  1. #16
    manolo_xd's Avatar

    Arrow Model node

    Quote Originally Posted by MemoryThePast View Post
    Code:
     // ===============================================//
     // --------> [ Crossfire Logs Started ] <-------- //
     // ===============================================//
    
     // Crossfire Base Address: 0x140000000
     // CShell Base Address: 0x7FFE73A90000
     // NOTE(review): this listing is a log dump, not compilable C: entries written as
     // `0x???` carry no value, and `uint64_t name[0] = ...;` is not a valid declaration.
     // NOTE(review): the values are presumably tied to the single client build that was
     // logged; the page gives no version or module hash to confirm which build that is.
    
     // [ RoomInfo ]
     uint64_t m_RoomInfoMgr = 0x2966DF0;
     uint64_t m_RoomId = 0x134;
    
     // [ ModelNode ]
     uint64_t m_ModelNodeMgr = 0x27206E8;
     uint64_t m_ModelNodeFunc = 0x1392B0;
     uint64_t m_ModelNodeMainHitBox = 0x???????;
    
     // [ Weapon ]
     uint64_t m_WeaponMgr = 0x28C5BF0;
     uint64_t m_WeaponFunc = 0x142C00;
     uint64_t m_CrosshairRatioPerRealSizeFunc[0] = 0x9B903A;
     uint64_t m_CrosshairRatioPerRealSizeFunc[1] = 0x12D4BCD;
     uint64_t m_PerturbMinFunc[0] = 0x9AD522;
     uint64_t m_PerturbMinFunc[1] = 0x12C9CB0;
     uint64_t m_ShotreactYawFunc[0] = 0x9B8BB5;
     uint64_t m_ShotreactYawFunc[1] = 0x12D470C;
     uint64_t m_ShotreactPitchFunc[0] = 0xA2BDE9;
     uint64_t m_ShotreactPitchFunc[1] = 0x12B5766;
     uint64_t m_KnifeNormalRange[0] = 0xF8C;
     uint64_t m_KnifeNormalRange[1] = 0xFEC;
     uint64_t m_KnifeBigShotRange[0] = 0xFBC;
     uint64_t m_KnifeBigShotRange[1] = 0x101C;
     uint64_t m_KnifeNormalAngle[0] = 0xF9C;
     uint64_t m_KnifeNormalAngle[1] = 0xFFC;
     uint64_t m_KnifeBigShotAngle[0] = 0xFCC;
     uint64_t m_KnifeBigShotAngle[1] = 0x102C;
     uint64_t m_RepeatFire = 0x104C;
    
     // [ CPlayerClntBase ]
     uint64_t m_ClientObject = 0x510;
     uint64_t m_ServerObject = 0x518;
     uint64_t m_PlayerViewMgr = 0x2F8;
     uint64_t m_HighJumpGravity = 0x???;
     uint64_t m_WalkSpeed = 0x564;
     uint64_t m_CrouchSpeed = 0x568;
     uint64_t m_RapidFire = 0x12AC;
     uint64_t m_ModelDimension = 0x16B8;
     uint64_t m_GunPlayerRecoil = 0x???;
     uint64_t m_SendAmmoReload = 0x???;
     uint64_t m_SendAmmoReloadCancel = 0x???;
     uint64_t m_ClassifyShooting = 0x???;
     uint64_t m_LTViewAnglePitch = 0x80C;
     uint64_t m_LTViewAngleYaw = 0x810;
     uint64_t m_WeaponState = 0x864;
     uint64_t m_GetCurSelectedBag = 0xA08;
     uint64_t m_GetCurWeaponSelect = 0xF8;
     uint64_t m_GetWeaponInfo = 0x12B8;
     uint64_t m_iHealth = 0x16C4;
     uint64_t m_iNanoGhostMaxHealth = 0x1490;
     uint64_t m_GetClipAmmo = 0x2D8;
     uint64_t m_GetMagazineAmmo = 0x2DC;
     uint64_t m_GetBulletStock = 0x2E0;
     uint64_t m_ClientFire = 0x968;
     uint64_t m_VelAndRot = 0x11E8;
    
     // [ CLTClientShell ]
     uint64_t m_LTClientShell = 0x27211E0;
     uint64_t m_LTClientShellTub = 0x2918320;
     uint64_t m_PlayerStart = 0x279;
     uint64_t m_PlayerSize = 0xDC0;
     uint64_t m_LocalIndex = 0x288;
     uint64_t m_GetMaxPlayer = 0x44460;
     uint64_t m_IsRoundStart = 0x270;
     uint64_t m_AIClientObjectMgr = 0x???;
     uint64_t m_SprayUI = 0x211DC;
     uint64_t m_IdleTimeout = 0x43C8C;
     uint64_t m_IdleTimeoutFunc[0] = 0x141ACF8;
     uint64_t m_IdleTimeoutFunc[1] = 0x141ADCC;
     uint64_t m_GetLocalPlayerIndexFunc = 0x1415BB0;
    
     // [ CLTClient ]
     uint64_t m_IntersectSegmentFunc = 0x40051250;
    
     // [ CLTBase ]
    
