Luigi Auriemma

aluigi.org (ARCHIVE-ONLY FORUM!)
 Post subject: Steam password recovery?
PostPosted: 18 Aug 2008 19:20 

Joined: 18 Aug 2008 19:16
Posts: 4
in the txt you write:
"If you want you can locate the password very easily, it's just the hex
sequence of chars ("012345678...9ABCDEF") after "Phrase" and is at
least 92 chars long."

can you explain how more specified?

thanks.


 
 
 Post subject:
PostPosted: 18 Aug 2008 20:08 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
it's simple, take your clientregistry.blob file on which is saved your password and open it with a hex editor and then:
- search the text "phrase" (without ").
- skip 30 bytes from the beginning of phrase (so 24 bytes after it)
- here is located a 16 bit number, save it: num = byte1 + (byte2 * 256)
- skip the 2 bytes of the number
- here is located a 32 bit number, save it as before (remember that it's 4 bytes long)
- now skip the 4 bytes just read and the amount of bytes specified by the previous 16 bit number
- here is located the encrypted string of the password which has the length specified in the previous 32 bit number

in C it's more simple than words:
Code:
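        p += 30;                            // p points to "Phrase": skip 30 bytes
        nlen = *(u16 *)p;   p += 2;         // 16 bit number
        len  = *(u32 *)p;   p += 4 + nlen;  // 32 bit length; p is now on the encrypted string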


 
 Post subject:
PostPosted: 18 Aug 2008 21:13 

Joined: 18 Aug 2008 19:16
Posts: 4
i didn't understand..

can you explain more easily?
in line
num = byte1 + (byte2 * 256)
so if i get
44
so i do ?
256 * 4 + 4 ?


 
 Post subject:
PostPosted: 18 Aug 2008 23:08 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
Ok, let's try with an example.
After you find "phrase" you will see a situation similar to the following:
Code:
50 68 72 61 73 65 01 50 7e 00 00 00 00 00 00 00   Phrase.P~.......
04 00 04 00 00 00 01 00 00 00 02 00 00 00 04 00   ................
5c 00 00 00 02 00 00 00 39 41 46 41 42 44 39 36   \.......9AFABD96
32 30 43 45 43 34 39 31 46 38 33 44 43 45 31 32   20CEC491F83DCE12
36 33 33 44 39 43 44 41 41 44 45 30 42 36 46 46   633D9CDAADE0B6FF
41 32 42 42 45 30 31 32 45 38 39 32 37 33 36 39   A2BBE012E8927369
35 32 35 37 43 44 43 45 39 35 37 32 41 37 30 38   5257CDCE9572A708
38 42 32 43 41 43 30 33 37 44 43 38 33 33 36 33   8B2CAC037DC83363
33 33 35 35 12 00 2a 00 00 00 43 6c 6f 63         3355..*...Cloc

so skip the 30 bytes from Phrase and you reach "04 00" which is the number 4 (0x04 + (0x00 * 256))
the subsequent number "5c 00 00 00" is the size of the encrypted string and is a 32bit number equal to 0x5c (92)
now skip the 4 bytes which were specified in the previous 16 bit number and you reach your encrypted string


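The lookup from the two posts above (the step list and the worked hex dump), written as a bounds-checked C function. This is an added example, not part of the original thread or of steampwd.c; the function names and the constructed sample buffer are assumptions, and it only locates the field, it does not decrypt it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Little-endian read, one byte at a time (no unaligned pointer casts). */
static uint32_t rd_le(const uint8_t *p, int n) {
    uint32_t v = 0;
    while (n--) v = (v << 8) | p[n];
    return v;
}
static int is_hex(uint8_t c) { return (c >= '0' && c <= '9') || (c >= 'A' && c <= 'F'); }

/* Returns the offset of the encrypted string after "Phrase" and stores its
 * length in *out_len, or -1 when no candidate fits inside the buffer. */
long find_phrase_field(const uint8_t *buf, size_t size, uint32_t *out_len) {
    for (size_t i = 0; i + 36 <= size; i++) {
        if (memcmp(buf + i, "Phrase", 6) != 0) continue;
        uint32_t nlen = rd_le(buf + i + 30, 2);  /* 16-bit number at +30 */
        uint32_t len  = rd_le(buf + i + 32, 4);  /* 32-bit length at +32 */
        size_t start  = i + 36 + nlen;           /* skip 4 + nlen bytes */
        if (len == 0 || start > size || len > size - start) continue;
        uint32_t k = 0;
        while (k < len && is_hex(buf[start + k])) k++;
        if (k != len) continue;                  /* not the hex field */
        *out_len = len;
        return (long)start;
    }
    return -1;
}

/* Constructed sample: header as in the thread's dump, then a 12-char placeholder. */
size_t build_sample(uint8_t *out, uint32_t claimed_len) {
    static const uint8_t hdr[40] = {
        'P','h','r','a','s','e',0x01,0x50,0x7e,0,0,0,0,0,0,0,
        0x04,0,0x04,0,0,0,0x01,0,0,0,0x02,0,0,0,
        0x04,0, 0,0,0,0, 0x02,0,0,0 };         /* nlen, len, nlen bytes */
    memcpy(out, hdr, sizeof hdr);
    out[32] = (uint8_t)claimed_len;            /* patch the length field */
    memcpy(out + 40, "0123456789AB", 12);
    return 52;
}

int main(void) {
    uint8_t blob[64];
    uint32_t len = 0;
    long off = find_phrase_field(blob, build_sample(blob, 12), &len);
    printf("offset=%ld len=%u\n", off, (unsigned)len);
    printf("oversized length field: %ld\n", find_phrase_field(blob, build_sample(blob, 92), &len));
    return 0;
}
```

Unlike the three-line pointer version, a length field that claims more bytes than the buffer holds is rejected instead of being read past the end.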
 
 Post subject:
PostPosted: 19 Aug 2008 20:23 

Joined: 18 Aug 2008 19:16
Posts: 4
aluigi wrote:
Ok, let's try with an example.
After you find "phrase" you will see a situation similar to the following:
Code:
50 68 72 61 73 65 01 50 7e 00 00 00 00 00 00 00   Phrase.P~.......
04 00 04 00 00 00 01 00 00 00 02 00 00 00 04 00   ................
5c 00 00 00 02 00 00 00 39 41 46 41 42 44 39 36   \.......9AFABD96
32 30 43 45 43 34 39 31 46 38 33 44 43 45 31 32   20CEC491F83DCE12
36 33 33 44 39 43 44 41 41 44 45 30 42 36 46 46   633D9CDAADE0B6FF
41 32 42 42 45 30 31 32 45 38 39 32 37 33 36 39   A2BBE012E8927369
35 32 35 37 43 44 43 45 39 35 37 32 41 37 30 38   5257CDCE9572A708
38 42 32 43 41 43 30 33 37 44 43 38 33 33 36 33   8B2CAC037DC83363
33 33 35 35 12 00 2a 00 00 00 43 6c 6f 63         3355..*...Cloc

so skip the 30 bytes from Phrase and you reach "04 00" which is the number 4 (0x04 + (0x00 * 256))
the subsequent number "5c 00 00 00" is the size of the encrypted string and is a 32bit number equal to 0x5c (92)
now skip the 4 bytes which were specified in the previous 16 bit number and you reach your encrypted string



and what i do now ?
after "5c 00 00 00" i find my encrypted string how i reach the password ?


 
 Post subject:
PostPosted: 19 Aug 2008 22:20 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
naturally the password is encrypted, you must decrypt it using the algorithm explained in the steampwd.c using the keys specific to your computer


 
 Post subject:
PostPosted: 20 Aug 2008 00:29 

Joined: 18 Aug 2008 19:16
Posts: 4
aluigi wrote:
naturally the password is encrypted, you must decrypt it using the algorithm explained in the steampwd.c using the keys specific to your computer


ok, but why in the txt you write

"If you want you can locate the password very easily, it's just the hex
sequence of chars ("012345678...9ABCDEF") after "Phrase" and is at
least 92 chars long."

you didn't say to locate the encrypted password...

thanks anyway..


 
 Post subject:
PostPosted: 20 Aug 2008 10:37 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
if the password wasn't encrypted why would I have needed to create steampwd?!?

then you must read all the section and not only the last part:

"The encrypted password is contained in the ClientRegistry.blob file...
If you want you can locate the password very easily..."


 
 Post subject: Re: Steam password recovery?
PostPosted: 06 Jan 2009 19:30 

Joined: 19 Dec 2008 20:20
Posts: 11
How does the string Look like ? Is this that Piece?:


9AFABD96
32 30 43 45 43 34 39 31 46 38 33 44 43 45 31 32 20CEC491F83DCE12
36 33 33 44 39 43 44 41 41 44 45 30 42 36 46 46 633D9CDAADE0B6FF
41 32 42 42 45 30 31 32 45 38 39 32 37 33 36 39 A2BBE012E8927369
35 32 35 37 43 44 43 45 39 35 37 32 41 37 30 38 5257CDCE9572A708
38 42 32 43 41 43 30 33 37 44 43 38 33 33 36 33 8B2CAC037DC83363
33 33 35 35 12 00 2a 00 00 00 43 6c 6f 63 3355

TK,

Lenny


 
 Post subject: Re: Steam password recovery?
PostPosted: 07 Jan 2009 08:17 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
yes, that one (9AFABD9620CEC491F83DCE12633D9CDAADE0B6FFA2BBE012E89273695257CDCE9572A7088B2CAC037DC833633355) is just the encrypted password


 
 Post subject: Re: Steam password recovery?
PostPosted: 07 Jan 2009 10:03 

Joined: 19 Dec 2008 20:20
Posts: 11
SO if I have opened the ClientRegistry.blob its just this String in the Middle of the Picture ?!

Image

Why do I need things like

Quote:
it's simple, take your clientregistry.blob file on which is saved your password and open it with a hex editor and then:
- search the text "phrase" (without ").
- skip 30 bytes from the beginning of phrase (so 24 bytes after it)
- here is located a 16 bit number, save it: num = byte1 + (byte2 * 256)
- skip the 2 bytes of the number
- here is located a 32 bit number, save it as before (remember that it's 4 bytes long)
- now skip the 4 bytes just read and the amount of bytes specified by the previous 16 bit number
- here is located the encrypted string of the password which has the length specified in the previous 32 bit number

then `?

Take Care,

Lenny


 
 Post subject: Re: Steam password recovery?
PostPosted: 07 Jan 2009 18:46 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
the image doesn't exist.

that method I show is for finding the encrypted password easily through a programming language (a human doesn't need it because the password is visible enough since it's clear text).

then you must call the SteamDecryptDataForThisMachine function for decrypting it like in this example:

post3679.html#p3679

or use other solutions like getting all the decryption keys manually and then using AESPHM_Decrypt (probably impossible with autoit)


 
 Post subject: Re: Steam password recovery?
PostPosted: 07 Jan 2009 19:10 

Joined: 19 Dec 2008 20:20
Posts: 11
Hi

I got a nice method in AutoIt to get this String.

Now Next thing:

Do I have to create the Memory Structure due to Using the New DLL ?

And I don't Understand how to this Functions (Param's -> No Script in your Example)

The third thing I would like to know: When do I need the 3 registry Keys ?

My Script is just build like that:

FIND REGVALUES
FIND STEAM INSTALL DIRECTORY
FIND THE STRING IN THE BLOB
CREATE THE DLL STRUCTURE (like U described in the general Forum)
CALL THE DLL (SteamDecryptDataForThisMachine; but what Params?)

Tk,

Lenny

Edit: Maybe that helps you (and me ;))

How the "DllCall" Function works in AutoIt:

DllCall ( "dll", "return type", "function" , ["type1" )

dll = Path to the dll
return type = The return type of the function

Some of them are:
Code:
byte    a 8 bit integer
ubyte   an unsigned 8 bit integer
short   a 16 bit integer
ushort  an unsigned 16 bit integer
dword   an unsigned 32 bit integer
udword  an unsigned 32 bit integer
int     a 32 bit integer
uint    an unsigned 32 bit integer
long    a 32 bit integer
ulong   an unsigned 32 bit integer
int64   a 64 bit integer
uint64  an unsigned 64 bit integer
str     an ANSI string (cannot be more than 65536 chars).
wstr    a UNICODE wide character string (converted to/from an ANSI string during the call if needed). Cannot be more than 65536 chars.
hwnd    a window handle (pointer)
ptr     a general pointer (void *)
float   a single precision floating point number
double  a double precision floating point number


function = The functionname in the DLL to call

type = The type of the parameter (Like Pointer)

And then the Parameters of the Function


 
 Post subject: Re: Steam password recovery?
PostPosted: 07 Jan 2009 19:57 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
the memory structure was needed ONLY for the previous method I used when SteamDecryptDataForThisMachine didn't exist in steam.dll (it was introduced by Valve only recently).

in your case I think that the SteamDecryptDataForThisMachine function can be declared as follows:
Code:
int SteamDecryptDataForThisMachine(str encpwd, int encpwd_len, str pwd, int pwd_size, ptr int pwd_len)

where:
- encpwd is your encrypted string (like 9AFABD9620...33355)
- encpwd_len is the length of the encrypted string (like 92)
- pwd is an empty buffer which will contain the decrypted string
- pwd_size is the full size of pwd, so 65535 in your case
- pwd_len is an integer which receives the length of the decrypted password, so I don't know how to declare it in autoit

the return value is 0 if the password has been successfully decrypted or any other value for a failure.
the decryption key is automatically retrieved by the same function so you don't need to handle it


 
 Post subject: Re: Steam password recovery?
PostPosted: 07 Jan 2009 20:08 

Joined: 19 Dec 2008 20:20
Posts: 11
Hi Thank you so much, but:

How do I get the encpwd_len ? Is it Always 92 ? (My Personal string in the Blob is 92 Chars long, too)


For the dll-call: I have to create a Buffer then ? Or can I use normal Variables ?

How large should the Buffer be ?


 
 Post subject: Re: Steam password recovery?
PostPosted: 07 Jan 2009 20:13 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
I bet that autoit has a function for getting the length of a string... for example in C it's strlen

about the buffer (I think you refer to pwd) I think that you can simply declare it as str because in the list you posted it is written that "str an ANSI string (cannot be more than 65536 chars)." so if you must decide a size I suggest you use 64 or 128 since it's only a password


 
 Post subject: Re: Steam password recovery?
PostPosted: 07 Jan 2009 20:20 

Joined: 19 Dec 2008 20:20
Posts: 11
Yea ... AutoIt has a func to get a strings length -> StringLen

But I am searching in the Blob file for the beginning of the string and go 92 steps Forward. I will find another possibility for sure.

The Problem is: I don't think there is a possibility in AutoIt to Create a Buffer.

The list I posted was just a List for Using DllCall.

Second Thing: In AutoIt you don't declare variables in the "Str, Int ..." style. You Just write

$Variable = "abc.23.de67,89"

You Know ?

TK


 
 Post subject: Re: Steam password recovery?
PostPosted: 08 Jan 2009 01:29 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
uhmmm I don't know how to define the size of a variable string in autoit, anyway for the moment you can try something like: $Variable = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
64 chars are more than enough


 
 Post subject: Re: Steam password recovery?
PostPosted: 08 Jan 2009 19:21 

Joined: 19 Dec 2008 20:20
Posts: 11
Hi aluigi!

Thank you for all your replies till now :o)

I got the Function to return "0" and AutoIt doesn't crash anymore.

But "pwd" keeps being empty.

I dunno why.


 
 Post subject: Re: Steam password recovery?
PostPosted: 08 Jan 2009 21:17 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
what is the exact instruction you used to call SteamDecryptDataForThisMachine?


 
 Post subject: Re: Steam password recovery?
PostPosted: 08 Jan 2009 21:32 

Joined: 19 Dec 2008 20:20
Posts: 11
Hi!

This is the Part:

Code:
   $Len = DllStructCreate("int")
   
   Local $sBuffer
   $sBuffer = String($sBuffer)

   $String = DllCall($SteamDll, "int", "SteamDecryptDataForThisMachine", "str", $EncryptKey, "int", $KeyLength, "str", $sBuffer, "int", "65535", "ptr*int", DllStructGetPtr($Len))
   


 
 Post subject: Re: Steam password recovery?
PostPosted: 19 May 2009 19:24 

Joined: 19 Apr 2009 23:01
Posts: 13
00019540 00 00 50 68 72 61 73 65 01 50 7E 00 00 00 00 00 ..Phrase.P~.....
00019550 00 00 04 00 04 00 00 00 01 00 00 00 02 00 00 00 ................
00019560 04 00 5C 00 00 00 02 00 00 00 43 37 35 36 41 33 ..\.......C756A3
00019570 31 41 30 38 32 46 42 33 45 30 31 34 46 41 34 37 1A082FB3E014FA47
00019580 42 41 37 32 41 41 42 43 38 41 35 46 38 31 32 37 BA72AABC8A5F8127
00019590 44 39 35 43 34 32 43 45 46 45 37 30 39 42 43 45 D95C42CEFE709BCE
000195A0 31 46 35 37 34 30 37 32 35 39 44 36 34 31 35 33 1F57407259D64153
000195B0 46 44 34 46 30 41 32 35 43 43 31 42 33 34 39 38 FD4F0A25CC1B3498
000195C0 30 38 45 31 30 33 12 00 2A 00 00 00 43 6C 6F 63 08E103..*...Cloc

how do i get my key and these values?
- encpwd is your encrypted string
- encpwd_len is the length of the encrypted string
- pwd is an empty buffer which will contain the decrypted string
- pwd_size is the full size of pwd
- pwd_len

thank you


 
 Post subject: Re: Steam password recovery?
PostPosted: 19 May 2009 19:37 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
for the quick method to extract the encrypted string this is just the thread in which it has been discussed (and there are also the practical examples as you can see above) so there is nothing else to add.

while for the code, it's like the following:
Code:
int  pwd_len;
char encpwd[200];
char pwd[200];
strcpy(encpwd, "C756A31A082FB3E014FA47BA72AABC8A5F8127D95C42CEFE709BCE1F57407259D64153FD4F0A25CC1B349808E103");

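// the function returns 0 on success; pwd_len must also stay inside pwd before it is used as an index
if(!SteamDecryptDataForThisMachine(encpwd, strlen(encpwd), pwd, sizeof(pwd), &pwd_len)
   && (pwd_len >= 0) && (pwd_len < (int)sizeof(pwd))) {
    pwd[pwd_len] = 0;   // delimit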
    printf("password: %s\n", pwd);
} else {
    printf("failed\n");
}

