unknowncheats uc-forum.com ucdownloads ucdownloads.com

Go Back   UC-Tutorials - Multiplayer Game Hacking and Cheat Tutorials > First-Person Shooters > Other FPS Games > Crossfire
Reload this Page [Code] A Plethora of Crossfire Information
- Sponsored Advertisement -
http://www.myfpscheats.com/


Reply
 
Thread Tools Display Modes
  #1  
Old 10-30-2009, 12:07 AM
Dave Dave is offline
Junior Member
  
Join Date: Oct 2009
Posts: 11
Default [Code] A Plethora of Crossfire Information
I noticed a few guys chatting about the game etc. Anyways found some info on it figured I would post it for yall.

Credits due to a compilation of several people:
GD, Fatboy, DrunkenCheetah, Zenema, whitegun, Tamimego, GHOSTER




basic player info you can see ghost and speed hack here

Code:
{
public:
    float fMoveMentWalkRate; //0000
    float fMovementDuckRate; //0004
    float fMovementSideRate; //0008
    float fMoveMentAcceleration; //000C
    float fMoveMentFriction; //0010
    float fJumpTime; //0014
    float fJumpVelocity; //0018
    float fJumpLandedWaitTime; //001C
    float fJumpLandedNoTimeRate; //0020
    float fJumpRepeatPenaltyMoveRate; //0024
    float fJumpRepeatPenaltyHeightRate; //0028
    float Unknown0; //002C
    float Unknown1; //0030
    float fPVPosDefault; //0034
    float Unknown2; //0038
    float Unknown3; //003C
    float fPVRotDefault; //0040
    float Unknown4; //0044
    float Unknown5; //0048
    float fPvModelFov; //004C
    float fPvOnlyMoveGap; //0050
    float Unknown6; //0054
    float Unknown7; //0058
    float fDamagePenaltyTime; //005C
    float fDamagePenaltyMoveRate; //0060
    float fC4PlantTime; //0064
    float fC4DefuseTime; //0068
    float fMaxCanDefuseDistance; //006C
    float fCharcterHiddenAlpha; //0070
    float fCharecterHiddenWalkAlpha; //0074
    float fCharecterHiddenRunAlpha; //0078
    float fMovementHiddenRate; //007C
    char unknown8[4];
    float fCrossHairColorChangeRateRed; //0084
    float Unknown9; //0088
    float fCrossHairColorChangeRateGreen; //008C
    float Unknown10; //0090
};


weapon info incomplete but you can do a no recoil decrease the spread a bit
size 0x16C8 loops for every weapon
Code:
{
public:
    BYTE WeaponClass; //0000
    BYTE Unknown0; //0001
    char Unknown1[32]; //0002
    char cSkinFileName[64]; //0022
    char cSkinFileName2[64]; //0062
    char Unknown2[64]; //00A2
    char Unknown3[64]; //00E2
    char Unknown4[64]; //0122
    char cRenderStyleFileName[64]; //0162
    char Unknown5[64]; //01A2
    char Unknown6[64]; //01E2
    char Unknown7[64]; //0222
    char Unknown8[64]; //0262
    char Unknown9[64]; //02A2
    char Unknown10[64]; //02E2
    char Unknown11[64]; //0322
    char Unknown12[64]; //0362
    char Unknown13[64]; //03A2
    char Unknown14[64]; //03E2
    char Unknown15[64]; //0422
    char Unknown16[64]; //0462
    char Unknown17[64]; //04A2
    char Unknown18[32]; //04E2
    char Unknown19[32]; //0502
    char cReloadSoundName[32]; //0522
    char cBlowBackSoundName[32]; //0542
    char Unknown20[32]; //0562
    char cBigIconName[32]; //0582
    char cSmallIconName[32]; //05A2
                char unknown21[12];
    BYTE Unknown22; //05CE
    BYTE Unknown23; //05CF
    BYTE Unknown24; //05D0
    BYTE Unknown25; //05D1
                char unknown26[16];
    char Unknown27[34]; //05E2
                char unknown28[1644];
    __int16 iAmmoPerMagazine; //0C70
    __int16 iAmmoDamage; //0C72
                char unknown29[24];
    float MaxAmmo; //0C8C
    __int16 iAmmoPerMagazine; //0C90
    __int16 iAmmoDamage; //0C92
    float iUnlimitedAmmo; //0C94
                char unknown30[476];
    float Unknown31; //0E74
    float Unknown32; //0E78
};
Code:
struct _LocalWorld
{