     // [ GameProto ]
     uint64_t m_CSVelAndRotFunchk = 0xA47A4F;
     uint64_t m_CSClientFireFunchk = 0xA48427;
     uint64_t m_CSDamageFunchk = 0x60A2C5;
     uint64_t m_CSAnimFunchk = 0x6F283A;
     uint64_t m_CSRespawn_AckFunchk = 0x1451A7E;
     uint64_t m_CSReloadFinishFunchk = 0x902298;
     uint64_t m_CSThrowingDamageFunchk = 0x62965A;
     uint64_t m_DZBoxSizeFunchk = 0x14427B5;
     uint64_t m_VoidGodMode = 0x???????;
     uint64_t m_AntiCrashGame = 0x???????;
    
     // [ Remove Effects ]
     uint64_t m_RemoveFx = 0x??????;
     uint64_t m_RemoveGunEffectsFunc = 0x??????;
     uint64_t m_NoSmokeFunc = 0x40374649;
     uint64_t m_NoFlashbangFunc = 0x118AA33;
    
     // NOTE(review): the names in this section and the next appear to refer to checks
     // that run inside the game client (CRC update, presumably hardware-breakpoint
     // detection, screenshot sending, a return-address check). Anything evaluated in
     // the client is visible to whoever controls the process, so detection should not
     // rest on these checks alone; server-side validation of reported game state is
     // the control that a modified client cannot reach.
     // [ Bypass Client Errors ]
     uint64_t m_Bypass1_x = 0xA21F68;
     uint64_t m_Bypass18_2 = 0x8F30C8;
     uint64_t m_Bypass19_3[0] = 0x12DADF0;
     uint64_t m_Bypass19_3[1] = 0x1126AB9;
     uint64_t m_Bypass20_2 = 0x??????;
     uint64_t m_Bypass28_3 = 0x8F2701;
     uint64_t m_Bypass31_10 = 0x13EDEC9;
     uint64_t m_BypassWallPassHackInfo_t = 0x1288BF3;
     uint64_t m_BypassGetLastStandingOn = 0x8EE33D;
     uint64_t m_BypassResetByRespawnOtherPlayer = 0x8EA048;
     uint64_t m_BypassPing = 0x???????;
     uint64_t m_UpdateCRC = 0x??????;
    
     // [ Bypass DC & Ban ]
     uint64_t m_BypassWeaponDC = 0x937ED8;
     uint64_t m_BypassOnHackNotify = 0x1417040;
     uint64_t m_BypassSendReturnAddressCheck = 0x143A3E6;
     uint64_t m_BypassDetectHWBP = 0x8F41BE;
     uint64_t m_BypassSendScreenShot = 0x8F4431;
     uint64_t m_BypassDetectCheatTool[0] = 0x8F0D0A;
     uint64_t m_BypassDetectCheatTool[1] = 0x8F13EA;
     uint64_t m_BypassCheckInfoCodeHunter = 0x937BE0;
     uint64_t m_BypassSetFnInfoCodeHunter = 0x1403E1710;
     
     // [ CRadarUI ]
     uint64_t m_DrawTextEngineVT = 0x950760;
    
     // [ CZoneMgr ]
     uint64_t m_CZoneManMgr = 0x2967078;
     uint64_t m_NoBugDamage = 0x2FC;
    
     // [ CharacterFx ]
     uint64_t m_IsDead = 0x23C;
     uint64_t m_IsImmune = 0x24C;
     uint64_t m_IsAlive = 0x55C;
     uint64_t m_IsMutantObject = 0x1140F;
     uint64_t m_IsCurrentWeaponId = 0x113DC;
     uint64_t m_GetWeaponFx = 0x113A0;
     uint64_t m_EnlargeAndSetDims = 0x10AF3F0;
    
     // [ Others ]
     uint64_t m_ILTClientDefault = 0x1410C77E8;
     uint64_t m_GetFrameTime = 0x?????????;
     uint64_t m_LTModel = 0x27211E0;
     uint64_t m_LTCommon = 0x29670C0;
     uint64_t m_PacketSeqIndex = 0x272186E;
     uint64_t m_CGameFlow = 0x272132C;
     uint64_t m_BasicPlayerInfoMgr = 0x271F658;
     uint64_t m_TestValuesMgr = 0x2720D70;
     uint64_t m_BunnyHop = 0x???????;
    
     // ===============================================//
     // ---------> [ Crossfire Logs End ] <----------- //
     // ===============================================//
    Nothing...
    Credits: @awdacwadc @Nekosify @Mel


    still no offset for modelnode? and also what software did u use to get offsets?

