Crossfire Crashing after Injection

[EGOIST0162]

Hey,

Can someone telle me why my Game (crossfire.exe) is crashing after injecting my code.
(I know the source code as it stands here would not do mutch to the game i just wanted to try injecting it into the game.)

Code:

#include <windows.h>

#define TestAd 0x0 
#define TestAd2 0xA1A160 
bool meow = false;

void Patch()
{

	while (1)
	{
		DWORD Array1 = *(DWORD*)(TestAd + 0x00);

		if (GetAsyncKeyState(VK_F1) & 1)
			meow = (!meow);

		if (meow)
		{
			memcpy((void*)(TestAd + 0x00), "\x00\x00\x00", 3);
		}
		else
		{
			memcpy((void*)(TestAd + 0x00), "\x00\x00\x00", 3);
		}
		if (GetAsyncKeyState(VK_F2) & 1)
		{
			*(DWORD*)(*(DWORD*)(*(DWORD*)(TestAd2)+0x00) + 0x00) = 00; //VALUE
		}


		Sleep(50);
	}
}

BOOL WINAPI DllMain(HMODULE hDll, DWORD dwReason, LPVOID lpReserved)
{
	DisableThreadLibraryCalls(hDll);
	if (dwReason == DLL_PROCESS_ATTACH)
	{
		CreateThread(0, 0, (LPTHREAD_START_ROUTINE)Patch, 0, 0, 0);
	}
	return true;
}

I tryed my own injector and DX Cheat Mapper but Crossfire crashes instantly after injecting.

[marshal20]

You are trying to de-reference a DWORD pointer to address 0 (TestAd), You can't do that, A NULL pointer is an invalid pointer, you are casting 0 to a DWORD pointer then you are trying to de-reference it this is a crash.

About TestAd2:
Usually no one reads from a fixed address, For Security windows randomizes the location in witch each module is in.
Thus if you run the game and find that some value is in address 0x400123 you need to find to which module (Image) this memory belongs, and calculate the offset from base for that address, so we found that this is in cshell.dll module and it's base is 0x400000 the offset from base for that address will be:
offset = address - base = 0x400123 - 0x400000 = 0x123
then when you try to read this value you need to calculate the address ( address = base + offset ) and you can easily get the base of a module by calling GetModuleHandle which returns a pointer to the module (aka the base of that module) cast this pointer to a DWORD (VERY IMPORTANT), then add the offset to it to get the address.
We do that because that because the address may not be in the same place the base of it's module (image) changed.

So lets see:

Code:

#define TestAd2_off 0x123

DWORD ReadTest()
{
    // Get the base of cshell.dll.
    DWORD cshell_base = (DWORD)GetModuleHandleA("cshell.dll");

    // Calculate the address ( address = base + offset ).
    DWORD TestAd2 = cshell_base + TestAd2_off;

    // De-reference the address.
    return *(DWORD*)TestAd2; 
}

Notes:

• GetModuleHandle will return NULL if the module hasn't been loaded yet.
• GetModuleHandleA is the ASCII version of GetModuleHandle.

Tip to wait for cshell.dll to load:

Code:

void WaitCshell()
{
    // Sleep as long as GetModuleHandleA returns NULL.
    while(GetModuleHandleA("cshell.dll") == NULL)
    {
        Sleep(500);
    }
}

Another source of crash may be that you are trying to read or write from a segment that is PAGE_EXECUTE, so you first have to change protection to PAGE_READWRITE, then do what you want with it, then change it back to the old protection, you can research that on your own

I hope this helped, if not please clarify how you got TestAd2, and what exactly you are doing with that memcpy, and if that is the address of a code.

[EGOIST0162]

Thanks Marshal for the good explenation!

I am trying to make something simple first (NoReload Hack).
I have Dumped the newest CShell.dll and got the Following Offsets but i think its not right, maybee @(Virus) can explain it to me

I dont know if this is the right way to do it please correct me if i am doing it the wrong way .
(I Have added Screenshots of my Reverese Engeneering Process at the End of the Post)

WeaponMan Calculation:
(Offset = Adress - Base)

Imagebase:
5C010000

a Weaponindex:
5D006898


Adress - Base = Result(Offset)

Result(Offset) = FF6898

++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++

ReloadAnimRatio Calculation:
(Offset = Adress - Base)

Imagebase:
5C010000

ReloadAnimRatio:
5C0A807D

Adress - Base = Result(Offset)

Result(Offset) = 9807D

Screenshots my Reverse Engeneering:
https://imgur.com/2SBUMeH
https://imgur.com/hDXnzsn
https://imgur.com/qLtrSgE
I also get this error Code after some time from the AntiCheat:
https://imgur.com/RbFNW8R

[marshal20]

Thank you very much, it's my pleasure to help

So in crossfire WeaponMgr is just an array of pointers, each pointer is pointing to a Weapon struct, last time i checked this array contained 0x1000 weapons some of those pointers are NULL so you have to check for that, each Weapon struct was of size 0x4BF4 bytes (it may have changed to 0x4DE0 bytes), you need the size of the struct if you want 28_3 bypass more on that later.

