Hello guys, and girls! Welcome back

I did actually end up achieving what I wanted to, which was to break Quake 3. I did this by overwriting convars in the game, and in the process I reversed an entire set of convars plus the class that contains them!

So let's get to what I did and how it works, shall we? First off, open Quake 3 Arena in IDA and generate the list of strings. Done? Good. Now we're going to be a little newbie here and search Google for a list of convars in Quake, but hey, who said using resources is newbie?

Once you've done that, find a convar. Some of them were not implemented in Quake 3, but don't worry. I searched for cl_showSend and xref'd that string. You should get a couple of results, or ideally just one.

You'll notice this is a push, meaning the string is being pushed onto the stack, most likely as an argument to a function. That's how I remember it.

Now, we're going to use common sense here: only one result for a string that's a convar, and it's being passed as an argument to a function? What does this mean? Well, that function is probably the RegisterCVar function. I named mine CV_RegisterCVar, but you can name it whatever you'd like.

Okay, so let's get back to it.

Now, there's something VERY special about this function: it moves the eax register into B3A42C.

This is great! IDA literally just gave us the address.

Throw that into ReClass and make a pointer at B3A42C, then in that pointer add about 2048 bytes until you see a string called "r_showNormals".

This is actually a great way to make a simple wallhack! We're going to show normals in the game, and then be able to see enemies and objects alike through walls! 😀

Alright, we ran into a problem though: we don't know what value to set. We've kind of messed up. What value do we set to change the value of that convar?

Okay, so go back into IDA and compare that

.text:0040F020 push offset a0 ; "0"

with what's in ReClass. See a zero? Good. You can compare other convars too. You'll probably see lots of zeroes, but don't worry, we've got this. Okay, so the one right before the next pointer is the convar's value. I'll show you what I mean.

Alright, sweet, we found the value. How did I know this? Because I compared multiple values in IDA against the value in ReClass. Sometimes you have to reload your map for convars to actually change, so if it doesn't change automatically, try that. Also, the float value is the second one before the next pointer.

Thanks guys!! 🙂