Crysis 3 Integrity Check Bypass (Auto Assembler Script) :D

 
Author: SteveAndrew (Master Cheater)
Posted: Tue Mar 12, 2013 2:09 am    Post subject: Crysis 3 Integrity Check Bypass (Auto Assembler Script)

EDIT3: Added version 2 of the script, and uploaded my current CT... This script uses a different method! Instead of making a copy of the entire region, it only bypasses itself, which gives it time to extract the three valid checksums! When 'ChecksumIndex' reaches three, you are ready to modify your memory

EDIT2: Added an AOBScan version of the script, this one should be more workable for more people! See the third post if it is still not working; the region you need to make a copy of might have a different size

EDIT: lol Okay so I guess I didn't get my first draft of the script quite right! I noticed when I looked at it in memory that it didn't look quite right and thought CE wasn't assembling it correctly... That wasn't the case, I didn't change my 'alloc(IntegrityCheckBypass,64)' to a more proper number like 'alloc(IntegrityCheckBypass,128)' (the code is 99 bytes in memory...) So when I changed it to that, disabled infinite ammo, disabled the bypass and re-enabled it... It wasn't making a new dump, so I was like huh, that's strange, the code wasn't running through there anymore, so I somehow disabled the thread when I didn't allocate enough memory and it had some weird instructions but the game still ran amazingly... So I restarted the game to test it again... and it crashed

HOWEVER! I thought about it and spotted the problem, since I hooked the check itself, and the check checks itself and since the check is within the copied region, it copied the hook bytes into the supposed to be untouched copy...

So by making it fix the bytes in the copy after making the copy, I got it to work again! This time it's proper!

Script updated to revision 1 (I guess even I can't think of everything the first time)

Before touching any memory (enabling infinite ammo for example) enable the bypass first! Then go in game and move around for a minute or two just to make sure the copy of the untouched memory has been made (when the check does its routine at least once). Then you are free to modify any memory within the range Crysis3.exe image base + 0x1000 - Crysis3.exe+2865000, which is where you'll most likely be finding your cheat addresses to hook/modify!




Hello everyone! I haven't been on Cheat Engine Forums in a while (been busy with work and stuff)

Crysis 3 came out though, so I just had to hack it!
I immediately found infinite ammo (like I usually do) and proceeded to script it. Windows debugger crashed the game, so before trying some anti-anti-debug tricks, I tried the VEH debugger... That worked and I got the ammo address!

When I scripted it though I noticed something happen in-game... It would crash... So I was like hmm, did I make my script wrong or something? So I just nopped the address instead. Still crashing...
I was then like, well, they might be doing a CRC check or something like that, so I did a kind of 'breakpoint NOP' (see attached image) where you use a hardware breakpoint to jump over the instruction which decreases ammo...

That worked to achieve infinite ammo + no reload, however it isn't ideal (can't just tick a script) but it did prove to me that there was some sort of checking going on!

Came here to see what's up, if others have run into this issue, and sure enough I found this thread: http://forum.cheatengine.org/viewtopic.php?t=562725&postdays=0&postorder=asc&start=0
Used that screenshot to make an AOB and I located the same 'Integrity Check Routine' as depicted in the image!

After seeing Dark Byte's comment, I thought back to a little old game that I remember the CRC Bypass used that technique with!


So I was like this is easy! This won't be a problem!

Wrote up a script employing the method, first try (first draft of the script) enabled it, then enabled my Infinite Ammo script, tested it out for a bit, and THE GAME NO LONGER CRASHES!

The game is even still running right now with my modified memory. The integrity check is reading from an unmodified copy made on the fly by the script!

So I've done it! Defeated Crysis 3's integrity check! So I'm posting this script here for all to enjoy and / or learn from!


So bye for now! I'll be hacking up Crysis 3 now that I can modify the memory to my heart's desire!

Thanks Dark Byte for reminding me of that method of bypassing integrity / crc checks!

Enjoy!

Integrity Check Bypass Version 2: Checksum Spoofer Method!
(Dynamically gets valid checksums while keeping itself bypassed)

Code:

//Integrity Check Bypass [Checksum Spoofer Method]
//Crysis 3
//Steve Andrew
[enable]
alloc(IntegrityChecksumSpoofer,512)
aobscan(CheckRoutineStart, 80 3d ? ? ? ? 00 8b 44 24 0c 56 75)
aobscan(CheckRoutineHookAddress, 0f b6 39 8b f0 c1 ee 18 33)
label(CheckRoutineHookAddy)
label(ChecksumSpooferRet)
label(Checksums)
label(ChecksumIndex)
label(CorrectCheckBytes)
label(GetChecksumsWhileCoveringTheseHooks)
label(KeepCounting)
label(GotSizeOfAreaToProtect)
label(SizeOfAreaToProtect)
label(CallHook)
label(SizeOfAreaThisChecksumCovers)
label(AlreadyGotChecksums)
label(GetNextValidChecksum)
label(ReturnValidChecksum)
label(SkipHidingTheseHooks)
registersymbol(CheckRoutineHookAddy)
registersymbol(CallHook)
registersymbol(Checksums)
registersymbol(ChecksumIndex)

IntegrityChecksumSpoofer:
pushfd
cmp [CorrectCheckBytes],8b39b60f
je GetChecksumsWhileCoveringTheseHooks

push eax
push ecx
xor ecx,ecx
mov eax,CheckRoutineHookAddress

KeepCounting:
cmp dword ptr [eax],0c2474ff
je GotSizeOfAreaToProtect
inc eax
inc ecx
jmp KeepCounting

GotSizeOfAreaToProtect:
add ecx,0d //add 13 to it
mov [SizeOfAreaToProtect],ecx
mov esi,CheckRoutineHookAddress
mov edi,CorrectCheckBytes
repe movsb

//fix the only hook copied to that correct memory
mov edi,CorrectCheckBytes
mov [edi],8b39b60f
mov byte ptr [edi+4],f0

//do second hook, hooking the call of this routine
mov esi,CheckRoutineHookAddress
add esi,[SizeOfAreaToProtect]
sub esi,5 //go do the start of the 'call [x]' instruction
//to - from - 5
mov edi,CallHook
sub edi,esi
sub edi,5
//hook that call ;) [change it to a jump]
mov byte ptr [esi],e9
mov [esi+1],edi
pop ecx
pop eax
jmp GetChecksumsWhileCoveringTheseHooks

//so we can get the return value / correct checksums + sizes
CallHook:
//could also use [esp]: base address of checksum area
mov eax,[esp+4] //size of checksum area
mov [SizeOfAreaThisChecksumCovers],eax
call CheckRoutineStart

pushfd
cmp [ChecksumIndex],3
je AlreadyGotChecksums

push ebx
push ecx
push edx
mov ebx,Checksums
mov ecx,[ChecksumIndex]
mov edx,[SizeOfAreaThisChecksumCovers]
mov [ebx+ecx*8],edx //backup size of checksum
mov [ebx+ecx*8+4],eax //backup checksum itself
inc [ChecksumIndex]
pop edx
pop ecx
pop ebx
popfd
add esp,0c
ret

AlreadyGotChecksums:
push ebx
push ecx
push edx
xor edx,edx
mov ebx,Checksums
mov ecx,[SizeOfAreaThisChecksumCovers]
GetNextValidChecksum:
cmp [ebx+edx*8],ecx
je ReturnValidChecksum
inc edx
jmp GetNextValidChecksum

ReturnValidChecksum:
mov eax,[ebx+edx*8+4] //Return That VALID Checksum :D
pop edx
pop ecx
pop ebx
popfd
add esp,0c
ret

GetChecksumsWhileCoveringTheseHooks:
push eax
mov eax,CheckRoutineHookAddress
cmp ecx,eax
jb SkipHidingTheseHooks
add eax,[SizeOfAreaToProtect]
cmp ecx,eax
jae SkipHidingTheseHooks

push ecx // this was the trick ;)
sub ecx,CheckRoutineHookAddress
add ecx,CorrectCheckBytes
movzx edi,byte ptr [ecx]
pop ecx
jmp SkipHidingTheseHooks+3

SkipHidingTheseHooks:
movzx edi,byte ptr [ecx]
pop eax
popfd
mov esi,eax
jmp ChecksumSpooferRet

SizeOfAreaToProtect:
dd 0

SizeOfAreaThisChecksumCovers:
dd 0

ChecksumIndex:
dd 0

Checksums: //enough room for 3 checksums + sizes
dd 0 0 0 0 0 0

CorrectCheckBytes:
dd 0

CheckRoutineHookAddress:
CheckRoutineHookAddy:
jmp IntegrityChecksumSpoofer
ChecksumSpooferRet:

[disable]

unregistersymbol(CheckRoutineHookAddy)
unregistersymbol(CallHook)
unregistersymbol(Checksums)
unregistersymbol(ChecksumIndex)



Integrity Check Bypass AOBScan Version:
Code:

//Crysis 3
//Integrity Check Bypass Rev 001
//Steve Andrew ;)
//Special Thanks: Dark Byte
[enable]
alloc(IntegrityCheckBypass,256)
alloc(OnTheFlyCopy,42352640) //Crysis3.exe image base + 0x1000 - Crysis3.exe image base + 0x2865000
aobscan(IntegrityCheckAddress,0f b6 39 8b f0 c1 ee 18 33 f7 c1 e0 08 33)
label(IntegrityCheckRet)
label(SkipMakingCopy)
label(NotInDumpRange)
label(IntegrityCheckAddy)
registersymbol(IntegrityCheckAddy)

IntegrityCheckBypass:
cmp [OnTheFlyCopy],0
jne SkipMakingCopy

push ecx
lea esi,[Crysis3.exe+1000]
lea edi,[OnTheFlyCopy]
mov ecx,2864000
repe movsb
//Fix this bypass hook itself in copy :D
mov ecx,IntegrityCheckAddress
sub ecx,Crysis3.exe+1000
lea edi,[OnTheFlyCopy]
mov [edi+ecx],8b39b60f //movzx edi,byte ptr [ecx]
mov byte ptr [edi+ecx+4],f0 //mov esi,eax
pop ecx

SkipMakingCopy:
cmp ecx,Crysis3.exe+1000
jb NotInDumpRange
cmp ecx,Crysis3.exe+2865000
ja NotInDumpRange

sub ecx,Crysis3.exe+1000
add ecx,OnTheFlyCopy

NotInDumpRange:
movzx edi,byte ptr [ecx]
mov esi,eax
jmp IntegrityCheckRet

OnTheFlyCopy:
dd 0

IntegrityCheckAddress:
IntegrityCheckAddy:
jmp IntegrityCheckBypass
IntegrityCheckRet:

[disable]

IntegrityCheckAddy:
movzx edi,byte ptr [ecx]
mov esi,eax

dealloc(IntegrityCheckBypass)
dealloc(OnTheFlyCopy)
unregistersymbol(IntegrityCheckAddy)


Integrity Check Bypass Rev 001:
Code:

//Crysis 3
//Integrity Check Bypass Rev 001
//Steve Andrew ;)
//Special Thanks: Dark Byte
[enable]
alloc(IntegrityCheckBypass,128)
alloc(OnTheFlyCopy,42352640) //From: Crysis3.exe image base + 0x1000
label(IntegrityCheckRet)     //To: Crysis3.exe image base + 0x2865000
label(SkipMakingCopy)
label(NotInDumpRange)

IntegrityCheckBypass:
cmp [OnTheFlyCopy],0
jne SkipMakingCopy

push ecx
lea esi,[Crysis3.exe+1000]
mov edi,OnTheFlyCopy
mov ecx,2864000
repe movsb
//Fix this bypass hook itself in copy :D
lea edi,[OnTheFlyCopy+242c00f]
mov [edi],8b39b60f //movzx edi,byte ptr [ecx]
mov byte ptr [edi+4],f0 //mov esi,eax
pop ecx

SkipMakingCopy:
cmp ecx,Crysis3.exe+1000
jb NotInDumpRange
cmp ecx,Crysis3.exe+2865000
ja NotInDumpRange

sub ecx,Crysis3.exe+1000
add ecx,OnTheFlyCopy

NotInDumpRange:
movzx edi,byte ptr [ecx]
mov esi,eax
jmp IntegrityCheckRet

OnTheFlyCopy:
dd 0

crysis3.exe+242d00f:
jmp IntegrityCheckBypass
IntegrityCheckRet:

[disable]

crysis3.exe+242d00f:
movzx edi,byte ptr [ecx]
mov esi,eax

dealloc(IntegrityCheckBypass)
dealloc(OnTheFlyCopy)


Infinite Ammo script to test it:
Code:

//Crysis 3
//Infinite Ammo + No Reload
//Steve Andrew
[enable]
alloc(NoReload,64)
label(NoReloadRet)

NoReload:
mov eax,63
mov [edx+4],eax
mov al,1
jmp NoReloadRet

Crysis3.exe+234f47:
jmp NoReload
NoReloadRet:

[disable]

Crysis3.exe+234f47:
mov [edx+4],eax
mov al,1

dealloc(NoReload)


P.S. I'll also make it into an AOB scan script (The Integrity Check Bypass) just in case that address is different for you!

- Steve Andrew



Attachments:
IntegrityCheckBypassInAction.png
CrysisBreakpointNOPInfiniteAmmoNoReload.png
Crysis3 - Steve Andrew Bypass.CT (Contains both of my bypass scripts + the hacks I've found so far ;))

Last edited by SteveAndrew on Thu Mar 14, 2013 10:55 am; edited 3 times in total
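The thread's disassembly shows a table-driven checksum loop (shift the accumulator left by 8, index a table with the high byte XOR the next input byte), and the EDIT notes show why it matters that the check covers its own bytes: the hook written over the routine was itself copied into the "untouched" copy. The C program below is an added example written for this page, not code from the thread or from the game; it implements that loop shape and shows that a 5-byte jmp written over the first instruction of a covered region changes the checksum and is flagged. The polynomial (0x04C11DB7) and seed (0xFFFFFFFF, the CRC-32/MPEG-2 parameters) are assumptions, since the game's table contents are not on the page; the 16 sample region bytes are the opcode bytes quoted in the thread's disassembly.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Table-driven, MSB-first CRC-32 with the same per-byte shape as the loop quoted
 * in the thread:
 *   movzx edi,[ecx] ; mov esi,eax ; shr esi,18 ; xor esi,edi ; shl eax,8 ; xor eax,[table+esi*4]
 * Polynomial and seed are ASSUMPTIONS for this example (CRC-32/MPEG-2 parameters);
 * the game's real table contents are not on the page. */
#define CRC_POLY 0x04C11DB7u
#define CRC_SEED 0xFFFFFFFFu

static uint32_t crc_table[256];
static int table_ready = 0;

static void build_table(void)
{
    for (uint32_t i = 0; i < 256; i++) {
        uint32_t c = i << 24;
        for (int k = 0; k < 8; k++)
            c = (c & 0x80000000u) ? (c << 1) ^ CRC_POLY : (c << 1);
        crc_table[i] = c;
    }
    table_ready = 1;
}

/* One pass over a region, byte by byte, exactly as the quoted loop does. */
uint32_t region_checksum(const uint8_t *p, size_t n)
{
    if (!table_ready)
        build_table();
    uint32_t acc = CRC_SEED;
    for (size_t i = 0; i < n; i++)
        acc = (acc << 8) ^ crc_table[((acc >> 24) ^ p[i]) & 0xFFu];
    return acc;
}

/* The check as a caller uses it: recompute and compare with the value recorded
 * when the image was known-good. Returns 1 if the region is intact. */
int region_intact(const uint8_t *p, size_t n, uint32_t expected)
{
    return region_checksum(p, n) == expected;
}

/* Constructed sample "code region": the opcode bytes quoted in the thread's
 * disassembly (0F B6 39 = movzx edi,[ecx]; 8B F0 = mov esi,eax; ...). */
#define REGION_LEN 16
static const uint8_t known_good_region[REGION_LEN] = {
    0x0F, 0xB6, 0x39, 0x8B, 0xF0, 0xC1, 0xEE, 0x18,
    0x33, 0xF7, 0xC1, 0xE0, 0x08, 0x33, 0x04, 0xB5
};

/* What the thread's EDIT describes: a 5-byte rel32 jmp written over the first
 * instruction of a covered region changes the checksum, so a checker whose own
 * bytes lie inside the covered range flags the patch. Returns 1 when detected. */
int hook_is_detected(void)
{
    uint32_t baseline = region_checksum(known_good_region, REGION_LEN);

    uint8_t patched[REGION_LEN];
    memcpy(patched, known_good_region, REGION_LEN);
    patched[0] = 0xE9;            /* jmp rel32 opcode, as used by the scripts */
    memset(patched + 1, 0x00, 4); /* constructed placeholder displacement */

    return !region_intact(patched, REGION_LEN, baseline);
}

int main(void)
{
    printf("CRC-32/MPEG-2 of \"123456789\": %08X\n",
           region_checksum((const uint8_t *)"123456789", 9));
    printf("baseline %08X, hook detected: %d\n",
           region_checksum(known_good_region, REGION_LEN), hook_is_detected());
    return 0;
}
```

Two points for anyone on the defending side follow directly from the thread. First, a checker that reads the region through one hookable load (the `movzx edi,byte ptr [ecx]` in the routine) can be redirected to a pristine copy, which is exactly what the AOBScan script does, so a single read path is a single point of failure. Second, the version 2 script works by caching the three valid checksums and replaying them, which is possible because the result is a plain return value consumed by one caller; checks whose results feed into later computation, or several independent checkers with different coverage, are harder to replay than a bare `eax` comparison.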
Author: shakib187 (Expert Cheater)
Posted: Tue Mar 12, 2013 6:33 pm

Bypass didn't work for me, still using the call sleep method. And can you do me a favor and teach me what you did with the infinite ammo and how you came to the conclusion of attaching that address to the EIP register? Still learning gamehacking.. From the code you wrote it looks like you are just moving 99 to edx+04, so why did you show the address in EIP lol
Author: SteveAndrew (Master Cheater)
Posted: Thu Mar 14, 2013 1:49 am

shakib187 wrote:
Bypass didn't work for me, still using the call sleep method. And can you do me a favor and teach me what you did with the infinite ammo and how you came to the conclusion of attaching that address to the EIP register? Still learning gamehacking.. From the code you wrote it looks like you are just moving 99 to edx+04, so why did you show the address in EIP lol


Well true, you could just put 0x63 / 99 into eax at that address as well for almost the same effect (since eax is moved into [edx+4] at that address), but for some reason I went with changing the EIP to point to the very next address instead (not sure why lol). It is kind of like nopping that instruction. Since it skips to the next instruction, 'mov [edx+4],eax' never gets executed, thus your ammo doesn't decrease. Changing eax isn't exactly the same but very similar; it's more like the script in that it consistently sets your ammo to a certain value (ammo still doesn't decrease)...

About it not working, I was aware that that could happen... It's likely you're on a newer update of the game (I'm on v1.0 flat), so I've added an AOB Scan version which doesn't depend on that address (Crysis3.exe+242d00f) being the same for everyone... Double-check that address to verify whether it is right:
Code:

Crysis3.exe+242D00F - 0FB6 39               - movzx edi,byte ptr [ecx]
Crysis3.exe+242D012 - 8B F0                 - mov esi,eax
Crysis3.exe+242D014 - C1 EE 18              - shr esi,18
Crysis3.exe+242D017 - 33 F7                 - xor esi,edi
Crysis3.exe+242D019 - C1 E0 08              - shl eax,08
Crysis3.exe+242D01C - 33 04 B5 9C3AE43B     - xor eax,[esi*4+Crysis3.exe+4E43A9C]
Crysis3.exe+242D023 - 41                    - inc ecx
Crysis3.exe+242D024 - 4A                    - dec edx
Crysis3.exe+242D025 - 75 E8                 - jne Crysis3.exe+242D00F
Crysis3.exe+242D027 - 5F                    - pop edi
Crysis3.exe+242D028 - 5E                    - pop esi
Crysis3.exe+242D029 - C3                    - ret


If it doesn't look like that, then yeah, that was the problem... If it does though, then the only other thing I could think is the problem is perhaps the size of the copy... If your game is a slightly newer version and that address still happens to be right, the image size could be bigger or smaller perhaps... I only see it causing a problem though if it was smaller; if it was bigger it just wouldn't cover up until the very end, but if it's smaller it would crash when making the copy... So just View -> Memory Regions (or CTRL+R when the memory viewer is open) and scroll down until you see Crysis3 under the 'Extra' column, you may have to expand the window a bit (see attached image). The second memory region of Crysis 3 (after the one with size 0x1000), which has Execute+Read+Write protection on it, is the one we're interested in... Verify that its size is 0x2864000

If it isn't the same size, it has to be adjusted in two places (in the new aob scan version of the script)

Code:

mov ecx,2864000


change it to:
Code:

mov ecx,{whatever your memory region size is}


then also change this line:
Code:

cmp ecx,Crysis3.exe+2865000


to:
Code:

cmp ecx,Crysis3.exe+{whatever your memory region size is + 0x1000}


And there you have it! How to get it to work for you even if the size of your memory region you need to bypass is different!



Attachment:
Crysis3BypassProtectedRegion.png
Author: shakib187 (Expert Cheater)
Posted: Wed Mar 20, 2013 5:15 pm

Nice bro, it works!
Author: SteveAndrew (Master Cheater)
Posted: Thu Mar 21, 2013 6:21 pm

Thanks! Glad to get a 100% confirmation on that! (although I already knew it worked; I don't code things that don't!)
Author: jeivarmarr (How do I cheat?)
Posted: Sat May 18, 2013 2:10 pm

Help OPERATION7 eu protect memory check.