  2. #17
    bhopo's Avatar
    could you help me find 28-5 bypass
    I had successfully find a way to attach debugger to crossfire process but i realy don't know what to do when 28-5 messageBox appear what to search for? or how to reverse from that point to find what calls the message box

  3. #18
    MemoryThePast's Avatar
    Quote Originally Posted by bhopo View Post
    could you help me find 28-5 bypass
    I had successfully find a way to attach debugger to crossfire process but i realy don't know what to do when 28-5 messageBox appear what to search for? or how to reverse from that point to find what calls the message box
    there is a CRC on modelnode and basicplayerinfo its easy to find though you don't need to attach debugger hmmm.
    here is a tip, near the bypass of 28_3/28_4 on weapon CRC


  5. #19
    bhopo's Avatar
    Thanks bro <3

    I did really find the calls that make CRC to each byte of the addys
    playerinfo check start with push A8
    and after it there's model node check start with push 9C then the call to the check.

    but after NOP the calls i got 28-5 error even without changing any value in model node or player info!!

    that's weird
    and im sure that i nop the right calls
    cause when i make "what access the address" to model nodes address (ex : m-b HEAD) I found that there's nothing accessing them
    so it bypass the check!!
    so why i still getting the client error without even changing any value?

    P.S Im playing on a client 2.0 private server.

    you can send me your discord so i can send you screen shots
    Last edited by bhopo; 12-16-2023 at 12:16 PM.

  6. #20
    manolo_xd's Avatar
    Quote Originally Posted by MemoryThePast View Post
    there is a CRC on modelnode and basicplayerinfo its easy to find though you don't need to attach debugger hmmm.
    here is a tip, near the bypass of 28_3/28_4 on weapon CRC
    how do you bypass "Disconnected from server" message

  7. #21
    MemoryThePast's Avatar
    Quote Originally Posted by bhopo View Post
    Thanks bro <3

    I did really find the calls that make CRC to each byte of the addys
    playerinfo check start with push A8
    and after it there's model node check start with push 9C then the call to the check.

    but after NOP the calls i got 28-5 error even without changing any value in model node or player info!!

    that's weird
    and im sure that i nop the right calls
    cause when i make "what access the address" to model nodes address (ex : m-b HEAD) I found that there's nothing accessing them
    so it bypass the check!!
    so why i still getting the client error without even changing any value?

    P.S Im playing on a client 2.0 private server.

    you can send me your discord so i can send you screen shots
    you shouldn't NOP because its 'CRC' so you should backup it and return it on original just like on weapon CRC AKA bypass 28_3/28_4


  9. #22
    bhopo's Avatar
    Quote Originally Posted by MemoryThePast View Post
    you shouldn't NOP because its 'CRC' so you should backup it and return it on original just like on weapon CRC AKA bypass 28_3/28_4
    Thanks i did it, I just edited the function so i set a condition when it access my specific model node addy ex (m-b head) , i prvent it reading my addy value and instead it reads the original model node bytes then it reads all nodes after XD

    But now i had a new client error

    22-11 it appears only when i hit a player , i made x,y,z of head 99 so when i hit a player it gives me the 22-11 error?!

    any hint on that?

  10. #23
    MemoryThePast's Avatar
    Quote Originally Posted by bhopo View Post
    Thanks i did it, I just edited the function so i set a condition when it access my specific model node addy ex (m-b head) , i prvent it reading my addy value and instead it reads the original model node bytes then it reads all nodes after XD

    But now i had a new client error

    22-11 it appears only when i hit a player , i made x,y,z of head 99 so when i hit a player it gives me the 22-11 error?!

    any hint on that?
    22_10/22_11 is modification of hitbox or nodes of player, you can bypass it via GAMEPROTO_CS_CLIENTFIRE.

    -ctto @awdacwadc


  12. #24
    bhopo's Avatar
    Quote Originally Posted by manolo_xd View Post
    how do you bypass "Disconnected from server" message
    you have to bypass CRC checks so you have to find what is reading the memory at the part you want to edit

    - - - Updated - - -

    Quote Originally Posted by MemoryThePast View Post
    22_10/22_11 is modification of hitbox or nodes of player, you can bypass it via GAMEPROTO_CS_CLIENTFIRE.

    -ctto @awdacwadc
    I found the string to cs client fire but it says no
    x reference every time i hit x in IDA.

  13. #25
    manolo_xd's Avatar
    Quote Originally Posted by bhopo View Post
    you have to bypass CRC checks so you have to find what is reading the memory at the part you want to edit

    - - - Updated - - -



    I found the string to cs client fire but it says no
    x reference every time i hit x in IDA.
    how do i bypass crc checks?

  14. #26
    bhopo's Avatar
    Quote Originally Posted by manolo_xd View Post
    how do i bypass crc checks?
    attach a debugger to the game then simply find out what accesses the line of code you want to patch, then hook the return value of the crc function or just nop it

  15. #27
    manolo_xd's Avatar
    Quote Originally Posted by bhopo View Post
    attach a debugger to the game then simply find out what accesses the line of code you want to patch, then hook the return value of the crc function or just nop it
    tried it once with the x64dbg but doesn't work

  16. #28
    duckden's Avatar
    hi man how u bypass themida on CShell_x64?

  17. #29
    bhopo's Avatar
    Quote Originally Posted by manolo_xd View Post
    tried it once with the x64dbg but doesn't work
    you need to do this at the runtime, and it needs a lot of reversing work, so yeah it's not easy

  18. #30
    duckden's Avatar
    guys how u find offsets i try with x64dbg + skylla and more methods but all to no avail.
