<?xml version="1.0" encoding="utf-8"?>
<CheatTable CheatEngineTableVersion="14">
  <CheatEntries>
    <CheatEntry>
      <ID>29</ID>
      <Description>"Integrity Check Bypass Rev 001 AOB"</Description>
      <Color>80000008</Color>
      <VariableType>Auto Assembler Script</VariableType>
      <AssemblerScript>//Crysis 3
//Integrity Check Bypass Rev 001
//Steve Andrew ;)
//Special Thanks: Dark Byte
[enable]
alloc(IntegrityCheckBypass,256)
alloc(OnTheFlyCopy,42352640) //Crysis3.exe image base + 0x1000 - Crysis3.exe image base + 0x2865000
aobscan(IntegrityCheckAddress,0f b6 39 8b f0 c1 ee 18 33 f7 c1 e0 08 33)
label(IntegrityCheckRet)
label(SkipMakingCopy)
label(NotInDumpRange)
label(IntegrityCheckAddy)
registersymbol(IntegrityCheckAddy)

IntegrityCheckBypass:
cmp [OnTheFlyCopy],0
jne SkipMakingCopy

push ecx
lea esi,[Crysis3.exe+1000]
lea edi,[OnTheFlyCopy]
mov ecx,2864000
repe movsb
//Fix this bypass hook itself in copy :D
mov ecx,IntegrityCheckAddress
sub ecx,Crysis3.exe+1000
lea edi,[OnTheFlyCopy]
mov [edi+ecx],8b39b60f //movzx edi,byte ptr [ecx]
mov byte ptr [edi+ecx+4],f0 //mov esi,eax
pop ecx

SkipMakingCopy:
cmp ecx,Crysis3.exe+1000
jb NotInDumpRange
cmp ecx,Crysis3.exe+2865000
ja NotInDumpRange

sub ecx,Crysis3.exe+1000
add ecx,OnTheFlyCopy

NotInDumpRange:
movzx edi,byte ptr [ecx]
mov esi,eax
jmp IntegrityCheckRet

OnTheFlyCopy:
dd 0

IntegrityCheckAddress:
IntegrityCheckAddy:
jmp IntegrityCheckBypass
IntegrityCheckRet:

[disable]

//IntegrityCheckAddy:
//movzx edi,byte ptr [ecx]
//mov esi,eax

//dealloc(IntegrityCheckBypass)
//dealloc(OnTheFlyCopy)
//unregistersymbol(IntegrityCheckAddy)
</AssemblerScript>
    </CheatEntry>
    <CheatEntry>
      <ID>44</ID>
      <Description>"Integrity Check Bypass Checksum Spoofer Method"</Description>
      <Color>80000008</Color>
      <VariableType>Auto Assembler Script</VariableType>
      <AssemblerScript>//Integrity Check Bypass [Checksum Spoofer Method]
//Crysis 3
//Steve Andrew
[enable]
alloc(IntegrityChecksumSpoofer,512)
aobscan(CheckRoutineStart, 80 3d ? ? ? ? 00 8b 44 24 0c 56 75)
aobscan(CheckRoutineHookAddress, 0f b6 39 8b f0 c1 ee 18 33)
label(CheckRoutineHookAddy)
label(ChecksumSpooferRet)
label(Checksums)
label(ChecksumIndex)
label(CorrectCheckBytes)
label(GetChecksumsWhileCoveringTheseHooks)
label(KeepCounting)
label(GotSizeOfAreaToProtect)
label(SizeOfAreaToProtect)
label(CallHook)
label(SizeOfAreaThisChecksumCovers)
label(AlreadyGotChecksums)
label(GetNextValidChecksum)
label(ReturnValidChecksum)
label(SkipHidingTheseHooks)
registersymbol(CheckRoutineHookAddy)
registersymbol(CallHook)
registersymbol(Checksums)
registersymbol(ChecksumIndex)

IntegrityChecksumSpoofer:
pushfd
cmp [CorrectCheckBytes],8b39b60f
je GetChecksumsWhileCoveringTheseHooks

push eax
push ecx
xor ecx,ecx
mov eax,CheckRoutineHookAddress

KeepCounting:
cmp dword ptr [eax],0c2474ff
je GotSizeOfAreaToProtect
inc eax
inc ecx
jmp KeepCounting

GotSizeOfAreaToProtect:
add ecx,0d //add 13 to it
mov [SizeOfAreaToProtect],ecx
mov esi,CheckRoutineHookAddress
mov edi,CorrectCheckBytes
repe movsb

//fix the only hook copied to that correct memory
mov edi,CorrectCheckBytes
mov [edi],8b39b60f
mov byte ptr [edi+4],f0

