Need help with client error bypass

[dakr54]

I need help with bypassing client error 28_3.

i have backup the original reload values for each gun

Code:

#include <Windows.h>

#define WeaponPointer 0xCB9984
#define WeaponReload  0xC38

void run();

struct wBackup
{
	float reload;
};

wBackup wProp[746];

BOOL WINAPI DllMain(HINSTANCE hinstDLL,DWORD fdwReason,LPVOID lpReserved)
{
	switch(fdwReason)
	{
		case 1:
			run();
			break;
	}
}

void run()
{
	DWORD cshell=(DWORD)(GetModuleHandle("CShell.dll"));
	int i = 0;
	if(cshell!=0)
	{
		DWORD pWeapons = *(DWORD*)(cshell + WeaponPointer);
		if(pWeapons!=NULL)
		{
			int maxWeapons = *(int*)(pWeapons-8);
			while(i<maxWeapons)
			{
				DWORD pWeapon = *(DWORD*)(pWeapons + (i*4));
				if(pWeapon!=0)
				{
					*(float*)(pWeapon+WeaponReload) = 100.0f;
				}
				i++;
			}
		}
	}
}

I think the answer lies here




but i'm not too sure, can someone help?

@derh.acker
@~FALLEN~
@giniyat101

[giniyat101]

scroll little up in the disassembly

[dakr54]

i assume this has something to do with it?

[dakr54]

I'm still pretty confused about this..anyone wanna chime in?

[xBuMbIx]

U go overly up :P ( I think , u change function )

[dakr54]

U go overly up :P ( I think , u change function )

i don't understand what you're saying

[xBuMbIx]

i don't understand what you're saying

Code:

102F44C0   8B4424 04        MOV EAX,DWORD PTR SS:[ESP+4]
102F44C4   81EC A0000000    SUB ESP,0A0
102F44CA   83F8 FF          CMP EAX,-1
102F44CD   0F84 F7010000    JE CshellNa.102F46CA
102F44D3   56               PUSH ESI
102F44D4   50               PUSH EAX
102F44D5   E8 F61FEBFF      CALL CshellNa.101A64D0
102F44DA   8BF0             MOV ESI,EAX
102F44DC   83C4 04          ADD ESP,4
102F44DF   85F6             TEST ESI,ESI
102F44E1   0F84 E2010000    JE CshellNa.102F46C9

[dakr54]

Code:

102F45CD   0F84 F7010000    JE CShell.102F47CA
102F45D3   56               PUSH ESI
102F45D4   50               PUSH EAX
102F45D5   E8 0621EBFF      CALL CShell.101A66E0
102F45DA   8BF0             MOV ESI,EAX
102F45DC   83C4 04          ADD ESP,4
102F45DF   85F6             TEST ESI,ESI
102F45E1   0F84 E2010000    JE CShell.102F47C9

I don't understand what that call do it bring me here

Code:

101A66B9   72 08            JB SHORT CShell.101A66C3
101A66BB   FFD5             CALL EBP
101A66BD   8B0D 8499CB10    MOV ECX,DWORD PTR DS:[10CB9984]
101A66C3   893CB1           MOV DWORD PTR DS:[ECX+ESI*4],EDI
101A66C6   83C6 01          ADD ESI,1
101A66C9   81C7 283E0000    ADD EDI,3E28
101A66CF   81FE 00040000    CMP ESI,400
101A66D5  ^72 CC            JB SHORT CShell.101A66A3
101A66D7   5F               POP EDI
101A66D8   5D               POP EBP
101A66D9   5E               POP ESI
101A66DA   8AC3             MOV AL,BL
101A66DC   5B               POP EBX
101A66DD   C3               RETN
101A66DE   CC               INT3
101A66DF   CC               INT3
101A66E0   66:8B5424 04     MOV DX,WORD PTR SS:[ESP+4]
101A66E5   33C0             XOR EAX,EAX
101A66E7   66:85D2          TEST DX,DX
101A66EA   7C 26            JL SHORT CShell.101A6712
101A66EC   56               PUSH ESI
101A66ED   8B35 7899CB10    MOV ESI,DWORD PTR DS:[10CB9978]
101A66F3   0FBFCA           MOVSX ECX,DX
101A66F6   83C6 FF          ADD ESI,-1
101A66F9   3BCE             CMP ECX,ESI
101A66FB   5E               POP ESI
101A66FC   7F 14            JG SHORT CShell.101A6712
101A66FE   66:81FA FF03     CMP DX,3FF
101A6703   7F 0D            JG SHORT CShell.101A6712
101A6705   51               PUSH ECX
101A6706   B9 8099CB10      MOV ECX,CShell.10CB9980
101A670B   E8 00FFFFFF      CALL CShell.101A6610
101A6710   8B00             MOV EAX,DWORD PTR DS:[EAX]
101A6712   C3               RETN

[xBuMbIx]

If cshell store the offsets in esp+0xofs (you'll need to know esi to know for sure , i 'll do a logger with breakpoint here) , u need only to jmp in theory so cshell restore the old value and the game continue

[giniyat101]

just ignore those newbies and pm me a picture of the whole function (its surrounded by blocks of INT3s)