Crossfire Server Files [verified] -

| Sample | Backdoor | Cryptominer | Keylogger | C2 Communication | |--------|----------|-------------|-----------|------------------| | CFServer_2020.rar | Yes (RAT) | No | Yes | HTTP POST to cf-update[.]ru | | CFEmu_2.3.7z | No | Yes (XMRig) | No | Stratum protocol | | Crossfire_Private_v3.exe | Yes (NjRAT) | No | Yes | TCP port 5552 |

/Crossfire_Server/ β”œβ”€β”€ Bin/ β”‚ β”œβ”€β”€ AuthServer.exe β”‚ β”œβ”€β”€ GameServer.exe β”‚ β”œβ”€β”€ MessengerServer.exe β”‚ └── ClanServer.exe β”œβ”€β”€ Config/ β”‚ β”œβ”€β”€ ServerInfo.ini (IP, ports, max players) β”‚ β”œβ”€β”€ Items.dat (weapon IDs, prices) β”‚ └── Maps.list β”œβ”€β”€ Database/ β”‚ β”œβ”€β”€ cf_db.sql (MySQL schema for accounts, inventory) β”‚ └── StoredProcedures/ β”œβ”€β”€ Logs/ └── Tools/ β”œβ”€β”€ PacketBuilder.exe └── LauncherGenerator.exe CREATE TABLE `accounts` ( `user_id` INT PRIMARY KEY AUTO_INCREMENT, `username` VARCHAR(20), `password_md5` CHAR(32), `gp` INT DEFAULT 0, `zp` INT DEFAULT 0, -- ZP points (official currency) `vip_level` TINYINT, `is_gm` BOOLEAN ); CREATE TABLE inventory ( item_id INT, expiry_date DATETIME, -- rental weapons is_permanent BOOLEAN ); 3.2 Packet Structure (Reversed) A typical game client-server packet (hexdump): crossfire server files

| Component | Protocol | Function | |-----------|----------|----------| | Auth Server | TCP (port 13006) | Login, session token generation | | Lobby Server | UDP (port 13008) | Channel listing, room creation | | Game Server | UDP (port 13011–13020) | Hit registration, physics, item usage | | Item/Messaging | HTTP/SOAP | Inventory, clans, mail | | Sample | Backdoor | Cryptominer | Keylogger

def xor_decrypt(data, key=0x5A): return bytes([b ^ key for b in data]) `gp` INT DEFAULT 0