Need help on DLL call output

flxfxp

Good afternoon,

I am continuing Luigi Auriemma's work on Steam password recovery by converting this code by desxor to AutoIt.

I have the following but it does not seem to give the decrypted password as output, but the status code (0 for everything went well).

The code:

$steamPath = RegRead("HKEY_CURRENT_USER\Software\Valve\Steam", "SteamPath")
$k1 = RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion", "ProductId")
$k2 = RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography", "MachineGuid")
$k3 = RegRead("HKEY_CURRENT_USER\Software\Valve\Half-Life\Settings", "io")
$cKey = $k1&$k2&$k3
$cKeyLength = StringLen($cKey)
$Len = DllStructCreate("int")
$sBuffer = ""
$sBuffer = String($sBuffer)
$steamdll = DLLOpen($steamPath & "/Steam.dll")
$password = DllCall($steamdll, "int", "SteamDecryptDataForThisMachine", "str", $cKey, "int", $cKeyLength, "str", $sBuffer, "int", "65535", "ptr*int", DllStructGetPtr($Len))
DLLClose($steamdll)
MsgBox(0, "test", $password)

What am I doing wrong?

Thank you in advance.

Regards,

Dennis

Edited by flxfxp

WideBoyDixon

Check the documentation for DllCall(). The return value is an array so you need to retrieve $password[0] as the actual return value from the call. Secondly, the return value is flagged as being of type "int" so you're going to get a numeric return and not a string here. Lastly, don't you actually want to output the value of $sBuffer since from looking at the other code, that's where the password is returned? You're claiming that $sBuffer is 65535 characters in size with your call but I don't believe it is.

Edit: And your last parameter I believe should be "int*". And the example code has a buffer size of 100 (65535 is overkill). I realise now that's quite a lot of things :D

Edited by WideBoyDixon
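
The points in the reply above (DllCall() returns an array, element 0 is the function's return value, and output parameters come back in the matching array elements), shown as an added example that is not part of the original thread or any poster's code. It uses the documented Windows API GetComputerNameW, which has the same "output buffer plus by-reference length" shape; the helper name _GetComputerName and the capacity of 256 are assumptions made for the illustration.

```autoit
; Added example: reading DllCall() results from a documented Windows API.
; BOOL GetComputerNameW(LPWSTR lpBuffer, LPDWORD nSize) fills lpBuffer and
; updates nSize, so both parameters are outputs of the call.
; _GetComputerName is a hypothetical helper name used only for this example.
Func _GetComputerName()
    ; "wstr" makes AutoIt allocate a writable string buffer for the call.
    ; "dword*" passes the value by reference (in: capacity, out: length).
    ; kernel32 functions are stdcall, which is DllCall's default convention.
    Local $aCall = DllCall("kernel32.dll", "bool", "GetComputerNameW", _
            "wstr", "", _
            "dword*", 256)
    ; @error <> 0 means DllCall itself failed (DLL or function not found,
    ; bad type string). In that case $aCall is not an array.
    If @error Then Return SetError(1, @error, "")
    ; $aCall[0] is the function's own return value (BOOL: 0 = failure).
    If $aCall[0] = 0 Then Return SetError(2, 0, "")
    ; $aCall[1] is parameter 1 after the call (the filled buffer).
    ; $aCall[2] is parameter 2 after the call (characters written).
    Return SetExtended($aCall[2], $aCall[1])
EndFunc

Local $sName = _GetComputerName()
If @error Then
    MsgBox(16, "DllCall", "Call failed, @error = " & @error & ", @extended = " & @extended)
Else
    MsgBox(64, "DllCall", "Name: " & $sName & @CRLF & "Length: " & @extended)
EndIf
```

Displaying the array variable itself, or only element 0, shows the status value rather than the buffer contents.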

flxfxp

I checked the documentation, thanks! I still can't get it working tho. I've edited the last post to include the correct C code:

http://aluigi.freeforums.org/how-steampwd-...9-30.html#p4023

I would greatly appreciate it if you could help me fix the DllCall.

Regards,

Dennis

Edited by flxfxp

trancexx

It's hard to say without proper documentation, but it should be something like this:

;...

$aCall = DllCall($steamdll, "int:cdecl", "SteamDecryptDataForThisMachine", _
        "str", $cKey, _
        "int", StringLen($cKey), _
        "str", "", _
        "int", 65535, _
        "dword*", 0)

;...

MsgBox(0, "test", $aCall[3])

♡♡♡

.

eMyvnE

WideBoyDixon

Similar. Tricky without documentation and without having the DLL to play with and without having a SteamID :D

$steamPath = RegRead("HKEY_CURRENT_USER\Software\Valve\Steam", "SteamPath")
$k1 = RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion", "ProductId")
$k2 = RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography", "MachineGuid")
$k3 = RegRead("HKEY_CURRENT_USER\Software\Valve\Half-Life\Settings", "io")
$cKey = $k1&$k2&$k3
$cKeyLength = StringLen($cKey)
$sBuffer = DllStructCreate("char[100]")
DllStructGetPtr($sBuffer)
$Len = DllStructCreate("int")
$steamdll = DLLOpen($steamPath & "/Steam.dll")
$password = DllCall($steamdll, "int:cdecl", "SteamDecryptDataForThisMachine", "str", $cKey, "int", $cKeyLength, "ptr", DllStructGetPtr($sBuffer), "int", 100, "ptr", DllStructGetPtr($Len))
DLLClose($steamdll)
MsgBox(0, "test", DllStructGetData($sBuffer, 1))

flxfxp

First of all, thank you very much.

I've tested both and they don't seem to work. It shows an empty msgbox :D

Authenticity

Passing int* doesn't require allocating a dllstruct; use 'int*', '' and the return value, if successful, is assigned to the corresponding array element. You made a few mistakes with the return value. Look how trancexx made the call.

flxfxp

Hello Authenticity,

I tried trancexx's call but it didn't work. Please show me what you mean.

Btw, is the DllCall correctly implemented when you look at the original c code?

Thanks,

Dennis

Edited by flxfxp

flxfxp

Oh yeah, I found this floating on the internet:

$Len = DllStructCreate("int")
   
   Local $sBuffer
   $sBuffer = String($sBuffer)

   $String = DllCall($SteamDll, "int", "SteamDecryptDataForThisMachine", "str", $EncryptKey, "int", $KeyLength, "str", $sBuffer, "int", "65535", "ptr*int", DllStructGetPtr($Len))

Maybe this will help?

WideBoyDixon

Today is, after all, the 1st of April ...

flxfxp

Well, I'm not pulling a joke, otherwise it would be an incredibly lame one :D

Authenticity

I don't have this dll to test so...

The return value is an array if @error = 0 so MsgBox(0, "test", $password) is wrong.

Also, check if there was an error before trying to access the last element which is int*.

http://aluigi.freeforums.org/steam-dll-pas...a-pro-t690.html - this page is somewhat relating to your issue, maybe it's unable to decipher the key?

trancexx

Today is, after all, the 1st of April ...

I'm sure Aussies would disagree.

@flxfxp, you need to determine what is failing. "didn't work" is too wide.


flxfxp

I don't have this dll to test so...

The return value is an array if @error = 0 so MsgBox(0, "test", $password) is wrong.

Also, check if there was an error before trying to access the last element which is int*.

http://aluigi.freeforums.org/steam-dll-pas...a-pro-t690.html - this page is somewhat relating to your issue, maybe it's unable to decipher the key?

All I know is that the code from this page does work. I have compiled it myself and it worked perfectly. So there is nothing wrong with the dll itself, it's just me being too stupid to properly implement it.

I'm sure Aussies would disagree.

@flxfxp, you need to determine what is failing. "didn't work" is too wide.

Well, what do you need?

First of all, you can download the steam.dll here: http://rapidshare.com/files/216224040/Steam.dll.html

Secondly, here's what my code looks like with your DllCall:

$steamPath = RegRead("HKEY_CURRENT_USER\Software\Valve\Steam", "SteamPath")
$k1 = RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion", "ProductId")
$k2 = RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography", "MachineGuid")
$k3 = RegRead("HKEY_CURRENT_USER\Software\Valve\Half-Life\Settings", "io")
$cKey = $k1&$k2&$k3
$cKeyLength = StringLen($cKey)
$Len = DllStructCreate("int")
$sBuffer = ""
$sBuffer = String($sBuffer)
$steamdll = DLLOpen($steamPath & "/Steam.dll")
$aCall = DllCall($steamdll, "int:cdecl", "SteamDecryptDataForThisMachine", _
        "str", $cKey, _
        "int", StringLen($cKey), _
        "str", "", _
        "int", 65535, _
        "dword*", 0)
DLLClose($steamdll)
MsgBox(0, "test", $aCall[3])

$aCall[0] returns "1"

$aCall[1] returns the encrypted key

$aCall[2] returns "69"

$aCall[3] returns nothing

$aCall[4] returns "65535"

$aCall[5] returns "0"

I know "didn't work" doesn't provide a lot of info, but what do you need? Please tell me.

Thanks,

Dennis

Edited by flxfxp

flxfxp

Anyone? Please?

trancexx

How can you expect anyone to help you when you are not providing things you should provide?

Did you post the description of that function? Do you even know what that function does?

Did you post the description of function parameters?

Did you verify calling convention?

What should be the return value(s) for that function?

"code from this page" is related to yours only by Steam.dll and used function. Why would that result in success of your code?

You need to put additional effort in this if you really want help. Sometimes there would be someone that would do all that for you, but most of the time you would need to do it by yourself.


SomaFM

Hello,

The code below worked for me. Thanks to trancexx for his dllcall example which worked perfectly:

$steamPath = RegRead("HKEY_CURRENT_USER\Software\Valve\Steam", "SteamPath")
$cKey = "ABCDEF16272713712637163716371627621736217361726ABCBABCBACBABCABBCDBBDEBDEDBDEBBB323123123123"
$steamdll = DLLOpen($steamPath & "/Steam.dll")
$aCall = DllCall($steamdll, "int:cdecl", "SteamDecryptDataForThisMachine", _
        "str", $cKey, _
        "int", StringLen($cKey), _
        "str", "", _
        "int", 65535, _
        "dword*", 0)
MsgBox(0, "test", $aCall[3])

cKey is the encrypted password located in the clientregistry.blob file. I had manually entered it for my tests, so if you want autoit to automatically retrieve it you will have to do some extra work there. Luigi has a good explanation of how to parse the blob file here: http://aluigi.freeforums.org/steam-passwor...overy-t488.html

I have also posted the code above in Luigi's forum here: http://aluigi.freeforums.org/autoit-steam-...t783.html#p6023

Hope it works for you, because it does for me :D .

SomaFM

flxfxp

Thanks a lot SomaFM, that works :D

I'm currently writing a small script that locates the encrypted string but I don't fully have it working yet. Might someone take a look?

Thanks!

$StePath = RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\Valve\Steam", "InstallPath")
$BlobOpen = FileRead(FileOpen($StePath & "\ClientRegistry.blob", 16))

$KeyBeginn = StringInStr($BlobOpen, '5C00000002000000') + 16
$KeyEnd = StringInStr($BlobOpen, '12002A000000436C6F636B536B6577546F6C6572')

$EncryptKey = _HexToString(StringMid($BlobOpen, $KeyBeginn, $KeyEnd - $KeyBeginn))

MsgBox(64, "Encryption Key", "The Encryption Key is:" & @CRLF & @CRLF & $EncryptKey)

flxfxp

P.S. For those too lazy to read, it should do:

- search the text "phrase" (without ").

- skip 30 bytes from the beginning of phrase (so 24 bytes after it)

- here is located a 16 bit number, save it: num = byte1 + (byte2 * 256)

- skip the 2 bytes of the number

- here is located a 32 bit number, save it as before (remember that it's 4 bytes long)

- now skip the 4 bytes just read and the amount of bytes specified by the previous 16 bit number

- here is located the encrypted string of the password which has the length specified in the previous 32 bit number

in C it looks like:

p += 30;
nlen = *(u16 *)p;   p += 2;
len  = *(u32 *)p;   p += 4 + nlen;

The key I'm looking for sits between Phrase and ClockSkewTolerance like this:

50 68 72 61 73 65 01 50 7e 00 00 00 00 00 00 00   Phrase.P~.......
04 00 04 00 00 00 01 00 00 00 02 00 00 00 04 00   ................
5c 00 00 00 02 00 00 00 39 41 46 41 42 44 39 36   \.......9AFABD96
32 30 43 45 43 34 39 31 46 38 33 44 43 45 31 32   20CEC491F83DCE12
36 33 33 44 39 43 44 41 41 44 45 30 42 36 46 46   633D9CDAADE0B6FF
41 32 42 42 45 30 31 32 45 38 39 32 37 33 36 39   A2BBE012E8927369
35 32 35 37 43 44 43 45 39 35 37 32 41 37 30 38   5257CDCE9572A708
38 42 32 43 41 43 30 33 37 44 43 38 33 33 36 33   8B2CAC037DC83363
33 33 35 35 12 00 2a 00 00 00 43 6c 6f 63        3355..*...Cloc

flxfxp

Never mind, thanks guys! I got it fixed with the following code:

$BlobOpen = FileRead(FileOpen($steamPath & "\ClientRegistry.blob", 16))

$KeyBegin = StringInStr($BlobOpen, '506872617365') + 80
$KeyEnd = StringInStr($BlobOpen, '436C6F636B536B6577546F6C6572616E6365') - 12

$EncryptKey = _HexToString(StringMid($BlobOpen, $KeyBegin, $KeyEnd - $KeyBegin))
