Taking over MW3's Rcon Console.

[Nitro Gen]

By default MW3 doesn't have a console where you can take advantage of, like in most of the previous CoD's:
Changing dvars. MW3 on the other hand features a 'rcon' when you are in-game. Which acts as an remote console to send commands to the server. Since this console is copy-pasted from the previous CoDs. It isn't limited to rcon functionality only.

First off lets try to open the console at the main menu.
There is a byte thats stores the consoles state, which for 1.4.382 (TeknoMW3) is 0x0106020C.
When in-game and the rcon is closed. This byte has a value of 0.
When you press the ` key. The rcon pops up and this byte changes to 1.
Lets try to do that at the main menu.

Result:


Well that doesn't really work out that well so lets check the default value of that byte at the main menu.
It turned out to be 16. 0 to 1 is an increment of one.
Lets try 17.

Also we want to open the outputbox at the main menu.
Which is done by setting 0x00B35498 to 1.

Result:


Now lets try to remove that ugly 'rcon ' prefix.
Since our console will not work as an rcon for much longer.

A quick search in IDA results in this:


So lets just set that to nothing. You can set it to everything you want including color codes. As the prefix is not processed later on.

Lets move on to printing.
MW3 has a main printing function via which you can print to our rcon.
In order to find it switch to the strings view in IDA. (Shift+F12 for the hot-key type of guys)
Then to CTRL+F and type in the box an example string that the rcon might print.
Example: 'rcon login cleared.'
Double click on your string. And open up the function responsible for it.
This is our function:


As you can see it only calls one function. So this function must call the function responsible for printing. Or its the function responsible for printing.
In both scenarios using this function will work because if it isn't the function thats responsible for printing. it will simply forward our print request to the correct function.

So to use this function use:

Code:

typedef void(__cdecl * ConPrint_0x0417D20)(int controller, int channel, const char* string, int a4, int a5, float a6);
ConPrint_0x0417D20 ConPrint = (ConPrint_0x0417D20)0x417D20;

Lets make a function that prints to the rcon for us.
channel & controller: this is the channel you want to print to. The rcon is 0.
string: The string we want to print to the rcon.
all the others don't matter and we can feed them with a 0.

My function:

Code:

void RconPrint(const char* format, ...)
{
	static char buffer[1024];
	va_list ap;
	va_start(ap, format);
	_vsnprintf(buffer, sizeof(buffer), format, ap);
	va_end(ap);
	buffer[sizeof(buffer) - 1] = '\0';
	ConPrint(0, 0, buffer, 0, 0, 0.0f);
}

I am using va to prevent it from always printing %s.

Now that we can print to the rcon.
Its time to hook its input.
Because we want to redirect that to our hack.
I execute this inside UiShowList. To enable our rcon at the main menu. and not in-game.

Example hook:

Code:

void HookRcon()
{
	BYTE* Loc = (BYTE*)0x4B3170;
	Loc[0] = 1 ? 0xE9U : 0xE8U;
	*(ptrdiff_t*)(Loc + 1) = (BYTE*)ConCommandHandler - Loc - 5;
}

And then for ConCommandHandler:

Code:

void ConCommandHandler(int controller, char* command)
{
	//Send 'command' to where you strcmp or parse your commands
}

Well thats pretty much it.
Send 'command' to your function to parse or compare commands.
And the rcon will be yours.

Here is mine:

[hkKenshin]

wat

Code:

	Loc[0] = 1 ? 0xE9U : 0xE8U;

stahp pls.

- - - Updated - - -

P.S.

Code:

typedef void(__cdecl * ConPrint_0x0417D20)(int controller, int channel, const char* string, int maxHeight, int maxWidth, float alphaColor);

[Nitro Gen]

wat



stahp pls.

- - - Updated - - -

P.S.

Code:

typedef void(__cdecl * ConPrint_0x0417D20)(int controller, int channel, const char* string, int maxHeight, int maxWidth, float alphaColor);

Thanks for that.
shaddap bout dem hooking, it works gr8 8/8.

[hkKenshin]

Thanks for that.
shaddap bout dem hooking, it works gr8 8/8.

Redundant code is redundant.

[Nitro Gen]

Redundant code is redundant.

So are redundant comments

[hkKenshin]

So are redundant comments

That was the whole point ...