Luigi Auriemma

in the txt you write:
"If you want you can locate the password very easily, it's just the hex
sequence of chars ("012345678...9ABCDEF") after "Phrase" and is at
least 92 chars long."

can you explain how more specified?

thanks.

it's simple, take your clientregistry.blob file on which is saved your password and open it with a hex editor and then:
- search the text "phrase" (without ").
- skip 30 bytes from the beginning of phrase (so 24 bytes after it)
- here is located a 16 bit number, save it: num = byte1 + (byte2 * 256)
- skip the 2 bytes of the number
- here is located a 32 bit number, save it as before (remember that it's 4 bytes long)
- now skip the 4 bytes just read and the amount of bytes specified by the previous 16 bit number
- here is located the encrypted string of the password which has the length specified in the previous 32 bit number

in C it's more simple than words:

i didn't understand..

can you explain more easily?
in line
num = byte1 + (byte2 * 256)
so if i get
44
so i do ?
256 * 4 + 4 ?

Ok, let's try with an example.
After you find "phrase" you will see a situation similar to the following:

so skip the 30 bytes from Phrase and you reach "04 00" which is the number 4 (0x04 + (0x00 * 256))
the subsequent number "5c 00 00 00" is the size of the encrypted string and is a 32bit number equal to 0x5c (92)
now skip the 4 bytes which were specified in the previous 16 bit number and you reach your encrypted string

and what i do now ?
after "5c 00 00 00" i find my encrypted string how i reach the password ?

naturally the password is encrypted, you must decrypt it using the algorithm explained in the steampwd.c using the keys specifics of your computer

ok, but why in the txt you write

"If you want you can locate the password very easily, it's just the hex
sequence of chars ("012345678...9ABCDEF") after "Phrase" and is at
least 92 chars long."

you didn't said to locate the encrypted password...

thanks anyway..

if the password wasn't encrypted why I needed to create steampwd?!?

then you must read all the section and not only the last part:

"The encrypted password is contained in the ClientRegistry.blob file...
If you want you can locate the password very easily..."

How does the string Look like ? Is this that Piece?:


9AFABD96
32 30 43 45 43 34 39 31 46 38 33 44 43 45 31 32 20CEC491F83DCE12
36 33 33 44 39 43 44 41 41 44 45 30 42 36 46 46 633D9CDAADE0B6FF
41 32 42 42 45 30 31 32 45 38 39 32 37 33 36 39 A2BBE012E8927369
35 32 35 37 43 44 43 45 39 35 37 32 41 37 30 38 5257CDCE9572A708
38 42 32 43 41 43 30 33 37 44 43 38 33 33 36 33 8B2CAC037DC83363
33 33 35 35 12 00 2a 00 00 00 43 6c 6f 63 3355

TK,

Lenny

yes, that one (9AFABD9620CEC491F83DCE12633D9CDAADE0B6FFA2BBE012E89273695257CDCE9572A7088B2CAC037DC833633355) is just the encrypted password

SO if I have opened the ClientRegistry.blob its just this String in the Middle of the Picture ?!



Why do I need things like


then `?

Take Care,

Lenny

the image doesn't exist.

that method I show is for finding the encrypted password easily throgh a programming language (a human doesn't need it because the password is enough visible since it's clear text).

then you must call the SteamDecryptDataForThisMachine function for decrypting it like in this example:

post3679.html#p3679

or using other solutions like using getting all the decryption keys manually and then using AESPHM_Decrypt (probably impossible with autoit)

Hi

I got a nice methode in AutoIt to get this String.

Now Next thing:

Do I have to create the Memory Structure due to Using the New DLL ?

And I dont Understand how to this Functions (Param's -> No Script in your Example)

The third thing I would like to know: When do I need the 3 registry Keys ?

My Script is just build like that:

FIND REGVALUES
FIND STEAM INSTALL DIRECTORY
FIND THE STRING IN THE BLOB
CREATE THE DLL STRUCTURE (like U discribed in the generel Forum)
CALL THE DLL (SteamDecryptDataForThisMachine; but what Params?)

