Unpacking crossfire and cshell on CFNA

[walnut29]

I have tried a few different methods of unpacking cshell - loadlib, petools dumping on game start; however i can never get a correct dump. Seems it is still packed. Any suggestions?

[96neko]

@walnut29 here's a bypass that i created a long ago , you can use it and dump the cshell.dll&crossfire.exe
@Royce kinda check the attachment

[(Virus)]

I have tried a few different methods of unpacking cshell - loadlib, petools dumping on game start; however i can never get a correct dump. Seems it is still packed. Any suggestions?

For cshell many anti themida load library posted afte it load it just open pe tools then dumpcshell and open it in odbg
If not work in odbg then u are running load lib .exe just press f9 serval times until anlizing cshell appers down left
For crossfire
When xigncode open just open chimprec as admin then choose crossfire.exe process then dump it
And here u that

[Userwemp]

I paused XIGNCODE well the moment it appeared, then I was able to dumped Crossfire.exe with Scylla Dumper, more of the error when I opened the dump on OllyDBG. @96neko

[96neko]

I paused XIGNCODE well the moment it appeared, then I was able to dumped Crossfire.exe with Scylla Dumper, more of the error when I opened the dump on OllyDBG. @96neko

for sure u'll get errors cause you paused the game before it finish loading it's modules , you need to bypass xigncode while the game is running and working , then just pause the process and dump the modules you need, u can wait the bypass to be approved by @Royce or you can ask in the BR section of crossfire

[Userwemp]

for sure u'll get errors cause you paused the game before it finish loading it's modules , you need to bypass xigncode while the game is running and working , then just pause the process and dump the modules you need, u can wait the bypass to be approved by @Royce or you can ask in the BR section of crossfire

just one more question, do you have the pattern of the address Device?
I'm wanting it for the CFBR (I'm Brazilian haha)

[96neko]

just one more question, do you have the pattern of the address Device?
I'm wanting it for the CFBR (I'm Brazilian haha)

eu sei
find endscene and just read the asm , you'll find the pDevice there

[Userwemp]

eu sei
find endscene and just read the asm , you'll find the pDevice there

0046115F(address EndSceneEngine CFBR) mov ecx, [eax]
00461161 mov edx, [ecx+0A8h]

[96neko]

0046115F(address EndSceneEngine CFBR) mov ecx, [eax]
00461161 mov edx, [ecx+0A8h]

upload & pm me ur cf br unpacked executable , i'll make aob for you

- - - Updated - - -

0046115F(address EndSceneEngine CFBR) mov ecx, [eax]
00461161 mov edx, [ecx+0A8h]

upload & pm me ur cf br unpacked executable , i'll make aob for you

[Userwemp]

upload & pm me ur cf br unpacked executable , i'll make aob for you

- - - Updated - - -



upload & pm me ur cf br unpacked executable , i'll make aob for you

Okay, I sent it by private message.

[96neko]

Okay, I sent it by private message.

i'll check it now , i may reply late cause i'm working


update :
current pDevice is: 0x01199E90 ( as it's in IDA )

Code:

mov eax, offset pDevice 
B8 90 9E 19 01 E8 28 0C ?? ?? BE 90 9E 19 01 E8 5E 0B ?? ?? 8B 0D 90 9E 19 01 51

[Userwemp]

i'll check it now , i may reply late cause i'm working


update :
current pDevice is: 0x01199E90 ( as it's in IDA )

Code:

mov eax, offset pDevice 
B8 90 9E 19 01 E8 28 0C ?? ?? BE 90 9E 19 01 E8 5E 0B ?? ?? 8B 0D 90 9E 19 01 51

Can you tell me why?

[jayjay153]

Code:

LTRESULT __cdecl MyFlipScreen(uint32 flags)
{
        static DWORD FindDevice = NULL;
	if (FindDevice == NULL)
		FindDevice = Memory->FindPattern((DWORD)GetModuleHandleA(eCF), 0xFFFFFF, (PBYTE)"\x8B\x35\x00\x00\x00\x00\x8B\xEE\xE8\x00\x00\x00\x00\x8B\x45\x00\x8B\x08\x8B\x91", "xx????xxx????xx?xxxx");

	if (FindDevice)
	{
		IDirect3DDevice9 *pDevice = *(LPDIRECT3DDEVICE9 *)(*(DWORD *)(*(DWORD *)(FindDevice + 0x2)));

		if (pDevice)
		{
			// [ DRAW ESP ]
			for (int i = 0; i < GetMaxPlayer(); i++)
				pVisuals.UpdatePlayerVisual(i, pDevice);
		}
	}
	return oFlipScreen(flags);
}

[96neko]

Can you tell me why?

cf.exe + 0xD99E90