Need help on DLL call output


Good afternoon,

I am proceeding with Luigi Auriemma's work on Steam password recovery by converting this code by desxor to AutoIt.

I have the following but it does not seem to give the decrypted password as output, but the status code (0 for everything went well).

The code:

$steamPath = RegRead("HKEY_CURRENT_USER\Software\Valve\Steam", "SteamPath")
$k1 = RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion", "ProductId")
$k2 = RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography", "MachineGuid")
$k3 = RegRead("HKEY_CURRENT_USER\Software\Valve\Half-Life\Settings", "io")
$cKey = $k1&$k2&$k3
$cKeyLength = StringLen($cKey)
$Len = DllStructCreate("int")
$sBuffer = ""
$sBuffer = String($sBuffer)
$steamdll = DLLOpen($steamPath & "/Steam.dll")
$password = DllCall($steamdll, "int", "SteamDecryptDataForThisMachine", "str", $cKey, "int", $cKeyLength, "str", $sBuffer, "int", "65535", "ptr*int", DllStructGetPtr($Len))
DLLClose($steamdll)
MsgBox(0, "test", $password)

What am I doing wrong?

Thank you in advance.

Regards,

Dennis

Edited by flxfxp
Link to comment
Share on other sites

Check the documentation for DllCall(). The return value is an array so you need to retrieve $password[0] as the actual return value from the call. Secondly, the return value is flagged as being of type "int" so you're going to get a numeric return and not a string here. Lastly, don't you actually want to output the value of $sBuffer since, from looking at the other code, that's where the password is returned? You're claiming that $sBuffer is 65535 characters in size with your call but I don't believe it is.

Edit: And your last parameter I believe should be "int*". And the example code has a buffer size of 100 (65535 is overkill). I realise now that's quite a lot of things :D

Edited by WideBoyDixon
Link to comment
Share on other sites

It's hard to say without proper documentation, but it should be something like this:

;...

$aCall = DllCall($steamdll, "int:cdecl", "SteamDecryptDataForThisMachine", _
        "str", $cKey, _
        "int", StringLen($cKey), _
        "str", "", _
        "int", 65535, _
        "dword*", 0)

;...

MsgBox(0, "test", $aCall[3])
Link to comment
Share on other sites

Similar. Tricky without documentation and without having the DLL to play with and without having a SteamID :D

$steamPath = RegRead("HKEY_CURRENT_USER\Software\Valve\Steam", "SteamPath")
$k1 = RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion", "ProductId")
$k2 = RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography", "MachineGuid")
$k3 = RegRead("HKEY_CURRENT_USER\Software\Valve\Half-Life\Settings", "io")
$cKey = $k1&$k2&$k3
$cKeyLength = StringLen($cKey)
$sBuffer = DllStructCreate("char[100]")
DllStructGetPtr($sBuffer)
$Len = DllStructCreate("int")
$steamdll = DLLOpen($steamPath & "/Steam.dll")
$password = DllCall($steamdll, "int:cdecl", "SteamDecryptDataForThisMachine", "str", $cKey, "int", $cKeyLength, "ptr", DllStructGetPtr($sBuffer), "int", 100, "ptr", DllStructGetPtr($Len))
DLLClose($steamdll)
MsgBox(0, "test", DllStructGetData($sBuffer, 1))
Link to comment
Share on other sites
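
The points made in the replies above (DllCall() returns an array, element 0 is only the status, the data arrives in the buffer parameter, and the length parameter is passed by reference), shown as an added example that is not part of the original thread. It calls GetUserNameW from advapi32.dll, a documented Windows API with the same caller-allocated-buffer shape, instead of Steam.dll; the helper name _CallWithBuffer is hypothetical.

```autoit
; Added example, not code from the thread.
; BOOL GetUserNameW(LPWSTR lpBuffer, LPDWORD pcbBuffer)
; pcbBuffer is in/out: buffer size in characters on input,
; characters written (or characters required on failure) on output.

Func _CallWithBuffer($iChars)
    ; Caller-allocated output buffer of exactly $iChars wide characters.
    Local $tBuf = DllStructCreate("wchar[" & $iChars & "]")
    Local $aCall = DllCall("advapi32.dll", "bool", "GetUserNameW", _
            "ptr", DllStructGetPtr($tBuf), _
            "dword*", $iChars)
    ; @error <> 0 means DllCall() itself failed (DLL or export not found,
    ; bad type string). $aCall is not an array in that case.
    If @error Then Return SetError(1, @error, "")
    ; $aCall[0] is the function's return value (a status), not the data.
    ; $aCall[2] is the dword* after the call.
    If Not $aCall[0] Then Return SetError(2, $aCall[2], "")
    ; The data is read from the buffer the caller supplied.
    Return DllStructGetData($tBuf, 1)
EndFunc

; Start with a deliberately undersized buffer to exercise the failure path.
Local $sName = _CallWithBuffer(1)
Local $iErr = @error, $iNeeded = @extended
If $iErr = 2 Then
    ; The API reported the size it needs; retry with a buffer that large.
    $sName = _CallWithBuffer($iNeeded)
    $iErr = @error
EndIf

If $iErr Then
    MsgBox(16, "GetUserNameW", "Call failed, error stage = " & $iErr)
Else
    MsgBox(0, "GetUserNameW", $sName)
EndIf
```

When a parameter is declared as "str" or "wstr" instead of "ptr", the AutoIt documentation states that a buffer of at least 65536 characters is allocated for it, and the text the DLL wrote is read back from the matching element of the returned array.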

Hello Authenticity,

I tried trancexx's call but it didn't work. Please show me what you mean.

Btw, is the DllCall correctly implemented when you look at the original c code?

Thanks,

Dennis

Edited by flxfxp
Link to comment
Share on other sites

Today is, after all, the 1st of April ...

Link to comment
Share on other sites

I don't have this dll to test so...

The return value is an array if @error = 0 so MsgBox(0, "test", $password) is wrong.

Also, check if there was an error before trying to access the last element which is int*.

http://aluigi.freeforums.org/steam-dll-pas...a-pro-t690.html - this page is somewhat relating to your issue, maybe it's unable to decipher the key?

Link to comment
Share on other sites

All I know is that the code from this page does work. I have compiled it myself and it worked perfectly. So there is nothing wrong with the dll itself, it's just me being too stupid to properly implement it.

I'm sure Aussies would disagree.

@flxfxp, you need to determine what is failing. "didn't work" is too wide.

Well, what do you need?

First of all, you can download the steam.dll here: http://rapidshare.com/files/216224040/Steam.dll.html

Secondly, here's what my code looks like with your DllCall:

$steamPath = RegRead("HKEY_CURRENT_USER\Software\Valve\Steam", "SteamPath")
$k1 = RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion", "ProductId")
$k2 = RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography", "MachineGuid")
$k3 = RegRead("HKEY_CURRENT_USER\Software\Valve\Half-Life\Settings", "io")
$cKey = $k1&$k2&$k3
$cKeyLength = StringLen($cKey)
$Len = DllStructCreate("int")
$sBuffer = ""
$sBuffer = String($sBuffer)
$steamdll = DLLOpen($steamPath & "/Steam.dll")
$aCall = DllCall($steamdll, "int:cdecl", "SteamDecryptDataForThisMachine", _
        "str", $cKey, _
        "int", StringLen($cKey), _
        "str", "", _
        "int", 65535, _
        "dword*", 0)
DLLClose($steamdll)
MsgBox(0, "test", $aCall[3])

$aCall[0] returns "1"

$aCall[1] returns the encrypted key

$aCall[2] returns "69"

$aCall[3] returns nothing

$aCall[4] returns "65535"

$aCall[5] returns "0"

I know "didn't work" doesn't provide a lot of info, but what do you need? Please tell me.

Thanks,

Dennis

Edited by flxfxp
Link to comment
Share on other sites

How can you expect anyone to help you when you are not providing things you should provide.

Did you post the description of that function? Do you even know what that function does?

Did you post the description of function parameters?

Did you verify calling convention?

What should be the return value(s) for that function?

"code from this page" is related to yours only by Steam.dll and used function. Why would that result in success of your code?

You need to put additional effort in this if you really want help. Sometimes there would be someone that would do all that for you, but most of the time you would need to do it by yourself.

Link to comment
Share on other sites

Hello,

The code below worked for me. Thanks to trancexx for his dllcall example which worked perfectly:

$steamPath = RegRead("HKEY_CURRENT_USER\Software\Valve\Steam", "SteamPath")
$cKey = "ABCDEF16272713712637163716371627621736217361726ABCBABCBACBABCABBCDBBDEBDEDBDEBBB323123123123"
$steamdll = DLLOpen($steamPath & "/Steam.dll")
$aCall = DllCall($steamdll, "int:cdecl", "SteamDecryptDataForThisMachine", _
        "str", $cKey, _
        "int", StringLen($cKey), _
        "str", "", _
        "int", 65535, _
        "dword*", 0)
MsgBox(0, "test", $aCall[3])

cKey is the encrypted password located in the clientregistry.blob file. I had manually entered it for my tests, so if you want autoit to automatically retrieve it you will have to do some extra work there. Luigi has a good explanation of how to parse the blob file here: http://aluigi.freeforums.org/steam-passwor...overy-t488.html

I have also posted the code above in Luigi's forum here: http://aluigi.freeforums.org/autoit-steam-...t783.html#p6023

Hope it works for you, because it does for me :D .

SomaFM

Link to comment
Share on other sites

Thanks a lot SomaFM, that works :D

I'm currently writing a small script that locates the encrypted string but I don't fully have it working yet. Might someone take a look?

Thanks!

$StePath = RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\Valve\Steam", "InstallPath")
$BlobOpen = FileRead(FileOpen($StePath & "\ClientRegistry.blob", 16))

$KeyBeginn = StringInStr($BlobOpen, '5C00000002000000') + 16
$KeyEnd = StringInStr($BlobOpen, '12002A000000436C6F636B536B6577546F6C6572')

$EncryptKey = _HexToString(StringMid($BlobOpen, $KeyBeginn, $KeyEnd - $KeyBeginn))

MsgBox(64, "Encryption Key", "The Encryption Key is:" & @CRLF & @CRLF & $EncryptKey)
Link to comment
Share on other sites

p.s for those too lazy to read it should do:

- search the text "phrase" (without ").

- skip 30 bytes from the beginning of phrase (so 24 bytes after it)

- here is located a 16 bit number, save it: num = byte1 + (byte2 * 256)

- skip the 2 bytes of the number

- here is located a 32 bit number, save it as before (remember that it's 4 bytes long)

- now skip the 4 bytes just read and the amount of bytes specified by the previous 16 bit number

- here is located the encrypted string of the password which has the length specified in the previous 32 bit number

in C it looks like:

p += 30;
nlen = *(u16 *)p;   p += 2;
len  = *(u32 *)p;   p += 4 + nlen;

the key I'm looking for sits between Phrase and ClockSkewTolerance like this:

50 68 72 61 73 65 01 50 7e 00 00 00 00 00 00 00   Phrase.P~.......
04 00 04 00 00 00 01 00 00 00 02 00 00 00 04 00   ................
5c 00 00 00 02 00 00 00 39 41 46 41 42 44 39 36   \.......9AFABD96
32 30 43 45 43 34 39 31 46 38 33 44 43 45 31 32   20CEC491F83DCE12
36 33 33 44 39 43 44 41 41 44 45 30 42 36 46 46   633D9CDAADE0B6FF
41 32 42 42 45 30 31 32 45 38 39 32 37 33 36 39   A2BBE012E8927369
35 32 35 37 43 44 43 45 39 35 37 32 41 37 30 38   5257CDCE9572A708
38 42 32 43 41 43 30 33 37 44 43 38 33 33 36 33   8B2CAC037DC83363
33 33 35 35 12 00 2a 00 00 00 43 6c 6f 63        3355..*...Cloc
Link to comment
Share on other sites
