THREAD: [Release] HUD elements + Remote Procedure Calls
  1. 05-21-2013, 12:55 AM
    Choco's Avatar
    Choco
    <marquee>Respect my authoritah!! <img src=http://www.nextgenupdate.com/forums/images/smilies/newset1/cartman.gif></marquee>
    Choco's Avatar
    Choco
    <marquee>Respect my authoritah!! <img src=http://www.nextgenupdate.com/forums/images/smilies/newset1/cartman.gif></marquee>
    2,951
    Posts
    132,073
    Reputation
    Jun 2010
    NextGenUpdate
    You must login or register to view this content.


    Hey guys,

    Since everyone is starting to figure this out now, it's time to release. I've had it for quite awhile, but wouldn't have found it without aerosoul94, so big thanks to him. Also, a lot of my HUD functions have been adapted from Hacksorce's Xbox functions, so thanks to him. Also thanks to Carter and Godly for their research.



    Ok, so I'm going to be giving you all several things in this thread. Firstly, I am going to give you the functions needed to make your own HUD element menu in C#. Secondly, I am going to show you all how to call any MW3 function you want remotely (Remote Procedure Call).


    HUD Elements

    Ok, so first, you need to have your program set up to connect to your PS3. If you haven't done this, check out You must login or register to view this content..

    Now, you are going to add this code to your program (you can also get it You must login or register to view this content. on pastebin):

            public static class HElems
    {
    public static uint
    xOffset = 0x04,
    yOffset = 0x08,
    textOffset = 0x84,
    fontOffset = 0x24,
    fontSizeOffset = 0x14,
    colorOffset = 0x30,
    relativeOffset = 0x2c,
    widthOffset = 0x44,
    heightOffset = 0x48,
    shaderOffset = 0x4c,
    GlowColor = 0x8C,
    alignOffset = 0x2C;
    }

    public void setIcon(uint elem, uint shader, int width, int height, float x, float y, uint align, float sort = 0, int r = 255, int g = 255, int b = 255, int a = 255)
    {
    SetMemory(elem, new byte[0xB4]);
    SetMemory(elem, new byte[] { 0x00, 0x00, 0x00, 0x04 });

    SetMemory(elem + HElems.relativeOffset, uintBytes(0x05));
    SetMemory(elem + HElems.relativeOffset - 4, uintBytes(0x06));
    SetMemory(elem + HElems.shaderOffset, uintBytes(shader));
    SetMemory(elem + HElems.heightOffset, ReverseBytes(BitConverter.GetBytes(height)));
    SetMemory(elem + HElems.widthOffset, ReverseBytes(BitConverter.GetBytes(width)));
    SetMemory(elem + HElems.alignOffset, uintBytes(align));
    SetMemory(elem + HElems.textOffset + 4, ReverseBytes(BitConverter.GetBytes(sort)));
    SetMemory(elem + HElems.xOffset, ReverseBytes(BitConverter.GetBytes(x)));
    SetMemory(elem + HElems.yOffset, ReverseBytes(BitConverter.GetBytes(y)));
    SetMemory(elem + HElems.colorOffset, new byte[] { BitConverter.GetBytes(r)[0], BitConverter.GetBytes(g)[0], BitConverter.GetBytes(b)[0], BitConverter.GetBytes(a)[0] });
    }

    public void setText(uint elem, byte[] text, uint font, float fontScale, float x, float y, uint align, int r = 255, int g = 255, int b = 255, int a = 255)
    {
    SetMemory(elem, new byte[0xB4]);
    SetMemory(elem, new byte[] { 0x00, 0x00, 0x00, 0x01 });

    SetMemory(elem + HElems.textOffset, text);
    SetMemory(elem + HElems.relativeOffset, uintBytes(0x05));
    SetMemory(elem + HElems.relativeOffset - 4, uintBytes(0x06));
    SetMemory(elem + HElems.fontOffset, uintBytes(font));
    SetMemory(elem + HElems.alignOffset, uintBytes(align));
    SetMemory(elem + HElems.textOffset + 4, new byte[] { 0x40, 0x00 });
    SetMemory(elem + HElems.fontSizeOffset, ReverseBytes(BitConverter.GetBytes(fontScale)));
    SetMemory(elem + HElems.xOffset, ReverseBytes(BitConverter.GetBytes(x)));
    SetMemory(elem + HElems.yOffset, ReverseBytes(BitConverter.GetBytes(y)));
    SetMemory(elem + HElems.colorOffset, new byte[] { BitConverter.GetBytes(r)[0], BitConverter.GetBytes(g)[0], BitConverter.GetBytes(b)[0], BitConverter.GetBytes(a)[0] });
    }


    private void SetMemory(uint addr, byte[] val)
    {
    snresult = PS3TMAPI.ProcessSetMemory(0, PS3TMAPI.UnitType.PPU, ProcessID, 0xFFFFFFFF, addr, val);
    }

    private void RPC_Enable_124()
    {
    SetMemory(0x523B10, new byte[2175]);
    SetMemory(0x18BE6C, new byte[] { 0x60, 0x00, 0x00, 0x00 });
    SetMemory(0x3BC9CC, new byte[] { 0x60, 0x00, 0x00, 0x00 });
    SetMemory(0x18BE74, new byte[] { 0x48, 0x00, 0x00, 0x68 });
    SetMemory(0x1DB1244, new byte[4]);
    SetMemory(0x114AE64, new byte[4]);
    SetMemory(0x3BC9E4, new byte[] { 0x41, 0x82, 0x02, 0x20, 0x3D, 0x00, 0x00, 0x52, 0x80, 0x68, 0x3B, 0x10, 0x80, 0x88, 0x3B, 0x14, 0x80, 0xA8, 0x3B, 0x18, 0x80, 0xC8, 0x3B, 0x1C, 0x80, 0xE8, 0x3B, 0x20, 0x39, 0x00, 0x00, 0x00, 0x48, 0x00, 0x00, 0x1D, 0x3C, 0x80, 0x01, 0x15, 0x90, 0x64, 0xAE, 0x64, 0x38, 0x80, 0x00, 0x00, 0x3C, 0x60, 0x01, 0xDB, 0x90, 0x83, 0x12, 0x44, 0x48, 0x00, 0x01, 0xE8, 0x4E, 0x80, 0x00, 0x20, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00 });
    }

    private uint str_pointer(string str)
    {
    uint addr = 0x523B30;
    byte[] check = new byte[1];
    uint i;
    for (i = 0; i < 5; i++)
    {
    PS3TMAPI.ProcessGetMemory(0, PS3TMAPI.UnitType.PPU, ProcessID, 0xFFFFFFFF, addr, ref check);
    if (check[0] == 0x00) break;
    if (i == 4)
    {
    i = 0;
    break;
    }
    }
    addr = (0x523B30 + (i * 0x6Cool Man (aka Tustin));
    SetMemory(addr, new byte[0x68]);
    SetMemory(addr, Encoding.UTF8.GetBytes(str));
    return addr;
    }

    private void CallFunc(uint func_addr, uint param1 = 0, uint param2 = 0, uint param3 = 0, uint param4 = 0, uint param5 = 0)
    {
    byte[] par1 = BitConverter.GetBytes(param1);
    byte[] par2 = BitConverter.GetBytes(param2);
    byte[] par3 = BitConverter.GetBytes(param3);
    byte[] par4 = BitConverter.GetBytes(param4);
    byte[] par5 = BitConverter.GetBytes(param5);
    Array.Reverse(par1);
    Array.Reverse(par2);
    Array.Reverse(par3);
    Array.Reverse(par4);
    Array.Reverse(par5);
    SetMemory(0x523B10, par1);
    SetMemory(0x523B14, par2);
    SetMemory(0x523B18, par3);
    SetMemory(0x523B1C, par4);
    SetMemory(0x523B20, par5);
    SetMemory(0x3BCA04, MakeBl(0x3BCA04, func_addr));
    SetMemory(0x1DB1244, new byte[] { 0x00, 0x00, 0x00, 0x01 });
    System.Threading.Thread.Sleep(10);
    }