//do second hook, hooking the call of this routine
mov esi,CheckRoutineHookAddress
add esi,[SizeOfAreaToProtect]
sub esi,5 //go do the start of the 'call [x]' instruction
//to - from - 5
mov edi,CallHook
sub edi,esi
sub edi,5
//hook that call ;) [change it to a jump]
mov byte ptr [esi],e9
mov [esi+1],edi
pop ecx
pop eax
jmp GetChecksumsWhileCoveringTheseHooks

//so we can get the return value / correct checksums + sizes
CallHook:
//could also use [esp]: base address of checksum area
mov eax,[esp+4] //size of checksum area
mov [SizeOfAreaThisChecksumCovers],eax
call CheckRoutineStart

pushfd
cmp [ChecksumIndex],3
je AlreadyGotChecksums

push ebx
push ecx
push edx
mov ebx,Checksums
mov ecx,[ChecksumIndex]
mov edx,[SizeOfAreaThisChecksumCovers]
mov [ebx+ecx*8],edx //backup size of checksum
mov [ebx+ecx*8+4],eax //backup checksum itself
inc [ChecksumIndex]
pop edx
pop ecx
pop ebx
popfd
add esp,0c
ret

AlreadyGotChecksums:
push ebx
push ecx
push edx
xor edx,edx
mov ebx,Checksums
mov ecx,[SizeOfAreaThisChecksumCovers]
GetNextValidChecksum:
cmp [ebx+edx*8],ecx
je ReturnValidChecksum
inc edx
jmp GetNextValidChecksum

ReturnValidChecksum:
mov eax,[ebx+edx*8+4] //Return That VALID Checksum :D
pop edx
pop ecx
pop ebx
popfd
add esp,0c
ret

GetChecksumsWhileCoveringTheseHooks:
push eax
mov eax,CheckRoutineHookAddress
cmp ecx,eax
jb SkipHidingTheseHooks
add eax,[SizeOfAreaToProtect]
cmp ecx,eax
jae SkipHidingTheseHooks

push ecx // this was the trick ;)
sub ecx,CheckRoutineHookAddress
add ecx,CorrectCheckBytes
movzx edi,byte ptr [ecx]
pop ecx
jmp SkipHidingTheseHooks+3

SkipHidingTheseHooks:
movzx edi,byte ptr [ecx]
pop eax
popfd
mov esi,eax
jmp ChecksumSpooferRet

SizeOfAreaToProtect:
dd 0

SizeOfAreaThisChecksumCovers:
dd 0

ChecksumIndex:
dd 0

Checksums: //enough room for 3 checksums + sizes
dd 0 0 0 0 0 0

CorrectCheckBytes:
dd 0

CheckRoutineHookAddress:
CheckRoutineHookAddy:
jmp IntegrityChecksumSpoofer
ChecksumSpooferRet:

[disable]

unregistersymbol(CheckRoutineHookAddy)
unregistersymbol(CallHook)
unregistersymbol(Checksums)
unregistersymbol(ChecksumIndex)
</AssemblerScript>
      <CheatEntries>
        <CheatEntry>
          <ID>45</ID>
          <Description>"Checksum Index"</Description>
          <Color>80000008</Color>
          <VariableType>4 Bytes</VariableType>
          <Address>ChecksumIndex</Address>
        </CheatEntry>
      </CheatEntries>
    </CheatEntry>
    <CheatEntry>
      <ID>2</ID>
      <Description>"Infinite Ammo No Reload"</Description>
      <Color>80000008</Color>
      <VariableType>Auto Assembler Script</VariableType>
      <AssemblerScript>//Infinite Ammo + No Reload
//Crysis 3
[enable]
alloc(NoReload,64)
label(NoReloadRet)

NoReload:
mov eax,63
mov [edx+4],eax
mov al,1
jmp NoReloadRet

Crysis3.exe+234f47:
jmp NoReload
NoReloadRet:

[disable]

Crysis3.exe+234f47:
mov [edx+4],eax
mov al,1

dealloc(NoReload)
</AssemblerScript>
    </CheatEntry>
    <CheatEntry>
      <ID>32</ID>
      <Description>"Infinite Energy"</Description>
      <Color>80000008</Color>
      <VariableType>Auto Assembler Script</VariableType>
      <AssemblerScript>[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
alloc(newmem,2048) //2kb should be enough
label(returnhere)
label(originalcode)
label(exit)
label(FullEnergy)

newmem: //this is allocated memory, you have read,write,execute access
//place your code here

originalcode:
fld dword ptr [FullEnergy]
mov edx,[edx+08]

exit:
jmp returnhere

FullEnergy:
dd (float)100

"Crysis3.exe"+3C173B:
jmp newmem
returnhere:


