meep Posted December 13, 2006

I'm a gamer and I was wondering where does my Steam password get saved to. Cause I have it set to log me in automatically on Steam? Can someone also tell me the command in the command line to get a single REG_SZ file from the reg? For example, it might be HKEY_LOCAL_MACHINE\SOFTWARE\Test, then the REG_SZ key's name is test.

Thanks in advance
Freakish Posted December 13, 2006

> I'm a gamer and I was wondering where does my Steam password get saved to. Cause I have it set to log me in automatically on Steam?

Why do you need to find where "your" password is saved?
DLSS Posted December 13, 2006

cos he lost it? happens to me every time, not on steam tho, but on im's and stuff (i almost never use msn and have miranda and gaim set to autologin so if i need to login from somewhere else it can happen i don't remember my pass ...) tho u can just get it reset ... and receive the mail ... (that's where if it comes to steam i have my 2nd problem ... i no longer have that mail address i used to register my 1st account cos that host got sold to another one and they didn't transfer the accounts ...)
Sparda Posted December 13, 2006

if steam is any good it will only remember the hash of the password it sends to authenticate you.
jool Posted December 13, 2006

He obviously just wants to steal someone's account because if he wasn't a complete tool and really was interested it wouldn't be difficult to find.
Sparda Posted December 13, 2006

> if steam is any good it will only remember the hash of the password it sends to authenticate you.

I just realised how stupid this is, if it stores the hash, someone could just take the hash, not know what the password is and insert the stolen hash. So, let me correct this statement ^^

If steam is any good it will use some kind of reversible encryption algorithm (with a predefined key that is not public) to encrypt the hash of the password that is eventually sent to the steam servers.
jool Posted December 13, 2006

It will still not be safe since you will need the correct key to send to the server to be able to log in. If it is encrypted the decryption key and algorithm will be inside the steam application and almost trivial to reverse engineer.
Sparda Posted December 13, 2006

Ye, there is no real way to store a password (or a password hash) such that it could not be gotten back.
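
The conclusion Sparda and jool reach above, as an added example (not from the thread, and not Steam's actual scheme): when the client authenticates by sending a password hash, a cached copy of that hash is as good as the password, and wrapping it with a key shipped in the client changes nothing. The server, key, account and function names are all constructed for illustration.

```python
import hashlib
import hmac

# Constructed toy model for illustration; not Steam's protocol or file format.
EMBEDDED_KEY = b"constant-shipped-in-every-client"  # hypothetical key baked into the binary


def pw_hash(password: str) -> bytes:
    """The authenticator the toy client sends instead of the password."""
    return hashlib.sha256(password.encode()).digest()


def wrap(data: bytes, key: bytes = EMBEDDED_KEY) -> bytes:
    """Reversible 'encryption' under the embedded key (XOR stream, so wrap == unwrap)."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class Server:
    """Toy server that accepts the password hash as proof of identity."""
    def __init__(self) -> None:
        self.accounts: dict[str, bytes] = {}

    def register(self, user: str, password: str) -> None:
        self.accounts[user] = pw_hash(password)

    def login(self, user: str, authenticator: bytes) -> bool:
        stored = self.accounts.get(user)
        return stored is not None and hmac.compare_digest(stored, authenticator)


def demo() -> dict[str, bool]:
    server = Server()
    server.register("alice", "correct horse battery staple")  # constructed account
    cache_v1 = pw_hash("correct horse battery staple")  # design 1: cache the bare hash
    cache_v2 = wrap(cache_v1)                           # design 2: cache it "encrypted"
    return {
        # Design 1: the cached bytes are accepted as-is, so they are the password.
        "v1_cache_logs_in": server.login("alice", cache_v1),
        # Design 2: the bytes on disk look different and fail if replayed raw ...
        "v2_raw_cache_logs_in": server.login("alice", cache_v2),
        # ... but the unwrap routine and key ship with the client, so one call undoes it.
        "v2_unwrapped_logs_in": server.login("alice", wrap(cache_v2)),
        "wrong_password_logs_in": server.login("alice", pw_hash("guess")),
    }
```

Calling `demo()` returns the four outcomes; the cache file in either design has to be protected as if it held the password itself.
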
CompTech Posted December 14, 2006

I don't think your question sounds all that nefarious, so I'll help you in your quest for knowledge. If you should use this to steal others' accounts, I hope you get what's coming to you! Otherwise I hope I can help.

Steam stores everything about the users that use a machine in a file called ClientRegistry.blob. This file is located at:

C:\Program Files\Valve\Steam\ClientRegistry.blob

The password (when you hit "Remember my password") is stored in ClientRegistry.blob. The password is MD5 hashed by Steam. But it is possible to find the saved password if you make a call to the steam.dll file to decrypt it; this works because of a serious implementation flaw by Valve. Luigi Auriemma has already written a hack to decrypt the stored password.

Now a history lesson in stolen code. After he wrote this code, someone stole it and wrote a version that decrypted the password and then sent it to them so they could steal every Steam account for everyone that used it. Luigi's version IS NOT A TROJAN, but antivirus software will flag it as such because it is a huge chunk of a trojan (again, they stole his code for part of it). You'll have to disable your antivirus for the program to be able to run if it flags it.

This is the decrypter he wrote: http://aluigi.altervista.org/pwdrec/steampwd.zip

These are his other hacks for decrypting passwords: http://aluigi.altervista.org/pwdrec.htm
burn Posted December 15, 2006

good luck with that :)
bommaboy2789 Posted December 15, 2006

y not before u lose it send urself an email or something if ur gonna lose it? also go to the steam website and see if u can find anything on pw recovery
steaknuggetz Posted December 25, 2006

I might be new to Hak5 forum but I wasn't born yesterday. I really think he has some "mischievous" tasks planned if he wants to know where "his" steam password is stored.
PoyBoy Posted January 2, 2007

As far as I'm concerned, this forum is about learning and exploration. This question is not nefarious sounding at all. Consider this for a second: if Meep had included a disclaimer/"im-not-gonna-do-anything-bad-with-the-rocket-launcher-daddy" in his question, nowhere near as much suspicion would have arisen.

That being said, I don't think it's the role of the forum members here to be the police. If the questioner is obviously going to misuse any knowledge gained without bothering to understand what he/she(?) is doing, then I'm all for not telling them a word.

Lastly, there is absolutely nothing wrong with giving newcomers (anyone new, in any thread) a little free information. This actually gives those frustrated with learning the fire inside them to keep going and improve themselves.
Deveant Posted January 2, 2007

hmm i suggest a firewall, something on the lines of Zone Alarm or Kaspersky, this way u can make sure that ur passwords when running the recoveries aren't accessing the internet and sending it off, or if it's just a plain MD5, no salt, then get ahold of either a Rainbow Table, or a BF / Dictionary and go at it, if u really wanna be on the safe side.

Also i don't see anything wrong with the OP either, i've often lost my passwords, lucky enough with HL2 i printed off my steam account and keep it in the HL2 box ^_^
VaKo Posted January 2, 2007

The only thing we mods frown upon is specifically nefarious attacks. The mere possibility of something being used for bad isn't enough to warrant attacking people.
waterdude Posted January 3, 2007

Where does it save the pass or information it gets from the .blob to? It doesn't seem to be working for me. You extract to the steam folder then run it from there, right?
CompTech Posted January 3, 2007

No, you extract to anywhere BUT your steam folder and then run it. It needs the version of steam.dll that comes with it to run correctly.

BTW, it's not a simple MD5 hash, I wasn't very clear on exactly how it works in my first post b/c I have looked into it much. But it uses the product id to encrypt the password in the blob file. I assume it uses MD5 for some of it from the libraries steam loads on start up.
unasoto Posted February 16, 2007

I think this is a good question. I never thought about what happened to my HL password after I put it in, I'm not going to forget it because it's the same one I use for everything else. but this might be a good addy to the switchblade/haksaw thingy lol :)
Painkiller667 Posted March 12, 2007

For those of you that feel this can't be good, and think that he is up to mischief trying to get someone's steam account, then I have this to say. For what reasons then, were the email account and aim account stealers included in the switchblade packages? Having someone's email username and password can prove to be much more useful than having a steam password. So it should either be all legal and moral in here, or let everything go. Since hak5 went the mischievous way, ie in supplying and promoting the switchblade packages that steal aim and mail accounts, then why not go all the way and steal Steam accounts as well?

So Vako why don't you frown upon the nefariousness of the switchblade and the hacksaw?
unasoto Posted March 12, 2007

> For those of you that feel this can't be good, and think that he is up to mischief trying to get someone's steam account, then I have this to say. For what reasons then, were the email account and aim account stealers included in the switchblade packages? Having someone's email username and password can prove to be much more useful than having a steam password. So it should either be all legal and moral in here, or let everything go. Since hak5 went the mischievous way, ie in supplying and promoting the switchblade packages that steal aim and mail accounts, then why not go all the way and steal Steam accounts as well?
>
> So Vako why don't you frown upon the nefariousness of the switchblade and the hacksaw?

There is a big gray line, as long as it has some valid use (white hat) you're good, just try not to point out the obvious malicious abilities (black hat), don't make it too easy on the script kiddies ;)
sneaky_rupert Posted March 12, 2007

> > For those of you that feel this can't be good, and think that he is up to mischief trying to get someone's steam account, then I have this to say. For what reasons then, were the email account and aim account stealers included in the switchblade packages? Having someone's email username and password can prove to be much more useful than having a steam password. So it should either be all legal and moral in here, or let everything go. Since hak5 went the mischievous way, ie in supplying and promoting the switchblade packages that steal aim and mail accounts, then why not go all the way and steal Steam accounts as well?
> >
> > So Vako why don't you frown upon the nefariousness of the switchblade and the hacksaw?
>
> There is a big gray line, as long as it has some valid use (white hat) you're good, just try not to point out the obvious malicious abilities (black hat), don't make it too easy on the script kiddies ;)

I think the fact that he even raised that question tells me he is *at least* on the right track to getting the big picture here. I have no argument to your point, except for the fact that white hats are allowed to be malicious if stated in the agreement with the corporation they are auditing.