flxfxp Posted April 1, 2009 (edited)

Good afternoon,

I am proceeding Luigi Auriemma's work on steam password recovery by converting this code by desxor to Autoit.

I have the following but it does not seem to give the decrypted password as output, but the status code (0 for everything went well)

The code:

    $steamPath = RegRead("HKEY_CURRENT_USER\Software\Valve\Steam", "SteamPath")
    $k1 = RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion", "ProductId")
    $k2 = RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography", "MachineGuid")
    $k3 = RegRead("HKEY_CURRENT_USER\Software\Valve\Half-Life\Settings", "io")
    $cKey = $k1&$k2&$k3
    $cKeyLength = StringLen($cKey)
    $Len = DllStructCreate("int")
    $sBuffer = ""
    $sBuffer = String($sBuffer)
    $steamdll = DLLOpen($steamPath & "/Steam.dll")
    $password = DllCall($steamdll, "int", "SteamDecryptDataForThisMachine", "str", $cKey, "int", $cKeyLength, "str", $sBuffer, "int", "65535", "ptr*int", DllStructGetPtr($Len))
    DLLClose($steamdll)
    MsgBox(0, "test", $password)

What am I doing wrong?

Thank you in advance.

Regards,
Dennis

Edited April 1, 2009 by flxfxp

WideBoyDixon Posted April 1, 2009 (edited)

Check the documentation for DllCall(). The return value is an array so you need to retrieve $password[0] as the actual return value from the call. Secondly, the return value is flagged as being of type "int" so you're going to get a numeric return and not a string here. Lastly, don't you actually want to output the value of $sBuffer since from looking at the other code, that's where the password is returned. You're claiming that $sBuffer is 65535 characters in size with your call but I don't believe it is.

Edit: And your last parameter I believe should be "int*". And the example code has a buffer size of 100 (65535 is overkill). I realise now that's quite a lot of things

Edited April 1, 2009 by WideBoyDixon

Wide by name, Wide by nature and Wide by girth
Scripts: {Hot Folders} {Screen Calipers} {Screen Crosshairs} {Cross-Process Subclassing} {GDI+ Clock} {ASCII Art Signatures} {Another GDI+ Clock} {Desktop Goldfish} {Game of Life} {3D Pie Chart} {Stock Tracker}
UDFs: {_FileReplaceText} {_ArrayCompare} {_ToBase}
~ My Scripts On Google Code ~

flxfxp Posted April 1, 2009 (edited)

I checked the documentation, thanks! I still can't get it working tho. I've edited the last post to include the correct c code:

http://aluigi.freeforums.org/how-steampwd-...9-30.html#p4023

I would greatly appreciate it if you could help me fix the DllCall.

Regards,
Dennis

Edited April 1, 2009 by flxfxp

trancexx Posted April 1, 2009

It's hard to say without proper documentation, but it should be something like this:

    ;...
    $aCall = DllCall($steamdll, "int:cdecl", "SteamDecryptDataForThisMachine", _
            "str", $cKey, _
            "int", StringLen($cKey), _
            "str", "", _
            "int", 65535, _
            "dword*", 0)
    ;...
    MsgBox(0, "test", $aCall[3])

♡♡♡ . eMyvnE

WideBoyDixon Posted April 1, 2009

Similar. Tricky without documentation and without having the DLL to play with and without having a SteamID

    $steamPath = RegRead("HKEY_CURRENT_USER\Software\Valve\Steam", "SteamPath")
    $k1 = RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion", "ProductId")
    $k2 = RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography", "MachineGuid")
    $k3 = RegRead("HKEY_CURRENT_USER\Software\Valve\Half-Life\Settings", "io")
    $cKey = $k1&$k2&$k3
    $cKeyLength = StringLen($cKey)
    $sBuffer = DllStructCreate("char[100]")
    DllStructGetPtr($sBuffer)
    $Len = DllStructCreate("int")
    $steamdll = DLLOpen($steamPath & "/Steam.dll")
    $password = DllCall($steamdll, "int:cdecl", "SteamDecryptDataForThisMachine", "str", $cKey, "int", $cKeyLength, "ptr", DllStructGetPtr($sBuffer), "int", 100, "ptr", DllStructGetPtr($Len))
    DLLClose($steamdll)
    MsgBox(0, "test", DllStructGetData($sBuffer, 1))

flxfxp Posted April 1, 2009

First of all, thank you very much. I've tested both and they don't seem to work. It shows an empty msgbox

Authenticity Posted April 1, 2009

Passing int* doesn't require to allocate dllstruct, use 'int*', '' and the return value, if successful, is assigned to the corresponding array element. You made a few mistakes with the return value. Look how trancexx made the call.

flxfxp Posted April 1, 2009 (edited)

Hello Authenticity,

I tried trancexx's call but it didn't work. Please show me what you mean.

Btw, is the DllCall correctly implemented when you look at the original c code?

Thanks,
Dennis

Edited April 1, 2009 by flxfxp

flxfxp Posted April 1, 2009

oh yeah, I found this floating on the internet:

    $Len = DllStructCreate("int")
    Local $sBuffer
    $sBuffer = String($sBuffer)
    $String = DllCall($SteamDll, "int", "SteamDecryptDataForThisMachine", "str", $EncryptKey, "int", $KeyLength, "str", $sBuffer, "int", "65535", "ptr*int", DllStructGetPtr($Len))

Maybe this will help?

WideBoyDixon Posted April 1, 2009

Today is, after all, the 1st of April ...

flxfxp Posted April 1, 2009

Well, I'm not pulling a joke, otherwise it would be an incredibly lame one

Authenticity Posted April 1, 2009

I don't have this dll to test so...

The return value is an array if @error = 0 so MsgBox(0, "test", $password) is wrong.

Also, check if there was an error before trying to access the last element which is int*.

http://aluigi.freeforums.org/steam-dll-pas...a-pro-t690.html - this page is somewhat relating to your issue, maybe it's unable to decipher the key?

trancexx Posted April 1, 2009

> Today is, after all, the 1st of April ...

I'm sure Aussies would disagree.

@flxfxp, you need to determine what is failing. "didn't work" is too wide.

flxfxp Posted April 1, 2009 (edited)

> I don't have this dll to test so...
> The return value is an array if @error = 0 so MsgBox(0, "test", $password) is wrong.
> Also, check if there was an error before trying to access the last element which is int*.
> http://aluigi.freeforums.org/steam-dll-pas...a-pro-t690.html - this page is somewhat relating to your issue, maybe it's unable to decipher the key?

All I know is that the code from this page does work. I have compiled it myself and it worked perfectly. So there is nothing wrong with the dll itself, it's just me being too stupid to properly implement it.

> I'm sure Aussies would disagree.
> @flxfxp, you need to determine what is failing. "didn't work" is too wide.

Well, what do you need?

First of all, you can download the steam.dll here: http://rapidshare.com/files/216224040/Steam.dll.html

Secondly, here's how my code looks like with your DllCall:

    $steamPath = RegRead("HKEY_CURRENT_USER\Software\Valve\Steam", "SteamPath")
    $k1 = RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion", "ProductId")
    $k2 = RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography", "MachineGuid")
    $k3 = RegRead("HKEY_CURRENT_USER\Software\Valve\Half-Life\Settings", "io")
    $cKey = $k1&$k2&$k3
    $cKeyLength = StringLen($cKey)
    $Len = DllStructCreate("int")
    $sBuffer = ""
    $sBuffer = String($sBuffer)
    $steamdll = DLLOpen($steamPath & "/Steam.dll")
    $aCall = DllCall($steamdll, "int:cdecl", "SteamDecryptDataForThisMachine", _
            "str", $cKey, _
            "int", StringLen($cKey), _
            "str", "", _
            "int", 65535, _
            "dword*", 0)
    DLLClose($steamdll)
    MsgBox(0, "test", $aCall[3])

$aCall[0] returns "1"
$aCall[1] returns the encrypted key
$aCall[2] returns "69"
$aCall[3] returns nothing
$aCall[4] returns "65535"
$aCall[5] returns "0"

I know "didn't work" doesn't provide a lot of info, but what do you need? Please tell me.

Thanks,
Dennis

Edited April 1, 2009 by flxfxp

trancexx Posted April 2, 2009

How can you expect anyone to help you when you are not providing things you should provide.

Did you post the description of that function? Do you even know what that function does? Did you post the description of function parameters? Did you verify calling convention? What should be the return value(s) for that function?

"code from this page" is related to yours only by Steam.dll and used function. Why would that result in success of your code?

You need to put additional effort in this if you really want help. Sometimes there would be someone that would do all that for you, but most of the times you would need to do it by yourself.

SomaFM Posted April 2, 2009

Hello,

The code below worked for me. Thanks to trancexx for his dllcall example which worked perfectly:

    $steamPath = RegRead("HKEY_CURRENT_USER\Software\Valve\Steam", "SteamPath")
    $cKey = "ABCDEF16272713712637163716371627621736217361726ABCBABCBACBABCABBCDBBDEBDEDBDEBBB323123123123"
    $steamdll = DLLOpen($steamPath & "/Steam.dll")
    $aCall = DllCall($steamdll, "int:cdecl", "SteamDecryptDataForThisMachine", _
            "str", $cKey, _
            "int", StringLen($cKey), _
            "str", "", _
            "int", 65535, _
            "dword*", 0)
    MsgBox(0, "test", $aCall[3])

cKey is the encrypted password located in the clientregistry.blob file. I had manually entered it for my tests, so if you want autoit to automatically retrieve it you will have to do some extra work there. Luigi has a good explanation of how to parse the blob file here: http://aluigi.freeforums.org/steam-passwor...overy-t488.html

I have also posted the code above in Luigi's forum here: http://aluigi.freeforums.org/autoit-steam-...t783.html#p6023

Hope it works for you, because it does for me.

SomaFM

flxfxp Posted April 3, 2009

Thanks a lot SomaFM, that works

I'm currently writing a small script that locates the encrypted string but I don't fully have it working yet. Might someone take a look? Thanks!

    $StePath = RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\Valve\Steam", "InstallPath")
    $BlobOpen = FileRead(FileOpen($StePath & "\ClientRegistry.blob", 16))
    $KeyBeginn = StringInStr($BlobOpen, '5C00000002000000') + 16
    $KeyEnd = StringInStr($BlobOpen, '12002A000000436C6F636B536B6577546F6C6572')
    $EncryptKey = _HexToString(StringMid($BlobOpen, $KeyBeginn, $KeyEnd - $KeyBeginn))
    MsgBox(64, "Encryption Key", "The Encryption Key is:" & @CRLF & @CRLF & $EncryptKey)

flxfxp Posted April 3, 2009

p.s. for those too lazy to read, it should do:

- search the text "phrase" (without ").
- skip 30 bytes from the beginning of phrase (so 24 bytes after it)
- here is located a 16 bit number, save it: num = byte1 + (byte2 * 256)
- skip the 2 bytes of the number
- here is located a 32 bit number, save it as before (remember that it's 4 bytes long)
- now skip the 4 bytes just read and the amount of bytes specified by the previous 16 bit number
- here is located the encrypted string of the password which has the length specified in the previous 32 bit number

in C it looks like:

    p += 30;
    nlen = *(u16 *)p;
    p += 2;
    len = *(u32 *)p;
    p += 4 + nlen;

the key I'm looking for sits between Phrase and ClockSkewTolerance like this:

    50 68 72 61 73 65 01 50 7e 00 00 00 00 00 00 00   Phrase.P~.......
    04 00 04 00 00 00 01 00 00 00 02 00 00 00 04 00   ................
    5c 00 00 00 02 00 00 00 39 41 46 41 42 44 39 36   \.......9AFABD96
    32 30 43 45 43 34 39 31 46 38 33 44 43 45 31 32   20CEC491F83DCE12
    36 33 33 44 39 43 44 41 41 44 45 30 42 36 46 46   633D9CDAADE0B6FF
    41 32 42 42 45 30 31 32 45 38 39 32 37 33 36 39   A2BBE012E8927369
    35 32 35 37 43 44 43 45 39 35 37 32 41 37 30 38   5257CDCE9572A708
    38 42 32 43 41 43 30 33 37 44 43 38 33 33 36 33   8B2CAC037DC83363
    33 33 35 35 12 00 2a 00 00 00 43 6c 6f 63         3355..*...Cloc

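The three-line C fragment in the post above trusts both length fields it reads from the file. As an added example (not from the post or from the original tool), here is the same walk with every offset bounds-checked, so a truncated or malformed blob is rejected instead of being read out of bounds; `rd_le`, `locate_phrase_value` and `make_sample` are hypothetical names, and the sample buffer is constructed with a placeholder value.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Little-endian read, byte by byte: no unaligned pointer casts. */
static uint32_t rd_le(const uint8_t *p, size_t n) {
    uint32_t v = 0;
    while (n--) v = (v << 8) | p[n];
    return v;
}

/* Locate the length-prefixed string that follows "Phrase". Returns 0 and
 * sets *off / *slen, or -1 if the marker is missing or a length field
 * points outside the buffer. Reports position only; nothing is decoded. */
int locate_phrase_value(const uint8_t *buf, size_t len, size_t *off, size_t *slen) {
    size_t p = 0;
    while (p + 6 <= len && memcmp(buf + p, "Phrase", 6) != 0) p++;
    if (p + 6 > len) return -1;                 /* marker not found */
    if (len - p < 30 + 2 + 4) return -1;        /* fixed header must fit */
    p += 30;
    size_t nlen = rd_le(buf + p, 2); p += 2;    /* 16-bit number */
    size_t dlen = rd_le(buf + p, 4); p += 4;    /* 32-bit number */
    if (nlen > len - p) return -1;              /* skip must stay in bounds */
    p += nlen;
    if (dlen > len - p) return -1;              /* value must fit in file */
    *off = p; *slen = dlen;
    return 0;
}

/* Constructed sample, not real data: layout as in the post's dump
 * (nlen = 4, len = 92), value replaced by '0' placeholders. Needs 160 bytes. */
size_t make_sample(uint8_t *out) {
    memset(out, 0, 160);
    memcpy(out, "Phrase", 6);
    out[30] = 4;                                /* 16-bit number at +30 */
    out[32] = 92;                               /* 32-bit number at +32 */
    out[36] = 2;                                /* the 4 skipped bytes  */
    memset(out + 40, '0', 92);
    memcpy(out + 132, "\x12\x00*\x00\x00\x00" "Cloc", 10);
    return 142;
}

int main(void) {
    uint8_t blob[160]; size_t off, slen, n = make_sample(blob);
    if (locate_phrase_value(blob, n, &off, &slen) == 0)
        printf("value at offset %zu, %zu bytes\n", off, slen);
    return 0;
}
```
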
flxfxp Posted April 3, 2009

Nevermind, thanks guys! I got it fixed with the following code:

    $BlobOpen = FileRead(FileOpen($steamPath & "\ClientRegistry.blob", 16))
    $KeyBegin = StringInStr($BlobOpen, '506872617365') + 80
    $KeyEnd = StringInStr($BlobOpen, '436C6F636B536B6577546F6C6572616E6365') - 12
    $EncryptKey = _HexToString(StringMid($BlobOpen, $KeyBegin, $KeyEnd - $KeyBegin))