Because of that, the idea behind any Weapon hack is to edit the attributes of every weapon in this struct, but be careful because CF has 2 checks for weapon data, each time you equip, change a weapon or die it checks for the current weapon data and makes a client error 28_3 if it was different than normal, and you have to bypass it.

The way i change weapon data is as follows ( i updated the offsets but haven't tested any yet ), i use range, change speed and reload speed as an example ( recoil is a little difficult nowadays) in CFNA:

Code:

#define WEAPON_MANAGER 0x1515364
#define WEAPON_MANAGER_COUNT 0x1000

#define WEAPON_RANGE 0xBF0 // string: Range
#define WEAPON_FASTSWAP 0x1260 // string: ChangeWeaponAnimRatio
#define WEAPON_FASTRELOAD 0x125C // string: ReloadAnimRatio

// Types
#define WEAPON_TYPE_PISTOL    0
#define WEAPON_TYPE_SHOTGUN   1
#define WEAPON_TYPE_SMG       2
#define WEAPON_TYPE_RIFLE     3
#define WEAPON_TYPE_SNIPER    4
#define WEAPON_TYPE_MG        5
#define WEAPON_TYPE_GRENADE   6
#define WEAPON_TYPE_KNIFE     7
#define WEAPON_TYPE_EXPLOSIVE 9

// Wait for cshell and Get cshell_base code HERE

// Weapon Manager array
DWORD weapon_manager = *(DWORD*)((DWORD)cshell_base + WEAPON_MANAGER);

// Loop over all the weapons
for (int i = 0; i < WEAPON_MANAGER_COUNT; i++)
{
	// The current weapon pointer
	DWORD weapon = *(DWORD*)(weapon_manager + i * 4); // Size of pointer is 4 bytes, thus i*4
	
	// Skip the current weapon if the pointer is NULL
	if (!weapon)
		continue;
	
	// You don't have to check for weapon type.

	// Read the weapon type
	SHORT wtype = *(SHORT*)(weapon + 0x2);
	
	// Skip the weapon if it's a knife or a grenade
	if(wtype == WEAPON_TYPE_KNIFE || wtype == WEAPON_TYPE_EXPLOSIVE)
		continue;
	
	// Increase the weapon range 100 times.
	*(float*)(weapon + WEAPON_RANGE) *= 100.0f;
	
	// Increase change speed 20%.
	*(float*)(weapon + WEAPON_FASTSWAP) = 1.2;
	
	// Increase reload speed 20%.
	*(float*)(weapon + WEAPON_FASTRELOAD) = 1.2;
}

Important Tip: ( to avoid detection )
You need to hide your DLL module and erase the DOS and NT headers, not just DisableThreadLibraryCalls, if you don't know what that is you can just add it to your code (DisableThreadLibraryCalls then erase header then hide module then CreateThread), if you don't do that the anti-cheat (XIGNCODE) should be able to detect your DLL this may be the cause of error:

Code:

BOOL APIENTRY DllMain(HMODULE hModule, DWORD  dwReason, LPVOID lpReserved)
{
	if (dwReason == DLL_PROCESS_ATTACH)
	{
		DisableThreadLibraryCalls(hModule);
		EraseHeaders(hModule);
		HideModule(hModule);
		CreateThread(NULL, NULL, (LPTHREAD_START_ROUTINE)MainThread, NULL, NULL, NULL);
	}

	return TRUE;
}

I will refer you to this thread by @Flengo :
https://www.mpgh.net/forum/showthread.php?t=478124

Other Tips:

• I usually debug using Beep(500, 500) not MessageBox.
• If you really need to output text, make a simple logger just open a file as write and just fprintf.
• Put your DLL in a folder with no "hack" names, and change the DLL name for something random it may not be important but something to try, it may be the name of your DLL or the injector.
• If you play in simulation alone (single sim. match) i think the check for weapons will not run, so use sim. as a sandbox.