 
 
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
dealloc(newmem)
"Crysis3.exe"+3C173B:
fld dword ptr [eax]
mov edx,[edx+08]
//Alt: db D9 00 8B 52 08
</AssemblerScript>
    </CheatEntry>
    <CheatEntry>
      <ID>40</ID>
      <Description>"Infinite Arrows"</Description>
      <Color>80000008</Color>
      <VariableType>Auto Assembler Script</VariableType>
      <AssemblerScript>[enable]
alloc(InfiniteArrows,64)

InfiniteArrows:
mov eax,9
ret 0004

Crysis3.exe+3b3574:
jmp InfiniteArrows
nop
 
[disable]
Crysis3.exe+3b3574:
mov eax,[edx+14]
ret 0004
//Alt: db 8B 42 14 C2 04 00

dealloc(InfiniteArrows)
</AssemblerScript>
    </CheatEntry>
  </CheatEntries>
  <CheatCodes>
    <CodeEntry>
      <Description>Code :movzx edi,byte ptr [ecx]</Description>
      <Address>3942D00F</Address>
      <ModuleName>Crysis3.exe</ModuleName>
      <ModuleNameOffset>242D00F</ModuleNameOffset>
      <Before>
        <Byte>8B</Byte>
        <Byte>4C</Byte>
        <Byte>24</Byte>
        <Byte>08</Byte>
        <Byte>57</Byte>
      </Before>
      <Actual>
        <Byte>0F</Byte>
        <Byte>B6</Byte>
        <Byte>39</Byte>
      </Actual>
      <After>
        <Byte>8B</Byte>
        <Byte>F0</Byte>
        <Byte>C1</Byte>
        <Byte>EE</Byte>
        <Byte>18</Byte>
      </After>
    </CodeEntry>
    <CodeEntry>
      <Description>Change of jmp 567D0035</Description>
      <Address>567D0035</Address>
      <ModuleName/>
      <ModuleNameOffset>0</ModuleNameOffset>
      <Before>
        <Byte>04</Byte>
        <Byte>F0</Byte>
        <Byte>59</Byte>
        <Byte>5F</Byte>
        <Byte>5E</Byte>
      </Before>
      <Actual>
        <Byte>EB</Byte>
        <Byte>FE</Byte>
      </Actual>
      <After>
        <Byte>81</Byte>
        <Byte>F9</Byte>
        <Byte>00</Byte>
        <Byte>10</Byte>
        <Byte>00</Byte>
      </After>
    </CodeEntry>
    <CodeEntry>
      <Description>Change of je Crysis3.exe+22B5E78</Description>
      <Address>392B5E65</Address>
      <ModuleName>Crysis3.exe</ModuleName>
      <ModuleNameOffset>22B5E65</ModuleNameOffset>
      <Before>
        <Byte>68</Byte>
        <Byte>35</Byte>
        <Byte>1B</Byte>
        <Byte>00</Byte>
        <Byte>00</Byte>
      </Before>
      <Actual>
        <Byte>74</Byte>
        <Byte>11</Byte>
      </Actual>
      <After>
        <Byte>81</Byte>
        <Byte>04</Byte>
        <Byte>24</Byte>
        <Byte>06</Byte>
        <Byte>43</Byte>
      </After>
    </CodeEntry>
    <CodeEntry>
      <Description>Change of jne Crysis3.exe+22B5EA0</Description>
      <Address>392B5EB5</Address>
      <ModuleName>Crysis3.exe</ModuleName>
      <ModuleNameOffset>22B5EB5</ModuleNameOffset>
      <Before>
        <Byte>FF</Byte>
        <Byte>4C</Byte>
        <Byte>24</Byte>
        <Byte>10</Byte>
        <Byte>90</Byte>
      </Before>
      <Actual>
        <Byte>75</Byte>
        <Byte>E9</Byte>
      </Actual>
      <After>
        <Byte>80</Byte>
        <Byte>4C</Byte>
        <Byte>24</Byte>
        <Byte>14</Byte>
        <Byte>01</Byte>
      </After>
    </CodeEntry>
    <CodeEntry>
      <Description>Change of jna Crysis3.exe+22B5ED8</Description>
      <Address>392B5EC4</Address>
      <ModuleName>Crysis3.exe</ModuleName>
      <ModuleNameOffset>22B5EC4</ModuleNameOffset>
      <Before>
        <Byte>14</Byte>
        <Byte>77</Byte>
        <Byte>03</Byte>
        <Byte>00</Byte>
        <Byte>00</Byte>
      </Before>
      <Actual>
        <Byte>76</Byte>
