I only have the guide in English; I can't translate most of it myself, so I'm leaving it in English.

wanna crack here ya go ..a jump start

prevent the function below from being called
and you can download ALL games from steam.

Code:
sub_20028050 proc near

var_C= dword ptr -0Ch
var_4= dword ptr -4
arg_0= dword ptr  4

mov     eax, large fs:0
push    0FFFFFFFFh
push    offset loc_2020EF98
push    eax
mov     large fs:0, esp
push    esi
mov     esi, [esp+10h+arg_0]
push    offset aServerRejected ; "Server rejected session login"
push    esi
call    sub_200205C0
mov     [esp+10h+var_4], 0
mov     dword ptr [esi], offset off_20248D4C
mov     [esp+10h+var_4], 0FFFFFFFFh
mov     ecx, [esp+10h+var_C]
mov     eax, esi
mov     large fs:0, ecx
pop     esi
add     esp, 0Ch
retn    4
sub_20028050 endp

the sub function starts at memory address [20028050]
trace the disassembled function back in steam.dll to follow it along..
use ollydbg or ida to load steam.dll up and read asm code shown

And the part that unlocks the games and allows them to run ?
well it's easy, i haven't looked at steam for a while but i'll give ya all a tip..
remember a key word that is used close to the below function
and then you can always trace the keyword down and know where ya are..

the code responsible for unlocking GUI and games loading (it's called 18 times in different places in steam.dll)

Code:
.text:200079A0
.text:200079A0 ; =============== S U B R O U T I N E =======================================
.text:200079A0
.text:200079A0
.text:200079A0 sub_200079A0    proc near               ; CODE XREF: sub_20198850+32p
.text:200079A0                                         ; sub_20198850+5Cp ...
.text:200079A0
.text:200079A0 var_8           = dword ptr -8
.text:200079A0 var_4           = dword ptr -4
.text:200079A0
.text:200079A0                 mov     edx, [ecx+4]
.text:200079A3                 mov     ecx, [edx+4]
.text:200079A6                 sub     esp, 8
.text:200079A9                 cmp     byte ptr [ecx+29h], 0
.text:200079AD                 push    esi
.text:200079AE                 push    edi
.text:200079AF                 mov     esi, edx
.text:200079B1                 jnz     short loc_200079C9
.text:200079B3                 mov     edi, [ebx]
.text:200079B5
.text:200079B5 loc_200079B5:                           ; CODE XREF: sub_200079A0+27j
.text:200079B5                 cmp     [ecx+0Ch], edi
.text:200079B8                 jnb     short loc_200079BF
.text:200079BA                 mov     ecx, [ecx+8]
.text:200079BD                 jmp     short loc_200079C3
.text:200079BF ; ---------------------------------------------------------------------------
.text:200079BF
.text:200079BF loc_200079BF:                           ; CODE XREF: sub_200079A0+18j
.text:200079BF                 mov     esi, ecx
.text:200079C1                 mov     ecx, [ecx]
.text:200079C3
.text:200079C3 loc_200079C3:                           ; CODE XREF: sub_200079A0+1Dj
.text:200079C3                 cmp     byte ptr [ecx+29h], 0
.text:200079C7                 jz      short loc_200079B5
.text:200079C9
.text:200079C9 loc_200079C9:                           ; CODE XREF: sub_200079A0+11j
.text:200079C9                 cmp     esi, edx
.text:200079CB                 mov     [esp+10h+var_8], esi
.text:200079CF                 jz      short loc_200079E6
.text:200079D1                 mov     ecx, [ebx]
.text:200079D3                 cmp     ecx, [esi+0Ch]
.text:200079D6                 jb      short loc_200079E6
.text:200079D8                 lea     ecx, [esp+10h+var_8]
.text:200079DC                 mov     edx, [ecx]
.text:200079DE                 pop     edi
.text:200079DF                 mov     [eax], edx
.text:200079E1                 pop     esi
.text:200079E2                 add     esp, 8
.text:200079E5                 retn
.text:200079E6 ; ---------------------------------------------------------------------------
.text:200079E6
.text:200079E6 loc_200079E6:                           ; CODE XREF: sub_200079A0+2Fj
.text:200079E6                                         ; sub_200079A0+36j
.text:200079E6                 lea     ecx, [esp+10h+var_4]
.text:200079EA                 mov     [esp+10h+var_4], edx
.text:200079EE                 mov     edx, [ecx]
.text:200079F0                 pop     edi
.text:200079F1                 mov     [eax], edx
.text:200079F3                 pop     esi
.text:200079F4                 add     esp, 8
.text:200079F7                 retn
.text:200079F7 sub_200079A0    endp
.text:200079F7
.text:200079F7 ; ---------------------------------------------------------------------------


you need to search for this chunk of binary code [8D 5C 24 60 8D 44 24 04]
the call, sub_200079A0 at address 20198882 lands you on the code i quoted above (the sub function called 18 times)
Code:
.text:20198882    call    sub_200079A0
the thing is one of the 18 calls unlocks the gui and one of them
allows games to load and another is a check on the "purchase pending message"

you need to know some very basic asm to do all this and the
needed tools to do the job (further discussion he he)
oh yeah and ya have to figure out where to edit what.

give ya a hint though.. the first call (*i think) you see when ya search for that chunk of binary #'s has to be nop'd and then your gui is unlocked ..pretty easy test

now 1 or maybe 2 more edits are needed to allow certain games to run.

so if people wanna start i'm here to help and i'm curious what ya guys think of this post?

edit#1
when searching for [8D 5C 24 60 8D 44 24 04] you will find two results (when i last checked steam it only came up once) so..
i may be wrong and instead of the first hit i mentioned above
it may actually be the second hit OR both (which may explain why recent steam cracks were broken pretty bad)
so investigate both, they look and act VERY similar. hmmmm
Have Fun

//EDIT: Not tested it myself! But friends claim that it works!
Regards
Dennis