29
"Integrity Check Bypass memcpy Method"
80000008
Auto Assembler Script
//Crysis 3
//Integrity Check Bypass Rev 001
//Steve Andrew ;)
//Special Thanks: Dark Byte
[enable]
alloc(IntegrityCheckBypass,256)
alloc(OnTheFlyCopy,42352640) //Crysis3.exe image base + 0x1000 - Crysis3.exe image base + 0x2865000
aobscan(IntegrityCheckAddress,0f b6 39 8b f0 c1 ee 18 33 f7 c1 e0 08 33)
label(IntegrityCheckRet)
label(SkipMakingCopy)
label(NotInDumpRange)
label(IntegrityCheckAddy)
registersymbol(IntegrityCheckAddy)
IntegrityCheckBypass:
cmp [OnTheFlyCopy],0
jne SkipMakingCopy
push ecx
lea esi,[Crysis3.exe+1000]
lea edi,[OnTheFlyCopy]
mov ecx,2864000
repe movsb
//Fix this bypass hook itself in copy :D
mov ecx,IntegrityCheckAddress
sub ecx,Crysis3.exe+1000
lea edi,[OnTheFlyCopy]
mov [edi+ecx],8b39b60f //movzx edi,byte ptr [ecx]
mov byte ptr [edi+ecx+4],f0 //mov esi,eax
pop ecx
SkipMakingCopy:
cmp ecx,Crysis3.exe+1000
jb NotInDumpRange
cmp ecx,Crysis3.exe+2865000
ja NotInDumpRange
sub ecx,Crysis3.exe+1000
add ecx,OnTheFlyCopy
NotInDumpRange:
movzx edi,byte ptr [ecx]
mov esi,eax
jmp IntegrityCheckRet
OnTheFlyCopy:
dd 0
IntegrityCheckAddress:
IntegrityCheckAddy:
jmp IntegrityCheckBypass
IntegrityCheckRet:
[disable]
IntegrityCheckAddy:
movzx edi,byte ptr [ecx]
mov esi,eax
dealloc(IntegrityCheckBypass)
dealloc(OnTheFlyCopy)
unregistersymbol(IntegrityCheckAddy)
343
"Integrity Check Bypass Checksum Spoofer Method v2.0"
80000008
Auto Assembler Script
//Integrity Check Bypass [Checksum Spoofer Method] V2.0 ;)
//Simplified! Smaller Footprint!
//Crysis 3
//Steve Andrew
[enable]
alloc(CopierAndHookerThread,512)
aobscan(CheckRoutineHookAddress, 0f b6 39 8b f0 c1 ee 18 33)
label(CheckRoutineHookAddy)
label(HookHider) //Hide's hooks
label(ChecksumSpooferVersion2) //Spoofs Checksums
label(Checksums)
label(ChecksumIndex)
label(CurrentChecksumBaseAddress)
label(NumberOfCorrectChecksums)
label(IntegrityCheckBytes)
label(KeepCounting)
label(SizeOfAreaToProtect)
label(GotSizeOfAreaToProtect)
label(PlaceHook)
label(AlreadyGotChecksums)
label(KeepCapturingChecksums)
label(GetNextValidChecksum)
label(ReturnValidChecksum)
label(SkipHidingTheseHooks)
registersymbol(CheckRoutineHookAddy)
registersymbol(Checksums)
registersymbol(ChecksumIndex)
registersymbol(NumberOfCorrectChecksums)
createthread(CopierAndHookerThread)
CopierAndHookerThread:
push 0a
call Sleep
mov eax,CheckRoutineHookAddy
test eax,eax
je CopierAndHookerThread
xor ecx,ecx
KeepCounting:
cmp dword ptr [eax-4],c35e5fe8
je GotSizeOfAreaToProtect
inc eax
inc ecx
jmp KeepCounting
GotSizeOfAreaToProtect:
mov [SizeOfAreaToProtect],ecx
mov esi,CheckRoutineHookAddress
mov edi,IntegrityCheckBytes
repe movsb
//No need to fix any bytes, since we haven't touched them yet! ;)
//Do main hook (to hide both hooks)
push HookHider
push CheckRoutineHookAddy
call PlaceHook
//Do second hook (to capture and then return valid checksums)
mov ecx,CheckRoutineHookAddy
add ecx,[SizeOfAreaToProtect]
sub ecx,5 //Now points to: jne CheckRoutineHookAddress
push ChecksumSpooferVersion2
push ecx
call PlaceHook
ret
//void __stdcall PlaceHook(void *From, void *To)
PlaceHook:
mov eax,[esp+8] //to
mov ebx,[esp+4] //from
sub eax,ebx
sub eax,5
mov byte [ebx],e9
mov [ebx+1],eax
ret 8
//so we can get the return value / correct checksums + sizes
ChecksumSpooferVersion2:
jne HookHider //until edx is zero keep calculating that checksum
//Done now capture however many checksums there are
//Or return the correct valid checksum once we already have! ;)
mov edi,[esp+0c] //[esp+0c] == Checksum Base Address; [esp+10] == Checksum Size
mov [CurrentChecksumBaseAddress],edi
pushfd
mov edi,[NumberOfCorrectChecksums]
cmp [ChecksumIndex],edi
je AlreadyGotChecksums
//Compare first checksum with current checksum
//If they are equal, then we've captured all checksums!