    private uint GetFuncReturn()
    {
    byte[] ret = new byte[4];
    PS3TMAPI.ProcessGetMemory(0, PS3TMAPI.UnitType.PPU, ProcessID, 0xFFFFFFFF, 0x114AE64, ref ret);
    Array.Reverse(ret);
    return BitConverter.ToUInt32(ret, 0);
    }

    private byte[] MakeBl(uint callAddr, uint addrToBlTo)
    {
    byte[] instruction = new byte[4];
    uint addr_t = (uint)(((int)addrToBlTo - (int)callAddr) + 1);
    if ((int)addrToBlTo > (int)callAddr) instruction[3] = 0x48;
    else
    {
    instruction[3] = 0x4B;
    addr_t = (uint)(0x1000000 - ((int)callAddr - (int)addrToBlTo) + 1);
    }
    byte[] addr = BitConverter.GetBytes(addr_t);
    for (int i = 0; i < 3; i++)
    {
    instruction = addr;
    }
    Array.Reverse(instruction);
    return instruction;
    }

    public void DestroyElem(uint elem)
    {
    SetMemory(elem, new byte[0xB4]);
    }

    public void spawnElem(int client, uint elemAddress)
    {
    SetMemory(elemAddress + 0xA8, ReverseBytes(BitConverter.GetBytes(client)));
    }

    public byte[] uintBytes(uint input)
    {
    byte[] data = BitConverter.GetBytes(input);
    Array.Reverse(data);
    return data;
    }

    public uint createText(string text)
    {
    CallFunc(0x1BE6CC, str_pointer(text));
    System.Threading.Thread.Sleep(10);
    return GetFuncReturn();
    }

    public byte[] ReverseBytes(byte[] inArray)
    {
    Array.Reverse(inArray);
    return inArray;
    }

    private uint HudElem_Alloc()
    {
    byte[] elem = new byte[1];
    uint add;
    for (int i = 0; i < 1024; i++)
    {
    add = (uint)(0xF0E10C + (i * 0xB4));
    PS3TMAPI.ProcessGetMemory(0, PS3TMAPI.UnitType.PPU, ProcessID, 0xFFFFFFFF, add, ref elem);
    if ((int)elem[0] == 0)
    {
    SetMemory(add, new byte[0xB1]);
    return add;
    }
    }
    return 0;
    }

    private void HudElem_DestroyAll()
    {
    SetMemory(0xF0E10C, new byte[184320]);
    }

    private int GetMaterialIndex(string str)
    {
    CallFunc(0x1BE744, str_pointer(str));
    return (int)GetFuncReturn();
    }


    That's all the functions you need for HUD elements and for RPC (remote procedure calls). Now, add this to the end of the function you use for attaching the process:

    RPC_Enable_124();


    That code will add a custom function into MW3 that allows you to call functions remotely (I'll explain how to do so later).



    Here's an example of spawning a Text HUD element:

    uint hud_example = HudElem_Alloc();
    setText(hud_example, uintBytes(createText("Example Text")), 6, 20, 170, 45, 1, 255, 0, 0, 255);
    spawnElem(0, hud_example);


    Here's an example of spawning a Shader HUD element:

    uint hud_example2 = HudElem_Alloc();
    setIcon(hud_example2, 1, 280, 100, 40, 30, 2, -10, 0, 0, 0, 150);
    spawnElem(0, hud_example2);


    Also, for anyone interested, here is the complete HUD elem structure thanks to aerosoul94: You must login or register to view this content.


    Remote Procedure Call

    Ok, all the code that you should have added to your program from above included all the funcs needed for RPC. Here's how to call a function remotely:

    For this example, I will use G_GivePlayerWeapon.

    First, you need the address of the function to call from within the elf. G_GivePlayerWeapon is located at 0x1C3034. Now you need the parameters for it. G_GivePlayerWeapon takes 3 parameters: g_client, weaponIndex, and altModelIndex.

    So to call the function, I would do something like this:

    uint G_GivePlayerWeapon = 0x1C3034;
    uint g_client = 0x110A280;
    CallFunc(G_GivePlayerWeapon, g_client, 1, 0);


    That code would give a Default Weapon to client number 0.

    RPC is a bit more advanced, so if what I just said made no sense to you, don't worry about it. Here's some good functions for you to have:

    uint Add_Ammo = 0x18A29C; //Add_Ammo(uint *g_entity, uint weaponIndex, uint weaponModel, uint count, uint fillClip)
    uint G_GivePlayerWeapon = 0x1C3034; //G_GivePlayerWeapon(uint *g_client, uint weaponIndex, uint altModelIndex)
    uint G_SetModel = 0x1BEF5C; //G_SetModel(uint *g_entity, char *modelName)
    uint Cmd_ExecuteSingleCommand = 0x1DB240; //Cmd_ExecuteSingleCommand(uint *localClientIndex, char *command)


    Here's an example of a function that uses a string as a parameter:

    uint G_SetModel = 0x1BEF5C;
    CallFunc(G_SetModel, 0xFCA280, str_pointer("com_plasticcase_beige_big"));


    str_pointer is needed whenever passing a string to CallFunc.

    And for those who are completely lost about RPC, here's a few little functions I wrote in C# to make some mods easier for you:

            private void SetModel(int client, string model)
    {
    CallFunc(0x1BEF5C, (uint)(0xFCA280 + (client * 0x280)), str_pointer(model));
    }

    private void SV_GameSendServerCommand(int client, string command)
    {
    CallFunc(0x228FA8, (uint)client, 0, str_pointer(command));
    }

    private void GiveWeapon(int client, int weaponIndex)
    {
    CallFunc(0x1C3034, (uint)(0x110A280 + (client * 0x3980)), (uint)weaponIndex, 0);
    CallFunc(0x18A29C, (uint)(0xFCA280 + (client * 0x280)), (uint)weaponIndex, 0, 9999, 1);
    }


    Examples using the above functions:

    SetModel(0, "com_plasticcase_beige_big"); //sets client 0's model to a Care Package

    SV_GameSendServerCommand(0, "c \"^2Hello there!\""); //prints "^2Hello there!" on client 0's screen

    GiveWeapon(0, 1); //Gives a default weapon with full ammo to client 0





    Well, that's it. All the secrets are out now. Hopefully some of you found this useful and will make some sick mods with it. Once again, all credit for HUD elems goes to aerosoul94.


    Enjoy guys Winky Winky
    Last edited by Choco ; 05-22-2013 at 08:43 PM.

  2. The Following 143 Users Say Thank You to Choco For This Useful Post:

    , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , See more...