A hint about how to bypass client_error_28_3:
there is a function that uses WeaponMgr, it's GetWeaponByIndex, if you find it you can replace two calls for GetWeaponByIndex and bypass the checks by returning the unchanged (original) weapon data , i haven't searched for it after the update yet.

As before, I hope that this information helps you

- - - Updated - - -

Read this before the top one.

Actually this is not the right way to find WeaponMgr.

Introduction
In CF when doing static analysis the game needs to get ReloadAnimRatioattribute from the loaded file, thus when we search for WeaponIndex we expect a value to be loaded from the rez files into our WeaponMgr, in other words the strings are just clues to find our addresses, you don't change the add, we need to get the WeaponMgr array, and some operation happens on it when loading weapon data, so we look arround and find our addresses.

Here are the steps:

1. Double click on the string "WeaponIndex" in the string window:




2. Choose jump to xref or click X:




3. Go to the reference:




4. You will find this string pushed:




5.Go about 30 instructions down you will find:
mov eax, dword_address
this address is WeaponMgr:




6. thus, WeaponMgr = address - base = 0x66715364 - 0x65200000 = 0x1515364






ReloadAnimRatio string is passed to the function that loads the attributes from the file, essentially CF says get me the value of ReloadAnimRatio from the file, then it loads it in the Weapon struct in a defined offset from the beginning of that struct (essentially writing struct data member), so we need to know this offset in order for us to change it later (after load).

Here are the steps:

Double click "ReloadAnimRatio" string:




Click jump to xref or press X:




Choose some one then double click:






1-> is our push string
2-> is our WeaponMgr (you can get it from here instead of WeaponIndex)
3-> is our ReloadAnimRation offset (0x125C), essentially a float offseted 0x125C bytes from the start of the weapon struct
0x125C is a plain offset ( not an address ), it's an offset from the beginning of the weapon struct


Now i think you can understand the top post.
I hope this helps

[EGOIST0162]

I now got it to work thanks for the Help !
Thanks a lot verry good explenation !

Can you teach me how to do the Damage Hack in ZM Zombie Mode where you can get a one hit Kill on the Boss.

I have found this Post from 2013 ...
https://www.mpgh.net/forum/showthread.php?t=738669
And this Post from 2018 is it still possible to do this or not?
https://www.mpgh.net/forum/showthread.php?t=1359460
And This Post From 2020 saying that its Possible ..
https://www.mpgh.net/forum/showthread.php?t=1484509

If the 2020 Post is right this should be the Working Source:

Code:

#define GAME_STATUS  0x00
#define MODEL_NODE   0x00

			struct ModelNodew
			{
				char Spacer[212];
				float CharacterDimensions[3];
			};


			
				do
				{
					Sleep(150);
				} while (!GetModuleHandle(L"ClientFx.fxd") || !GetModuleHandle(L"CShell.dll"));
				DWORD CShell = reinterpret_cast<DWORD>(GetModuleHandle(L"CShell.dll"));
				DWORD ModelNodeFunc = *reinterpret_cast<DWORD*>(CShell + MODEL_NODE);

				while (true) {


					int* GameStatus = reinterpret_cast<int*>(CShell + GAME_STATUS);
					if (*GameStatus == 11) {
						for (int Key = 0; (Key < 3); Key++) {
							ModelNodew* Character = reinterpret_cast<ModelNodew*>(ModelNodeFunc + (Key * 4));
							for (int Dimension = 0; (Dimension < 3); Dimension++)
							{
								Character->CharacterDimensions[Dimension] = 150.0f;
							};
						};
					}
					else {
						for (int Key = 0; (Key < 3); Key++) {
							ModelNodew* Character = reinterpret_cast<ModelNodew*>(ModelNodeFunc + (Key * 4));
							for (int Dimension = 0; (Dimension < 3); Dimension++)
							{
								Character->CharacterDimensions[Dimension] = 18.0f;
							};
						};
					};
					Sleep(333);
				};

Things i need to find are:

#define GAME_STATUS 0x00
#define MODEL_NODE 0x00

I get an Error MSG when i try to Jump to the operand ...
https://imgur.com/QhpM9lj
https://imgur.com/NynKj8K

[marshal20]

I'm happy to help, thanks

So, in the past it was possible to change the ammo damage of weapons or the damage factor of the nodes to a crazy high number to get one hit kill, but it got patched and i think there is server side checks for how fast you kill a player that gives you a client error.

