
Crysis 3 [+ 9] Including 2 Bypass Methods

Posted: Thu Apr 13, 2017 8:08 am
by STN
Made by SteveAndrew

EDIT->UPDATED: Added Checksum Spoofer Bypass Method V2.0 (It has been improved! ;) The number of checksums to grab is no longer hard coded to 3 [See my second post in this thread for more info on other improvements])
Added Infinite Arrows v2.0 (for those of you that it didn't work before)


This is my Crysis 3 CT so far...
It doesn't contain any pointers, it has:

*2 Different Integrity Check Bypass Methods (Scripts that I wrote ;) neither one is the infinite loop method)

EDIT: Fixed the AOB for health! Should actually enable now! lol
JUST ADDED: *Infinite Health (for player only :D) Thanks to DDS (♦ DarKDragonSlayer ♦)

*Kill Me hack (In case you get stuck / fall off of somewhere and don't die [/w infinite health enabled] [there is no restart from last checkpoint option])

*Infinite Ammo + No Reload

*Infinite Arrows

*Infinite Energy

JUST ADDED: *Infinite Cloak Time! Use the cloak for as long as you want! Must have infinite energy enabled also!

JUST ADDED: *Infinite NanoSuit Upgrades - Don't get the heavy armor upgrade as it says slower movement speed, just use infinite health instead ;)

JUST ADDED: *Player Teleport Fly - Kind of like a no-clip, but based on coordinates relative to the map, rather than relative to your view angle... Upon enabling the script, then pressing F1 in game (toggles teleport fly on/off) it will lift you up into the air slightly, and you can 'fly' around using the WSAD keys, left shift to move you up, left control to move you down.

JUST ADDED: *Enemy Vac - A fun one! Upon enabling the script, then pressing F2 in game (toggles the vac on/off) it vacs all enemies within the area to your current position and locks them in place! Move the vac around with the arrow keys and right control + right alt to move it up and down

To see what they are like view this video here: (although I've since then adjusted the fly and move speed to 0.2 by default as it was too hard to control before)
[Link]

Will be updating as I find more cheats! If any more are even needed...

Instructions:


Enable one of the bypass methods first! (I recommend the second one on the CT, but try both if one or the other doesn't work for you)


If using the second bypass method, after enabling wait until 'ChecksumIndex' equals 3 before enabling any other cheats... (It has to capture the three valid Checksums before it's bypassing you)

If using the first bypass method, after enabling just wait between 1-2 minutes to know for certain it's in effect, then feel free to enable other cheats!

Enjoy :D

EDIT: With the help of DDS (♦ DarKDragonSlayer ♦), I was able to track down the real health address, and find a location where only the player's health address passes through! It also contains the decryption key in the eax register (or +4 from the health address)

By finding the health percentage standard 4 byte value (when full health it's at 100) you can reverse from there, and pretty easily find an instruction that accesses the real health address at offset 24 (which is a float value, which also happens to have a simple xor encryption on it (that's why you can't find it with increased/decreased scans)). It was only 2 returns into the call stack, I believe...

Here's the health script contained in the updated CT:
Code:

//Crysis 3
//Infinite Health
//Steve Andrew /w Credit To: DDS (♦ DarKDragonSlayer ♦)
//Thanks for helping me DDS!
[enable]
alloc(InfiniteHealth,64)
aobscan(PlayerOnlyHealthAddress,8b 56 ? ? ? 89 54 24 ? 8b 01 d9 44 24)
label(PlayerOnlyHealthAddy)
label(HealthRet)
label(FullHealthValue)
registersymbol(PlayerOnlyHealthAddy)

InfiniteHealth:
mov edx,[FullHealthValue]
xor edx,eax //eax contains encryption/decryption key here ;)
mov [esi+24],edx //copy encrypted full health to player health addy
xor edx,eax //have decrypted value in edx before jumping back
jmp HealthRet

FullHealthValue:
dd (float)1000

PlayerOnlyHealthAddress:
PlayerOnlyHealthAddy:
jmp InfiniteHealth
HealthRet:

[disable]

PlayerOnlyHealthAddy:
mov edx,[esi+24]
xor edx,eax

dealloc(InfiniteHealth)
unregistersymbol(PlayerOnlyHealthAddy)


Here's the player teleport fly script here so you can get an idea of how I pulled it off: (I found a value at offset d4 into the structure which contains the coordinates, that is only a certain value when it's the player, so that's how I was able to tell them apart)
Code:

//Crysis 3
//Teleport Fly Hack
//Steve Andrew
[enable]
alloc(TeleportFly,128)
alloc(KeyHandlerThread,256)
aobscan(TeleportFlyAddress,8b 4e 74 8b 56 78 8b 46 7c 89 4d ? 89 55 ? 89 45)
label(TeleportFlyAddy)
label(ExitKeyHandler)
label(ToggleOnOff)
label(TeleportFlyFullyDisabled)
label(TestKeyAndIncreaseDecreaseIfNeeded)
label(IncreaseIt)
label(NotPressed)
label(InitialLiftAmount)
label(FlySpeed)
label(TeleportFlyEnabled)
label(CurrentCoords)
label(AlreadyGotCoords)
label(TeleportRet)
createthread(KeyHandlerThread)
registersymbol(TeleportFlyAddy)
registersymbol(TeleportFlyFullyDisabled)
registersymbol(CurrentCoords)
registersymbol(FlySpeed)

TeleportFly:
mov edx,[esi+78]
mov eax,[esi+7c]
cmp [esi+d4],2 //Not player if it's not 2
jne TeleportRet
cmp [TeleportFlyEnabled],1
jne TeleportRet
cmp [CurrentCoords],0
jne AlreadyGotCoords

mov [CurrentCoords],ecx //X
mov [CurrentCoords+4],edx //Y
mov [CurrentCoords+8],eax //Z

fld dword ptr [CurrentCoords+8]
fadd dword ptr [InitialLiftAmount] //Lift you up a little bit to start ;)
fstp dword ptr [CurrentCoords+8]

AlreadyGotCoords:
mov ecx,[CurrentCoords]
mov edx,[CurrentCoords+4]
mov eax,[CurrentCoords+8]
jmp TeleportRet

KeyHandlerThread:
push 0a
call Sleep

cmp [TeleportFlyFullyDisabled],1
je ExitKeyHandler

push 70 //F1
call GetAsyncKeyState
test ax,ax
jne ToggleOnOff

cmp [TeleportFlyEnabled],1
jne KeyHandlerThread

push CurrentCoords //X
push 1 //increase it if key is down
push 'D' //Key: 'D'
call TestKeyAndIncreaseDecreaseIfNeeded

push CurrentCoords //X
push 0 //decrease it if key is down
push 'A' //Key: 'A'
call TestKeyAndIncreaseDecreaseIfNeeded

push CurrentCoords+4 //Y
push 1
push 'W'
call TestKeyAndIncreaseDecreaseIfNeeded

push CurrentCoords+4 //Y
push 0
push 'S'
call TestKeyAndIncreaseDecreaseIfNeeded

push CurrentCoords+8 //Z
push 1
push a0 //Key: 'left shift'
call TestKeyAndIncreaseDecreaseIfNeeded

push CurrentCoords+8 //Z
push 0
push a2 //Key: 'left control'
call TestKeyAndIncreaseDecreaseIfNeeded
jmp KeyHandlerThread

ToggleOnOff:
xor eax,eax
mov [CurrentCoords],eax
xor [TeleportFlyEnabled],1
push 96
call Sleep
jmp KeyHandlerThread

ExitKeyHandler:
ret

//void __stdcall TestKeyAndIncDec(int Key, bool IncOrDec, float *pFloatValue)
TestKeyAndIncreaseDecreaseIfNeeded:
push ebp
mov ebp,esp

push [ebp+8] //Key
call GetAsyncKeyState
test ax,ax
je NotPressed

mov eax,[ebp+10] //Address of the coordinate
fld dword ptr [eax]

cmp [ebp+0c],1 //Increase or decrease it?
je IncreaseIt

fsub dword ptr [FlySpeed]
fstp dword ptr [eax]
jmp NotPressed

IncreaseIt:
fadd dword ptr [FlySpeed]
fstp dword ptr [eax]

NotPressed:
mov esp,ebp
pop ebp
ret 0c

TeleportFlyEnabled:
dd 0

TeleportFlyFullyDisabled:
dd 0

FlySpeed:
dd (float)0.2

InitialLiftAmount:
dd (float)5

CurrentCoords:
dd 0 0 0

TeleportFlyAddress+3:
TeleportFlyAddy:
jmp TeleportFly
nop
TeleportRet:

[disable]

TeleportFlyAddy:
mov edx,[esi+78]
mov eax,[esi+7c]

TeleportFlyFullyDisabled:
dd 1

dealloc(TeleportFly)
unregistersymbol(TeleportFlyAddy)
unregistersymbol(TeleportFlyFullyDisabled)
unregistersymbol(CurrentCoords)
unregistersymbol(FlySpeed)



If, while using the infinite health script, you get stuck after falling off into water for example (as shown in this image) where you were supposed to die normally, then enable the 'Kill Me' script! Then disable it right away; in game it will say low energy / health critical (you are really dead though). Press escape as if bringing up the menu and you will respawn :D

Stuck in the water on the bottom of the map, an ideal place to use the 'Kill Me' script:

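The XOR-masked health float described in the first post, as an added example (not part of the original post or the CT): it shows why ordered comparisons on the stored dword stop tracking the real value, and why a key kept at +4 from the value leaves it readable to anything that can read both fields. The struct, function names, key and sample values are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout: masked float followed by its key at +4, as the post describes. */
typedef struct {
    uint32_t masked; /* IEEE-754 bits of the value XOR key */
    uint32_t key;    /* stored directly after the value */
} masked_float;

static float bits_to_float(uint32_t u) { float f; memcpy(&f, &u, sizeof f); return f; }
static uint32_t float_to_bits(float f) { uint32_t u; memcpy(&u, &f, sizeof u); return u; }

void mf_store(masked_float *m, float v) { m->masked = float_to_bits(v) ^ m->key; }
float mf_load(const masked_float *m) { return bits_to_float(m->masked ^ m->key); }

/* What a value scanner sees: the stored dword read as a plain float. */
float mf_raw(const masked_float *m) { return bits_to_float(m->masked); }

/* Count the steps of a strictly falling series where the raw dword, read as
 * a float, also falls, i.e. where a "decreased value" comparison would match. */
int steps_tracked(uint32_t key, const float *vals, int n) {
    masked_float m = { 0, key };
    int tracked = 0;
    mf_store(&m, vals[0]);
    for (int i = 1; i < n; i++) {
        float before = mf_raw(&m);
        mf_store(&m, vals[i]);
        if (mf_raw(&m) < before) tracked++;
    }
    return tracked;
}

int main(void) {
    const float falling[] = { 100.0f, 50.0f, 25.0f, 12.5f }; /* constructed samples */
    const uint32_t key = 0x3C8F1A27u;                        /* constructed key */
    masked_float hp = { 0, key };
    mf_store(&hp, 100.0f);
    printf("stored dword: 0x%08X, decoded with adjacent key: %.1f\n",
           (unsigned)hp.masked, mf_load(&hp));
    printf("unmasked: %d of 3 steps read as decreased\n", steps_tracked(0, falling, 4));
    printf("masked:   %d of 3 steps read as decreased\n", steps_tracked(key, falling, 4));
    return 0;
}
```

The mask only defeats naive ordered comparisons; because the key sits beside the value, it is obfuscation rather than protection.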

Re: Crysis 3 [+ 9] Including 2 Bypass Methods

Posted: Wed Feb 28, 2018 2:05 pm
by Bob73
Good time. You can create an MP player to work the energy and the cloak

Crysis 3 [+ 9] Including 2 Bypass Methods

Posted: Mon Apr 30, 2018 1:55 am
by Thunderheadz
Bob73 wrote: "Good time. You can create an MP player to work the energy and the cloak"

How do I create an MP player? I crash every time I attack an enemy!

Edit: It crashes with all except health, I think.

Re: Crysis 3 [+ 9] Including 2 Bypass Methods

Posted: Sun Oct 03, 2021 5:57 pm
by PrimarchZero
So the bypass methods don't work. What can I do to fix this?