  3. 05-21-2013, 01:37 AM
    seb5594's Avatar
    seb5594
    <span style="background:url(http://oi60.tinypic.com/amtgtv.jpg);font-weight:bold;color:black;">♥ Proud Former Admin ♥</span>
    seb5594's Avatar
    seb5594
    <span style="background:url(http://oi60.tinypic.com/amtgtv.jpg);font-weight:bold;color:black;">♥ Proud Former Admin ♥</span>
    2,723
    Posts
    64,864
    Reputation
    Jul 2008
    NextGenUpdate
    Sick Choco. Keep it up.
  4. 05-21-2013, 02:28 AM
    Kurt's Avatar
    Kurt
    Banned
    Kurt's Avatar
    Kurt
    Banned
    352
    Posts
    18,199
    Reputation
    Dec 2012
    NextGenUpdate
    how would i spawn two icons and text all in the same button? im using c#
  5. 05-21-2013, 04:35 AM
    Bichote's Avatar
    Bichote
    <span style="background:url(https://lh3.googleusercontent.com/-4faiureuyEk/Uw28Z2peAFI/AAAAAAAADes/fC61gsCiofw/w506-h750/Colourful.gif);font-weight:bold;color:white;">Living The Good Life</span>
    Bichote's Avatar
    Bichote
    <span style="background:url(https://lh3.googleusercontent.com/-4faiureuyEk/Uw28Z2peAFI/AAAAAAAADes/fC61gsCiofw/w506-h750/Colourful.gif);font-weight:bold;color:white;">Living The Good Life</span>
    5,911
    Posts
    94,393
    Reputation
    Nov 2009
    NextGenUpdate
    Great job Choco :y:
  6. 05-21-2013, 04:43 AM
    The Epic's Avatar
    The Epic
    I wont stop
    The Epic's Avatar
    The Epic
    I wont stop
    2,481
    Posts
    10,540
    Reputation
    Nov 2010
    NextGenUpdate
    anyone wanna test my patch?
  7. 05-21-2013, 07:45 AM
    deneo24's Avatar
    deneo24
    Youtube.com/DenesCodClips
    deneo24's Avatar
    deneo24
    Youtube.com/DenesCodClips
    1,056
    Posts
    31,187
    Reputation
    Jan 2011
    NextGenUpdate
    Outstanding! Holy fuck..
  8. 05-21-2013, 10:06 AM
    Loxy's Avatar
    Loxy
    < ^ > < ^ >
    Loxy's Avatar
    Loxy
    < ^ > < ^ >
    1,003
    Posts
    7,832
    Reputation
    Jun 2012
    NextGenUpdate
    this looks epic find
    good work mate :y:
  9. 05-21-2013, 10:07 AM
    nay1995's Avatar
    nay1995
    The Master
    nay1995's Avatar
    nay1995
    The Master
    1,766
    Posts
    13,087
    Reputation
    Feb 2010
    NextGenUpdate
    Originally Posted by Choco View Post
    You must login or register to view this content.


    Hey guys,

    Since everyone is starting to figure this out now, it's time to release. I've had it for quite awhile, but wouldn't have found it without aerosoul94, so big thanks to him. Also, a lot of my HUD functions have been adapted from Hacksorce's Xbox functions, so thanks to him. Also thanks to Carter and Godly for their research.



    Ok, so I'm going to be giving you all several things in this thread. Firstly, I am going to give you the functions needed to make your own HUD element menu in C#. Secondly, I am going to show you all how to call any MW3 function you want remotely (Remote Procedure Call).


    HUD Elements

    Ok, so first, you need to have your program set up to connect to your PS3. If you haven't done this, check out You must login or register to view this content..

    Now, you are going to add this code to your program:

            public static class HElems
    {
    public static uint
    xOffset = 0x08,
    yOffset = 0x04,
    textOffset = 0x84,
    fontOffset = 0x24,
    fontSizeOffset = 0x14,
    colorOffset = 0x30,
    relativeOffset = 0x2c,
    widthOffset = 0x44,
    heightOffset = 0x48,
    shaderOffset = 0x4c,
    GlowColor = 0x8C,
    alignOffset = 0x2C;
    }

    public void setIcon(uint elem, uint shader, int width, int height, float x, float y, uint align, float sort = 0, int r = 255, int g = 255, int b = 255, int a = 255)
    {
    SetMemory(elem, new byte[0xB4]);
    SetMemory(elem, new byte[] { 0x00, 0x00, 0x00, 0x04 });

    SetMemory(elem + HElems.relativeOffset, uintBytes(0x05));
    SetMemory(elem + HElems.relativeOffset - 4, uintBytes(0x06));
    SetMemory(elem + HElems.shaderOffset, uintBytes(shader));
    SetMemory(elem + HElems.heightOffset, ReverseBytes(BitConverter.GetBytes(height)));
    SetMemory(elem + HElems.widthOffset, ReverseBytes(BitConverter.GetBytes(width)));
    SetMemory(elem + HElems.alignOffset, uintBytes(align));
    SetMemory(elem + HElems.textOffset + 4, ReverseBytes(BitConverter.GetBytes(sort)));
    SetMemory(elem + HElems.xOffset, ReverseBytes(BitConverter.GetBytes(x)));
    SetMemory(elem + HElems.yOffset, ReverseBytes(BitConverter.GetBytes(y)));
    SetMemory(elem + HElems.colorOffset, new byte[] { BitConverter.GetBytes(r)[0], BitConverter.GetBytes(g)[0], BitConverter.GetBytes(b)[0], BitConverter.GetBytes(a)[0] });
    }

    public void setText(uint elem, byte[] text, uint font, float fontScale, float x, float y, uint align, int r = 255, int g = 255, int b = 255, int a = 255)
    {
    SetMemory(elem, new byte[0xB4]);
    SetMemory(elem, new byte[] { 0x00, 0x00, 0x00, 0x01 });

    SetMemory(elem + HElems.textOffset, text);
    SetMemory(elem + HElems.relativeOffset, uintBytes(0x05));
    SetMemory(elem + HElems.relativeOffset - 4, uintBytes(0x06));
    SetMemory(elem + HElems.fontOffset, uintBytes(font));
    SetMemory(elem + HElems.alignOffset, uintBytes(align));
    SetMemory(elem + HElems.textOffset + 4, new byte[] { 0x40, 0x00 });
    SetMemory(elem + HElems.fontSizeOffset, ReverseBytes(BitConverter.GetBytes(fontScale)));
    SetMemory(elem + HElems.xOffset, ReverseBytes(BitConverter.GetBytes(x)));
    SetMemory(elem + HElems.yOffset, ReverseBytes(BitConverter.GetBytes(y)));
    SetMemory(elem + HElems.colorOffset, new byte[] { BitConverter.GetBytes(r)[0], BitConverter.GetBytes(g)[0], BitConverter.GetBytes(b)[0], BitConverter.GetBytes(a)[0] });
    }


    private void SetMemory(uint addr, byte[] val)
    {
    snresult = PS3TMAPI.ProcessSetMemory(0, PS3TMAPI.UnitType.PPU, ProcessID, 0xFFFFFFFF, addr, val);
    }

    private void RPC_Enable_124()
    {
    SetMemory(0x523B10, new byte[2175]);
    SetMemory(0x18BE6C, new byte[] { 0x60, 0x00, 0x00, 0x00 });
    SetMemory(0x3BC9CC, new byte[] { 0x60, 0x00, 0x00, 0x00 });
    SetMemory(0x18BE74, new byte[] { 0x48, 0x00, 0x00, 0x68 });
    SetMemory(0x1DB1244, new byte[4]);
    SetMemory(0x114AE64, new byte[4]);
    SetMemory(0x3BC9E4, new byte[] { 0x41, 0x82, 0x02, 0x20, 0x3D, 0x00, 0x00, 0x52, 0x80, 0x68, 0x3B, 0x10, 0x80, 0x88, 0x3B, 0x14, 0x80, 0xA8, 0x3B, 0x18, 0x80, 0xC8, 0x3B, 0x1C, 0x80, 0xE8, 0x3B, 0x20, 0x39, 0x00, 0x00, 0x00, 0x48, 0x00, 0x00, 0x1D, 0x3C, 0x80, 0x01, 0x15, 0x90, 0x64, 0xAE, 0x64, 0x38, 0x80, 0x00, 0x00, 0x3C, 0x60, 0x01, 0xDB, 0x90, 0x83, 0x12, 0x44, 0x48, 0x00, 0x01, 0xE8, 0x4E, 0x80, 0x00, 0x20, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00 });
    }

    private uint str_pointer(string str)
    {
    uint addr = 0x523B30;
    byte[] check = new byte[1];
    uint i;
    for (i = 0; i < 5; i++)
    {
    PS3TMAPI.ProcessGetMemory(0, PS3TMAPI.UnitType.PPU, ProcessID, 0xFFFFFFFF, addr, ref check);
    if (check[0] == 0x00) break;
    if (i == 4)
    {
    i = 0;
    break;
    }
    }
    addr = (0x523B30 + (i * 0x6Cool Man (aka Tustin));
    SetMemory(addr, new byte[0x68]);
    SetMemory(addr, Encoding.UTF8.GetBytes(str));
    return addr;
    }

    private void CallFunc(uint func_addr, uint param1 = 0, uint param2 = 0, uint param3 = 0, uint param4 = 0, uint param5 = 0)
    {
    byte[] par1 = BitConverter.GetBytes(param1);
    byte[] par2 = BitConverter.GetBytes(param2);
    byte[] par3 = BitConverter.GetBytes(param3);
    byte[] par4 = BitConverter.GetBytes(param4);
    byte[] par5 = BitConverter.GetBytes(param5);
    Array.Reverse(par1);
    Array.Reverse(par2);
    Array.Reverse(par3);
    Array.Reverse(par4);
    Array.Reverse(par5);
    SetMemory(0x523B10, par1);
    SetMemory(0x523B14, par2);
    SetMemory(0x523B18, par3);
    SetMemory(0x523B1C, par4);
    SetMemory(0x523B20, par5);
    SetMemory(0x3BCA04, MakeBl(0x3BCA04, func_addr));
    SetMemory(0x1DB1244, new byte[] { 0x00, 0x00, 0x00, 0x01 });
    System.Threading.Thread.Sleep(10);
    }

    private uint GetFuncReturn()
    {
    byte[] ret = new byte[4];
    PS3TMAPI.ProcessGetMemory(0, PS3TMAPI.UnitType.PPU, ProcessID, 0xFFFFFFFF, 0x114AE64, ref ret);
    Array.Reverse(ret);
    return BitConverter.ToUInt32(ret, 0);
    }

    private byte[] MakeBl(uint callAddr, uint addrToBlTo)
    {
    byte[] instruction = new byte[4];
    uint addr_t = (uint)(((int)addrToBlTo - (int)callAddr) + 1);
    if ((int)addrToBlTo > (int)callAddr) instruction[3] = 0x48;
    else
    {
    instruction[3] = 0x4B;
    addr_t = (uint)(0x1000000 - ((int)callAddr - (int)addrToBlTo) + 1);
    }
    byte[] addr = BitConverter.GetBytes(addr_t);
    for (int i = 0; i < 3; i++)
    {
    instruction = addr;
    }
    Array.Reverse(instruction);
    return instruction;
    }

    public void DestroyElem(uint elem)
    {
    SetMemory(elem, new byte[0xB4]);
    }

    public void spawnElem(int client, uint elemAddress)
    {
    SetMemory(elemAddress + 0xA8, ReverseBytes(BitConverter.GetBytes(client)));
    }

    public byte[] uintBytes(uint input)
    {
    byte[] data = BitConverter.GetBytes(input);
    Array.Reverse(data);
    return data;
    }

    public uint createText(string text)
    {
    CallFunc(0x1BE6CC, str_pointer(text));
    System.Threading.Thread.Sleep(10);
    return GetFuncReturn();
    }

    public byte[] ReverseBytes(byte[] inArray)
    {
    Array.Reverse(inArray);
    return inArray;
    }

    private uint HudElem_Alloc()
    {
    byte[] elem = new byte[1];
    uint add;
    for (int i = 0; i < 1024; i++)
    {
    add = (uint)(0xF0E10C + (i * 0xB7));
    PS3TMAPI.ProcessGetMemory(0, PS3TMAPI.UnitType.PPU, ProcessID, 0xFFFFFFFF, add, ref elem);
    if ((int)elem[0] == 0)
    {
    SetMemory(add, new byte[0xB1]);
    return add;
    }
    }
    return 0;
    }

    private void HudElem_DestroyAll()
    {
    SetMemory(0xF0E10C, new byte[184320]);
    }

    private int GetMaterialIndex(string str)
    {
    CallFunc(0x1BE744, str_pointer(str));
    return (int)GetFuncReturn();
    }


    That's all the functions you need for HUD elements and for RPC (remote procedure calls). Now, add this to the end of the function you use for attaching the process:

    RPC_Enable_124();


    That code will add a custom function into MW3 that allows you to call functions remotely (I'll explain how to do so later).



    Here's an example of spawning a Text HUD element:

    uint hud_example = HudElem_Alloc();
    setText(hud_example, uintBytes(createText("Example Text")), 6, 20, 170, 45, 1, 255, 0, 0, 255);
    spawnElem(0, hud_example);


    Here's an example of spawning a Shader HUD element:

    uint hud_example2 = HudElem_Alloc();
    setIcon(hud_example2, 1, 280, 100, 40, 30, 2, -10, 0, 0, 0, 150);
    spawnElem(0, hud_example2);


    Also, for anyone interested, here is the complete HUD elem structure thanks to aerosoul94: You must login or register to view this content.


    Remote Procedure Call

    Ok, all the code that you should have added to your program from above included all the funcs needed for RPC. Here's how to call a function remotely:

    For this example, I will use G_GivePlayerWeapon.

    First, you need the address of the function to call from within the elf. G_GivePlayerWeapon is located at 0x1C3034. Now you need the parameters for it. G_GivePlayerWeapon takes 3 parameters: clientState, weaponIndex, and altModelIndex.

    So to call the function, I would do something like this:

    uint G_GivePlayerWeapon = 0x1C3034;
    uint clientState = 0x110A280;
    CallFunc(G_GivePlayerWeapon, clientState, 1, 0);


    That code would give a Default Weapon to client number 0.

    RPC is a bit more advanced, so if what I just said made no sense to you, don't worry about it. Here's some good functions for you to have:

    uint Add_Ammo = 0x18A29C; //Add_Ammo(uint *g_entity, uint weaponIndex, uint weaponModel, uint count, uint fillClip)
    uint G_GivePlayerWeapon = 0x1C3034; //G_GivePlayerWeapon(uint *g_client, uint weaponIndex, uint altModelIndex)
    uint G_SetModel = 0x1BEF5C; //G_SetModel(uint *g_entity, char *modelName)
    uint Cmd_ExecuteSingleCommand = 0x1DB240; //Cmd_ExecuteSingleCommand(uint *localClientIndex, char *command)


    Here's an example of a function that uses a string as a parameter:

    uint G_SetModel = 0x1BEF5C;
    CallFunc(G_SetModel, 0xFCA280, str_pointer("com_plasticcase_beige_big"));


    str_pointer is needed whenever passing a string to CallFunc.