cmp [Checksums+4],eax
jne KeepCapturingChecksums
mov edi,[ChecksumIndex]
mov [NumberOfCorrectChecksums],edi
jmp AlreadyGotChecksums
KeepCapturingChecksums:
push ebx
push ecx
push edx
mov ebx,Checksums
mov ecx,[ChecksumIndex]
mov edx,[CurrentChecksumBaseAddress]
mov [ebx+ecx*8],edx //backup checksum base address
mov [ebx+ecx*8+4],eax //backup checksum itself
inc [ChecksumIndex]
pop edx
pop ecx
pop ebx
popfd
pop edi
pop esi
ret
AlreadyGotChecksums:
push ebx
push ecx
push edx
xor edx,edx
mov ebx,Checksums
mov ecx,[CurrentChecksumBaseAddress]
GetNextValidChecksum:
cmp [ebx+edx*8],ecx
je ReturnValidChecksum
inc edx
jmp GetNextValidChecksum
ReturnValidChecksum:
mov eax,[ebx+edx*8+4] //Return Correct VALID Checksum :D
pop edx
pop ecx
pop ebx
popfd
pop edi
pop esi
ret
HookHider:
pushfd
mov edi,CheckRoutineHookAddy
cmp ecx,edi
jb SkipHidingTheseHooks
add edi,[SizeOfAreaToProtect]
cmp ecx,edi
jae SkipHidingTheseHooks
//DONT! touch ECX at all cost! :D LOL
mov edi,ecx
sub edi,CheckRoutineHookAddress
add edi,IntegrityCheckBytes
movzx edi,byte [edi]
jmp SkipHidingTheseHooks+3
//It isn't checking within the small surface area of our hooks
//So it's okay to let it pass through normally
SkipHidingTheseHooks:
movzx edi,byte [ecx]
mov esi,eax
popfd
jmp CheckRoutineHookAddress+5
SizeOfAreaToProtect:
dd 0
CurrentChecksumBaseAddress:
dd 0
ChecksumIndex:
dd 0
NumberOfCorrectChecksums:
dd 539
Checksums: //enough room for up to 10 checksums + base addies at the moment :D
dd 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
IntegrityCheckBytes:
dd 0
//Don't hook it here, just make our registered symbol match it ;)
CheckRoutineHookAddress:
CheckRoutineHookAddy:
[disable]
unregistersymbol(CheckRoutineHookAddy)
unregistersymbol(Checksums)
unregistersymbol(ChecksumIndex)
unregistersymbol(NumberOfCorrectChecksums)
349
"Number Of Correct Checksums"
80000008
4 Bytes
NumberOfCorrectChecksums
344
"Checksum Index"
80000008
4 Bytes
ChecksumIndex
345
"Checksum 1"
1
80000008
4 Bytes
Checksums+4
346
"Checksum 2"
1
80000008
4 Bytes
Checksums+c
347
"Checksum 3"
1
80000008
4 Bytes
Checksums+14
350
"Checksum 4"
1
80000008
4 Bytes
Checksums+1c
351
"Checksum 5"
1
80000008
4 Bytes
Checksums+24
352
"Checksum 6"
1
80000008
4 Bytes
Checksums+2c
193
"Infinite Health [Steve Andrew + DarKDragonSlayer]"
80000008
Auto Assembler Script
//Crysis 3
//Infinite Health
//Steve Andrew /w Credit To: DDS (♦ DarKDragonSlayer ♦)
//Thanks for helping me DDS!