I don't think there is a true OHK hack, but what you can do is changing the dimension of the head and nick hitbox of the player, that way if the head is large all your hits will hit the head, so now we need to find the data of the bones and change it, the way CF stores the data is to make a large array of Node struct (not an array of pointers unlike Weapon manager), we need to find the address of that array, as always CF loads the data from files so it has to reference the strings of the attributes inside the file which helps us do our static analysis and find the addresses and offset.

A bone has many attributes, one of them is "DamageFactor" if we search for that string we get:



Then we go to the only reference:



1-> The address for the Node array (Node manager) it's a Node[]
2-> Is the offset of DamageFactor (0x24) inside the Node.



So:

Code:

#define NODE_MANAGER 0x1515364

Another attribute of Node struct which is interesting is "Radius", if we look at references for that string:



We see something different, if you notice there is 3 offsets each one is 0x4 bytes larger than the other one, which means there is three values ( of types float ) in sequence which belong to "Radius" attribute, it's the x_radius then y_radius then z_radius (0x38, 0x3C and 0x40) it's a 3D vector.

One more thing we need is the size of Node struct because it's an array of Node struct (not an array of pointers), if we look at how CF assigns the value of "DamageFactor":



We see that the array start address is moved into eax then we offset eax by edi then add the offset of DamageFactor.
So we need to know by how much edi is added every loop, so if we go waaaaay down at the end of this function (sub) paying attention to edi we see in this section:



1-> edi is added by 0x9C ( the size of the Node struct )
2-> Then we loop again to load the next node.

If we create some sudo code to help us explain what happens:

Code:

// THIS IS SUDO CODE

// eax is the start of the array
DWORD eax = node_mgr_addr; 

// edi is the offset (initialized to 0)
DWORD edi = 0;

// Loop over all nodes
while(haven_t_finished_yet)
{
	// calculate the current node
	DWORD current_node = eax + edi;
	
	// Load DamageFactor attribute
	*(float*)(current_node + 0x24) = LoadFloatAttribute("DamageFactor");
	
	// Load other attributes.
	...
	
	// add 0x9C to edi
	edi += 0x9C;
}

We now understand how this piece of code works, and know that the size of Node struct is 0x9C

Now we can use some basic method to change all Radius of the head hitbox, or we can reconstruct the Node struct.
This is the Node struct from my analysis:

Code:

struct Vector3
{
	float x, y, z;
};

struct ColorRGBA
{
	float r, g, b, a;
};

struct Node
{
	char spacer01[4];
	char name[0x20];
	float damage_factor;
	Vector3 relative_position;
	float priority;
	Vector3 dimension; // 0x38, 0x3C, 0x40
	ColorRGBA object_color;
	DWORD node_type; // 0x54
	char spacer02[0x44];
};

sizeof Node is 0x9C (This is important)

So let's code our hack:

Code:

#define NODE_MANAGER 0x1515364
#define NODE_MANAGER_COUNT 0x636

// Calculate the address of the Nodes array
DWORD node = *(DWORD*)((DWORD)cshell_base + NODE_MANAGER);

// Cast it into a Node array.
Node* nodes = (Node*)node_mgr;

// Loop over all nodes
for (int i = 0; i < NODE_MANAGER_COUNT; i++)
{
	// Check if it's a head ( the name contains head )
	if (strstr(nodes[i].name, "Head") || strstr(nodes[i].name, "head"))
	{
		// Increase the dimensions of the head hitbox 10 times
		nodes[i].dimension.x *= 10;
		nodes[i].dimension.y *= 10;
		nodes[i].dimension.z *= 10;
	}
}

Note: that the modification to the hitboxes take effect when you join the game, basically you should edit the hitboxes before you join the game.

Another note: just like Weapon checks (client_error_28_3), there is check for hitboxes data, there is also a function GetNodeByIndex you can patch one call to that function to avoid client_error_28_5, i think you can try simulation without client_error_28_5

You don't have to check for game status, but you may need to bypass client_error_28_5.

You can figure out how i got NODE_MANAGER_COUNT, i will leave it as that because this post is getting too long.

As always, i'm happy to help

[EGOIST0162]

I think true OHK is patched too thanks a lot again to show me how crossfire works

Can you show me how to find the Adresses for a Simple Wallhack with Glow?