    And for those who are completely lost about RPC, here's a few little functions I wrote in C# to make some mods easier for you:

            private void SetModel(int client, string model)
    {
    CallFunc(0x1BEF5C, (uint)(0xFCA280 + (client * 0x280)), str_pointer(model));
    }

    private void SV_GameSendServerCommand(int client, string command)
    {
    CallFunc(0x228FA8, (uint)client, 0, str_pointer(command));
    }

    private void GiveWeapon(int client, int weaponIndex)
    {
    CallFunc(0x1C3034, (uint)(0x110A280 + (client * 0x3980)), (uint)weaponIndex, 0);
    CallFunc(0x18A29C, (uint)(0xFCA280 + (client * 0x280)), (uint)weaponIndex, 0, 9999, 1);
    }


    Examples using the above functions:

    SetModel(0, "com_plasticcase_beige_big"); //sets client 0's model to a Care Package

    SV_GameSendServerCommand(0, "c \"^2Hello there!\""); //prints "^2Hello there!" on client 0's screen

    GiveWeapon(0, 1); //Gives a default weapon with full ammo to client 0





    Well, that's it. All the secrets are out now. Hopefully some of you found this useful and will make some sick mods with it. Once again, all credit for HUD elems goes to aerosoul94.


    Enjoy guys Winky Winky



    looks like im going to be re-coding my menu again lol, anyway nice release, i wasnt really bothered about hud and setText but i might as well use it now its here Smile
  10. 05-21-2013, 10:17 AM
    riggstq's Avatar
    riggstq
    [move]Haters Gonna Hate[/move]
    riggstq's Avatar
    riggstq
    [move]Haters Gonna Hate[/move]
    1,109
    Posts
    11,621
    Reputation
    Aug 2012
    NextGenUpdate
    Originally Posted by Choco View Post
    You must login or register to view this content.


    Hey guys,

    Since everyone is starting to figure this out now, it's time to release. I've had it for quite awhile, but wouldn't have found it without aerosoul94, so big thanks to him. Also, a lot of my HUD functions have been adapted from Hacksorce's Xbox functions, so thanks to him. Also thanks to Carter and Godly for their research.



    Ok, so I'm going to be giving you all several things in this thread. Firstly, I am going to give you the functions needed to make your own HUD element menu in C#. Secondly, I am going to show you all how to call any MW3 function you want remotely (Remote Procedure Call).


    HUD Elements

    Ok, so first, you need to have your program set up to connect to your PS3. If you haven't done this, check out You must login or register to view this content..

    Now, you are going to add this code to your program:

            public static class HElems
    {
    public static uint
    xOffset = 0x08,
    yOffset = 0x04,
    textOffset = 0x84,
    fontOffset = 0x24,
    fontSizeOffset = 0x14,
    colorOffset = 0x30,
    relativeOffset = 0x2c,
    widthOffset = 0x44,
    heightOffset = 0x48,
    shaderOffset = 0x4c,
    GlowColor = 0x8C,
    alignOffset = 0x2C;
    }

    public void setIcon(uint elem, uint shader, int width, int height, float x, float y, uint align, float sort = 0, int r = 255, int g = 255, int b = 255, int a = 255)
    {
    SetMemory(elem, new byte[0xB4]);
    SetMemory(elem, new byte[] { 0x00, 0x00, 0x00, 0x04 });

    SetMemory(elem + HElems.relativeOffset, uintBytes(0x05));
    SetMemory(elem + HElems.relativeOffset - 4, uintBytes(0x06));
    SetMemory(elem + HElems.shaderOffset, uintBytes(shader));
    SetMemory(elem + HElems.heightOffset, ReverseBytes(BitConverter.GetBytes(height)));
    SetMemory(elem + HElems.widthOffset, ReverseBytes(BitConverter.GetBytes(width)));
    SetMemory(elem + HElems.alignOffset, uintBytes(align));
    SetMemory(elem + HElems.textOffset + 4, ReverseBytes(BitConverter.GetBytes(sort)));
    SetMemory(elem + HElems.xOffset, ReverseBytes(BitConverter.GetBytes(x)));
    SetMemory(elem + HElems.yOffset, ReverseBytes(BitConverter.GetBytes(y)));
    SetMemory(elem + HElems.colorOffset, new byte[] { BitConverter.GetBytes(r)[0], BitConverter.GetBytes(g)[0], BitConverter.GetBytes(b)[0], BitConverter.GetBytes(a)[0] });
    }

    public void setText(uint elem, byte[] text, uint font, float fontScale, float x, float y, uint align, int r = 255, int g = 255, int b = 255, int a = 255)
    {
    SetMemory(elem, new byte[0xB4]);
    SetMemory(elem, new byte[] { 0x00, 0x00, 0x00, 0x01 });

    SetMemory(elem + HElems.textOffset, text);
    SetMemory(elem + HElems.relativeOffset, uintBytes(0x05));
    SetMemory(elem + HElems.relativeOffset - 4, uintBytes(0x06));
    SetMemory(elem + HElems.fontOffset, uintBytes(font));
    SetMemory(elem + HElems.alignOffset, uintBytes(align));
    SetMemory(elem + HElems.textOffset + 4, new byte[] { 0x40, 0x00 });
    SetMemory(elem + HElems.fontSizeOffset, ReverseBytes(BitConverter.GetBytes(fontScale)));
    SetMemory(elem + HElems.xOffset, ReverseBytes(BitConverter.GetBytes(x)));
    SetMemory(elem + HElems.yOffset, ReverseBytes(BitConverter.GetBytes(y)));
    SetMemory(elem + HElems.colorOffset, new byte[] { BitConverter.GetBytes(r)[0], BitConverter.GetBytes(g)[0], BitConverter.GetBytes(b)[0], BitConverter.GetBytes(a)[0] });
    }


    private void SetMemory(uint addr, byte[] val)
    {
    snresult = PS3TMAPI.ProcessSetMemory(0, PS3TMAPI.UnitType.PPU, ProcessID, 0xFFFFFFFF, addr, val);
    }

    private void RPC_Enable_124()
    {
    SetMemory(0x523B10, new byte[2175]);
    SetMemory(0x18BE6C, new byte[] { 0x60, 0x00, 0x00, 0x00 });
    SetMemory(0x3BC9CC, new byte[] { 0x60, 0x00, 0x00, 0x00 });
    SetMemory(0x18BE74, new byte[] { 0x48, 0x00, 0x00, 0x68 });
    SetMemory(0x1DB1244, new byte[4]);
    SetMemory(0x114AE64, new byte[4]);
    SetMemory(0x3BC9E4, new byte[] { 0x41, 0x82, 0x02, 0x20, 0x3D, 0x00, 0x00, 0x52, 0x80, 0x68, 0x3B, 0x10, 0x80, 0x88, 0x3B, 0x14, 0x80, 0xA8, 0x3B, 0x18, 0x80, 0xC8, 0x3B, 0x1C, 0x80, 0xE8, 0x3B, 0x20, 0x39, 0x00, 0x00, 0x00, 0x48, 0x00, 0x00, 0x1D, 0x3C, 0x80, 0x01, 0x15, 0x90, 0x64, 0xAE, 0x64, 0x38, 0x80, 0x00, 0x00, 0x3C, 0x60, 0x01, 0xDB, 0x90, 0x83, 0x12, 0x44, 0x48, 0x00, 0x01, 0xE8, 0x4E, 0x80, 0x00, 0x20, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00 });
    }