Tk,

Lenny

Edit: Maybe that helps you (and me ;))

How the "DllCall" Function works in AutoIt:

DllCall ( "dll", "return type", "function" , ["type1" )

dll = Path to the dll
return type = The return type of the funtion

Some of them are:


function = The functionname in the DLL to call

type = The type of the parameter (Like Pointer)

And then the Parameters of the Function

the memory structure was needed ONLY for the previous method I used when SteamDecryptDataForThisMachine didn't exist in steam.dll (it was introduced by Valve only recently).

in your case I think that the SteamDecryptDataForThisMachine function can be declared as follows:

where:
- encpwd is your encrypted string (like 9AFABD9620...33355)
- encpwd_len is the length of the encrypted string (like 92)
- pwd is an empty buffer which will contain the decrypted string
- pwd_size is the full size of pwd, so 65535 in your case
- pwd_len is an integer which receives the length of the decrypted password, so I don't know how to declare it in autoit

the return value is 0 if the password has been successfully decrypted or any other value for a failure.
the decryption key is automatically retrieved by the same function so you don't need to handle it

Hi Thank you so much, but:

How do I get the encpwd_len ? Is it Always 92 ? (My Personal string in the Blob is 92 Chars long, too)


For the dll-call: I have to create a Buffer then ? Or can I use normal Variables ?

How large should the Buffer be ?

I bet that autoit has a function for getting the length of a string... for example in C it's strlen

about the buffer (I think you refer to pwd) I think that you can simply declaring it as str because in the list you posted is written that "str an ANSI string (cannot be more than 65536 chars)." so if you must decide a size I suggest you to use 64 or 128 since it's only a password

Yea ... AutoIt has a func to get a strings length -> StringLen

But I am searching in the Blob file for the beginning of the string and go 92 steps Forward. I will find another possibility for sure.

The Problem is: I don't think there is a possibility in AutoIt to Create a Buffer.

The list I posted was just a List for Using DllCall.

Second Thing: In AutoIt you don't declare variables in the "Str, Int ..." style. You Just write

$Variable = "abc.23.de67,89"

You Know ?

TK

uhmmm I don't know how to define the size of a variable string in autoit, anyway for the moment you can try something like: $Variable = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
64 chars are more than enough

Hi aluigi!

Thank you for all your replys till now :o)

I got the Function to return "0" and AutoIt doesnt crash anymore.

But in "pwd" keeps being empty.

I dunno why.

what is the exact instruction you used to call SteamDecryptDataForThisMachine?

Hi!

This is the Part:

00019540 00 00 50 68 72 61 73 65 01 50 7E 00 00 00 00 00 ..Phrase.P~.....
00019550 00 00 04 00 04 00 00 00 01 00 00 00 02 00 00 00 ................
00019560 04 00 5C 00 00 00 02 00 00 00 43 37 35 36 41 33 ..\.......C756A3
00019570 31 41 30 38 32 46 42 33 45 30 31 34 46 41 34 37 1A082FB3E014FA47
00019580 42 41 37 32 41 41 42 43 38 41 35 46 38 31 32 37 BA72AABC8A5F8127
00019590 44 39 35 43 34 32 43 45 46 45 37 30 39 42 43 45 D95C42CEFE709BCE
000195A0 31 46 35 37 34 30 37 32 35 39 44 36 34 31 35 33 1F57407259D64153
000195B0 46 44 34 46 30 41 32 35 43 43 31 42 33 34 39 38 FD4F0A25CC1B3498
000195C0 30 38 45 31 30 33 12 00 2A 00 00 00 43 6C 6F 63 08E103..*...Cloc

how do i get my key and these values?
- encpwd is your encrypted string
- encpwd_len is the length of the encrypted string
- pwd is an empty buffer which will contain the decrypted string
- pwd_size is the full size of pwd
- pwd_len

thank you

for the quick method to extract the encrypted string this is just the thread in which it has been discussed (and there are also the practical examples as you can see above) so there is nothing else to add.

while for the code, it's like the following: