Valve Steam CEG and what it's all about. Everything complicated is simple

    [image]

    Good day, %USERNAME%! My previous article, "Valve's Steam CEG and What It's All About. An Introduction", gave only an abstract understanding of the principles behind CEG. This article will contain an absolute minimum of theory and will be mostly practice. Today we will consider whether it is possible to "wean" the cherished executable file off this protection.

    Step I. Choosing a “victim” and analyzing it

    The presence of CEG, of any version, is easily detected by the presence of a .version section in the header and by the first four bytes in it (78 56 34 12):

    [image]

    Knowing this, and after a bit of searching in my Steam library, I chose the legendary HD reissue of Age of Mythology with the suffix "Extended Edition". After the download completes, and after waiting a couple of seconds for CEG to sign the executable file, we open it in our debugger, in my case x64dbg. Oh yes, it is worth noting that CEG uses some anti-debugging tricks, so we will use the ScyllaHide plugin with the following settings:

    [image]

    So, opening the executable file, we see that it is not covered by any third-party packer, so we can safely proceed to the second step.
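As an added example (not code from the original article or from Valve), here is a small Python script that applies the identification rule from Step I to a PE file: it walks the section table and reports whether a .version section exists and whether its first four bytes are 78 56 34 12. The PE images it inspects are constructed inline by build_sample_pe, a helper written for this example and not part of any real tool; detect_ceg and pe_sections are likewise names chosen here. A check like this is useful for taking inventory of which binaries in a library carry CEG before doing any deeper analysis, and it deliberately does not fire on the section name alone.

```python
import struct

# The identification rule from Step I: a CEG-protected executable carries a
# ".version" section whose first four bytes are 78 56 34 12.
CEG_SECTION = b".version"
CEG_MAGIC = bytes.fromhex("78563412")


def build_sample_pe(sections):
    """Build a minimal PE image for testing (constructed input, not a real game binary).

    `sections` is a list of (name, data) pairs. The optional header is left empty
    (SizeOfOptionalHeader = 0); the section table is all the parser below needs.
    This helper is an assumption of the example, not part of the article.
    """
    e_lfanew = 64
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)  # e_lfanew: offset of "PE\0\0"
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    table_start = e_lfanew + 4 + len(coff)
    raw_start = table_start + 40 * len(sections)
    table, body = bytearray(), bytearray()
    for name, data in sections:
        # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData,
        # PointerToRawData, PointerToRelocations, PointerToLinenumbers,
        # NumberOfRelocations, NumberOfLinenumbers, Characteristics
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data),
                             0x1000 + len(body), len(data), raw_start + len(body),
                             0, 0, 0, 0, 0x40000040)
        body += data
    return bytes(dos) + b"PE\0\0" + coff + bytes(table) + bytes(body)


def pe_sections(pe):
    """Yield (name, raw_bytes) for every section listed in the PE section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size  # section table follows the optional header
    for i in range(num_sections):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", pe, table + 40 * i)
        yield name.rstrip(b"\0"), pe[raw_ptr:raw_ptr + raw_size]


def detect_ceg(pe):
    """Return a dict describing the .version section, or None if there is none.

    'ceg' is True only when the section starts with the 78 56 34 12 marker.
    """
    for name, data in pe_sections(pe):
        if name == CEG_SECTION:
            return {"section": name.decode(), "head": data[:4].hex(),
                    "ceg": data[:4] == CEG_MAGIC}
    return None


# Constructed samples: one that looks CEG-signed, one plain, and one with a
# .version section that lacks the marker (so the name alone must not trigger).
SAMPLE_CEG = build_sample_pe([(b".text", b"\x90" * 16),
                              (b".version", CEG_MAGIC + b"\0" * 28)])
SAMPLE_PLAIN = build_sample_pe([(b".text", b"\x90" * 16), (b".rdata", b"\0" * 16)])
SAMPLE_NO_MARKER = build_sample_pe([(b".version", b"\x01\x02\x03\x04")])

if __name__ == "__main__":
    for label, sample in [("ceg", SAMPLE_CEG), ("plain", SAMPLE_PLAIN),
                          ("no-marker", SAMPLE_NO_MARKER)]:
        print(label, detect_ceg(sample))
```

To run it against a real file, replace the constructed samples with the bytes read from disk and call detect_ceg on them; the parser only reads the DOS stub, the COFF header and the section table, so it works on any well-formed 32-bit or 64-bit PE.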

    Step II. Taking it apart

    In absolutely any version of CEG there is one function that performs the general calculation of the desired values. It looks like this:

    [image]

    Knowing this, set a breakpoint on any of the instructions

        mov eax, dword ptr ds:[ecx]

    or on the one that follows it:

        mov dword ptr ds:[ecx],eax

    Press "Run" (F9) and see that the breakpoint hits! "And what did that give us?" you ask. I answer: the exact value that lands in EAX. You can verify this by looking in the right column next to the "CPU" tab:

    [image]

    As you can see from the image, we got the value EDB88320. Copy it to the clipboard and move on. Press "Step Over" (F8) twice and we find ourselves inside one of the functions used by CEG.

    [image]

    At this point it is worth saying a few words about the existing types of such functions. There can be three of them:

    1. Functions with a constant value (Constant): they return a constant value that is always the same. Patched as:

        mov eax, <value>
        ret

    2. Functions with a random value (Random): they return an arbitrary integer value. Patched as:

        mov eax, <value>
        ret

    (used only in the latest versions of CEG);

    3. Protective functions (Protect): they are pointers that lead to the true function. Patched as:

        jmp <address>

    Now let's get back to our game. We are inside the desired function and we have the correct value in EAX. Now we must determine the type of our function. Scrolling down a couple of instructions, we see that this instruction is used:

        lea eax, dword ptr ds:[esi+ebx]

    [image]

    And this can only mean one thing: we are dealing with a function that returns a constant value. In general, remember that if values like EDB88320, 60, 11, 5, 3f, etc. appear in EAX, it is immediately clear that the function using that value is a Constant one. Why? Because these are "well-known" CEG constants, and they are the same in every version of CEG. Therefore, we move to the very beginning of the function and adjust it, changing it to:

        mov eax, EDB88320
        ret

    [image]

    So, what next? Then we repeat it all again (keeping, of course, the same breakpoint on the function that calculates the values) until the game starts (Profit!), which means we have passed all the CEG checks. All of them?! Well, let's see. We save the file with the patches applied and try to run it on another PC (on which the game has, of course, already been downloaded). And then... bummer. The game does not want to run! Oh yes, we forgot another important detail! The fact is that CEG, as mentioned in the first article, uses so-called file checks. Opening the debugger again, we can easily spot these checks by the telltale presence of the wonderful WinAPI functions GetFileInformationByHandle, CreateFileW, OpenFileById, StringFromGUID2, RegOpenKeyExW, SystemFunction036 and lstrcmpiW. In our game there is only one such check; you can find it right away by typing GetFileInformationByHandle into the "References" search:

    [image]

    Go to the beginning of it and look for the function that calls this check (RMB -> Find references -> To Selected Address(es), or the key combination Ctrl+R). It will look like this:

    [image]

    Well then, let's do it! Although this can be done in a more sophisticated way, we will do it the easy way, using:

        mov eax, 1
        ret

    [image]

    We save the result of the work done and test a second time. Oh Gods, the game started on another Steam account and on another PC!



    Step III. Fully freeing the game from Steam (Yarr! Edition)

    Of course, after that pleasure I wanted something more extreme. What if I just want to play with a friend over LAN without Steam, like in the good old days? Well, no problem. To do this, I downloaded an excellent Steam emulator with partial overlay support (!) called SmartSteamEmu. Having configured it, I launched the game without Steam running. And what do I see: a *.STEAMSTART file was created and the game just sat in the process list. After about thirty seconds of thinking, the game still started and worked properly. But why? We seem to have done everything, right? Yes, that is so, but we forgot one small touch. The fact is that this event file is created when the Steam process is not running, and it is essentially the last micro-check. Well, we open the debugger for the third time and look for all the functions with CreateFileA. Without hesitation, we put breakpoints on all of them (in this case there are only two). When the game started, a breakpoint hit:

    [image]

    STEAMSTART, we see you! So, to put an end to this misunderstanding, we simply change the top JE to JNZ or JMP:

    [image]

    Save the patch and try to run the game once more without Steam, fingers crossed. And voila, the game started within seconds! We did this to you, CEG; forgive us.

    The conclusion, actually

    CEG in Age of Mythology: Extended Edition was not difficult. This game had neither Protect nor Random functions, only Constant ones, which greatly simplified the task. This game also had none of the minor checks, in the form of the good old CRC or the newest checks on the processor ID or the hard drive serial number.
    In the future, I hope to master these two new checks and write a new article, but for now, see you soon!
