be executed before the original WinMain of the Clients starts.
Your injection method can be either detouring the entrypoint or adding an
import. Common dll-injection-tools may work if they support creating the client
process suspended.
-------------------------------------------------------------------------------
Bugs:
* Wrong credentials, wrong character name, wrong server name, wrong image code
will possibly lead to a crash. Be aware of that.
* The IBUV cannot be displayed. You'll either need to pseudo-disable (length
to 0) it or guess it (good luck).
-------------------------------------------------------------------------------
Compiling:
As always, compiling is a little tricky. This software is designed to be binary
compatible to the client. Therefore building with Visual C++ 8.0 (install
Visual Studio 2005) is mandatory! You'll need Daffodil (1) and Visual Studio
2010 to open the project.
If you're using the DirectX version, you'll also need the DirectX SDK (I'm using v9.0b, but newer ones might work, too). Put it inside the lib folder. If you don't need DirectX, just choose the "nodx" version and you are fine.
Always compile on Release-mode. Debug will produce incompatible code.
This combination is guaranteed to work as it is binary compatible. Newer
compilers can work, but are neither tested nor supported by me.
(1) https://daffodil.codeplex.com/
Compatibility in Visual Studio:
Visual Studio 2005 | YES
Visual Studio 2008 | <untested>
Visual Studio 2010 | YES
Visual Studio 2012 | <untested>
Visual Studio 2013 | <untested>
Visual Studio 2015 | <untested>
Visual Studio 2017 | <untested>
-------------------------------------------------------------------------------
Attribution:
Do what ever the f*ck you want with it. But don't be that a**hole claiming
others work as your own. Thank you.
CPSQuickStart SOURCECODE 10.04.2018 - florian0
===============================================================================
This file acts as a small introduction to my code. I've tried to fake the
original source layout to get a better understanding of how Silkroad Online was
developed and maintained. The implementation is designed to be binary compatible
with the original client. This allows using the std-lib without any wrappers and
makes your life a lot easier.
-------------------------------------------------------------------------------
Where to start?
src/engine/process/PSQuickStart.cpp:OnPacket_MAYBE_IMPL contains the most
important part. It catches the following MsgIds before they reach the original handler:
* 0x1002 (IBUV_REQUIRED)
* 0x1003 (IBUV_RESPONSE)
* 0xB007 (CHARACTER_SELECT_REQUIRED)
All other MsgIds get passed to the original handler.
I also decided to override CPSQuickStart::OnCreate because it could not handle
resolutions other than 1024x768 (fixed by calling CGame::ResizeMainWindow()).
The DllMain.cpp contains all credentials and also the hooking.
Client.cpp::FakeWinMain will set the StartProcess to CPSQuickStart (around
line 100). I put it right after the initialization of the framework but before
the run command.
-------------------------------------------------------------------------------
How does it work at all?
The DllMain overwrites the WinMain with our FakeWinMain (Client.cpp) and the
EndScene function of CGFXVideo3d (sdk/gfx/GFX3DFunction/GFXVideo3d.cpp).
These two hooks allow access to the 3d renderer for imgui windows, and the
main loop to get mouse movement and keystrokes.
The client will startup as usual, but run on our custom WinMain instead.
FakeWinMain will setup imgui and supply it with messages. It will also set
CPSQuickStart as StartProcess.
CPSQuickStart::OnCreate will initialize the network (NetworkConnect) and then
handle all the messages in CPSQuickStart::OnPacket_MAYBE. It only handles
MsgIds that were either unsupported or bugged due to changes to the network.
All working Msgs will be forwarded to the original handler function.
Visual Studio version compatibility chart:
Visual Studio 2005 | YES
Visual Studio 2008 | <untested>
Visual Studio 2010 | YES
Visual Studio 2012 | <untested>
Visual Studio 2013 | <untested>
Visual Studio 2015 | <untested>
Visual Studio 2017 | <untested>
-------------------------------------------------------------------------------
Attribution:
Do what ever the f*ck you want with it. But don't be that a**hole claiming
others work as your own. Thank you.
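The packet-hook layout the README describes (take over 0x1002 and 0xB007, forward every other MsgId to the original handler, and send the character name as a single-byte string), modelled as an added example that is not the project's code. Msg, HookState, OnPacketHook and the wire layout are assumptions standing in for the client's CMsgStreamBuffer and CClientNet; write_wstring is included only to contrast the wide-string encoding the text says the old code used.

```cpp
#include <cstdint>
#include <string>
#include <vector>
// Assumed wire model, not the client's real CMsgStreamBuffer: a 16-bit message id
// plus a payload; strings are a 16-bit length followed by their data (little-endian).
struct Msg {
    uint16_t msgid;
    std::vector<uint8_t> payload;
    size_t pos = 0;
    explicit Msg(uint16_t id) : msgid(id) {}
    uint32_t read_u32() {                         // bounds-checked read
        if (pos + 4 > payload.size()) { pos = payload.size(); return 0; }
        uint32_t v = 0;
        for (int i = 0; i < 4; ++i) v |= uint32_t(payload[pos + i]) << (8 * i);
        pos += 4;
        return v;
    }
    void write_u16(uint16_t v) { payload.push_back(v & 0xFF); payload.push_back(v >> 8); }
    void write_string(const std::string& s) {     // single-byte string: the fix
        write_u16(static_cast<uint16_t>(s.size()));
        payload.insert(payload.end(), s.begin(), s.end());
    }
    void write_wstring(const std::wstring& s) {   // wide string: what the old code sent
        write_u16(static_cast<uint16_t>(s.size()));
        for (wchar_t c : s) write_u16(static_cast<uint16_t>(c));
    }
    void flush_remaining() { pos = payload.size(); }
};
enum : uint16_t { IBUV_REQUIRED = 0x1002, CHARACTER_SELECT_REQUIRED = 0xB007, CHARACTER_SELECT = 0x7001 };
struct HookState {
    bool ibuv_confirmed = false;   // stands in for CClientNet::IBVU_confirm("")
    std::vector<Msg> sent;         // messages the hook emitted itself
    int forwarded = 0;             // messages handed to the original handler
};
// Returns true when the hook consumed the message; false means "forward it".
bool OnPacketHook(HookState& st, Msg& m, const std::string& charname) {
    if (m.msgid == IBUV_REQUIRED) {
        (void)m.read_u32(); (void)m.read_u32();   // unk1, unk2: read and discard
        st.ibuv_confirmed = true;
        return true;
    }
    if (m.msgid == CHARACTER_SELECT_REQUIRED) {
        m.flush_remaining();
        Msg sel(CHARACTER_SELECT);
        sel.write_string(charname);
        st.sent.push_back(sel);
        return true;
    }
    st.forwarded++;                               // every other MsgId is untouched
    return false;
}
```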
I'm quite unsure if the packet handler (OnPacket_MAYBE) is really that useful. It appears that there is little to no relation to the actual packets on the network. Since a lot of the base classes are inspired by (stolen from) Microsoft, there might be an equivalent in the CWnd bases of the MFC ... somewhere ...
I've always wondered why the opcodes are so different during the login phase. IBUV for example appears as 1002 and 1003 instead of 2323 and A323. And the login process itself triggers 0FF1, 0FF2, 0FF3 (one of these contains the serverlist, can't remember which one).
I think these are client internal messages (why ever they serialized that into the packet-structure) that don't really relate to networking but to client-states.
It's still interesting to look at, but I don't believe it is what you think it is xD.
Here you go buddy, since you deserve a greeting: that's the original code of the vsro 188 client PSQuickStart.cpp
Greetings <3
Hey,
thanks a lot. I initially planned to reimplement OnNetMsg/OnPacket_MAYBE entirely, but it (luckily xD) turned out to be unnecessary (and quite complex).
This is how far I got. Kinda satisfying to see that I wasn't completely wrong ;D
I've added a version that does not require the DirectX SDK. All the 3d related files are still available, but not included for compilation and any DirectX-Reference has been commented out (not removed).
I also tried compiling it with Visual Studio 2010 and it went horribly wrong. std::string is not compatible, therefore the image code response and the character selection won't work properly.
You can still write a wrapper to represent the std::string in a proper format. Just saying that it won't work out of the box.
Can someone explain to me how to use it? I'm not getting the readme file..
This release is more or less a proof of concept. It's not targeted at end-users, therefore you can't just "use" it. But you can still give it a try, if you want to.
To try it out you need two things:
1. A sro_client that loads a Dll file before executing (can be either detoured entry point or import table modification)
2. Visual Studio 2005
If you have these, compile the project with Visual Studio 2005 and copy the created Dll to your Silkroad folder, so the sro_client can load it.
It's no longer loading. The game switched from QuickStart to Quit. You can read this in the log. This can have several reasons: wrong server name or wrong character name or, unlikely but possible, client not up to date.
Since 0xFF1 and 0xFF2 are received, it's probably not the client being outdated (otherwise my understanding of the process is incomplete). So it's a wrong server name or a wrong character name.
My names Dave and I am a professional web marketeer/designer for the past 12 years or so. I previously ran a large world of warcraft server but due to Blizzard making my life very difficult I ended up closing after about 5 very successful years of service. I am now setting up a conquer server and am highly confident after doing some research that I can create one of the biggest sites of its kind but what I lack is knowledge of coding and this particular emulator. I want to hire a...