wanna crack? here ya go.. a jump start
prevent the function below from being called
and you can download ALL games from steam.
Code:
sub_20028050 proc near
var_C= dword ptr -0Ch
var_4= dword ptr -4
arg_0= dword ptr 4
mov eax, large fs:0
push 0FFFFFFFFh
push offset loc_2020EF98
push eax
mov large fs:0, esp
push esi
mov esi, [esp+10h+arg_0]
push offset aServerRejected ; "Server rejected session login"
push esi
call sub_200205C0
mov [esp+10h+var_4], 0
mov dword ptr [esi], offset off_20248D4C
mov [esp+10h+var_4], 0FFFFFFFFh
mov ecx, [esp+10h+var_C]
mov eax, esi
mov large fs:0, ecx
pop esi
add esp, 0Ch
retn 4
sub_20028050 endp
the sub function starts at memory address [20028050]
trace the disassembled function back in steam.dll to follow it along..
use ollydbg or ida to load steam.dll up and read the asm code shown
And the part that unlocks the games and allows them to run?
well it's easy, I haven't looked at steam for a while but I'll give ya all a tip..
remember a key word that is used close to the below function
and then you can always trace the keyword down and know where ya are..
the code responsible for unlocking the GUI and games loading (it's called 18 times in different places in steam.dll)
Code:
.text:200079A0
.text:200079A0 ; =============== S U B R O U T I N E =======================================
.text:200079A0
.text:200079A0
.text:200079A0 sub_200079A0 proc near ; CODE XREF: sub_20198850+32p
.text:200079A0 ; sub_20198850+5Cp ...
.text:200079A0
.text:200079A0 var_8 = dword ptr -8
.text:200079A0 var_4 = dword ptr -4
.text:200079A0
.text:200079A0 mov edx, [ecx+4]
.text:200079A3 mov ecx, [edx+4]
.text:200079A6 sub esp, 8
.text:200079A9 cmp byte ptr [ecx+29h], 0
.text:200079AD push esi
.text:200079AE push edi
.text:200079AF mov esi, edx
.text:200079B1 jnz short loc_200079C9
.text:200079B3 mov edi, [ebx]
.text:200079B5
.text:200079B5 loc_200079B5: ; CODE XREF: sub_200079A0+27j
.text:200079B5 cmp [ecx+0Ch], edi
.text:200079B8 jnb short loc_200079BF
.text:200079BA mov ecx, [ecx+8]
.text:200079BD jmp short loc_200079C3
.text:200079BF ; ---------------------------------------------------------------------------
.text:200079BF
.text:200079BF loc_200079BF: ; CODE XREF: sub_200079A0+18j
.text:200079BF mov esi, ecx
.text:200079C1 mov ecx, [ecx]
.text:200079C3
.text:200079C3 loc_200079C3: ; CODE XREF: sub_200079A0+1Dj
.text:200079C3 cmp byte ptr [ecx+29h], 0
.text:200079C7 jz short loc_200079B5
.text:200079C9
.text:200079C9 loc_200079C9: ; CODE XREF: sub_200079A0+11j
.text:200079C9 cmp esi, edx
.text:200079CB mov [esp+10h+var_8], esi
.text:200079CF jz short loc_200079E6
.text:200079D1 mov ecx, [ebx]
.text:200079D3 cmp ecx, [esi+0Ch]
.text:200079D6 jb short loc_200079E6
.text:200079D8 lea ecx, [esp+10h+var_8]
.text:200079DC mov edx, [ecx]
.text:200079DE pop edi
.text:200079DF mov [eax], edx
.text:200079E1 pop esi
.text:200079E2 add esp, 8
.text:200079E5 retn
.text:200079E6 ; ---------------------------------------------------------------------------
.text:200079E6
.text:200079E6 loc_200079E6: ; CODE XREF: sub_200079A0+2Fj
.text:200079E6 ; sub_200079A0+36j
.text:200079E6 lea ecx, [esp+10h+var_4]
.text:200079EA mov [esp+10h+var_4], edx
.text:200079EE mov edx, [ecx]
.text:200079F0 pop edi
.text:200079F1 mov [eax], edx
.text:200079F3 pop esi
.text:200079F4 add esp, 8
.text:200079F7 retn
.text:200079F7 sub_200079A0 endp
.text:200079F7
.text:200079F7 ; ---------------------------------------------------------------------------
you need to search for this chunk of binary code [8D 5C 24 60 8D 44 24 04]
the call to sub_200079A0 at address 20198882 lands you on the code I quoted above (the sub function called 18 times)
Code:
.text:20198882 call sub_200079A0
the thing is one of the 18 calls unlocks the GUI and one of them
allows games to load and another is a check on the "purchase pending" message
you need to know some very basic asm to do all this and the
needed tools to do the job (further discussion he he)
oh yeah and ya have to figure out where to edit what.
give ya a hint though.. the first call (*I think) you see when ya search for that chunk of binary #'s has to be nop'd and then your GUI is unlocked.. pretty easy test
now 1 or maybe 2 more edits are needed to allow certain games to run.
so if people wanna start I'm here to help and I'm curious what ya guys think of this post?
edit#1
when searching for [8D 5C 24 60 8D 44 24 04] you will find two results (when I last checked steam it only came up once) so..
I may be wrong, and instead of the first hit I mentioned above
it may actually be the second hit OR both (which may explain why recent steam cracks were broken pretty bad)
so investigate both, they look and act VERY similar. hmmmm