aliattia17 (02-24-2024)
Hello everyone, could someone help me find the CS_client fire func? I managed to use xref to get the push string, but I really don't know how to get the right address of the func.
And what arguments does this function take, how does it work, or what is calling this function, so I can bypass the 22-11 client error?
I managed to hook the 28-5 and 28-3 funcs, but I need to find the GAMEPROTO_CS_CLIENT fire in order to bypass 22-11.
I'm using the x32 bit version of a private CrossFire server.
@MemoryThePast
aliattia17 (02-24-2024)
Use IDA and search for it in the Names window; if it doesn't show up, use Class Informer.
bhopo (12-27-2023)
Okay, I found the function and reached this snippet of code. Could you tell me what is called here, or which line checks for the node change, so I can bypass it?
I uploaded the snippet of code.
@MemoryThePast
Last edited by bhopo; 12-27-2023 at 07:35 AM.
MemoryThePast (12-28-2023),Mirtazapina (12-27-2023)
I'm sorry, the attachment approval is late, so here's the snippet of code in the cs_clientfire:
Code:
8B 8C 87 5C030000 - mov ecx,[edi+eax*4+0000035C]
51 - push ecx
8B CE - mov ecx,esi
FF D2 - call edx
8B 06 - mov eax,[esi]
8B 40 24 - mov eax,[eax+24]
8D 0C AB - lea ecx,[ebx+ebp*4]
0FB7 94 4F DC030000 - movzx edx,word ptr [edi+ecx*2+000003DC]
6A 10 - push 10
52 - push edx
8B CE - mov ecx,esi
FF D0 - call eax
8B 16 - mov edx,[esi]
8B 52 24 - mov edx,[edx+24]
8D 04 AB - lea eax,[ebx+ebp*4]
0FB7 8C 47 1C040000 - movzx ecx,word ptr [edi+eax*2+0000041C]
6A 10 - push 10
51 - push ecx
8B CE - mov ecx,esi
FF D2 - call edx
8B 06 - mov eax,[esi]
8B 40 24 - mov eax,[eax+24]
8D 0C AB - lea ecx,[ebx+ebp*4]
0FBF 94 4F 5C040000 - movsx edx,word ptr [edi+ecx*2+0000045C]
6A 10 - push 10
52 - push edx
8B CE - mov ecx,esi
FF D0 - call eax
83 C3 01 - add ebx,01
83 FB 04 - cmp ebx,04
0F8C 4EFFFFFF - jl cshell.dll+64AAC0
83 44 24 18 01 - add dword ptr [esp+18],01
83 44 24 10 04 - add dword ptr [esp+10],04
83 C5 01 - add ebp,01
83 FD 08 - cmp ebp,08
0F8C 18FFFFFF - jl cshell.dll+64AAA0
Last edited by bhopo; 12-31-2023 at 07:35 AM.
AFAIK, back in my days I used to bypass clientfire by intercepting the outgoing packets, hehe. It's easier that way; just make the packets look normal.
On second thought, it might be harder, because you need to format the packet bytes and identify which is which. I guess I just got lucky, since someone gave me the byte format/structure. And then I noticed that there's something incrementing in the packet while firing, so I messed with the increment and noticed that I wasn't hitting the client error.
It might be a little bit slower, because you need to modify the whole packet before sending it, compared to actually finding the function that causes it.
I recommend that you just find the function instead; it's optimal and nicer, and you already have a hint above about its signature.
Last edited by akbargain; 01-12-2024 at 01:52 AM.