    private uint str_pointer(string str)
    {
    uint addr = 0x523B30;
    byte[] check = new byte[1];
    uint i;
    for (i = 0; i < 5; i++)
    {
    PS3TMAPI.ProcessGetMemory(0, PS3TMAPI.UnitType.PPU, ProcessID, 0xFFFFFFFF, addr, ref check);
    if (check[0] == 0x00) break;
    if (i == 4)
    {
    i = 0;
    break;
    }
    }
    addr = (0x523B30 + (i * 0x6Cool Man (aka Tustin));
    SetMemory(addr, new byte[0x68]);
    SetMemory(addr, Encoding.UTF8.GetBytes(str));
    return addr;
    }

    private void CallFunc(uint func_addr, uint param1 = 0, uint param2 = 0, uint param3 = 0, uint param4 = 0, uint param5 = 0)
    {
    byte[] par1 = BitConverter.GetBytes(param1);
    byte[] par2 = BitConverter.GetBytes(param2);
    byte[] par3 = BitConverter.GetBytes(param3);
    byte[] par4 = BitConverter.GetBytes(param4);
    byte[] par5 = BitConverter.GetBytes(param5);
    Array.Reverse(par1);
    Array.Reverse(par2);
    Array.Reverse(par3);
    Array.Reverse(par4);
    Array.Reverse(par5);
    SetMemory(0x523B10, par1);
    SetMemory(0x523B14, par2);
    SetMemory(0x523B18, par3);
    SetMemory(0x523B1C, par4);
    SetMemory(0x523B20, par5);
    SetMemory(0x3BCA04, MakeBl(0x3BCA04, func_addr));
    SetMemory(0x1DB1244, new byte[] { 0x00, 0x00, 0x00, 0x01 });
    System.Threading.Thread.Sleep(10);
    }

    private uint GetFuncReturn()
    {
    byte[] ret = new byte[4];
    PS3TMAPI.ProcessGetMemory(0, PS3TMAPI.UnitType.PPU, ProcessID, 0xFFFFFFFF, 0x114AE64, ref ret);
    Array.Reverse(ret);
    return BitConverter.ToUInt32(ret, 0);
    }

    private byte[] MakeBl(uint callAddr, uint addrToBlTo)
    {
    byte[] instruction = new byte[4];
    uint addr_t = (uint)(((int)addrToBlTo - (int)callAddr) + 1);
    if ((int)addrToBlTo > (int)callAddr) instruction[3] = 0x48;
    else
    {
    instruction[3] = 0x4B;
    addr_t = (uint)(0x1000000 - ((int)callAddr - (int)addrToBlTo) + 1);
    }
    byte[] addr = BitConverter.GetBytes(addr_t);
    for (int i = 0; i < 3; i++)
    {
    instruction = addr;
    }
    Array.Reverse(instruction);
    return instruction;
    }

    public void DestroyElem(uint elem)
    {
    SetMemory(elem, new byte[0xB4]);
    }

    public void spawnElem(int client, uint elemAddress)
    {
    SetMemory(elemAddress + 0xA8, ReverseBytes(BitConverter.GetBytes(client)));
    }

    public byte[] uintBytes(uint input)
    {
    byte[] data = BitConverter.GetBytes(input);
    Array.Reverse(data);
    return data;
    }

    public uint createText(string text)
    {
    CallFunc(0x1BE6CC, str_pointer(text));
    System.Threading.Thread.Sleep(10);
    return GetFuncReturn();
    }

    public byte[] ReverseBytes(byte[] inArray)
    {
    Array.Reverse(inArray);
    return inArray;
    }

    private uint HudElem_Alloc()
    {
    byte[] elem = new byte[1];
    uint add;
    for (int i = 0; i < 1024; i++)
    {
    add = (uint)(0xF0E10C + (i * 0xB7));
    PS3TMAPI.ProcessGetMemory(0, PS3TMAPI.UnitType.PPU, ProcessID, 0xFFFFFFFF, add, ref elem);
    if ((int)elem[0] == 0)
    {
    SetMemory(add, new byte[0xB1]);
    return add;
    }
    }
    return 0;
    }

    private void HudElem_DestroyAll()
    {
    SetMemory(0xF0E10C, new byte[184320]);
    }

    private int GetMaterialIndex(string str)
    {
    CallFunc(0x1BE744, str_pointer(str));
    return (int)GetFuncReturn();
    }


    That's all the functions you need for HUD elements and for RPC (remote procedure calls). Now, add this to the end of the function you use for attaching the process:

    RPC_Enable_124();


    That code will add a custom function into MW3 that allows you to call functions remotely (I'll explain how to do so later).



    Here's an example of spawning a Text HUD element:

    uint hud_example = HudElem_Alloc();
    setText(hud_example, uintBytes(createText("Example Text")), 6, 20, 170, 45, 1, 255, 0, 0, 255);
    spawnElem(0, hud_example);


    Here's an example of spawning a Shader HUD element:

    uint hud_example2 = HudElem_Alloc();
    setIcon(hud_example2, 1, 280, 100, 40, 30, 2, -10, 0, 0, 0, 150);
    spawnElem(0, hud_example2);


    Also, for anyone interested, here is the complete HUD elem structure thanks to aerosoul94: You must login or register to view this content.


    Remote Procedure Call

    Ok, all the code that you should have added to your program from above included all the funcs needed for RPC. Here's how to call a function remotely:

    For this example, I will use G_GivePlayerWeapon.

    First, you need the address of the function to call from within the elf. G_GivePlayerWeapon is located at 0x1C3034. Now you need the parameters for it. G_GivePlayerWeapon takes 3 parameters: clientState, weaponIndex, and altModelIndex.

    So to call the function, I would do something like this:

    uint G_GivePlayerWeapon = 0x1C3034;
    uint clientState = 0x110A280;
    CallFunc(G_GivePlayerWeapon, clientState, 1, 0);


    That code would give a Default Weapon to client number 0.

    RPC is a bit more advanced, so if what I just said made no sense to you, don't worry about it. Here's some good functions for you to have:

    uint Add_Ammo = 0x18A29C; //Add_Ammo(uint *g_entity, uint weaponIndex, uint weaponModel, uint count, uint fillClip)
    uint G_GivePlayerWeapon = 0x1C3034; //G_GivePlayerWeapon(uint *g_client, uint weaponIndex, uint altModelIndex)
    uint G_SetModel = 0x1BEF5C; //G_SetModel(uint *g_entity, char *modelName)
    uint Cmd_ExecuteSingleCommand = 0x1DB240; //Cmd_ExecuteSingleCommand(uint *localClientIndex, char *command)


    Here's an example of a function that uses a string as a parameter:

    uint G_SetModel = 0x1BEF5C;
    CallFunc(G_SetModel, 0xFCA280, str_pointer("com_plasticcase_beige_big"));


    str_pointer is needed whenever passing a string to CallFunc.

    And for those who are completely lost about RPC, here's a few little functions I wrote in C# to make some mods easier for you:

            private void SetModel(int client, string model)
    {
    CallFunc(0x1BEF5C, (uint)(0xFCA280 + (client * 0x280)), str_pointer(model));
    }

    private void SV_GameSendServerCommand(int client, string command)
    {
    CallFunc(0x228FA8, (uint)client, 0, str_pointer(command));
    }

    private void GiveWeapon(int client, int weaponIndex)
    {
    CallFunc(0x1C3034, (uint)(0x110A280 + (client * 0x3980)), (uint)weaponIndex, 0);
    CallFunc(0x18A29C, (uint)(0xFCA280 + (client * 0x280)), (uint)weaponIndex, 0, 9999, 1);
    }


    Examples using the above functions:

    SetModel(0, "com_plasticcase_beige_big"); //sets client 0's model to a Care Package

    SV_GameSendServerCommand(0, "c \"^2Hello there!\""); //prints "^2Hello there!" on client 0's screen

    GiveWeapon(0, 1); //Gives a default weapon with full ammo to client 0





    Well, that's it. All the secrets are out now. Hopefully some of you found this useful and will make some sick mods with it. Once again, all credit for HUD elems goes to aerosoul94.


