Page 2 of 2 (results 16 to 26 of 26)
  1. #16 rabir007 (Join Date: Aug 2011 | Gender: male | Location: Behind you... | Posts: 2,323 | Reputation: 148 | Thanks: 1,925 | Mood: Bored)
    Quote Originally Posted by bandi12 View Post
    Most probably, somewhere in 28_3 there is a hidden little call, or a memory place where some data is saved; then 28_4 comes and checks that place. Since you killed 28_3, the memory place is empty =>> 28_4.

    Or there is a call inside 28_3 to 28_4 restarting its timer: 28_4 has a timer of +/- 6-10 s before it gives the error, then 28_3 comes and restarts this timer. Since you killed 28_3 =>> the timer is not restarted =>> 28_4.

    The best solution without too much searching is to leave 28_3 alive and just make some changes inside it, but of course if you have time you can search around 28_4 and kill it too.
    I know what the current 28_3 killer does; I looked into it and know every part of it...
    But it's impossible to rebuild in C# (only one easy single part) because of the native/managed code differences...

    So I have to find another way...
    I know one, but it requires a lot of free space in the weaponMgr and long code (bypassing every function [reload, no change] one by one)

  2. #17 sabatbatu1 (Join Date: Jun 2013 | Gender: male | Posts: 22 | Reputation: 10 | Thanks: 1 | Mood: Angelic)
    Works, thank you

  3. #18 pedbera (Join Date: Feb 2011 | Gender: male | Posts: 261 | Reputation: 15 | Thanks: 43 | Mood: Happy)
    Quote Originally Posted by dakr54 View Post
    Code:
    void createBypass(DWORD cshell,DWORD bypass)
    {
    	DWORD newAddress = bypass - 8;
    	*(BYTE*)(cshell + newAddress)    = 0xE9;
    	*(DWORD*)(cshell + newAddress) = 0x1F8;
    	*(BYTE*)(cshell + newAddress)    = 0x90;
    }
    C++ equivalent. If there are any glaring errors, feel free to correct me.
    Code:
    void createBypass(DWORD cshell,DWORD bypass)
    {
    	DWORD newAddress = bypass - 8;
    
    	*(PBYTE)(cshell + newAddress + 0x0) = 0xE9; // + 0x0 for the beautiful look :)
    	*(PBYTE)(cshell + newAddress + 0x1) = 0x1F8;
    	*(PBYTE)(cshell + newAddress + 0x5) = 0x90;
    }
    Good job btw, +1
    Last edited by pedbera; 06-29-2013 at 07:45 AM.


  5. #19 rabir007 (Join Date: Aug 2011 | Gender: male | Location: Behind you... | Posts: 2,323 | Reputation: 148 | Thanks: 1,925 | Mood: Bored)
    Quote Originally Posted by bandi12 View Post
    Most probably, somewhere in 28_3 there is a hidden little call, or a memory place where some data is saved; then 28_4 comes and checks that place. Since you killed 28_3, the memory place is empty =>> 28_4.

    Or there is a call inside 28_3 to 28_4 restarting its timer: 28_4 has a timer of +/- 6-10 s before it gives the error, then 28_3 comes and restarts this timer. Since you killed 28_3 =>> the timer is not restarted =>> 28_4.

    The best solution without too much searching is to leave 28_3 alive and just make some changes inside it, but of course if you have time you can search around 28_4 and kill it too.

    I checked it; it has 3 calls inside:

    1. What the current bypass overwrites, which returns the "CurrentWeapon" pointer; this is the one that is impossible to reproduce in C#.
    2. Don't know what it is; I disabled (nopped) it and still got 28_3... (I'll try disabling it without using any function that causes 28_3, and see whether I get 28_4.)
    3. Same as 2, but in a different spot...

    Edit:

    So here is the 28_3 error function:
     
    Code:
    8B 44 24 04           - mov eax,[esp+04]
    81 EC A0000000        - sub esp,000000A0
    83 F8 FF              - cmp eax,FF
    0F84 F7010000         - je CShell.dll+395B9A //The one i change, but cause 28_4
    56                    - push esi  //First parameter
    50                    - push eax //SecondParameter (One of them is the WeaponIndex)
    
    
    E8 860CE9FF           - call CShell.dll+226630     //The one we Overwriting, this returns the "CurrentWeapon"
    
    
    8B F0                 - mov esi,eax //esi = CurrentWeapon
    83 C4 04              - add esp,04
    85 F6                 - test esi,esi
    0F84 E2010000         - je CShell.dll+395B99
    D9 86 3C0C0000        - fld dword ptr [esi+00000C3C] //NoReload
    0FB6 86 6C080000      - movzx eax,byte ptr [esi+0000086C] //ShotgunSpread
    D9 5C 24 08           - fstp dword ptr [esp+08]
    89 44 24 04           - mov [esp+04],eax
    D9 86 400C0000        - fld dword ptr [esi+00000C40] //NoChange
    57                    - push edi
    D9 5C 24 10           - fstp dword ptr [esp+10]              //All remaining [esi + XXXXXX] is for the NoRecoil
    D9 86 4C130000        - fld dword ptr [esi+0000134C]
    D9 5C 24 14           - fstp dword ptr [esp+14]
    DB 44 24 08           - fild dword ptr [esp+08]
    D9 5C 24 18           - fstp dword ptr [esp+18]
    D9 86 3C050000        - fld dword ptr [esi+0000053C]
    D9 5C 24 1C           - fstp dword ptr [esp+1C]
    D9 86 A4060000        - fld dword ptr [esi+000006A4]
    D9 5C 24 20           - fstp dword ptr [esp+20]
    D9 86 440C0000        - fld dword ptr [esi+00000C44]
    D9 5C 24 24           - fstp dword ptr [esp+24]
    D9 86 AC0D0000        - fld dword ptr [esi+00000DAC]
    D9 5C 24 28           - fstp dword ptr [esp+28]
    D9 86 140F0000        - fld dword ptr [esi+00000F14]
    D9 5C 24 2C           - fstp dword ptr [esp+2C]
    D9 86 7C100000        - fld dword ptr [esi+0000107C]
    D9 5C 24 30           - fstp dword ptr [esp+30]
    D9 86 E4110000        - fld dword ptr [esi+000011E4]
    D9 5C 24 34           - fstp dword ptr [esp+34]
    D9 86 54050000        - fld dword ptr [esi+00000554]
    D9 5C 24 38           - fstp dword ptr [esp+38]
    D9 86 BC060000        - fld dword ptr [esi+000006BC]
    D9 5C 24 3C           - fstp dword ptr [esp+3C]
    D9 86 5C0C0000        - fld dword ptr [esi+00000C5C]
    D9 5C 24 40           - fstp dword ptr [esp+40]
    D9 86 C40D0000        - fld dword ptr [esi+00000DC4]
    D9 5C 24 44           - fstp dword ptr [esp+44]
    D9 86 2C0F0000        - fld dword ptr [esi+00000F2C]
    D9 5C 24 48           - fstp dword ptr [esp+48]
    D9 86 94100000        - fld dword ptr [esi+00001094]
    D9 5C 24 4C           - fstp dword ptr [esp+4C]
    D9 86 FC110000        - fld dword ptr [esi+000011FC]
    D9 5C 24 50           - fstp dword ptr [esp+50]
    D9 86 6C050000        - fld dword ptr [esi+0000056C]
    D9 5C 24 54           - fstp dword ptr [esp+54]
    D9 86 D4060000        - fld dword ptr [esi+000006D4]
    D9 5C 24 58           - fstp dword ptr [esp+58]
    D9 86 740C0000        - fld dword ptr [esi+00000C74]
    D9 5C 24 5C           - fstp dword ptr [esp+5C]
    D9 86 DC0D0000        - fld dword ptr [esi+00000DDC]
    D9 5C 24 60           - fstp dword ptr [esp+60]
    D9 86 440F0000        - fld dword ptr [esi+00000F44]
    D9 5C 24 64           - fstp dword ptr [esp+64]
    D9 86 AC100000        - fld dword ptr [esi+000010AC]
    D9 5C 24 68           - fstp dword ptr [esp+68]
    D9 86 14120000        - fld dword ptr [esi+00001214]
    D9 5C 24 6C           - fstp dword ptr [esp+6C]
    D9 86 84050000        - fld dword ptr [esi+00000584]
    D9 5C 24 70           - fstp dword ptr [esp+70]
    D9 86 EC060000        - fld dword ptr [esi+000006EC]
    D9 5C 24 74           - fstp dword ptr [esp+74]
    D9 86 8C0C0000        - fld dword ptr [esi+00000C8C]
    D9 5C 24 78           - fstp dword ptr [esp+78]
    D9 86 F40D0000        - fld dword ptr [esi+00000DF4]
    D9 5C 24 7C           - fstp dword ptr [esp+7C]
    D9 86 5C0F0000        - fld dword ptr [esi+00000F5C]
    D9 9C 24 80000000     - fstp dword ptr [esp+00000080]
    D9 86 C4100000        - fld dword ptr [esi+000010C4]
    D9 9C 24 84000000     - fstp dword ptr [esp+00000084]
    D9 86 2C120000        - fld dword ptr [esi+0000122C]
    D9 9C 24 88000000     - fstp dword ptr [esp+00000088]
    D9 86 9C050000        - fld dword ptr [esi+0000059C]
    D9 9C 24 8C000000     - fstp dword ptr [esp+0000008C]
    D9 86 04070000        - fld dword ptr [esi+00000704]
    D9 9C 24 90000000     - fstp dword ptr [esp+00000090]
    D9 86 A40C0000        - fld dword ptr [esi+00000CA4]
    D9 9C 24 94000000     - fstp dword ptr [esp+00000094]
    D9 86 0C0E0000        - fld dword ptr [esi+00000E0C]
    D9 9C 24 98000000     - fstp dword ptr [esp+00000098]
    D9 86 740F0000        - fld dword ptr [esi+00000F74]
    D9 9C 24 9C000000     - fstp dword ptr [esp+0000009C]
    D9 86 DC100000        - fld dword ptr [esi+000010DC]
    D9 9C 24 A0000000     - fstp dword ptr [esp+000000A0]
    D9 86 44120000        - fld dword ptr [esi+00001244]
    D9 9C 24 A4000000     - fstp dword ptr [esp+000000A4]
    6A 27                 - push 27
    8D 4C 24 10           - lea ecx,[esp+10]
    51                    - push ecx //First Parameter
    6A 00                 - push 00 //Second Parameter
    E8 ADC3E7FF           - call CShell.dll+211F20        //Nopped, still 28_3, 2 parameter (here is called with: ecx, and 00)
    8B BC 24 BC000000     - mov edi,[esp+000000BC]
    8B 17                 - mov edx,[edi]
    6A 51                 - push 51
    83 C6 49              - add esi,49
    56                    - push esi
    6A 00                 - push 00
    66 89 42 24           - mov [edx+24],ax
    E8 93C3E7FF           - call CShell.dll+211F20         //Same place called with (esi, 00)
    8B 0F                 - mov ecx,[edi]
    0FB7 C0               - movzx eax,ax
    83 C4 18              - add esp,18
    89 41 28              - mov [ecx+28],eax
    5F                    - pop edi
    5E                    - pop esi
    81 C4 A0000000        - add esp,000000A0
    C3                    - ret


    Here is CShell.dll + 211F20:
     
    Code:
    66 8B 44 24 0C        - mov ax,[esp+0C]
    66 85 C0              - test ax,ax
    76 37                 - jna CShell.dll+211F61
    56                    - push esi
    8B 74 24 0C           - mov esi,[esp+0C]
    57                    - push edi
    0FB7 F8               - movzx edi,ax
    8B 44 24 0C           - mov eax,[esp+0C]
    8A 16                 - mov dl,[esi]
    0FB6 CC               - movzx ecx,ah
    32 CA                 - xor cl,dl
    33 D2                 - xor edx,edx
    8A F0                 - mov dh,al
    83 C6 01              - add esi,01
    81 E1 FF000000        - and ecx,000000FF
    0FB7 C9               - movzx ecx,cx
    66 33 14 4D 8833F710  - xor dx,[ecx*2+CShell.dll+F73388] //No Idea, not function, just shitload of "add [eax],al"
    83 EF 01              - sub edi,01
    0FB7 C2               - movzx eax,dx
    75 D9                 - jne CShell.dll+211F37
    5F                    - pop edi
    5E                    - pop esi
    C3                    - ret 
    66 8B 44 24 04        - mov ax,[esp+04]
    C3                    - ret


    If you are right, and it is a timer, this may reset it...
    Last edited by rabir007; 06-29-2013 at 08:18 AM.
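    The routine at CShell.dll+211F20 in the post above has, structurally, the shape of a table-driven 16-bit CRC: for each input byte it XORs the byte into the high byte of the running value, uses that as an index into a 512-byte table of 16-bit words, shifts the running value left by 8 and XORs in the table entry. The call site pushes three arguments (initial value 0, a buffer, a length). The Python below is an added illustration of that structure for readers learning to recognise CRC loops in disassembly; it is not code from the thread or from the game. The table at CShell.dll+F73388 is not on the page, so the block builds one from the CCITT/XMODEM polynomial 0x1021, which is an assumption chosen so that the output can be checked against the published test vectors for that CRC; the names make_table and crc16_update are mine. From an integrity-check design standpoint, the detail worth noting in the listing is that both the inputs and the checksum are produced on the client, so a check of this kind is only as trustworthy as the code that computes it and needs a server-side counterpart to mean anything.

```python
# Added illustration (not code from the thread or the game): a table-driven
# 16-bit CRC with the same per-byte structure as the CShell.dll+211F20 listing.
# The real lookup table at CShell.dll+F73388 is not on the page; the
# polynomial below is an ASSUMPTION (0x1021, CCITT/XMODEM) chosen so that the
# output can be checked against published test vectors for that CRC.

POLY = 0x1021  # assumption: the listing's actual generator polynomial is unknown


def make_table(poly: int = POLY) -> list[int]:
    """Build the 256-entry table the listing indexes with [ecx*2+table].

    Each entry is the 16-bit remainder of (index << 8) under the polynomial,
    MSB-first with no bit reflection, matching the left shift done by
    'xor edx,edx ; mov dh,al' in the listing.
    """
    table = []
    for idx in range(256):
        crc = idx << 8
        for _ in range(8):
            if crc & 0x8000:
                crc = ((crc << 1) ^ poly) & 0xFFFF
            else:
                crc = (crc << 1) & 0xFFFF
        table.append(crc)
    return table


TABLE = make_table()


def crc16_update(init: int, data: bytes, table: list[int] = TABLE) -> int:
    """(initial value, buffer, length) in the argument order pushed at the call site.

    Each step mirrors the disassembly:
      mov eax,[esp+0C]                         -> running value starts as init
      mov dl,[esi] ; movzx ecx,ah ; xor cl,dl  -> idx = (crc >> 8) ^ input byte
      and ecx,000000FF                         -> idx &= 0xFF
      xor edx,edx ; mov dh,al                  -> dx = (crc & 0xFF) << 8
      xor dx,[ecx*2+table]                     -> dx ^= table[idx]
      movzx eax,dx ; sub edi,01 ; jne loop     -> crc = dx, repeat while bytes remain
    The 'test ax,ax / jna' path returns init untouched for a zero length,
    which the empty-loop case reproduces here.
    """
    crc = init & 0xFFFF
    for byte in data:
        idx = ((crc >> 8) ^ byte) & 0xFF
        crc = ((crc & 0xFF) << 8) ^ table[idx]
    return crc & 0xFFFF


if __name__ == "__main__":
    # Constructed sample input: the conventional CRC check string.
    print(hex(crc16_update(0, b"123456789")))       # XMODEM-style seed of 0
    print(hex(crc16_update(0xFFFF, b"123456789")))  # CCITT-FALSE-style seed
```

    With the assumed polynomial, crc16_update(0, b"123456789") gives the XMODEM check value 0x31C3 and the 0xFFFF seed gives the CCITT-FALSE value 0x29B1; swapping in a different polynomial only changes the table, not the loop, which is the part that identifies the listing as a CRC.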

  6. #20 luizimloko (Join Date: Feb 2011 | Gender: male | Location: fs:[0] | Posts: 1,879 | Reputation: 136 | Thanks: 10,137 | Mood: Yeehaw)
    Quote Originally Posted by rabir007 View Post (post #19 above, quoted in full; the quoted text is identical to that post)
    Code:
    void createBypass(DWORD cshell,DWORD bypass)
    {
    	DWORD newAddress = bypass - 8;
    
    	*(PBYTE)(cshell + newAddress + 0x0) = 0xE9; // + 0x0 for the beautiful look :)
    	*(PBYTE)(cshell + newAddress + 0x1) = 0x1F8;
    	*(PBYTE)(cshell + newAddress + 0x5) = 0x90;
    }
    The destination of 0x1F8? =
    Code:
    10361545   8941 28          MOV DWORD PTR DS:[ECX+28],EAX
    This hook is the same as this:
    Code:
    JMP 10361545

  7. #21 rabir007 (Join Date: Aug 2011 | Gender: male | Location: Behind you... | Posts: 2,323 | Reputation: 148 | Thanks: 1,925 | Mood: Bored)
    Quote Originally Posted by luizimloko View Post

    Code:
    void createBypass(DWORD cshell,DWORD bypass)
    {
        DWORD newAddress = bypass - 8;
    
        *(PBYTE)(cshell + newAddress + 0x0) = 0xE9; // + 0x0 for the beautiful look :)
        *(PBYTE)(cshell + newAddress + 0x1) = 0x1F8;
        *(PBYTE)(cshell + newAddress + 0x5) = 0x90;
    }
    The destination of 0x1F8? =
    Code:
    10361545   8941 28          MOV DWORD PTR DS:[ECX+28],EAX
    This hook is the same as this:
    Code:
    JMP 10361545
    JMP 10361545 in bytes = E9 F8 01 00 00
    It is the same...

  8. #22 dakr54 (Join Date: Mar 2012 | Gender: male | Posts: 396 | Reputation: 16 | Thanks: 669)
    lol, I forgot the offsets. You don't need to put 0x0 or 0x5 or 0x1; you can just do 5 and 1, and 0x0 is not even needed xD. But I get it, "for the beautiful look" XDD

    Code:
    void createBypass(DWORD cshell,DWORD bypass)
    {
    	DWORD newAddress = bypass - 8;
    
    	*(BYTE*)(cshell + newAddress )        = 0xE9;
    	*(BYTE*)(cshell + newAddress + 1)  = 0x1F8;
    	*(BYTE*)(cshell + newAddress + 5)  = 0x90;
    }
    Last edited by dakr54; 06-29-2013 at 03:59 PM.

  9. #23 whitehat12 (Join Date: Jun 2013 | Gender: male | Posts: 36 | Reputation: 10 | Thanks: 0)
    Thank you for this

  10. #24 6ixth (Join Date: Dec 2012 | Gender: male | Posts: 3,033 | Reputation: 661 | Thanks: 19,904)
    I use another method, but thanks for sharing..

  11. #25 Astr3Lune (Join Date: Apr 2013 | Gender: male | Location: Banten | Posts: 282 | Reputation: 10 | Thanks: 8)
    Quote Originally Posted by rabir007 View Post
    Oookkaay...
    So, I was just a bit hyperactive and did my crazy experiments on Crossfire...
    The story was, as always: I couldn't convert something from C++ to C#, so I made it my own retard way (but those always work)
    Aannd, I found a new way to bypass that retard 28_3, and it's much, much shorter and easier than before...

    This is written in C#, but not so hard to convert into C++
    (Tested in CF EU)

    Note:
    the 0x1F8 may change during patches (really small chance)...

    the "uint ByPass", or in C++ "DWORD ByPass", is the current ByPass addy...

    Code:
    public static unsafe void CreateBypass(uint CShell, uint ByPass)
    {
        uint NewAddress = ByPass - 0x8;
        *(byte*)(CShell + NewAddress + 0) = 0xE9;
        *(uint*)(CShell + NewAddress + 1) = 0x1F8;
        *(byte*)(CShell + NewAddress + 5) = 0x90;
    }
    Good luck everyone...


    How to put it in source code?

  12. #26 rabir007 (Join Date: Aug 2011 | Gender: male | Location: Behind you... | Posts: 2,323 | Reputation: 148 | Thanks: 1,925 | Mood: Bored)
    Quote Originally Posted by Astr3Lune View Post
    How to put it in source code?
    Loser, you can't put it in source -_-

