  1. #1
    vaisefud3's Avatar

    Find Client Errors

    Hey, how to find the client error's message box offsets?
    I found some offsets but none was from client errors, only DC & common
    lobby messages. Any ideas?


  2. #2
    I2espect's Avatar
    As far as I know, messagebox offsets are behind what happens when u click buttons, what button(s) it has, events .. not client error specific?
    But u can just hook messagebox, log every call with its arguments,
    go into a game, get a client error, and see the log to find which one.

    I logged the DC messagebox, it looks like this:
    Code:
    Arugments : 45,119,0,0,0 >> DC+BAN
    code will be something like this :

    Code:
    dwJMPback_InGameMessage = MSGBOX + 6;
    	PlaceJMP((PBYTE)MSGBOX, (DWORD)hkInGameMessage, 6);
    
    DWORD dwJMPback_InGameMessage;
    __declspec(naked) void hkInGameMessage(BYTE b1, BYTE b2, BYTE b3, const char* c4, BYTE b5) {
    
    	__asm {
    		PUSH EBP
    		MOV EBP, ESP
    		AND ESP, 0xFFFFFFF8
    	}
    
    	__asm PUSHAD
    	__asm PUSHFD
    
    
    	ZOUTPUT << "INGAMEMESSAGE >> CALLED !" << endl;
    	ZOUTPUT << "Arugments : " << (int)b1 << "," << (int)b2 << "," << (int)b3 << "," << (int)b5 << endl;
    	ZOUTPUT << "pointer : " << (DWORD)c4 << endl;
    
    	__asm POPFD  
    	__asm POPAD  
    	
    	
    
    	__asm JMP[dwJMPback_InGameMessage]
    
    }
    btw on client errors :

    All I can find about client errors in the game is
    these strings. I will try to byte patch some of them and try later..

    Image Link :
    https://ibb.co/nChTt8

  3. The Following User Says Thank You to I2espect For This Useful Post:

    vaisefud3 (05-26-2018)
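
Seen from the defender's side, the 6-byte JMP patch described in post #2 is what a prologue integrity check is built to catch. The sketch below is an added example, not code from the thread or from any anti-cheat product: it compares a function's in-memory bytes with reference bytes from the on-disk image and resolves where a leading `JMP rel32` lands. All names, addresses and byte arrays are constructed for illustration; the reference bytes assume one common encoding of the three instructions the posted hook re-executes (1 + 2 + 3 = 6 bytes, matching `MSGBOX + 6`).

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum verdict { PROLOGUE_CLEAN, PROLOGUE_MODIFIED, PROLOGUE_DETOURED };

/* Loaded image bounds of the module that owns the function (32-bit process). */
struct module_range { uint32_t base; uint32_t size; };

/* Read a little-endian 32-bit value independent of host byte order. */
static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Compare a function's in-memory bytes with the reference bytes taken from
 * the on-disk image. When they differ and memory starts with JMP rel32
 * (0xE9), store the jump destination in *target; a destination outside the
 * owning module is reported as a detour. */
enum verdict check_prologue(const uint8_t *mem, const uint8_t *ref, size_t len,
                            uint32_t func_va, struct module_range mod,
                            uint32_t *target) {
    *target = 0;
    if (memcmp(mem, ref, len) == 0)
        return PROLOGUE_CLEAN;
    if (len >= 5 && mem[0] == 0xE9) {
        /* rel32 is relative to the next instruction; uint32_t wraps mod 2^32 */
        *target = func_va + 5u + read_le32(mem + 1);
        if (*target - mod.base >= mod.size)  /* also true when target < base */
            return PROLOGUE_DETOURED;
    }
    return PROLOGUE_MODIFIED;
}

/* Constructed sample data (not taken from any real binary). REF_BYTES encodes
 * PUSH EBP; MOV EBP,ESP; AND ESP,0xFFFFFFF8, the 6 bytes the posted hook
 * re-executes. */
#define SAMPLE_FUNC_VA 0x10001000u
static const struct module_range SAMPLE_MOD = {0x10000000u, 0x00200000u};
static const uint8_t REF_BYTES[6]      = {0x55, 0x8B, 0xEC, 0x83, 0xE4, 0xF8};
/* JMP 0x70000000 + NOP: destination outside the module */
static const uint8_t DETOUR_BYTES[6]   = {0xE9, 0xFB, 0xEF, 0xFF, 0x5F, 0x90};
/* JMP 0x10002000 + NOP: destination inside the module */
static const uint8_t INMODULE_BYTES[6] = {0xE9, 0xFB, 0x0F, 0x00, 0x00, 0x90};
```

A byte mismatch alone only says the code changed; resolving the jump destination against the module's bounds is what separates an external detour from an in-module patch.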

  4. #3
    vaisefud3's Avatar
    Quote Originally Posted by I2espect View Post
    as much as i know ,, messagebox offsets are behind what happen when u click buttons,, what button(s) it has ,, events .. not client error specific ?
    but u can just hook messagebox,,, log every call with its arguments
    go into a game get a client error ,, see the log to find which one

    i logged dc messagebox,, it look like this
    Code:
    Arugments : 45,119,0,0,0 >> DC+BAN
    code will be something like this :

    Code:
    dwJMPback_InGameMessage = MSGBOX + 6;
    	PlaceJMP((PBYTE)MSGBOX, (DWORD)hkInGameMessage, 6);
    
    DWORD dwJMPback_InGameMessage;
    __declspec(naked) void hkInGameMessage(BYTE b1, BYTE b2, BYTE b3, const char* c4, BYTE b5) {
    
    	__asm {
    		PUSH EBP
    		MOV EBP, ESP
    		AND ESP, 0xFFFFFFF8
    	}
    
    	__asm PUSHAD
    	__asm PUSHFD
    
    
    	ZOUTPUT << "INGAMEMESSAGE >> CALLED !" << endl;
    	ZOUTPUT << "Arugments : " << (int)b1 << "," << (int)b2 << "," << (int)b3 << "," << (int)b5 << endl;
    	ZOUTPUT << "pointer : " << (DWORD)c4 << endl;
    
    	__asm POPFD  
    	__asm POPAD  
    	
    	
    
    	__asm JMP[dwJMPback_InGameMessage]
    
    }
    btw on client errors :

    all i can find about client errors in the game is
    this strings ,, i will try to byte patch some of them and try later..

    Image Link :
    https://ibb.co/nChTt8
    Very useful! I was trying to hook it but it always gave me send report.


  5. #4
    dreek1's Avatar
    @I2espect
    about client error i've tried to follow the function of SuperKill and I get this function

    IDA:
    Code:
    int __cdecl GetModelByIndex(signed int index)
    {
      int result; // eax
    
      result = 0;
      if ( index >= 0 && index <= -1 && index <= 1499 )
        result = 0x9C * index;
      return result;
    }
    This function is like:
    DWORD pModelNodeType = (DWORD)(pHeadShotMgr + 0x9C * i);
    I find Reference for this address and compare to CrossFire NA (CF NA doesn't have a check for superkill (22_12)) and have 1 addr more than CFBR,
    so I tried to hook like 28_3 and it returned the error...
    Do you have any idea to hook the function?

  6. The Following User Says Thank You to dreek1 For This Useful Post:

    CaiozinhoFC1 (11-28-2018)

  7. #5
    vaisefud3's Avatar
    I found that most errors are on 0x2c 0x9a. When I tried to bypass it, I got send report.


  8. #6

  9. #7
    vaisefud3's Avatar
    Quote Originally Posted by I2espect View Post
    did u use virtualprotect ??
    Problem isn't writing to memory. It occurs when I was supposed to get the error.


  10. #8
    I2espect's Avatar
    Quote Originally Posted by vaisefud3 View Post
    Problem isn't writing to memory. It occurs when I was supposed to get the error.
    Same .. u should use virtualprotect to make it executable again after u patch.. .. do u write the oldprotection after u patch ?
    Show ur code and patch place so we can help
    Btw sometimes it's the place u patch is wrong ..

  11. #9
    vaisefud3's Avatar
    Quote Originally Posted by I2espect View Post
    Same .. u should use virtualprotect to make it executable again after u patch.. .. do u right the oldprotection after u patch ?
    Show ur code and patch place so we can help
    Btw sometimes it's the place u patch is wrong ..
    When I get home I'll post.

  12. #10
    vaisefud3's Avatar
    Quote Originally Posted by I2espect View Post
    Same .. u should use virtualprotect to make it executable again after u patch.. .. do u write the oldprotection after u patch ?
    Show ur code and patch place so we can help
    Btw sometimes it's the place u patch is wrong ..
    I did not succeed with client errors (at least the ones I tried). I'll focus now on the DCs. Anyway, thank you for the hook.

    - - - Updated - - -

    BTW, on the image you sent, what's the dll/file? Couldn't find it on CShell/Crossfire.exe.


  13. #11
    CaiozinhoFC1's Avatar
    ; ASCII "ReloadAnimRatio"
    FSTP DWORD PTR DS:[EAX+13A8]

    ...look for the same offset throughout cshell with the initial FLD

    0x_function_Local /$ 66:000000 04 MOV CX,WORD PTR SS:[ESP+4]
    0x_... |. 66:0000 FF CMP CX,0FFFF
    ...

    ClientError:14_0_fastreload
    PUSH EAX
    0x_call_function /CALL CShel.0x_function_Local
    ADD ESP,4
    CMP EAX,EBX
    JE CShell.0x0 <- jmp bypass
    FLD DWORD PTR DS:[EAX+13A8] <- check offset

    BYPASS_CROSSFIRE_CSHELL ( CShell, 0x_call_function, (DWORD)fastReload );
    Last edited by CaiozinhoFC1; 05-28-2018 at 09:01 AM.

  14. The Following User Says Thank You to CaiozinhoFC1 For This Useful Post:

    gaerGAERHGaerherh (05-29-2018)

  15. #12
    vaisefud3's Avatar
    Quote Originally Posted by CaiozinhoFC1 View Post
    ; ASCII "ReloadAnimRatio"
    FSTP DWORD PTR DS:[EAX+13A8]

    ...look for the same offset throughout cshell with the initial FLD

    0x_function_Local /$ 66:000000 04 MOV CX,WORD PTR SS:[ESP+4]
    0x_... |. 66:0000 FF CMP CX,0FFFF
    ...

    ClientError:14_0_fastreload
    PUSH EAX
    0x_call_function /CALL CShel.0x_function_Local
    ADD ESP,4
    CMP EAX,EBX
    JE CShell.0x0 <- jmp bypass
    FLD DWORD PTR DS:[EAX+13A8] <- check offset

    BYPASS_CROSSFIRE_CSHELL ( CShell, 0x_call_function, (DWORD)fastReload );
    So... in order to make fast reload, you need to patch the jump or the call?


  16. #13
    gaerGAERHGaerherh's Avatar
    i think if found offset again cant bypass
    Last edited by gaerGAERHGaerherh; 05-29-2018 at 08:49 AM.

  17. #14
    gaerGAERHGaerherh's Avatar
    Quote Originally Posted by CaiozinhoFC1 View Post
    ; ASCII "ReloadAnimRatio"
    FSTP DWORD PTR DS:[EAX+13A8]

    ...look for the same offset throughout cshell with the initial FLD

    0x_function_Local /$ 66:000000 04 MOV CX,WORD PTR SS:[ESP+4]
    0x_... |. 66:0000 FF CMP CX,0FFFF
    ...

    ClientError:14_0_fastreload
    PUSH EAX
    0x_call_function /CALL CShel.0x_function_Local
    ADD ESP,4
    CMP EAX,EBX
    JE CShell.0x0 <- jmp bypass
    FLD DWORD PTR DS:[EAX+13A8] <- check offset

    BYPASS_CROSSFIRE_CSHELL ( CShell, 0x_call_function, (DWORD)fastReload );
    i found it but how to use can you send any source ?

  18. #15
    vangke45's Avatar
    Quote Originally Posted by I2espect View Post
    as much as i know ,, messagebox offsets are behind what happen when u click buttons,, what button(s) it has ,, events .. not client error specific ?
    but u can just hook messagebox,,, log every call with its arguments
    go into a game get a client error ,, see the log to find which one

    i logged dc messagebox,, it look like this
    Code:
    Arugments : 45,119,0,0,0 >> DC+BAN
    code will be something like this :

    Code:
    dwJMPback_InGameMessage = MSGBOX + 6;
    	PlaceJMP((PBYTE)MSGBOX, (DWORD)hkInGameMessage, 6);
    
    DWORD dwJMPback_InGameMessage;
    __declspec(naked) void hkInGameMessage(BYTE b1, BYTE b2, BYTE b3, const char* c4, BYTE b5) {
    
    	__asm {
    		PUSH EBP
    		MOV EBP, ESP
    		AND ESP, 0xFFFFFFF8
    	}
    
    	__asm PUSHAD
    	__asm PUSHFD
    
    
    	ZOUTPUT << "INGAMEMESSAGE >> CALLED !" << endl;
    	ZOUTPUT << "Arugments : " << (int)b1 << "," << (int)b2 << "," << (int)b3 << "," << (int)b5 << endl;
    	ZOUTPUT << "pointer : " << (DWORD)c4 << endl;
    
    	__asm POPFD  
    	__asm POPAD  
    	
    	
    
    	__asm JMP[dwJMPback_InGameMessage]
    
    }
    btw on client errors :

    all i can find about client errors in the game is
    this strings ,, i will try to byte patch some of them and try later..

    Image Link :
    https://ibb.co/nChTt8
    what the target u get?
    cshell.dll or cf.exe?