    Enjoy guys Winky Winky


    just wondering but are ngu elite member EVER going to see a menu? its been id say like 2 months since you showed us a "preview" of it, is it not about time we got to use something :P (also unsure if this is a rule 100% but if you show a preview arent you meant to release within 2 weeks or have the thread closed? i know ive seen this happen to newer members, why is it different for moderators?)

    sorry to act like im breaking your balls, its just these are a few questions ive had for a while and thought why not ask now...
  11. 05-21-2013, 10:54 AM
    Mango_Knife's Avatar
    Mango_Knife
    In my man cave
    Mango_Knife's Avatar
    Mango_Knife
    In my man cave
    3,599
    Posts
    38,731
    Reputation
    Sep 2012
    NextGenUpdate
    Originally Posted by Choco View Post
    You must login or register to view this content.


    Hey guys,

    Since everyone is starting to figure this out now, it's time to release. I've had it for quite awhile, but wouldn't have found it without aerosoul94, so big thanks to him. Also, a lot of my HUD functions have been adapted from Hacksorce's Xbox functions, so thanks to him. Also thanks to Carter and Godly for their research.



    Ok, so I'm going to be giving you all several things in this thread. Firstly, I am going to give you the functions needed to make your own HUD element menu in C#. Secondly, I am going to show you all how to call any MW3 function you want remotely (Remote Procedure Call).


    HUD Elements

    Ok, so first, you need to have your program set up to connect to your PS3. If you haven't done this, check out You must login or register to view this content..

    Now, you are going to add this code to your program:

            public static class HElems
    {
    public static uint
    xOffset = 0x08,
    yOffset = 0x04,
    textOffset = 0x84,
    fontOffset = 0x24,
    fontSizeOffset = 0x14,
    colorOffset = 0x30,
    relativeOffset = 0x2c,
    widthOffset = 0x44,
    heightOffset = 0x48,
    shaderOffset = 0x4c,
    GlowColor = 0x8C,
    alignOffset = 0x2C;
    }

    public void setIcon(uint elem, uint shader, int width, int height, float x, float y, uint align, float sort = 0, int r = 255, int g = 255, int b = 255, int a = 255)
    {
    SetMemory(elem, new byte[0xB4]);
    SetMemory(elem, new byte[] { 0x00, 0x00, 0x00, 0x04 });

    SetMemory(elem + HElems.relativeOffset, uintBytes(0x05));
    SetMemory(elem + HElems.relativeOffset - 4, uintBytes(0x06));
    SetMemory(elem + HElems.shaderOffset, uintBytes(shader));
    SetMemory(elem + HElems.heightOffset, ReverseBytes(BitConverter.GetBytes(height)));
    SetMemory(elem + HElems.widthOffset, ReverseBytes(BitConverter.GetBytes(width)));
    SetMemory(elem + HElems.alignOffset, uintBytes(align));
    SetMemory(elem + HElems.textOffset + 4, ReverseBytes(BitConverter.GetBytes(sort)));
    SetMemory(elem + HElems.xOffset, ReverseBytes(BitConverter.GetBytes(x)));
    SetMemory(elem + HElems.yOffset, ReverseBytes(BitConverter.GetBytes(y)));
    SetMemory(elem + HElems.colorOffset, new byte[] { BitConverter.GetBytes(r)[0], BitConverter.GetBytes(g)[0], BitConverter.GetBytes(b)[0], BitConverter.GetBytes(a)[0] });
    }

    public void setText(uint elem, byte[] text, uint font, float fontScale, float x, float y, uint align, int r = 255, int g = 255, int b = 255, int a = 255)
    {
    SetMemory(elem, new byte[0xB4]);
    SetMemory(elem, new byte[] { 0x00, 0x00, 0x00, 0x01 });

    SetMemory(elem + HElems.textOffset, text);
    SetMemory(elem + HElems.relativeOffset, uintBytes(0x05));
    SetMemory(elem + HElems.relativeOffset - 4, uintBytes(0x06));
    SetMemory(elem + HElems.fontOffset, uintBytes(font));
    SetMemory(elem + HElems.alignOffset, uintBytes(align));
    SetMemory(elem + HElems.textOffset + 4, new byte[] { 0x40, 0x00 });
    SetMemory(elem + HElems.fontSizeOffset, ReverseBytes(BitConverter.GetBytes(fontScale)));
    SetMemory(elem + HElems.xOffset, ReverseBytes(BitConverter.GetBytes(x)));
    SetMemory(elem + HElems.yOffset, ReverseBytes(BitConverter.GetBytes(y)));
    SetMemory(elem + HElems.colorOffset, new byte[] { BitConverter.GetBytes(r)[0], BitConverter.GetBytes(g)[0], BitConverter.GetBytes(b)[0], BitConverter.GetBytes(a)[0] });
    }


    private void SetMemory(uint addr, byte[] val)
    {
    snresult = PS3TMAPI.ProcessSetMemory(0, PS3TMAPI.UnitType.PPU, ProcessID, 0xFFFFFFFF, addr, val);
    }

    private void RPC_Enable_124()
    {
    SetMemory(0x523B10, new byte[2175]);
    SetMemory(0x18BE6C, new byte[] { 0x60, 0x00, 0x00, 0x00 });
    SetMemory(0x3BC9CC, new byte[] { 0x60, 0x00, 0x00, 0x00 });
    SetMemory(0x18BE74, new byte[] { 0x48, 0x00, 0x00, 0x68 });
    SetMemory(0x1DB1244, new byte[4]);
    SetMemory(0x114AE64, new byte[4]);
    SetMemory(0x3BC9E4, new byte[] { 0x41, 0x82, 0x02, 0x20, 0x3D, 0x00, 0x00, 0x52, 0x80, 0x68, 0x3B, 0x10, 0x80, 0x88, 0x3B, 0x14, 0x80, 0xA8, 0x3B, 0x18, 0x80, 0xC8, 0x3B, 0x1C, 0x80, 0xE8, 0x3B, 0x20, 0x39, 0x00, 0x00, 0x00, 0x48, 0x00, 0x00, 0x1D, 0x3C, 0x80, 0x01, 0x15, 0x90, 0x64, 0xAE, 0x64, 0x38, 0x80, 0x00, 0x00, 0x3C, 0x60, 0x01, 0xDB, 0x90, 0x83, 0x12, 0x44, 0x48, 0x00, 0x01, 0xE8, 0x4E, 0x80, 0x00, 0x20, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00 });
    }

    private uint str_pointer(string str)
    {
    uint addr = 0x523B30;
    byte[] check = new byte[1];
    uint i;
    for (i = 0; i < 5; i++)
    {
    PS3TMAPI.ProcessGetMemory(0, PS3TMAPI.UnitType.PPU, ProcessID, 0xFFFFFFFF, addr, ref check);
    if (check[0] == 0x00) break;
    if (i == 4)
    {
    i = 0;
    break;
    }
    }
    addr = (0x523B30 + (i * 0x6Cool Man (aka Tustin));
    SetMemory(addr, new byte[0x68]);
    SetMemory(addr, Encoding.UTF8.GetBytes(str));
    return addr;
    }