        <Byte>12</Byte>
      </Actual>
      <After>
        <Byte>90</Byte>
        <Byte>C7</Byte>
        <Byte>04</Byte>
        <Byte>24</Byte>
        <Byte>38</Byte>
      </After>
    </CodeEntry>
    <CodeEntry>
      <Description>Change of jna Crysis3.exe+22C6187</Description>
      <Address>392C617C</Address>
      <ModuleName>Crysis3.exe</ModuleName>
      <ModuleNameOffset>22C617C</ModuleNameOffset>
      <Before>
        <Byte>1C</Byte>
        <Byte>F9</Byte>
        <Byte>0C</Byte>
        <Byte>00</Byte>
        <Byte>00</Byte>
      </Before>
      <Actual>
        <Byte>76</Byte>
        <Byte>09</Byte>
      </Actual>
      <After>
        <Byte>90</Byte>
        <Byte>BC</Byte>
        <Byte>00</Byte>
        <Byte>00</Byte>
        <Byte>00</Byte>
      </After>
    </CodeEntry>
    <CodeEntry>
      <Description>Change of jle Crysis3.exe+22C5F99</Description>
      <Address>392C5F92</Address>
      <ModuleName>Crysis3.exe</ModuleName>
      <ModuleNameOffset>22C5F92</ModuleNameOffset>
      <Before>
        <Byte>6C</Byte>
        <Byte>07</Byte>
        <Byte>00</Byte>
        <Byte>00</Byte>
        <Byte>90</Byte>
      </Before>
      <Actual>
        <Byte>7E</Byte>
        <Byte>05</Byte>
      </Actual>
      <After>
        <Byte>83</Byte>
        <Byte>C4</Byte>
        <Byte>08</Byte>
        <Byte>FF</Byte>
        <Byte>E1</Byte>
      </After>
    </CodeEntry>
    <CodeEntry>
      <Description>Change of je Crysis3.exe+242D028</Description>
      <Address>3942D008</Address>
      <ModuleName>Crysis3.exe</ModuleName>
      <ModuleNameOffset>242D008</ModuleNameOffset>
      <Before>
        <Byte>54</Byte>
        <Byte>24</Byte>
        <Byte>0C</Byte>
        <Byte>85</Byte>
        <Byte>D2</Byte>
      </Before>
      <Actual>
        <Byte>74</Byte>
        <Byte>1E</Byte>
      </Actual>
      <After>
        <Byte>8B</Byte>
        <Byte>4C</Byte>
        <Byte>24</Byte>
        <Byte>08</Byte>
        <Byte>57</Byte>
      </After>
    </CodeEntry>
  </CheatCodes>
  <UserdefinedSymbols>
    <SymbolEntry>
      <Name>CopyDone</Name>
      <Address>65690404</Address>
    </SymbolEntry>
    <SymbolEntry>
      <Name>DisablingInfiniteLoopBypass</Name>
      <Address>021D001C</Address>
    </SymbolEntry>
    <SymbolEntry>
      <Name>CurrentAddy</Name>
      <Address>022B009E</Address>
    </SymbolEntry>
    <SymbolEntry>
      <Name>IntegrityCheckAddy</Name>
      <Address>3942D00F</Address>
    </SymbolEntry>
    <SymbolEntry>
      <Name>ChecksumAddressBase</Name>
      <Address>0E190041</Address>
    </SymbolEntry>
    <SymbolEntry>
      <Name>SizeOfChecksum</Name>
      <Address>01E5003A</Address>
    </SymbolEntry>
    <SymbolEntry>
      <Name>CheckRoutineHookAddy</Name>
      <Address>3942D00F</Address>
    </SymbolEntry>
    <SymbolEntry>
      <Name>Checksums</Name>
      <Address>01E2012B</Address>
    </SymbolEntry>
    <SymbolEntry>
      <Name>ChecksumIndex</Name>
      <Address>01E20127</Address>
    </SymbolEntry>
    <SymbolEntry>
      <Name>SizeOfAreaThisChecksumCovers</Name>
      <Address>01E20123</Address>
    </SymbolEntry>
    <SymbolEntry>
      <Name>CorrectCheckBytes</Name>
      <Address>01E2015F</Address>
    </SymbolEntry>
    <SymbolEntry>
      <Name>SizeOfAreaToProtect</Name>
      <Address>01E2011F</Address>
    </SymbolEntry>
    <SymbolEntry>
      <Name>CallHook</Name>
      <Address>01E20073</Address>
    </SymbolEntry>
  </UserdefinedSymbols>
</CheatTable>
