[Release] CPSQuickStart - Supercharge your client with a hidden developer feature

Old   #1
 
elite*gold: 0
Join Date: Apr 2008
Posts: 485
Received Thanks: 604
[Release] CPSQuickStart - Supercharge your client with a hidden developer feature

Hello my beloved, greedy, dead community,

have you ever tried something in-game and had to relog for every attempt? Have you ever entered your account data so often that your key wore off? Have you ever dreamt of not having to enter credentials, have you ever dreamt of not waiting for the character selection animation to complete? Have you ever dreamed of a fast auto login, so fast that you just skip the entire login and appear in-game?
No? Well, idc, these have been my dreams anyway :P. And I make my dreams come true.

Gallery 1
(The timer was a bit off. The log says the client was ready after 6.4 seconds)

Long story short: Joymax developers had a feature to quickly test stuff on the client by hard-coding credentials into the source. The client would then perform a fast login using an internal class called CPSQuickStart, skipping the intro and character select.

The class is still built in, but it's inactive and outdated / broken. I spent a lot of time analysing and comparing its behaviour and finally came up with two major problems:
  1. CPSQuickStart is unaware of the IBUV (Image Based User Verification, aka Captcha).
  2. CPSQuickStart sends the character name as a multi-byte string instead of a single-byte string.

The P in CPSQuickStart stands for Process (and the S for Silkroad). The client used to have a feature to choose the StartProcess from Media.pk/config/options.txt, but it was removed some time ago. But since my codebase already replaces the entire WinMain, it wasn't too hard to find a location to change the StartProcess safely.

Code:
// Client.cpp:104

// Enable Quickstart
g_CGame->m_runtimeClass = reinterpret_cast<CGfxRuntimeClass*>(0x00EED974);

To solve problem 1, I simply stole the IBUV confirmation code from the legitimate login code. It wasn't a problem since it was an entirely new feature and I just had to send a packet.
Code:
if (pMsg->msgid == 0x1002)
{
	int unk1, unk2;
	*pMsg >> unk1 >> unk2;

	CClientNet::get()->IBVU_confirm(""); // Confirm IBVU

	return 0;
}
My solution for the second problem doesn't make me happy. The character selection is quick and dirty since I have no clue what the original CPSQuickStart code did there. It works if the character exists, so no problems here till now.
Code:
if (pMsg->msgid == 0xB007)
{
	pMsg->FlushRemaining();

	CMsgStreamBuffer buf(0x7001);

	buf << std::string(charname); // Character Name

	SendMsg(buf);

	return 0;
}
Since the credentials are still hardcoded, a binary release makes no sense at this point. Maybe someone will add a feature to read the data from a config file (ini should be enough).


Attached Files
File Type: zip cpsquickstart-1.2-nodx.zip (505.7 KB, 89 views)
File Type: zip cpsquickstart-1.2.zip (505.5 KB, 97 views)



florian0 is offline  
Thanks
19 Users
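Added example (not code from the thread, the client or the release) to show what problem 2 in the post above looks like on the wire: a stand-in serializer writes the 0x7001 character-select request once from a single-byte string, as the fixed handler does, and once from a wide string, as the original OnNetMsg posted later in the thread does when it streams strCharName.c_str() from a wide string, then parses both as a receiver expecting a single-byte string would. The little-endian uint16 length prefix, the MsgStreamBuffer stand-in and the character name "Hero" are assumptions for the example.

```cpp
#include <cstdint>
#include <string>
#include <vector>
// Stand-in for the client's CMsgStreamBuffer: an opcode plus a byte payload.
// The wire layout is an assumption for this example (not taken from the client):
// each string is a little-endian uint16 length prefix followed by its code units.
class MsgStreamBuffer {
public:
    explicit MsgStreamBuffer(uint16_t msgid) : msgid_(msgid) {}
    // Single-byte string: the length counts bytes and the chars are written as-is.
    MsgStreamBuffer& operator<<(const std::string& s) {
        putU16(static_cast<uint16_t>(s.size()));
        for (unsigned char c : s) data_.push_back(c);
        return *this;
    }
    // Wide string: the length counts UTF-16 code units, each written as two bytes.
    MsgStreamBuffer& operator<<(const std::wstring& s) {
        putU16(static_cast<uint16_t>(s.size()));
        for (wchar_t w : s) putU16(static_cast<uint16_t>(w));
        return *this;
    }
    uint16_t msgid() const { return msgid_; }
    const std::vector<uint8_t>& data() const { return data_; }
private:
    void putU16(uint16_t v) {
        data_.push_back(static_cast<uint8_t>(v & 0xFF));
        data_.push_back(static_cast<uint8_t>(v >> 8));
    }
    uint16_t msgid_;
    std::vector<uint8_t> data_;
};

// Character-select request (opcode 0x7001, from the thread) as the fixed handler sends it.
std::vector<uint8_t> buildSelectCharNarrow(const std::string& name) {
    MsgStreamBuffer buf(0x7001); buf << name; return buf.data();
}
// The same request as the original CPSQuickStart sends it, streamed from a wide string.
std::vector<uint8_t> buildSelectCharWide(const std::wstring& name) {
    MsgStreamBuffer buf(0x7001); buf << name; return buf.data();
}

// What a receiver that expects a single-byte string recovers from either payload:
// for the wide form it reads the right length but the wrong bytes ("H\0e\0" for "Hero").
std::string readNarrowString(const std::vector<uint8_t>& p) {
    if (p.size() < 2) return "";
    unsigned n = p[0] | (static_cast<unsigned>(p[1]) << 8);
    if (p.size() < 2u + n) return "";
    return std::string(p.begin() + 2, p.begin() + 2 + n);
}
```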
Old 04/10/2018, 21:15   #2
 
elite*gold: 0
Join Date: Aug 2013
Posts: 23
Received Thanks: 2
I was honored to witness the progress being made on it. Awesome job as usual Flo, keep it up.


ReviveSRO is offline  
Old 04/11/2018, 16:00   #3
 
elite*gold: 0
Join Date: Sep 2017
Posts: 400
Received Thanks: 84
Oh you finally shared it!
Let's check this stuff (especially that packet handler)
#HB is offline  
Old 04/11/2018, 16:48   #4
 
elite*gold: 0
Join Date: Apr 2008
Posts: 485
Received Thanks: 604
Quote:
Originally Posted by #HB View Post
(especially that packet handler)
I'm quite unsure if the packet handler (OnPacket_MAYBE) is really that useful. It appears that there is little to no relation to the actual packets on the network. Since a lot of the base classes are inspired by (stolen from) Microsoft, there might be an equivalent in the CWnd bases of the MFC ... somewhere ...

I've always wondered why the opcodes are so different during the login phase. IBUV for example appears as 1002 and 1003 instead of 2323 and A323. And the login process itself triggers 0FF1, 0FF2, 0FF3 (one of these contains the serverlist, can't remember which one).
I think these are client internal messages (why ever they serialized that into the packet-structure) that don't really relate to networking but to client-states.

It's still interesting to look at, but I don't believe it is what you think it is xD.


florian0 is offline  
Old 04/11/2018, 17:30   #5
 
elite*gold: 0
Join Date: Sep 2017
Posts: 400
Received Thanks: 84
LUL. No problem dude, I can test the packet's msgid I need using a console then use it the way I want
(Although it would be kinda hard to find out the packet I want)
#HB is offline  
Old 04/15/2018, 05:52   #6
 
elite*gold: 81
Join Date: Sep 2006
Posts: 790
Received Thanks: 1,297
Here you go buddy, since you deserve a greeting: that's the original code of the vsro 188 client PSQuickStart.cpp

Code:
bool	CPSQuickStart::OnCreate(long ln)
{
	PutDump("CPSQuickStart::OnCreate (%d)", ln);

	if ( !StartNetEngine() )
	{
		SetNextProcess( GFX_RUNTIME_CLASS( CPSQuit ) );
		return false;
	}
	theApp.InitializeAfterTitle();
	SetProcessNetMsg(TRUE);
	theApp.SetWindowPos();
	ShowWindow(theApp.GetHWnd(), SW_SHOWNORMAL );
	UpdateWindow(theApp.GetHWnd());
	
	return true;
}

bool	CPSQuickStart::OnRelease()
{
	return true;
}

BOOL CPSQuickStart::OnNetMsg(void* pMSG)
{
	CMsgStreamBuffer& MSG = *(CMsgStreamBuffer*)pMSG;

	switch(MSG.GetMsgID())
	{
	case FRAMEWORKMSG_CONTENT_SERVER_LIST_ACK:
		{
		}
		break;
	case WM_CLIENTNET_MSG_BILLING_UPDATED-WM_USER:
		OnBillingUpdated(MSG);
		break;
	case (WM_CLIENTNET_MSG_MODULE_CERTIFICATED - WM_USER):
		{
			WPARAM wParam;
			LPARAM lParam;
			MSG >> wParam >> lParam;

			switch( wParam)
			{
			case CLIENT_CERTIFICATION_SUCCESS:
				g_pClientNet->RetrieveContentServerList();
				break;
			case CLIENT_NEED_PATCH:
				ErrorMessage( L"UIO_MSG_ERROR_VERSION" );
				SetNextProcess(GFX_RUNTIME_CLASS(CPSQuit));
				break;
			case CLIENT_NOT_SERVICE_TIME:
				ErrorMessage( L"UIO_MSG_ERROR_NOT_SERVICE_TIME");
				SetNextProcess(GFX_RUNTIME_CLASS(CPSQuit));
				break;
			case CLIENT_FATAL_ERROR:
				ErrorMessagePar( L"UIO_MSG_ERROR_SEVER_CONNECT", 'C', wParam );
				SetNextProcess(GFX_RUNTIME_CLASS(CPSQuit));
				break;
			}
		}
		break;
	case (WM_CLIENTNET_MSG_CONTENT_SERVER_LIST_BUILDED - WM_USER):
		{
			WPARAM wParam;
			LPARAM lParam;
			MSG >> wParam >> lParam;

			SHARDINFO_LIST* pShardList = g_pClientNet->GetShardInfoList();
			SHARDINFO_LIST::iterator it;

			DWORD wShardID;
			bool bSelected = false;
			for(it = pShardList->begin(); it != pShardList->end(); ++it)
			{
				sShardInfo* pShardInfo = (*it);

				if ( std::n_string(pShardInfo->m_szName.c_str()) == Fun_UniToAnsi(GAME_SERVER) ) 
				{
					wShardID = pShardInfo->m_nID;
					bSelected = true;
					break;
				}
			}
			if ( bSelected != true )
			{
				Put( "------Wrong Server Name-----");
				SetNextProcess(GFX_RUNTIME_CLASS(CPSQuit));
				return true;
			}
			g_SelectedServerShardid = wShardID;
			Fun_GetCfgGame()->m_iShardID = wShardID;

			Fun_GetCfgGame()->id = GAME_ID;
			Fun_GetCfgGame()->server = GAME_SERVER;
			
			if( !g_pClientNet->StartContentService( Fun_UniToAnsi(GAME_ID).c_str(), Fun_UniToAnsi(GAME_PASS).c_str(), (WORD)wShardID, LOGIN_TYPE_YAHOO))
				ErrorMessage( L"UIO_MSG_ERROR_SEVER_CONNECT" );
		}
		break;
	case (WM_CLIENTNET_MSG_START_CONTENT_RESULT - WM_USER):
		{
			WPARAM wParam;
			LPARAM lParam;
			MSG >> wParam >> lParam;

			switch( lParam)
			{
			case CLIENT_START_CONTENT_SUCCESS:
				{
					Put( "------Client_Start_Content_sucess------" );
					NEWMSG( SR_LOBBYJOB_REQ);
					*pReq << LOBBYJOB_CHAR_LIST;
					SENDMSG();
				}
				break;
			case CLIENT_START_CONTENT_FAIL_INCORRECT_USERINFO:
				ErrorMessage( L"UIO_MSG_ERROR_CITATION_ID" );
				break;
			case CLIENT_START_CONTENT_FAIL_INVALID_USER:
				{
					switch( wParam)
					{
					case CLIENT_INVALID_USER_REASON_DISABLED:
						ErrorMessage( L"UIO_MSG_ERROR_ACCOUNT_STOP" );
						break;
					case CLIENT_INVALID_USER_REASON_NOT_SERVER_TIME:
						ErrorMessage( L"UIO_MSG_ERROR_ACCOUNT_CONNECT_IMPOSSIBILE" );
						break;
					case CLIENT_INVALID_USER_REASON_THERE_IS_NO_ACCOUNTINFO:
						ErrorMessage( L"UIO_MSG_ERROR_THERE_IS_NO_ACCOUNT_INFO");
						break;
					}
				}
				break;
			case CLIENT_START_CONTENT_FAIL_USER_DUPLICATED:
				ErrorMessage( L"UIO_MSG_ERROR_OVERLAP" );
				break;
			case CLIENT_START_CONTENT_FAIL_USER_SHARD_IS_JAMMED:
				ErrorMessage( L"UIO_MSG_ERROR_SERVER_BUSY_CONNECT_IMPOSSIBILE" );
				break;
			case CLIENT_START_CONTENT_FAIL_USER_SHARD_IS_OUT_OF_SERVICE:
			case CLIENT_START_CONTENT_FAIL_USER_INTERNAL_ERROR:
			case CLIENT_START_CONTENT_FAIL_USER_INVALID_SHARD:
			case CLIENT_START_CONTENT_FAIL_CANNOT_CONNECT_AGENT:
			case CLIENT_START_CONTENT_FAIL_SERVER_INTERNAL_ERROR:
				ErrorMessagePar( L"UIO_MSG_ERROR_SEVER_CONNECT", L'C', lParam );
				break;
			}
		}
		break;
	case SR_LOBBYJOB_ACK:
		{
			BYTE btJob, btResult;
			SROERR wErrorCode;
			MSG >> btJob >> btResult;

			if( btResult != RESULT_SUCCESS) 
			{
				MSG >> wErrorCode;
				OutputLobbyErrorMessage( wErrorCode );
			}
			else
			{
				switch( btJob)
				{
				case LOBBYJOB_CHAR_LIST:
					{
						BYTE CharCnt;
						std::n_vector<PCINFO_UI*> vecChar;
						vecChar.clear();

						MSG >> CharCnt;

						vecChar.resize(CharCnt);
						for ( int i = 0; i< CharCnt; i++)
						{
							vecChar[i] = new PCINFO_UI;							
							vecChar[i]->ExtractData( MSG );							
						}

						std::n_wstring strCharName = SELECT_CHAR;
						bool bChar = false;

						for( int i=0;i<CharCnt;i++)
						{
							if(vecChar[i]->strCharName == strCharName)
							{
								bChar = true;
								break;
							}
						}

						if ( bChar == false )
						{
							Put("------Wrong Character Name------");
							SetNextProcess(GFX_RUNTIME_CLASS(CPSQuit));
						}
						else
						{
							NEWMSG(SR_LOGIN_REQ);
							*pReq << strCharName.c_str();	
							SENDMSG();
						}						
						WaitGwnd( true);
					}
					break;
				default:
					_ASSERTE(FALSE);
					break;
				}
			}
		}
		WaitGwnd( false);
		break;
	case SR_LOGIN_ACK:
		{
			BYTE btResult;
			MSG >> btResult;
			if( btResult == RESULT_SUCCESS)
			{
				m_nLayer = LAYER_CS_START;
				SetNextProcess(GFX_RUNTIME_CLASS( CPSMission ));
				return FALSE;
			}
			else
			{
				SROERR wErrorCode;
				MSG >> wErrorCode;
				OutputLobbyErrorMessage( wErrorCode );
			}
		}
		break;
	default:
		_ASSERTE(FALSE);
		break;
	}

	return FALSE;
}
Greetings <3
MeGaMaX. is offline  
Thanks
6 Users
Old 04/15/2018, 12:41   #7
 
elite*gold: 0
Join Date: Apr 2008
Posts: 485
Received Thanks: 604
Quote:
Originally Posted by MeGaMaX. View Post
Here you go buddy, since you deserve a greeting: that's the original code of the vsro 188 client PSQuickStart.cpp

Greetings <3
Hey,
thanks a lot. I initially planned to reimplement OnNetMsg/OnPacket_MAYBE entirely, but it (luckily xD) turned out to be unnecessary (and quite complex).

This is how far I got. Kinda satisfying to see that I wasn't completely wrong ;D
florian0 is offline  
Old 04/16/2018, 00:30   #8
 
elite*gold: 81
Join Date: Sep 2006
Posts: 790
Received Thanks: 1,297
Quote:
Originally Posted by florian0 View Post
Hey,
thanks a lot. I initially planned to reimplement OnNetMsg/OnPacket_MAYBE entirely, but it (luckily xD) turned out to be unnecessary (and quite complex).

This is how far I got. Kinda satisfying to see that I wasn't completely wrong ;D
hahaha yeah amazing ^_^ i know that feeling tho ;D
MeGaMaX. is offline  
Old 04/18/2018, 19:30   #9
 
elite*gold: 0
Join Date: Feb 2014
Posts: 143
Received Thanks: 17
Can someone give me a Visual Studio 2005 link to download that works with these files?
mo0a17 is offline  
Old 04/19/2018, 12:38   #10



 
elite*gold: 0
Join Date: Mar 2009
Posts: 5,357
Received Thanks: 1,708
Quote:
Originally Posted by mo0a17 View Post
Can someone give me a Visual Studio 2005 link to download that works with these files?
Here
Devsome is offline  
Old 04/19/2018, 16:13   #11
 
elite*gold: 0
Join Date: Apr 2008
Posts: 485
Received Thanks: 604
I've added a version that does not require the DirectX SDK. All the 3D related files are still available, but not included for compilation, and any DirectX reference has been commented out (not removed).

I also tried compiling it with Visual Studio 2010 and it went horribly wrong. std::string is not compatible, therefore the imagecode response and the character selection won't work properly.
You can still write a wrapper to represent the std::string in a proper format. Just saying that it won't work out of the box.
florian0 is offline  
Thanks
1 User
Old 07/08/2018, 14:13   #12
 
elite*gold: 0
Join Date: Apr 2015
Posts: 41
Received Thanks: 3
Can someone explain to me how to use it? I'm not getting the readme file..
pumpya19 is offline  
Old 07/08/2018, 15:06   #13
 
elite*gold: 0
Join Date: Sep 2017
Posts: 400
Received Thanks: 84
Quote:
Originally Posted by pumpya19 View Post
Can someone explain to me how to use it? I'm not getting the readme file..
If you didn't understand the video and the readme.txt, then you shouldn't be in this thread.
#HB is offline  
Old 07/08/2018, 17:21   #14
 
elite*gold: 0
Join Date: Apr 2008
Posts: 485
Received Thanks: 604
Quote:
Originally Posted by pumpya19 View Post
Can someone explain to me how to use it? I'm not getting the readme file..
This release is more or less a proof of concept. It's not targeted at end-users, therefore you can't just "use" it. But you can still give it a try, if you want to.

To try it out you need two things:
1. An sro_client that loads a DLL file before executing (either via a detoured entry point or an import table modification)
2. Visual Studio 2005

If you have these, compile the project with Visual Studio 2005 and copy the created DLL to your Silkroad folder, so the sro_client can load it.
florian0 is offline  
Old 07/08/2018, 18:14   #15
 
elite*gold: 0
Join Date: Mar 2015
Posts: 43
Received Thanks: 6
You're doing awesome. Keep going!


GFXzoon is offline  