How to find GAMEPROTO_CS_CLIENTFIRE

**bhopo** · 12-24-2023

Hello everyone, Could some one help me finding the CS_client fire func , I managed to use x ref to get the push string but i realy don't know how to get the rigt addy of the func.

and what are the arguments does this function take or how does it work or what's calling this function so i can bypass 22-11 client error .

I managed to hook the 28-5 and 28-3 func but i need to find the GAMEPROTO_CS_CLIENT fire in order to bypass 22-11 .

IM using x32 bit version of a private crossfire server.

@MemoryThePast

**MemoryThePast** · 12-24-2023

use IDA and search it as Names Window, if it doesn't show use class informer

**bhopo** · 12-27-2023

Originally Posted by MemoryThePast

use IDA and search it as Names Window, if it doesn't show use class informer

Okay i found the function and I reached this snippet of code , could you tell me what call here or what line that check for node change so i can bypass

I uploaded the snippet of code.
@MemoryThePast

**bhopo** · 12-31-2023

Originally Posted by bhopo

Okay i found the function and I reached this snippet of code , could you tell me what call here or what line that check for node change so i can bypass

I uploaded the snippet of code.
@MemoryThePast

Im sory the attachment approval is late so here's the snippet of code in the cs_clientfire

Code:

8B 8C 87 5C030000     - mov ecx,[edi+eax*4+0000035C]
51                    - push ecx
8B CE                 - mov ecx,esi
FF D2                 - call edx
8B 06                 - mov eax,[esi]
8B 40 24              - mov eax,[eax+24]
8D 0C AB              - lea ecx,[ebx+ebp*4]
0FB7 94 4F DC030000   - movzx edx,word ptr [edi+ecx*2+000003DC]
6A 10                 - push 10
52                    - push edx
8B CE                 - mov ecx,esi
FF D0                 - call eax
8B 16                 - mov edx,[esi]
8B 52 24              - mov edx,[edx+24]
8D 04 AB              - lea eax,[ebx+ebp*4]
0FB7 8C 47 1C040000   - movzx ecx,word ptr [edi+eax*2+0000041C]
6A 10                 - push 10
51                    - push ecx
8B CE                 - mov ecx,esi
FF D2                 - call edx
8B 06                 - mov eax,[esi]
8B 40 24              - mov eax,[eax+24]
8D 0C AB              - lea ecx,[ebx+ebp*4]
0FBF 94 4F 5C040000   - movsx edx,word ptr [edi+ecx*2+0000045C]
6A 10                 - push 10
52                    - push edx
8B CE                 - mov ecx,esi
FF D0                 - call eax
83 C3 01              - add ebx,01
83 FB 04              - cmp ebx,04
0F8C 4EFFFFFF         - jl cshell.dll+64AAC0
83 44 24 18 01        - add dword ptr [esp+18],01
83 44 24 10 04        - add dword ptr [esp+10],04
83 C5 01              - add ebp,01
83 FD 08              - cmp ebp,08
0F8C 18FFFFFF         - jl cshell.dll+64AAA0

**MemoryThePast** · 01-01-2024

Originally Posted by bhopo

Im sory the attachment approval is late so here's the snippet of code in the cs_clientfire

Code:

8B 8C 87 5C030000     - mov ecx,[edi+eax*4+0000035C]
51                    - push ecx
8B CE                 - mov ecx,esi
FF D2                 - call edx
8B 06                 - mov eax,[esi]
8B 40 24              - mov eax,[eax+24]
8D 0C AB              - lea ecx,[ebx+ebp*4]
0FB7 94 4F DC030000   - movzx edx,word ptr [edi+ecx*2+000003DC]
6A 10                 - push 10
52                    - push edx
8B CE                 - mov ecx,esi
FF D0                 - call eax
8B 16                 - mov edx,[esi]
8B 52 24              - mov edx,[edx+24]
8D 04 AB              - lea eax,[ebx+ebp*4]
0FB7 8C 47 1C040000   - movzx ecx,word ptr [edi+eax*2+0000041C]
6A 10                 - push 10
51                    - push ecx
8B CE                 - mov ecx,esi
FF D2                 - call edx
8B 06                 - mov eax,[esi]
8B 40 24              - mov eax,[eax+24]
8D 0C AB              - lea ecx,[ebx+ebp*4]
0FBF 94 4F 5C040000   - movsx edx,word ptr [edi+ecx*2+0000045C]
6A 10                 - push 10
52                    - push edx
8B CE                 - mov ecx,esi
FF D0                 - call eax
83 C3 01              - add ebx,01
83 FB 04              - cmp ebx,04
0F8C 4EFFFFFF         - jl cshell.dll+64AAC0
83 44 24 18 01        - add dword ptr [esp+18],01
83 44 24 10 04        - add dword ptr [esp+10],04
83 C5 01              - add ebp,01
83 FD 08              - cmp ebp,08
0F8C 18FFFFFF         - jl cshell.dll+64AAA0

hmm why not try hook it and reverse it?

**membertest1** · 01-11-2024

Originally Posted by bhopo

Hello everyone, Could some one help me finding the CS_client fire func , I managed to use x ref to get the push string but i realy don't know how to get the rigt addy of the func.

and what are the arguments does this function take or how does it work or what's calling this function so i can bypass 22-11 client error .

I managed to hook the 28-5 and 28-3 func but i need to find the GAMEPROTO_CS_CLIENT fire in order to bypass 22-11 .

IM using x32 bit version of a private crossfire server.

@MemoryThePast

Have you successfully bypass the 22_11. Im working on it too but can't find the cs_client in x64 cf version

**akbargain** · 01-11-2024

AFAIK back in my days, I used to bypass clientfire by intercepting the outgoing packets hehe it's easier that way, just make the packets look normal

.

**membertest1** · 01-11-2024

Originally Posted by akbargain

AFAIK back in my days, I used to bypass clientfire by intercepting the outgoing packets hehe it's easier that way, just make the packets look normal

.

Do you have discord ? I stuck with this error code

I tried to catch the packets sent but nothing found

**akbargain** · 01-12-2024

On a second thought, it probably might be harder because you need to format them packet bytes and identify which is which. I guess i just got lucky since someone gave me the byte format/structure. And then i noticed that there's something incrementing on the packet while firing so i messed with the increment and noticed that i'm not hitting client error.

It might be a lil bit slower because you need to modify the whole packet before sending it compared to actually finding the function that causes it.
I recommend that you should just find the function instead, it's optimal and nicer and you already have a hint above about it's signature.

**Hoàng Skyht Pro** · 01-23-2024

Did you get past it?

**bhopo** · 01-24-2024

Originally Posted by Hoàng Skyht Pro

Did you get past it?

still stuck on the function
i figured that the function do three checks a check on model node damage
and a check if ai but I don't know is there other checks

**Hoàng Skyht Pro** · 01-26-2024

Originally Posted by bhopo

still stuck on the function
i figured that the function do three checks a check on model node damage
and a check if ai but I don't know is there other checks

yes I'm stuck like you, it's hard to search

**awdacwadc** · 01-30-2024

update_crc & ModelNodeInfo

Thread: How to find GAMEPROTO_CS_CLIENTFIRE

Thread Tools

Display

How to find GAMEPROTO_CS_CLIENTFIRE

The Following User Says Thank You to bhopo For This Useful Post:

The Following User Says Thank You to MemoryThePast For This Useful Post:

The Following 2 Users Say Thank You to bhopo For This Useful Post:

Similar Threads

how to find gps?! 0.o

How to find Recoil and Spread addresses?

How to find GPS address?

[Tutorial]How to find some Hacks

how to find rar pw?