    private void CallFunc(uint func_addr, uint param1 = 0, uint param2 = 0, uint param3 = 0, uint param4 = 0, uint param5 = 0)
    {
    byte[] par1 = BitConverter.GetBytes(param1);
    byte[] par2 = BitConverter.GetBytes(param2);
    byte[] par3 = BitConverter.GetBytes(param3);
    byte[] par4 = BitConverter.GetBytes(param4);
    byte[] par5 = BitConverter.GetBytes(param5);
    Array.Reverse(par1);
    Array.Reverse(par2);
    Array.Reverse(par3);
    Array.Reverse(par4);
    Array.Reverse(par5);
    SetMemory(0x523B10, par1);
    SetMemory(0x523B14, par2);
    SetMemory(0x523B18, par3);
    SetMemory(0x523B1C, par4);
    SetMemory(0x523B20, par5);
    SetMemory(0x3BCA04, MakeBl(0x3BCA04, func_addr));
    SetMemory(0x1DB1244, new byte[] { 0x00, 0x00, 0x00, 0x01 });
    System.Threading.Thread.Sleep(10);
    }

    private uint GetFuncReturn()
    {
    byte[] ret = new byte[4];
    PS3TMAPI.ProcessGetMemory(0, PS3TMAPI.UnitType.PPU, ProcessID, 0xFFFFFFFF, 0x114AE64, ref ret);
    Array.Reverse(ret);
    return BitConverter.ToUInt32(ret, 0);
    }

    private byte[] MakeBl(uint callAddr, uint addrToBlTo)
    {
    byte[] instruction = new byte[4];
    uint addr_t = (uint)(((int)addrToBlTo - (int)callAddr) + 1);
    if ((int)addrToBlTo > (int)callAddr) instruction[3] = 0x48;
    else
    {
    instruction[3] = 0x4B;
    addr_t = (uint)(0x1000000 - ((int)callAddr - (int)addrToBlTo) + 1);
    }
    byte[] addr = BitConverter.GetBytes(addr_t);
    for (int i = 0; i < 3; i++)
    {
    instruction = addr;
    }
    Array.Reverse(instruction);
    return instruction;
    }

    public void DestroyElem(uint elem)
    {
    SetMemory(elem, new byte[0xB4]);
    }

    public void spawnElem(int client, uint elemAddress)
    {
    SetMemory(elemAddress + 0xA8, ReverseBytes(BitConverter.GetBytes(client)));
    }

    public byte[] uintBytes(uint input)
    {
    byte[] data = BitConverter.GetBytes(input);
    Array.Reverse(data);
    return data;
    }

    public uint createText(string text)
    {
    CallFunc(0x1BE6CC, str_pointer(text));
    System.Threading.Thread.Sleep(10);
    return GetFuncReturn();
    }

    public byte[] ReverseBytes(byte[] inArray)
    {
    Array.Reverse(inArray);
    return inArray;
    }

    private uint HudElem_Alloc()
    {
    byte[] elem = new byte[1];
    uint add;
    for (int i = 0; i < 1024; i++)
    {
    add = (uint)(0xF0E10C + (i * 0xB7));
    PS3TMAPI.ProcessGetMemory(0, PS3TMAPI.UnitType.PPU, ProcessID, 0xFFFFFFFF, add, ref elem);
    if ((int)elem[0] == 0)
    {
    SetMemory(add, new byte[0xB1]);
    return add;
    }
    }
    return 0;
    }

    private void HudElem_DestroyAll()
    {
    SetMemory(0xF0E10C, new byte[184320]);
    }

    private int GetMaterialIndex(string str)
    {
    CallFunc(0x1BE744, str_pointer(str));
    return (int)GetFuncReturn();
    }


    That's all the functions you need for HUD elements and for RPC (remote procedure calls). Now, add this to the end of the function you use for attaching the process:

    RPC_Enable_124();


    That code will add a custom function into MW3 that allows you to call functions remotely (I'll explain how to do so later).



    Here's an example of spawning a Text HUD element:

    uint hud_example = HudElem_Alloc();
    setText(hud_example, uintBytes(createText("Example Text")), 6, 20, 170, 45, 1, 255, 0, 0, 255);
    spawnElem(0, hud_example);


    Here's an example of spawning a Shader HUD element:

    uint hud_example2 = HudElem_Alloc();
    setIcon(hud_example2, 1, 280, 100, 40, 30, 2, -10, 0, 0, 0, 150);
    spawnElem(0, hud_example2);


    Also, for anyone interested, here is the complete HUD elem structure thanks to aerosoul94: You must login or register to view this content.


    Remote Procedure Call

    Ok, all the code that you should have added to your program from above included all the funcs needed for RPC. Here's how to call a function remotely:

    For this example, I will use G_GivePlayerWeapon.

    First, you need the address of the function to call from within the elf. G_GivePlayerWeapon is located at 0x1C3034. Now you need the parameters for it. G_GivePlayerWeapon takes 3 parameters: clientState, weaponIndex, and altModelIndex.

    So to call the function, I would do something like this:

    uint G_GivePlayerWeapon = 0x1C3034;
    uint clientState = 0x110A280;
    CallFunc(G_GivePlayerWeapon, clientState, 1, 0);


    That code would give a Default Weapon to client number 0.

    RPC is a bit more advanced, so if what I just said made no sense to you, don't worry about it. Here's some good functions for you to have:

    uint Add_Ammo = 0x18A29C; //Add_Ammo(uint *g_entity, uint weaponIndex, uint weaponModel, uint count, uint fillClip)
    uint G_GivePlayerWeapon = 0x1C3034; //G_GivePlayerWeapon(uint *g_client, uint weaponIndex, uint altModelIndex)
    uint G_SetModel = 0x1BEF5C; //G_SetModel(uint *g_entity, char *modelName)
    uint Cmd_ExecuteSingleCommand = 0x1DB240; //Cmd_ExecuteSingleCommand(uint *localClientIndex, char *command)


    Here's an example of a function that uses a string as a parameter:

    uint G_SetModel = 0x1BEF5C;
    CallFunc(G_SetModel, 0xFCA280, str_pointer("com_plasticcase_beige_big"));


    str_pointer is needed whenever passing a string to CallFunc.

    And for those who are completely lost about RPC, here's a few little functions I wrote in C# to make some mods easier for you:

            private void SetModel(int client, string model)
    {
    CallFunc(0x1BEF5C, (uint)(0xFCA280 + (client * 0x280)), str_pointer(model));
    }

    private void SV_GameSendServerCommand(int client, string command)
    {
    CallFunc(0x228FA8, (uint)client, 0, str_pointer(command));
    }

    private void GiveWeapon(int client, int weaponIndex)
    {
    CallFunc(0x1C3034, (uint)(0x110A280 + (client * 0x3980)), (uint)weaponIndex, 0);
    CallFunc(0x18A29C, (uint)(0xFCA280 + (client * 0x280)), (uint)weaponIndex, 0, 9999, 1);
    }


    Examples using the above functions:

    SetModel(0, "com_plasticcase_beige_big"); //sets client 0's model to a Care Package

    SV_GameSendServerCommand(0, "c \"^2Hello there!\""); //prints "^2Hello there!" on client 0's screen

    GiveWeapon(0, 1); //Gives a default weapon with full ammo to client 0





    Well, that's it. All the secrets are out now. Hopefully some of you found this useful and will make some sick mods with it. Once again, all credit for HUD elems goes to aerosoul94.


    Enjoy guys Winky Winky


    Awesome
    I Can see it now many mw3 mod menus are going to come Smile