|
Page 1 of 1
|
[ 3 posts ] |
|
| Author |
Message |
|
(+)
Ultra Elite
Joined: Wed Jul 02, 2008 11:21 am Posts: 789
|
 Non - Steam unban
Funniest thing happened to me today. Got myself unbanned from all non-steam servers I've tried.

1.) Start a single player game.
2.) Type status on the console.
3.) Write down your steam id.
4.) Open hl.exe using artmoney and search for your steam id.
5.) Standard integer 4 bytes.
6.) Change all your finds.
7.) Type status again, doesn't matter if it's still the same.
8.) Now try to join a non-steam server you're banned on.

-----------------------
Now you can change your MAC and release and renew IP using this if you want.
http://www.technitium.com/tmac/index.html

-- Tue Mar 22, 2011 11:57 am --
Might actually add this to my new cheat. Non-steam unbanner. Sounds catchy.

-- Tue Mar 22, 2011 12:29 pm --
LOL! Works good! Doesn't seem like AMX Mod or Steam buster or steamrev or whatever can do module hashes and so on. Cause they are all server-sided. So, makes sense they just use steam id. LOL!

-- Wed Mar 23, 2011 4:25 am --
LOL! In hw.dll to be exact. Two addresses 4 bytes. I'll debug and look for some sigs.

-- Wed Mar 23, 2011 4:35 am --
No, wait, one address in hw.dll and another in steamclient.dll. Wait, does artmoney give pointers?

-- Wed Mar 23, 2011 5:00 am --
Okay here it is:

Code:
    678D0CCD INT3
    678D0CCE INT3
    678D0CCF INT3
    678D0CD0 SUB ESP,1C
    678D0CD3 PUSH EBX
    678D0CD4 XOR EBX,EBX
    678D0CD6 MOV DWORD PTR DS:[6791B14C],steamcli.679>
    678D0CE0 XOR EAX,EAX
    678D0CE2 /MOV CL,BYTE PTR DS:[EAX+6791A448]
    678D0CE8 |MOV BYTE PTR DS:[EAX+6791AC50],CL
    678D0CEE |INC EAX
    678D0CEF |CMP CL,BL
    678D0CF1 \JNZ SHORT steamcli.678D0CE2
    678D0CF3 MOV EAX,steamcli.6791A448 ; ASCII "S0MQJ1MQ112034 "
    678D0CF8 MOV DWORD PTR SS:[ESP+1C],0F
    678D0D00 MOV DWORD PTR SS:[ESP+18],EBX
    678D0D04 MOV BYTE PTR SS:[ESP+8],BL
    678D0D08 LEA EDX,DWORD PTR DS:[EAX+1]
    678D0D0B JMP SHORT steamcli.678D0D10
    678D0D0D LEA ECX,DWORD PTR DS:[ECX]
    678D0D10 /MOV CL,BYTE PTR DS:[EAX]
    678D0D12 |INC EAX
    678D0D13 |CMP CL,BL
    678D0D15 \JNZ SHORT steamcli.678D0D10
    678D0D17 SUB EAX,EDX
    678D0D19 PUSH EAX
    678D0D1A PUSH steamcli.6791A448 ; ASCII "S0MQJ1MQ112034 "
    678D0D1F LEA ECX,DWORD PTR SS:[ESP+C]
    678D0D23 CALL steamcli.678C29C0
    678D0D28 LEA EBX,DWORD PTR SS:[ESP+4]
    678D0D2C CALL steamcli.678CBC80
    678D0D31 CMP DWORD PTR SS:[ESP+1C],10
    678D0D36 MOV DWORD PTR DS:[6791AC3C],EAX
    678D0D3B JB SHORT steamcli.678D0D4A
    678D0D3D MOV EAX,DWORD PTR SS:[ESP+8]
    678D0D41 PUSH EAX
    678D0D42 CALL steamcli.678E5997
    678D0D47 ADD ESP,4
    678D0D4A XOR EBX,EBX
    678D0D4C MOV EAX,steamcli.6791A448 ; ASCII "S0MQJ1MQ112034 "
    678D0D51 MOV DWORD PTR DS:[6791AC38],4A
    678D0D5B MOV DWORD PTR DS:[6791AC40],726576
    678D0D65 MOV DWORD PTR DS:[6791AC44],EBX
    678D0D6B MOV DWORD PTR SS:[ESP+1C],0F
    678D0D73 MOV DWORD PTR SS:[ESP+18],EBX
    678D0D77 MOV BYTE PTR SS:[ESP+8],BL
    678D0D7B LEA EDX,DWORD PTR DS:[EAX+1]
    678D0D7E MOV EDI,EDI
    678D0D80 /MOV CL,BYTE PTR DS:[EAX]
    678D0D82 |INC EAX
    678D0D83 |CMP CL,BL
    678D0D85 \JNZ SHORT steamcli.678D0D80
    678D0D87 SUB EAX,EDX
    678D0D89 PUSH EAX
    678D0D8A PUSH steamcli.6791A448 ; ASCII "S0MQJ1MQ112034 "
    678D0D8F LEA ECX,DWORD PTR SS:[ESP+C]
    678D0D93 CALL steamcli.678C29C0
    678D0D98 LEA EBX,DWORD PTR SS:[ESP+4]
    678D0D9C CALL steamcli.678CBC80
    678D0DA1 MOV BYTE PTR DS:[6791AC37],1
    678D0DA8 MOV ECX,DWORD PTR DS:[6791AC34]
    678D0DAE AND ECX,FF100001
    678D0DB4 ADD EAX,EAX
    678D0DB6 OR ECX,100001
    678D0DBC CMP DWORD PTR SS:[ESP+1C],10
    678D0DC1 MOV DWORD PTR DS:[6791AC30],EAX
    678D0DC6 MOV DWORD PTR DS:[6791AC34],ECX
    678D0DCC POP EBX
    678D0DCD JB SHORT steamcli.678D0DE7
    678D0DCF MOV ECX,DWORD PTR SS:[ESP+4]
    678D0DD3 PUSH ECX
    678D0DD4 CALL steamcli.678E5997
    678D0DD9 MOV ECX,DWORD PTR DS:[6791AC34]
    678D0DDF MOV EAX,DWORD PTR DS:[6791AC30]
    678D0DE4 ADD ESP,4
    678D0DE7 MOV DWORD PTR DS:[6791AC48],EAX
    678D0DEC MOV DWORD PTR DS:[6791AC4C],ECX
    678D0DF2 MOV EAX,steamcli.6791B14C
    678D0DF7 ADD ESP,1C
    678D0DFA RETN

The steam id is stored in a variable inside steamclient.dll it seems. That will explain the address at the high end of the module address range and a pointer to the address can be found at the address range above. Artmoney found: 0x6791AC3C, value is: 766382671 (My non-steam id v42)

-- Wed Mar 23, 2011 5:01 am --
678D0D36 MOV DWORD PTR DS:[6791AC3C],EAX
Right there. Now I'll try to make a unique signature from the unique byte structure of that area of code.

-- Wed Mar 23, 2011 5:33 am --
Okay forgot to show the opcode bytes:

Code:
    678D0CD0 83EC 1C SUB ESP,1C
    678D0CD3 53 PUSH EBX
    678D0CD4 33DB XOR EBX,EBX
    678D0CD6 C705 4CB19167 DC>MOV DWORD PTR DS:[6791B14C],steamcli.679>
    678D0CE0 33C0 XOR EAX,EAX
    678D0CE2 8A88 48A49167 MOV CL,BYTE PTR DS:[EAX+6791A448]
    678D0CE8 8888 50AC9167 MOV BYTE PTR DS:[EAX+6791AC50],CL
    678D0CEE 40 INC EAX
    678D0CEF 3ACB CMP CL,BL
    678D0CF1 ^75 EF JNZ SHORT steamcli.678D0CE2
    678D0CF3 B8 48A49167 MOV EAX,steamcli.6791A448 ; ASCII "S0MQJ1MQ112034 "
    678D0CF8 C74424 1C 0F0000>MOV DWORD PTR SS:[ESP+1C],0F
    678D0D00 895C24 18 MOV DWORD PTR SS:[ESP+18],EBX
    678D0D04 885C24 08 MOV BYTE PTR SS:[ESP+8],BL
    678D0D08 8D50 01 LEA EDX,DWORD PTR DS:[EAX+1]
    678D0D0B EB 03 JMP SHORT steamcli.678D0D10
    678D0D0D 8D49 00 LEA ECX,DWORD PTR DS:[ECX]
    678D0D10 8A08 MOV CL,BYTE PTR DS:[EAX]
    678D0D12 40 INC EAX
    678D0D13 3ACB CMP CL,BL
    678D0D15 ^75 F9 JNZ SHORT steamcli.678D0D10
    678D0D17 2BC2 SUB EAX,EDX
    678D0D19 50 PUSH EAX
    678D0D1A 68 48A49167 PUSH steamcli.6791A448 ; ASCII "S0MQJ1MQ112034 "
    678D0D1F 8D4C24 0C LEA ECX,DWORD PTR SS:[ESP+C]
    678D0D23 E8 981CFFFF CALL steamcli.678C29C0
    678D0D28 8D5C24 04 LEA EBX,DWORD PTR SS:[ESP+4]
    678D0D2C E8 4FAFFFFF CALL steamcli.678CBC80
    678D0D31 837C24 1C 10 CMP DWORD PTR SS:[ESP+1C],10
    678D0D36 A3 3CAC9167 MOV DWORD PTR DS:[6791AC3C],EAX
    678D0D3B 72 0D JB SHORT steamcli.678D0D4A
    678D0D3D 8B4424 08 MOV EAX,DWORD PTR SS:[ESP+8]
    678D0D41 50 PUSH EAX
    678D0D42 E8 504C0100 CALL steamcli.678E5997
    678D0D47 83C4 04 ADD ESP,4
    678D0D4A 33DB XOR EBX,EBX
    678D0D4C B8 48A49167 MOV EAX,steamcli.6791A448 ; ASCII "S0MQJ1MQ112034 "
    678D0D51 C705 38AC9167 4A>MOV DWORD PTR DS:[6791AC38],4A
    678D0D5B C705 40AC9167 76>MOV DWORD PTR DS:[6791AC40],726576
    678D0D65 891D 44AC9167 MOV DWORD PTR DS:[6791AC44],EBX
    678D0D6B C74424 1C 0F0000>MOV DWORD PTR SS:[ESP+1C],0F
    678D0D73 895C24 18 MOV DWORD PTR SS:[ESP+18],EBX
    678D0D77 885C24 08 MOV BYTE PTR SS:[ESP+8],BL
    678D0D7B 8D50 01 LEA EDX,DWORD PTR DS:[EAX+1]
    678D0D7E 8BFF MOV EDI,EDI
    678D0D80 8A08 MOV CL,BYTE PTR DS:[EAX]
    678D0D82 40 INC EAX
    678D0D83 3ACB CMP CL,BL
    678D0D85 ^75 F9 JNZ SHORT steamcli.678D0D80
    678D0D87 2BC2 SUB EAX,EDX
    678D0D89 50 PUSH EAX
    678D0D8A 68 48A49167 PUSH steamcli.6791A448 ; ASCII "S0MQJ1MQ112034 "
    678D0D8F 8D4C24 0C LEA ECX,DWORD PTR SS:[ESP+C]
    678D0D93 E8 281CFFFF CALL steamcli.678C29C0
    678D0D98 8D5C24 04 LEA EBX,DWORD PTR SS:[ESP+4]
    678D0D9C E8 DFAEFFFF CALL steamcli.678CBC80
    678D0DA1 C605 37AC9167 01 MOV BYTE PTR DS:[6791AC37],1
    678D0DA8 8B0D 34AC9167 MOV ECX,DWORD PTR DS:[6791AC34]
    678D0DAE 81E1 010010FF AND ECX,FF100001
    678D0DB4 03C0 ADD EAX,EAX
    678D0DB6 81C9 01001000 OR ECX,100001
    678D0DBC 837C24 1C 10 CMP DWORD PTR SS:[ESP+1C],10
    678D0DC1 A3 30AC9167 MOV DWORD PTR DS:[6791AC30],EAX
    678D0DC6 890D 34AC9167 MOV DWORD PTR DS:[6791AC34],ECX
    678D0DCC 5B POP EBX
    678D0DCD 72 18 JB SHORT steamcli.678D0DE7
    678D0DCF 8B4C24 04 MOV ECX,DWORD PTR SS:[ESP+4]
    678D0DD3 51 PUSH ECX
    678D0DD4 E8 BE4B0100 CALL steamcli.678E5997
    678D0DD9 8B0D 34AC9167 MOV ECX,DWORD PTR DS:[6791AC34]
    678D0DDF A1 30AC9167 MOV EAX,DWORD PTR DS:[6791AC30]
    678D0DE4 83C4 04 ADD ESP,4
    678D0DE7 A3 48AC9167 MOV DWORD PTR DS:[6791AC48],EAX
    678D0DEC 890D 4CAC9167 MOV DWORD PTR DS:[6791AC4C],ECX
    678D0DF2 B8 4CB19167 MOV EAX,steamcli.6791B14C
    678D0DF7 83C4 1C ADD ESP,1C

-- Wed Mar 23, 2011 5:52 am --
Now we can use the opcode bytes to find the address we need to change. Using seren1ty's source codes FindCodeAddress.

Code:
    68 48A49167 PUSH steamcli.6791A448 ; ASCII "S0MQJ1MQ112034 "
    8D4C24 0C LEA ECX,DWORD PTR SS:[ESP+C]
    E8 981CFFFF CALL steamcli.678C29C0
    8D5C24 04 LEA EBX,DWORD PTR SS:[ESP+4]
    E8 4FAFFFFF CALL steamcli.678CBC80
    837C24 1C 10 CMP DWORD PTR SS:[ESP+1C],10
    A3 3CAC9167 MOV DWORD PTR DS:[6791AC3C],EAX
    -------------------------------------------------
    ( 0xFF - means undefined or unknown/changing )
    BYTE SteamIdCode[33] = {
        0x68, 0xFF, 0xFF, 0xFF, 0xFF, 0x8D, 0x4C, 0x24, 0x0C,
        0xE8, 0xFF, 0xFF, 0xFF, 0xFF, 0x8D, 0x5C, 0x24, 0x04,
        0xE8, 0xFF, 0xFF, 0xFF, 0xFF, 0x83, 0x7C, 0x24, 0x1C, 0x10,
        0xA3, 0x3C, 0xAC, 0x91, 0x67
    };
    //////////////////////////////////////////////////
    bool CompareMemory(LPCBYTE bAddress, LPCBYTE bCode, int Size)
    {
        for(int i=0; i<Size; i++, bCode++, bAddress++)
        {
            if((*bAddress != *bCode) && (*bCode != 0xFF))
                return false;
        }
        return true;
    }

    DWORD FindCodeAddress(DWORD dwStart, DWORD dwEnd, LPBYTE bCode, int CodeSize, int OpcodeNum)
    {
        for(DWORD d=dwStart; (d+CodeSize) < dwEnd; d++)
        {
            if( CompareMemory((LPBYTE)d, bCode, CodeSize))
                return (DWORD)(d+OpcodeNum);
        }
        return 0xFFFFFFFF;
    }

So: 29 = first byte + 29 *(PDWORD) to make it a (dword / right way aligned address) since it's written in reverse order in memory. Then all you would need to do is change the value. But the player must either be connected or in single player otherwise none will be found.

-- Wed Mar 23, 2011 5:54 am --
Untested as of now, but I'm gonna test as I speak/type.

-- Wed Mar 23, 2011 6:01 am --
AhAHhAhHAhAH !!!!!!! WORKS !!!!!!!!!!!

-- Wed Mar 23, 2011 6:11 am --
LOL! AhAHHAhHAhh !!!!

-- Wed Mar 23, 2011 6:17 am --
This for non-steam v42 by the way.

-- Wed Mar 23, 2011 7:06 am --
Wait I made a mistake. Will update.

-- Wed Mar 23, 2011 7:25 am --
Hmm, there seems to be two steamclient.dll's. LOL!

-- Wed Mar 23, 2011 7:53 am --
Okay, my error right here:

Code:
    BYTE SteamIdCode[33] = {
        0x68, 0xFF, 0xFF, 0xFF, 0xFF, 0x8D, 0x4C, 0x24, 0x0C,
        0xE8, 0xFF, 0xFF, 0xFF, 0xFF, 0x8D, 0x5C, 0x24, 0x04,
        0xE8, 0xFF, 0xFF, 0xFF, 0xFF, 0x83, 0x7C, 0x24, 0x1C, 0x10,
        0xA3, 0xFF, 0xFF, 0xFF, 0xFF,
    };

-- Wed Mar 23, 2011 7:54 am --
Last line should be: 0xA3, 0xFF, 0xFF, 0xFF, 0xFF,

-- Wed Mar 23, 2011 8:01 am --
Okay final code. Credits: Seren1ty etc.

Code:
    BYTE bToggle = 0x00;

    BYTE SteamIdCode[33] = {
        0x68, 0xFF, 0xFF, 0xFF, 0xFF, 0x8D, 0x4C, 0x24, 0x0C,
        0xE8, 0xFF, 0xFF, 0xFF, 0xFF, 0x8D, 0x5C, 0x24, 0x04,
        0xE8, 0xFF, 0xFF, 0xFF, 0xFF, 0x83, 0x7C, 0x24, 0x1C, 0x10,
        0xA3, 0xFF, 0xFF, 0xFF, 0xFF,
    };

    bool CompareMemory(LPCBYTE bAddress, LPCBYTE bCode, int Size)
    {
        for(int i=0; i<Size; i++, bCode++, bAddress++)
        {
            if((*bAddress != *bCode) && (*bCode != 0xFF))
                return false;
        }
        return true;
    }

    DWORD FindCodeAddress(DWORD dwStart, DWORD dwEnd, LPBYTE bCode, int CodeSize, int OpcodeNum)
    {
        for(DWORD d=dwStart; (d+CodeSize) < dwEnd; d++)
        {
            if( CompareMemory((LPBYTE)d, bCode, CodeSize))
                return (DWORD)(d+OpcodeNum);
        }
        return 0xFFFFFFFF;
    }

    void APIENTRY New_wglSwapBuffers (HDC hDC)
    {
        if( !( GetKeyState( VK_NUMPAD1 ) < 0 ) )
            bToggle = 0x00;
        else
        {
            if( !bToggle )
            {
                DWORD StartAddress = NULL;
                while( !StartAddress ){StartAddress = (DWORD)GetModuleHandleA( "steamclient.dll" );}
                DWORD DLL_SIZE = (DWORD)0x66000; //( 417792 in decimal )
                DWORD SteamId = *(PDWORD)FindCodeAddress( StartAddress, StartAddress + DLL_SIZE, SteamIdCode, 33, 29 );
                PDWORD pSteamId = (PDWORD)SteamId;
                /* initialize random seed: */
                srand ( (UINT)time(NULL) );
                /* generate secret number: */
                int NewId = rand() % 999999999 + 333333333;
                *pSteamId = NewId;
                bToggle = 0x01;
            }
        }
        d_wglSwapBuffers(hDC);
    }

-- Wed Mar 23, 2011 8:05 am --
Works 100% now. Man this is so funny. I think even getting banned by a VIP doesn't matter anymore with this.

-- Thu Mar 24, 2011 1:07 am --
Wait, I think I got the data type wrong, I used int pointer. I'm not sure what it must be. Causes crash when you type. Maybe need to do FlushInstructionCache.

-- Thu Mar 24, 2011 2:45 am --
==================================
EDIT: March 24, 2011.
_________________

|
| Tue Mar 22, 2011 3:56 pm |
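
Seen from the server side, as an added example that is not part of the original post: because the ban described above is keyed only to an ID the client holds, this check flags a never-before-seen ID that connects from an address shortly after a ban was issued to that address. The `epoch action address id` log format, the function names and all sample values are constructed for illustration; since the post also mentions changing MAC and IP, address correlation is one signal to combine with others.

```python
import re
from collections import defaultdict

# Constructed sample in a hypothetical "epoch action address id" log format.
SAMPLE_LOG = """\
1000 CONNECT 203.0.113.7 700000001
1060 BAN 203.0.113.7 700000001
1095 CONNECT 203.0.113.7 912345678
1100 CONNECT 198.51.100.4 555000111
1900 CONNECT 198.51.100.9 444000222
5000 CONNECT 203.0.113.7 400000001
"""

LINE = re.compile(r"^(\d+) (CONNECT|BAN) (\S+) (\d+)$")


def parse(log):
    """Yield (ts, action, addr, client_id) for each well-formed line."""
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if m:
            ts, action, addr, client_id = m.groups()
            yield int(ts), action, addr, int(client_id)


def flag_ban_evasion(log, window_s=600):
    """Return (ts, addr, banned_id, new_id) for each first-seen ID that
    connects from an address within window_s seconds of a ban there."""
    seen = defaultdict(set)  # addr -> IDs already seen from that address
    last_ban = {}            # addr -> (ban timestamp, banned ID)
    alerts = []
    for ts, action, addr, client_id in parse(log):
        if action == "BAN":
            last_ban[addr] = (ts, client_id)
            continue
        ban = last_ban.get(addr)
        is_new = client_id not in seen[addr]
        if ban and is_new and client_id != ban[1] and ts - ban[0] <= window_s:
            alerts.append((ts, addr, ban[1], client_id))
        seen[addr].add(client_id)
    return alerts
```
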
|
 |
|
drdr
N00b
Joined: Tue May 10, 2011 9:46 pm Posts: 1
|
 Re: Non - Steam unban
Please upload compiled EXE file for change steam.
|
| Tue May 10, 2011 9:53 pm |
|
 |
|
edmondg
N00b
Joined: Mon Jul 11, 2011 10:59 pm Posts: 1
|
 Re: Non - Steam unban
Hello. I have seen your post about NON STEAM UNBAN... dude plz make exe file or give good explanation to this... Dude million of players will thank you for this. plz make unban program. thank you...
|
| Mon Jul 11, 2011 11:04 pm |
|