    char unknown0[212];
    float Unknown1; //00D4
    __int32 iWeapon; //00D8
    char unknown2[4];
    float Unknown3; //00E0
    char unknown4[48];
    float fLocalWorldX; //0114
    float fLocalWorldY; //0118
    float fLocalWorldZ; //011C
    char unknown5[12];
    float Unknown6; //012C
    float Unknown7; //0130
    char unknown8[56];
    float Unknown9; //016C
};

Another way to see ghost:
Code:
00647910   55               PUSH EBP
00647911   8BEC             MOV EBP,ESP
00647913   83EC 08          SUB ESP,8
00647916   894D FC          MOV DWORD PTR SS:[EBP-4],ECX
00647919   8B45 FC          MOV EAX,DWORD PTR SS:[EBP-4]
0064791C   0FB688 93000000  MOVZX ECX,BYTE PTR DS:[EAX+93]
00647923   81F9 FF000000    CMP ECX,0FF //////////////////cmp ecx,255
00647929   7C 17            JL SHORT crossfir.00647942//////////here nop or JG
0064792B   8B55 FC          MOV EDX,DWORD PTR SS:[EBP-4]
0064792E   8B82 88000000    MOV EAX,DWORD PTR DS:[EDX+88]
00647934   83E0 42          AND EAX,42/////////////////////66
00647937   75 09            JNZ SHORT crossfir.00647942
00647939   C745 F8 00000000 MOV DWORD PTR SS:[EBP-8],0
00647940   EB 07            JMP SHORT crossfir.00647949
00647942   C745 F8 01000000 MOV DWORD PTR SS:[EBP-8],1
00647949   8A45 F8          MOV AL,BYTE PTR SS:[EBP-8]
0064794C   8BE5             MOV ESP,EBP
0064794E   5D               POP EBP
0064794F   C3               RETN

Turn on bounding boxes
Code:
0069F580   55               PUSH EBP
0069F581   8BEC             MOV EBP,ESP
0069F583   6A 00            PUSH 0 //push 1   value
0069F585   68 D0FC6B00      PUSH crossfir.006BFCD0                ; ASCII "ModelDebug_DrawBoxes"
0069F58A   B9 74CE7000      MOV ECX,crossfir.0070CE74 //follow this to a jmp patch that will draw boxes also
0069F58F   E8 2CE8ECFF      CALL crossfir.0056DDC0  
0069F594   5D               POP EBP
0069F595   C3               RETN


Another way tot urn on Debugging boxes Credits Ghoster

Code:
    void __cdecl SetConsoleVariable(char* szVal){
        void* vSetVar = (void*) 0x4169C0;
        _asm
        {
            push szVal
            call vSetVar
            add esp, 4
        }
    }
Code:
SetConsoleVariable("ModelDebug_DrawBoxes 1");

0x4169C0 Is LTClient + 0x1F8 (iirc)