#define Wallhack1 0x00
#define glow 0x00

Code:

void Wallhack()
{
	while (1)
	{
		DWORD Wallarray = *(DWORD*)(Wallhack1 + 0x00);

                        // Turn Wallhack ON

			memcpy((void*)(Wallhack1 + 0x00), "\x90\x90\x90", 3); //ON
	
                          //Glow Stuff
			*(DWORD*)(*(DWORD*)(*(DWORD*)(glow)+0x00) + 0x00) = 00; // value
		}


		Sleep(100);
	}
}

// And Credits to COD3RIN for the recent WH Post

This is what i searched for:
https://imgur.com/KTf9aBT

From this Tutorial (Dont know if this is outdated):
https://www.mpgh.net/forum/showthread.php?t=498324

[marshal20]

Thanks! i'm happy to help .

So i did't try the wall hack from that tutorial, but i think the idea is that developers leave code that helps them debug the game which isn't intended to be shipped with the game, but you can exploit this by enabling some pieces of that debug code, i think that csgo has the same thing about glow, but i'm not so sure.

The wall hack that i use is a Direct 3D based one, the basic idea is that, we hook the DrawIndexedPrimitive and disable the depth test if a player module is being rendered, which renders all player modules in front of the walls, @***** made a tutorial about that at here, the idea is the same, but i think Microsoft Detour is detected, so you have to find another method to hook DrawIndexedPrimitive, you can also hook EndScene and draw a menu which may be useful, i make a custom hook for D3D that only supports windows 10 x64, i haven't tested it on other versions of windows, you can use the same method in this tutorial but you have to make your own custom hook.

You can make a VTable hook, but you have to rewrite the VTable each time the D3D9Device is lost.

I hope that this information is enough, as always, i'm happy to help .

[EGOIST0162]

Thank you thank you i get it

[(Virus)]

Thank you thank you i get it

is iam late? haha
cf now have crc checks on wepmgr checks so use wep anim or ltmodel or @progamerr47 way
here is it:

Code:

void OverwriteString(char* string, char* original, uint32_t length)
{
	memcpy(reinterpret_cast<void*>(string), reinterpret_cast<void*>(original), length);
	memcpy(reinterpret_cast<void*>(string + length), reinterpret_cast<void*>("\x00"), 1);
}
void NoReload()
{
DWORD CShell = (DWORD)GetModuleHandleA(eCShell);
OverwriteString(reinterpret_cast<char*>(CShell +/*String :reload*/), "fire", 4);
OverwriteString(reinterpret_cast<char*>(CShell + /*String :select*/), "fire", 4);
OverwriteString(reinterpret_cast<char*>(CShell +/*String :fire*/), "asdf", 4);
}

[Wall Hack / Seeghost]

Code:

#define WallArray 0x128B8C0
		//=======================[Wall Hack]============================//
		if (/*Var*/)
		{
			*(BYTE*)(WallArray + 0xA7) = 256;
		}
		else
		{
			*(BYTE*)(WallArray + 0xA7)= 257;
		}
		//=======================[See Ghosts]============================//
		if (/*Var*/)
		{
			*(BYTE*)(WallArray + 0xB8) =14;
		}
		else
		{
			*(BYTE*)(WallArray + 0xB8) =5;
		}

anyway proud to see egyptions again in cfw @marshal20

[marshal20]

Thank you very much @(Virus) , that's a nice way to do it, i will try this next.

[EGOIST0162]

Nice Share Virus Thanks for looking into it
Its working can you show me how you found this stuff in IDA ? I want to learn how to find this on my own I have my disc0rd posted already.

[(Virus)]

Nice Share Virus Thanks for looking into it
Its working can you show me how you found this stuff in IDA ? I want to learn how to find this on my own I have my disc0rd posted already.

Simple way : Open Ce ->attach to cf -> search for value ->16777217-> u will find it after u have to -A4 then u now have the wall array

[EGOIST0162]

Thanks for the Information @(Virus)

Can you help me?

Im searching for the newest:
GameState
dw_aThroughWallsMgr

To make a working ShootTroughWall

Im referencing to this post :

https://www.mpgh.net/forum/242-crossfire-hack-coding-programming-source-code/1425670-stw-shoot-through-walls.html

[(Virus)]

Thanks for the Information @(Virus)

Can you help me?

Im searching for the newest:
GameState
dw_aThroughWallsMgr

To make a working ShootTroughWall

Im referencing to this post :

https://www.mpgh.net/forum/242-cross...ugh-walls.html

iam not using this way btw offset won't change and u can get the addr & offset by this string : TextureType