[enable]
alloc(InfiniteHealth,64)
aobscan(PlayerOnlyHealthAddress,8b 56 ? ? ? 89 54 24 ? 8b 01 d9 44 24)
label(PlayerOnlyHealthAddy)
label(HealthRet)
label(FullHealthValue)
registersymbol(PlayerOnlyHealthAddy)
InfiniteHealth:
mov edx,[FullHealthValue]
xor edx,eax //eax contains encryption/decryption key here ;)
mov [esi+24],edx //copy encrypted full health to player health addy
xor edx,eax //have decrypted value in edx before jumping back
jmp HealthRet
FullHealthValue:
dd (float)1000
PlayerOnlyHealthAddress:
PlayerOnlyHealthAddy:
jmp InfiniteHealth
HealthRet:
[disable]
PlayerOnlyHealthAddy:
mov edx,[esi+24]
xor edx,eax
dealloc(InfiniteHealth)
unregistersymbol(PlayerOnlyHealthAddy)
194
"Kill Me (If you get stuck / fall off somewhere)"
80000008
Auto Assembler Script
[enable]
alloc(KillMe,64)
aobscan(EveryonesHealthAddress,8b 49 24 ? ? 89 0c 24 0f 57 c0 0f 2f 04 24)
label(EveryonesHealthAddy)
label(EveryonesHealthRet)
label(ZeroHealth)
registersymbol(EveryonesHealthAddy)
KillMe:
push ebx
mov ebx,[ZeroHealth]
xor ebx,eax
mov [ecx+24],ebx
mov ecx,ebx
pop ebx
jmp EveryonesHealthRet
ZeroHealth:
dd (float)0
EveryonesHealthAddress:
EveryonesHealthAddy:
jmp KillMe
EveryonesHealthRet:
[disable]
EveryonesHealthAddy:
mov ecx,[ecx+24]
xor ecx,eax
dealloc(KillMe)
unregistersymbol(EveryonesHealthAddy)
2
"Infinite Ammo + No Reload"
80000008
Auto Assembler Script
//Infinite Ammo + No Reload
//Crysis 3
[enable]
alloc(NoReload,64)
aobscan(NoReloadAddress,89 42 04 b0 01 5b 83 c4 08 c3)
label(NoReloadAddy)
label(NoReloadRet)
label(AmmoAddy)
registersymbol(NoReloadAddy)
registersymbol(AmmoAddy)
NoReload:
mov eax,9
mov [AmmoAddy],edx
mov [edx+4],eax
mov al,1
jmp NoReloadRet
AmmoAddy:
dd 0
NoReloadAddress:
NoReloadAddy:
jmp NoReload
NoReloadRet:
[disable]
NoReloadAddy:
mov [edx+4],eax
mov al,1
dealloc(NoReload)
unregistersymbol(NoReloadAddy)
unregistersymbol(AmmoAddy)
40
"Infinite Arrows v2.0"
80000008
Auto Assembler Script
[enable]
alloc(InfiniteArrowsVersion2,64)
aobscan(ArrowsAddress2,89 30 eb 0f 8d 4c 24 14 51 8d 4f)
label(ArrowsAddy2)
registersymbol(ArrowsAddy2)
InfiniteArrowsVersion2:
mov esi,9
mov [eax],esi
jmp ArrowsAddress2+13
ArrowsAddress2:
ArrowsAddy2:
jmp InfiniteArrowsVersion2
db 90 90 90
[disable]
ArrowsAddy2:
db 89 30 eb 0f 8d 4c 24 14
dealloc(InfiniteArrowsVersion2)
unregistersymbol(ArrowsAddy2)
32
"Infinite Energy"
80000008
Auto Assembler Script
[enable]
alloc(InfiniteEnergy,64)
aobscan(EnergyAddress,d9 00 8b 52 08 53 51 d9 1c 24 ff d2)
label(EnergyRet)
label(EnergyAddy)
label(FullEnergy)
registersymbol(EnergyAddy)
InfiniteEnergy:
fld dword ptr [FullEnergy]
mov edx,[edx+08]
jmp EnergyRet
FullEnergy:
dd (float)100
EnergyAddress:
EnergyAddy:
jmp InfiniteEnergy
EnergyRet:
[disable]
EnergyAddy:
db d9 00 8b 52 08
dealloc(InfiniteEnergy)
unregistersymbol(EnergyAddy)
214
"Infinite Cloak Time"
80000008
Auto Assembler Script
[enable]
alloc(InfiniteCloakTime,64)
aobscan(CloakTimeAddress,de c9 d9 1e 5e 83 c4 10 c2 04 00)