LClient = CShell + 0x524014

GetObjectPos LTClient + 0x94


Built In wallhack/whitewalls
Code:
005677D0   C745 FC 1CE96B00 MOV DWORD PTR SS:[EBP-4],crossfir.006BE9>; ASCII "ForceMode"
005677D7   8BE5             MOV ESP,EBP
005677D9   5D               POP EBP
005677DA   C3               RETN
005677DB   CC               INT3
005677DC   CC               INT3
005677DD   CC               INT3
005677DE   CC               INT3
005677DF   CC               INT3
005677E0   55               PUSH EBP
005677E1   8BEC             MOV EBP,ESP
005677E3   83EC 74          SUB ESP,74
005677E6   894D 90          MOV DWORD PTR SS:[EBP-70],ECX
005677E9   8B45 90          MOV EAX,DWORD PTR SS:[EBP-70]
005677EC   0FB688 55010000  MOVZX ECX,BYTE PTR DS:[EAX+155]
005677F3   85C9             TEST ECX,ECX
005677F5   74 21            JE SHORT crossfir.00567818
005677F7   6A 03            PUSH 3
005677F9   6A 23            PUSH 23
005677FB   8B55 90          MOV EDX,DWORD PTR SS:[EBP-70]
005677FE   8B0A             MOV ECX,DWORD PTR DS:[EDX]
00567800   E8 ABCAFEFF      CALL crossfir.005542B0
00567805   6A 00            PUSH 0
00567807   68 8C000000      PUSH 8C
0056780C   8B45 90          MOV EAX,DWORD PTR SS:[EBP-70]
0056780F   8B08             MOV ECX,DWORD PTR DS:[EAX]
00567811   E8 9ACAFEFF      CALL crossfir.005542B0
00567816   EB 1F            JMP SHORT crossfir.00567837
00567818   6A 03            PUSH 3
0056781A   68 8C000000      PUSH 8C
0056781F   8B4D 90          MOV ECX,DWORD PTR SS:[EBP-70]
00567822   8B09             MOV ECX,DWORD PTR DS:[ECX]
00567824   E8 87CAFEFF      CALL crossfir.005542B0
00567829   6A 00            PUSH 0
0056782B   6A 23            PUSH 23
0056782D   8B55 90          MOV EDX,DWORD PTR SS:[EBP-70]
00567830   8B0A             MOV ECX,DWORD PTR DS:[EDX]
00567832   E8 79CAFEFF      CALL crossfir.005542B0
00567837   6A 01            PUSH 1////////// white walls
00567839   6A 16            PUSH 16///////D3DRS_LASTPIXEL = 16?? not sure

0056783B   8B45 90          MOV EAX,DWORD PTR SS:[EBP-70]
0056783E   8B08             MOV ECX,DWORD PTR DS:[EAX]
00567840   E8 6BCAFEFF      CALL crossfir.005542B0
00567845   6A 01            PUSH 1/////////////////////////////////NICE WALLHACK ASUS
00567847   6A 07            PUSH 7//////////////////////////////// D3DRS_ZENABLE = 7,

00567849   8B4D 90          MOV ECX,DWORD PTR SS:[EBP-70]
0056784C   8B09             MOV ECX,DWORD PTR DS:[ECX]
0056784E   E8 5DCAFEFF      CALL crossfir.005542B0

o weapon values.

Code:
XmShotgun 0
MP5 2
P90 3
Knife 5
Grenade 6
FlashBang 7
Smoke 8
C4 9
M4A1 11
AK 12
Aug 13
M700 14
AWM 15
M60 17
DragSniper 23
Ak "says 74"  27
"ENgineer gun from BF2 small not shotgun" 28
XM8 30
Gali 32
"Old pistol six shooter" 33
Scar 34
Axe 35
SPAShotgun 36
//creds:whitegun


client info is this or close to it: Credits Tamimego
Code:
ClientInfo size 0xF8

LTClientShell + 0x64F4 = ClientInfo Clients [16]

This structure stores team, name, etc. You can work out the rest.
Reply With Quote
Reply

  • Submit Thread to Digg
  • Submit Thread to del.icio.us
  • Submit Thread to StumbleUpon
  • Submit Thread to Google
  • Submit Thread to Facebook
  • Submit Thread to My Yahoo!
  • Submit Thread to MySpace
  • Submit Thread to Twitter
  • Submit Thread to Reddit

Tags
code, crossfire, information, plethora

« Previous Thread | Next Thread »
Thread Tools
Display Modes
Linear Mode Linear Mode

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off


All times are GMT. The time now is 02:57 PM.

Contact Us - Archive