[Discussion] Possible way of faking SteamID?

[NightmareTX_RETIRED]

Now I don't set it as an official release because I dont know if it does affect the SteamID or not. But there is something I found, using CE, in IW5MP.exe called "STEAMID=" and next to the "=" there is your actual SteamID. I wonder that if you do modify it, do you think that it will make the report option useless?

My Predictions:

95% that it wont do squat
3% that it might work and that when players want to report they will see your avatar and name but the link might redirect them to a fake Profile Page.
2% That your name and avatar might not show at all

For those who are expert in hacking, what do you think?

[[MPGH]master131]

Probably won't work. You could always try if you want though.

EDIT - I know of a struct array in the game's memory that has a string that contains each player's Steam ID, XUID and whatnot. It only appears when you are host so modifying it *might* work. The address for the 1st player information string (not the actual struct) is located at 0x4C35A00.

[NightmareTX_RETIRED]

Modified SteamID and It didnt found my name in the Recent Game Tab. Normally I should see myself no? Althought this window doesnt refresh very often
@master131

[The0neThe0nly]

A while ago in CS:S, you were able to do this and use Console to connect to a game even if you were VAC'd. I'm not sure if it would work in Modern Warfare 3 though, give it a shot.

[[MPGH]master131]

Modified SteamID and It didnt found my name in the Recent Game Tab. Normally I should see myself no? Althought this window doesnt refresh very often
@master131

No, I'm pretty sure you don't see yourself on that list.

[NightmareTX_RETIRED]

No, I'm pretty sure you don't see yourself on that list.

Strange because sometime I do.

*EDIT*
1. After a full restart of the game, I can see myself in the Recent Game Tab
2. Modify SteamID
3. Started Private Match
4. My Icon and link is gone.

To Make Sure:
1. After a full restart of the game, I can see myself in the Recent Game Tab
2. DID NOT modify SteamID
3. Started Private Match
4. My Icon and link is gone.

hmmm.....

[[MPGH]master131]

Strange because sometime I do

Well, I don't pay attention to it so yeah. See if you can get a friend to help you test.

[NightmareTX_RETIRED]

Well, I don't pay attention to it so yeah. See if you can get a friend to help you test.

Yeah. that would be best

[[MPGH]master131]

@NightmareTX The string edit alone probably isn't going to work because the game uses an int64 to hold the XUID/Steam ID value in the same struct. The address of this 8 byte value is for the first player is at 0x4C79C0A. Set the value to anything apart from zero and see what happens. There's also another one at 0x4C7A658.

I can also think of another method to fake Steam ID by modifying a function in steam_api.dll to return a fake Steam ID but that can be risky because I'm not sure if VAC checks for modifications on it.

[rawr im a tiger]

@NightmareTX The string edit alone probably isn't going to work because the game uses an int64 to hold the XUID/Steam ID value in the same struct. The address of this 8 byte value is for the first player is at 0x4C79C0A. Set the value to anything apart from zero and see what happens. There's also another one at 0x4C7A658.

I can also think of another method to fake Steam ID by modifying a function in steam_api.dll to return a fake Steam ID but that can be risky because I'm not sure if VAC checks for modifications on it.

ie. CSteamID CSteamUser014::GetPlayerSteamID()? If you hook that and IsVacBanned, you'd probably be able to play in private matches while banned.

As for spoofing ID as a variable, I'm no protocol expert, but I think steam requires validation and does a server-side VAC Ban check before allowing you to auth to DemonWare.

[[MPGH]master131]

ie. CSteamID CSteamUser014::GetPlayerSteamID()? If you hook that and IsVacBanned, you'd probably be able to play in private matches while banned.

As for spoofing ID as a variable, I'm no protocol expert, but I think steam requires validation and does a server-side VAC Ban check before allowing you to auth to DemonWare.

Yes, that's what I was referring to. And if anyone is interested in the psuedo-code, here it is (for 1.9.453):

Code:

// 0x3B418448 is a pointer to the current player's ISteamUser class
steamUserStruct = Read<IntPtr>(0x3B418448);

// The first value of the ISteamUser class is a pointer to a virtual method table
vTableAddress = Read<IntPtr>(steamUserStruct);

// The GetSteamID function is the 3rd one in the VMT.
// +0 = GetHSteamUser
// +4 = BLoggedOn
// +8 = GetSteamID
getSteamIDMethodPtr = (IntPtr)(vTableAddress.ToInt64() + 0x8); 

// Read the pointer to the function
getSteamIDMethodAddress = Read<IntPtr>(getSteamIDMethodPtr); 

// Now modify the function at getSteamIDMethodAddress to do whatever, like return
// a fake CSteamID value (essentially an int64 which is stored as an EAX and EDX value).
// Example, to return a Steam ID of 0xDEADBEEFBEEFDEAD, we'd replace the function with this:
// mov eax, BEEFDEAD
// mov edx, DEADBEEF
// ret

Thanks to VoiDeD for making Open Steamworks public. :3

IntPtr can be replaced with Int32/Integer since all pointers in 32-bit processes are only 4 bytes long.