Smanettone83 Expert Cheater
Reputation: 3
Joined: 21 Feb 2011 Posts: 146 Location: Italia
Posted: Fri Feb 22, 2013 3:14 pm Post subject: Bypass Anticheat protection Crysis 3
Hi guys,
I think I've found the code that checks the game's memory for the anticheat protection, after I had set a data breakpoint on the instruction that accesses my ammo...
The instruction is:
Code:
    movzx edi,byte ptr [ecx]
I saw this by backtracking the code.
I tried to replace
    3942ADF8 - je 3942AE18
with
    3942ADF8 - jmp 3942AE18
I've tried to bypass the routine but of course it doesn't work.... maybe it isn't the right way... Any suggestions?
Dark Byte Site Admin
Reputation: 470
Joined: 09 May 2003 Posts: 25808 Location: The netherlands
Posted: Fri Feb 22, 2013 3:22 pm
That's the integrity check routine, yes.
What you could also do is make a copy of the whole game memory and adjust the ECX register to point to the copy, so it reads an unmodified version of the code.
Or look into the StealthEdit plugin for Cheat Engine.
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
Smanettone83 Expert Cheater
Reputation: 3
Joined: 21 Feb 2011 Posts: 146 Location: Italia
Posted: Fri Feb 22, 2013 3:39 pm
Dark Byte wrote:
    That's the integrity check routine, yes.
    What you could also do is make a copy of the whole game memory and adjust the ECX register to point to the copy, so it reads an unmodified version of the code.
    Or look into the StealthEdit plugin for Cheat Engine.
Thanks. I don't know about the StealthEdit plugin for Cheat Engine. What does it do?
Screitor Cheater
Reputation: 1
Joined: 26 Nov 2012 Posts: 33 Location: Venezuela
Posted: Fri Feb 22, 2013 4:09 pm
Dark Byte wrote:
    That's the integrity check routine, yes.
How did you know that?
Is there a book or something, or is it just that by knowing asm we can figure out that stuff?
_________________
Everybody lies.
Dark Byte Site Admin
Reputation: 470
Joined: 09 May 2003 Posts: 25808 Location: The netherlands
Posted: Fri Feb 22, 2013 4:18 pm
Just experience (shift and xor on a byte value that it got from reading code).
EAX is the return value of this "CalculateIntegrityValue()" function. (ECX = memory pointer, EDX = bytes left)
Instead of a copy you could also check the value of EAX at the point of ret and always make EAX that same value when returning. (Tip: check if there isn't another function that checks the integrity of that function separately.)
But if this is too difficult, then Geri posted a StealthEdit tutorial on his website, including links to StealthEdit downloads and a video on how to use it.
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
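As an added illustration (not code from the thread, the plugin, or the game), here is what a shift-and-xor integrity routine of the kind Dark Byte describes looks like in C, run over a constructed byte array, and why the single je-to-jmp byte patch from the first post trips it. The seed, shift amounts, function names and sample bytes are all assumptions.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed stand-in for a slice of the game's code section (in the real
 * game ECX walks .text). Byte 3 is the "je" opcode (0x74 = je rel8) that the
 * first post turned into "jmp" (0xEB). All bytes are made up for the example. */
static uint8_t game_code[16] = {
    0x0F, 0xB6, 0x39,                    /* movzx edi, byte ptr [ecx] */
    0x74, 0x1E,                          /* je +0x1E                  */
    0x8B, 0xC7, 0xC1, 0xE0, 0x05,        /* filler opcodes            */
    0x33, 0xC7, 0x49, 0x75, 0xF2, 0xC3
};

/* Shift-and-xor rolling checksum over [p, p + bytes_left), with the register
 * roles inferred in the thread (ECX = pointer, EDX = bytes left, EAX = result).
 * Seed and shift amounts are assumptions, not the game's. Each step is a
 * bijection on h, so a changed byte cannot be cancelled by later bytes. */
uint32_t calculate_integrity_value(const uint8_t *p, size_t bytes_left) {
    uint32_t h = 0x5A17u;
    while (bytes_left--) {
        h ^= *p++;                   /* fold in one code byte */
        h = (h << 5) | (h >> 27);    /* rotate so byte position matters */
        h ^= h >> 3;                 /* mix high bits down */
    }
    return h;
}

/* Baseline from the untampered image; a shipping game would bake it in at build time. */
static uint32_t baseline;
void snapshot_baseline(void) {
    baseline = calculate_integrity_value(game_code, sizeof(game_code));
}

/* 1 if the code region still hashes to the baseline, 0 if it was patched. */
int integrity_ok(void) {
    return calculate_integrity_value(game_code, sizeof(game_code)) == baseline;
}

/* Applies the one-byte patch from the original post (je -> jmp) and returns
 * the checker's verdict; a correct checker must return 0 here. */
int patch_je_to_jmp_and_check(void) {
    game_code[3] = 0xEB;
    return integrity_ok();
}

/* Puts the original byte back; the checker must accept the region again. */
int restore_and_check(void) {
    game_code[3] = 0x74;
    return integrity_ok();
}
```

Because every mixing step is invertible, the verdict does not depend on which byte is patched or on what follows it, which is why flipping a single conditional jump is enough to change EAX.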
HiSaZuL Expert Cheater
Reputation: 6
Joined: 09 Aug 2011 Posts: 245
Dark Byte Site Admin
Reputation: 470
Joined: 09 May 2003 Posts: 25808 Location: The netherlands
Posted: Sat Feb 23, 2013 4:29 am
Find the start of the function and write:
Code:
    mov eax,f25eaafa
    ret
And hope the module gets loaded at the same spot each time (which I doubt looking at EIP, but who knows, might just be a high base address since your EIP was the same),
and hope that function is only used once for the whole module.
Option 2: find where the return value of that function is compared and change the result of that compare.
392b3c41 stores it in the stack in a local variable.
But I don't see much else in that stacktrace.
Alternatively, look into the auto assembler command "READMEM(address, size)" and change the integrity routine so ECX points to the relative location in the copy.
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
HiSaZuL Expert Cheater
Reputation: 6
Joined: 09 Aug 2011 Posts: 245
Posted: Sat Feb 23, 2013 4:53 pm
Thanks for the explanations DB. Mhm... It's best I do little steps, this is a bit over my head.... oh who am I kidding, this is waaay over my head LOL. I poked around, didn't really figure out much.
Considering how bloody long it takes for Crysis to start... not the actual map load (it's fairly fast), I got tired now, meh ~_~.
And fling already got all that I wanted in a trainer. His are well made, no bs/pointless options, so I'm going to leave integrity check study for a smaller, easier to manage game
that someone with good asm knowledge just happens to mess with, so I can get pointers as I go.
Again, thanks for the heads up, it was interesting to try and see how an integrity check works for the first time at least.
Daijobu Master Cheater
Reputation: 13
Joined: 05 Feb 2013 Posts: 301 Location: the Netherlands
Posted: Sat Feb 23, 2013 4:57 pm
I wonder why a check like this is even put in a singleplayer game. But I'm a newb so it all just seems very silly to me.
Great thing that I found this topic though, explains why the game kept crashing over and over.
HiSaZuL Expert Cheater
Reputation: 6
Joined: 09 Aug 2011 Posts: 245
Posted: Sat Feb 23, 2013 5:19 pm
Daijobu wrote:
    I wonder why a check like this is even put in a singleplayer game. But I'm a newb so it all just seems very silly to me.
    Great thing that I found this topic though, explains why the game kept crashing over and over.
And even more importantly, a game with a console. LOL.
It does have multiplayer but... meh... Guess it's to prevent aimbots, wallhacks etc. But frankly with all the @#$% holding you get on a console + magic pajamas upgrades you get both aimbot and wallhack too. So it's still bizarre.
Last edited by HiSaZuL on Sat Feb 23, 2013 5:20 pm; edited 1 time in total
Dark Byte Site Admin
Reputation: 470
Joined: 09 May 2003 Posts: 25808 Location: The netherlands
Posted: Sat Feb 23, 2013 5:20 pm
Perhaps it's an extra layer of DRM for situations like delay-loaded cracks.
E.g. a crack that disables the copy protection before it is executed, but after the exe has been started (so no modified exe, but the copy protection check got removed).
Or who knows, perhaps they only want their own DLC to have an effect in the game (e.g. selling god mode).
Also, have you tried the cracked version of the game?
Cracked versions often take out checks like that, and the added bonus is that the game will run a lot smoother (fewer memory checks).
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
HiSaZuL Expert Cheater
Reputation: 6
Joined: 09 Aug 2011 Posts: 245
Posted: Sat Feb 23, 2013 5:22 pm
Dark Byte wrote:
    Perhaps it's an extra layer of DRM for situations like delay-loaded cracks.
    E.g. a crack that disables the copy protection before it is executed, but after the exe has been started (so no modified exe, but the copy protection check got removed).
    Or who knows, perhaps they only want their own DLC to have an effect in the game (e.g. selling god mode).
    Also, have you tried the cracked version of the game?
    Cracked versions often take out checks like that, and the added bonus is that the game will run a lot smoother (fewer memory checks).
Yeah, tried. Unfortunately Reloaded did it with a loader. And this loader initially crashed the game in mission 2 and up. So they didn't remove much, if anything, from the executable.
But yes, a lot of options that one can add with a few memory tweaks will probably be shoved about as DLC in one form or another. Weapons/weapon mods/suit mods. This is EA after all. heh
Daijobu Master Cheater
Reputation: 13
Joined: 05 Feb 2013 Posts: 301 Location: the Netherlands
Posted: Sat Feb 23, 2013 5:38 pm
And here I sat diligently creating all the hacks I wanted to blast through the singleplayer like a demi-god. 10 to 20 seconds after injection > exit to desktop without warning or error.
I see some trainers have already been released. Lingon being one of them. Those guys must have circumvented this system already!
Dark Byte Site Admin
Reputation: 470
Joined: 09 May 2003 Posts: 25808 Location: The netherlands
Posted: Sat Feb 23, 2013 5:45 pm
It's really not that hard to do. Check out Recifense's table on the Shogun 2 Steam version where he bypasses a similar protection.
And as I said, you might be able to use StealthEdit to quickly bypass it without needing to know any assembler (besides the assembler to do the cheats you wish).
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
redleouf Advanced Cheater
Reputation: 0
Joined: 13 Feb 2013 Posts: 76
Posted: Sat Feb 23, 2013 6:01 pm
I am going to test the StealthEdit method later this week, and if nobody has made it before me, I will post the result.
Thank you for the advice, Dark Byte.