label(CloakTimeAddy)
label(DesiredCloakTimeValue)
registersymbol(CloakTimeAddy)
InfiniteCloakTime:
fstp st(0)
fld dword ptr [DesiredCloakTimeValue]
fstp dword ptr [esi]
pop esi
add esp,10
ret 4
DesiredCloakTimeValue:
dd (float)20 //freeze it at 20 seconds cloak time
CloakTimeAddress+2:
CloakTimeAddy:
jmp InfiniteCloakTime
nop
[disable]
CloakTimeAddy:
fstp dword ptr [esi]
pop esi
add esp,10
dealloc(InfiniteCloakTime)
unregistersymbol(CloakTimeAddy)
333
"Teleport Fly"
80000008
Auto Assembler Script
//Crysis 3
//Teleport Fly Hack
//Steve Andrew
[enable]
alloc(TeleportFly,128)
alloc(KeyHandlerThread,256)
aobscan(TeleportFlyAddress,8b 4e 74 8b 56 78 8b 46 7c 89 4d ? 89 55 ? 89 45)
label(TeleportFlyAddy)
label(ExitKeyHandler)
label(ToggleOnOff)
label(TeleportFlyFullyDisabled)
label(TestKeyAndIncreaseDecreaseIfNeeded)
label(IncreaseIt)
label(NotPressed)
label(InitialLiftAmount)
label(FlySpeed)
label(TeleportFlyEnabled)
label(CurrentCoords)
label(AlreadyGotCoords)
label(TeleportRet)
label(pPlayer)
createthread(KeyHandlerThread)
registersymbol(TeleportFlyAddy)
registersymbol(TeleportFlyFullyDisabled)
registersymbol(CurrentCoords)
registersymbol(FlySpeed)
registersymbol(pPlayer)
TeleportFly:
mov edx,[esi+78]
mov eax,[esi+7c]
cmp [esi+d4],2 //Not player if it's not 2
jne TeleportRet
mov [pPlayer],esi
cmp [TeleportFlyEnabled],1
jne TeleportRet
cmp [CurrentCoords],0
jne AlreadyGotCoords
mov [CurrentCoords],ecx //X
mov [CurrentCoords+4],edx //Y
mov [CurrentCoords+8],eax //Z
fld dword ptr [CurrentCoords+8]
fadd dword ptr [InitialLiftAmount] //Lift you up a little bit to start ;)
fstp dword ptr [CurrentCoords+8]
AlreadyGotCoords:
mov ecx,[CurrentCoords]
mov edx,[CurrentCoords+4]
mov eax,[CurrentCoords+8]
jmp TeleportRet
KeyHandlerThread:
push 0a
call Sleep
cmp [TeleportFlyFullyDisabled],1
je ExitKeyHandler
push 70 //F1
call GetAsyncKeyState
test ax,ax
jne ToggleOnOff
cmp [TeleportFlyEnabled],1
jne KeyHandlerThread
push CurrentCoords //X
push 1 //increase it if key is down
push 'D' //Key: 'D'
call TestKeyAndIncreaseDecreaseIfNeeded
push CurrentCoords //X
push 0 //decrease it if key is down
push 'A' //Key: 'A'
call TestKeyAndIncreaseDecreaseIfNeeded
push CurrentCoords+4 //Y
push 1
push 'W'
call TestKeyAndIncreaseDecreaseIfNeeded
push CurrentCoords+4 //Y
push 0
push 'S'
call TestKeyAndIncreaseDecreaseIfNeeded
push CurrentCoords+8 //Z
push 1
push a0 //Key: 'left shift'
call TestKeyAndIncreaseDecreaseIfNeeded
push CurrentCoords+8 //Z
push 0
push a2 //Key: 'left control'
call TestKeyAndIncreaseDecreaseIfNeeded
jmp KeyHandlerThread
ToggleOnOff:
xor eax,eax
mov [CurrentCoords],eax
xor [TeleportFlyEnabled],1
push 96
call Sleep
jmp KeyHandlerThread
ExitKeyHandler:
ret
//void __stdcall TestKeyAndIncDec(int Key, bool IncOrDec, float *pFloatValue)
TestKeyAndIncreaseDecreaseIfNeeded:
push [esp+4] //Key
call GetAsyncKeyState
test ax,ax
je NotPressed
mov eax,[esp+0c] //Address of the coordinate
fld dword ptr [eax]
cmp [esp+8],1 //Increase or decrease it?
je IncreaseIt
fsub dword ptr [FlySpeed]
fstp dword ptr [eax]
jmp NotPressed
IncreaseIt:
fadd dword ptr [FlySpeed]
fstp dword ptr [eax]
NotPressed:
ret 0c
TeleportFlyEnabled:
dd 0
TeleportFlyFullyDisabled:
dd 0
FlySpeed:
dd (float)0.1
InitialLiftAmount:
dd (float)2
CurrentCoords:
dd 0 0 0
pPlayer:
dd 0
TeleportFlyAddress+3:
TeleportFlyAddy:
jmp TeleportFly
nop
TeleportRet:
[disable]
TeleportFlyAddy:
mov edx,[esi+78]
mov eax,[esi+7c]
TeleportFlyFullyDisabled:
dd 1
dealloc(TeleportFly)
unregistersymbol(TeleportFlyAddy)
unregistersymbol(TeleportFlyFullyDisabled)
unregistersymbol(CurrentCoords)
unregistersymbol(FlySpeed)
unregistersymbol(pPlayer)
341
"Fly Speed"
80000008
Float
FlySpeed
335
"Current Fly Player X"
80000008
Float
CurrentCoords
336
"Current Fly Player Y"
80000008
Float
CurrentCoords+4
337
"Current Fly Player Z"
80000008
Float
CurrentCoords+8
1259
"Player X"
80000008
Float
pPlayer
74
Decrease Value
100
1
0
Increase Value
102
1
1
Increase Value
17
102
10
2
Decrease Value
17
100
10
3
276
"Player Y"
80000008
Float
pPlayer
78
Increase Value
17
104
10
0
Decrease Value
17
98
10
1
Increase Value
104
1
2
Decrease Value
98
1
3
1260
"Player Z"
80000008
Float
pPlayer
7C
Increase Value
105
.3
0
Decrease Value
99
.3
1
Increase Value
17
105
3.5
2
Decrease Value
17
99
3.5
3
Toggle Activation
46
4
1269
"X Speed"
80000008
Float
pPlayer
F8
Set Value
101
0
0
1268
"Y Speed"
80000008
Float
pPlayer
FC
Set Value
101
0
0
1267
"Z Speed"
80000008
Float
pPlayer
100
Toggle Activation
46
4
Set Value
46
0
0
279
"Kill Gravity"
80000008
Auto Assembler Script
[ENABLE]
alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)
newmem: //this is allocated memory, you have read,write,execute access
//place your code here
jmp exit
originalcode:
mov [esi+7C],eax
mov eax,[esi+000000D4]
exit:
jmp returnhere
"crysis3.exe"+A125ED:
jmp newmem
nop
nop
nop
nop
returnhere:
[DISABLE]
dealloc(newmem)
"crysis3.exe"+A125ED:
mov [esi+7C],eax
mov eax,[esi+000000D4]
Toggle Activation
46
0
ArrowsAddy2
373B4026
CheckRoutineHookAddy
3930FFBA
Checksums
029E0150
ChecksumIndex
029E0148
NumberOfCorrectChecksums
029E014C
PlayerOnlyHealthAddy
380E82B0
EnergyAddy
3816BEBB
CloakTimeAddy
3816D6D1
TeleportFlyAddy
37A15917
TeleportFlyFullyDisabled
0311016A
CurrentCoords
03110176
FlySpeed
0311016E
pPlayer
03110182
NoReloadAddy
3803A127
AmmoAddy
02C20015
[player xyz coords]
+1a4 == 1 (float)
+12c == 10 (float)
+130 == 11 (float)
+d4 == 2 (4 byte)
+d8 == 2 (4 byte)
+dc == 102 (4 byte)
+44 == 3 (4 byte)