Steam

[meep]

I'm a gamer and i was wondering where does my Steam password get saved to .

Cause i have it set to log me in automatically on steam?

can someone also tell me the command in the command line

to get a single REG_SZ file from the reg

for example might be

HKEY_LOCAL_MACHINESOFTWARETest

then the REG_SZ keys name is test

thanks in advance

[Freakish]

I'm a gamer and i was wondering where does my Steam password get saved to .

Cause i have it set to log me in automatically on steam?

Why do you need to find where "your" password is saved?

[DLSS]

cos he lost it ?

happens to me everytime , not on steam tho , but on im's and stuff

(i almost never use msn and have miranda and gaim set to autologin

so if i need to login from somewere else it can happen i dont remember my pass ....)

tho u can just get it reset .... and recieve the mail ...

(thats were if it comes to steami have my 2nd problem ... i no loger have that mail adress i used to register my 1st account cos that host got sold to another one and they didnt transfere the accounts ...)

[Sparda]

if steam is any good it will only remember the hash of the password it sends to authenticate you.

[jool]

He obviously just wants to steal someones account because if he wasn't a complete tool and really was interested it wouldn't be difficult to find.

[Sparda]

if steam is any good it will only remember the hash of the password it sends to authenticate you.

I just realised how stupid this is, if it stores the hash, some one could just take the hash, not know what the password is and insert the stolen hash. So, let me correct this statment ^^

If steam is any good it will use some kind of reversible encryption algorithm (with a predefined key that is not public) to encrypt the hash of the password that is eventually sent to the steam servers.

[jool]

It will still not be safe since you will need the correct key to send to the server to be able to log in. If it is encrypted the decryption key and algorithm will be inside the steam application and almost trivial to reverse engineer.

[Sparda]

Ye, there is no real way to store a password (or a password hash) that it could not be get back.

[CompTech]

I don't think your question sounds all that nefarious, so I'll help you in your quest for knowledge. If you should use this to steal others accounts, I hope you get what's coming to you! Otherwise I hope I can help.

Steam stores everything about the users that use a machine in a file called ClientRegistry.blob. This file is located at:

C:Program FilesValveSteamClientRegistry.blob

The password (when you hit "Remember my password") is stored in ClientRegistry.blob. The password is MD5 hashed by steam. But it is possible to find the saved password if you make a call to the steam.dll file to decrypt it, this works because of a serious implementation flaw by Valve.

Luigi Auriemma has already written a hack to decrypt the stored password. Now a history lesson in stolen code. After he wrote this code, someone stole it and wrote a version that decrypted the password and then sent it to them so they could steal every steam account for everyone that used it. Luigi's version IS NOT A TROJAN, but antivirus software will flag it as such because it is a huge chuck of a trojan (again, they stole his code for part of it). You'll have to disable your antivirus for the program to be able to run if it flags it.

This is the decrypter he wrote:

http://aluigi.altervista.org/pwdrec/steampwd.zip

This is his other hacks for decrypting passwords:

http://aluigi.altervista.org/pwdrec.htm

[burn]

good luck with that :)

[bommaboy2789]

y not before u lose it send urself an email or somthing if ur gonna lose it also go to the steam website and see if u can find anything on pw revovery

[steaknuggetz]

I might be new to Hak5 forum but I wasn't born yesterday. I really think he has some "mischievous" tasks planned if he wants to know where "his" steam password is stored.

[PoyBoy]

as far as im concerned, this forum is about learning and exploration. This question is not nefarious sounding at all. Consider this for a second: If Meep had included a disclaimer/"im-not-gonna-do-anything-bad-with-the-rocket-launcher-daddy" in his question, nowhere near as much suspicion would have arisen. That being said, I dont think its the role of the forum members here to be the police. If the questioner is obviously going to missuse any knowledge gained without bothering ot understand what he/she(?) is doing, than I'm all for not telling them a word. Lastly, there is absolutely nothing wrong with giving newcomers (anyone new, in any thread) a little free information. This actually gives those frustrated with learning the fire inside them to keep going and improve themselves.

[Deveant]

hmm i suggest a firewall, somethink on the lines of Zone Alarm or Kaspersky this way u can make sure that ur passwords when running the recoveries arnt accessing the internet and sending it off, or if its just a plane MD5, no salt, then get ahold of either a Rainbow Table, or a BF / Dictonary and go at it, if u really wanna be on the safe side.

Also i dont see anythink wrong with the OP either, ive often lost my passwords, lucky enough with HL2 i printed of my steam account and keep it in the HL2 box ^_^

[VaKo]

The only thing we mods frown upon is specifically nefarious attacks. The mere possibility of something being used for bad isn't enough to warrant attacking people.

[waterdude]

Where does it save the pass or information it gets from the .blob to? It doesn't seem to be working for me. You extract to the steam folder then run it from there, right?

[CompTech]

No, you extract to anywhere BUT your steam folder and then run it. It needs the version of steam.dll that comes with it to run correctly.

BTW, It's not a simple MD5 hash, I wasn't very clear on exactly how it works in my first post b/c I have looked into it much. But it use the product id to encrypt the password in the blob file. I assume it uses MD5 for some of it from the libraries steam loads on start up.

[unasoto]

I think this is a good question. I never thought about what happened to my HL password after I put it in, i'm not going to forget it because its the same one I use for everything else. but this might be a good addy to the switchblade/haksaw thingy lol:)

[Painkiller667]

For those of you that feel this can't be good, and think that he is upto mischief trying to get someone's steam account, then I have this to say. For what reasons then, were the email account and aim account stealers included in the switchblade packages? Having someone's email username and password can prove to be much more useful than having a steam password. So it should either be all legal and moral in here, or let everything go. Since hak5 went the mischievous way, ie in supplieing and promoting the switchblade packages that steal aim and mail accounts, then why not go all the way and steal Steam accounts as well?

So Vako why don't you frown upon the nefariousness of the switchblade and the hacksaw?

[unasoto]

For those of you that feel this can't be good, and think that he is upto mischief trying to get someone's steam account, then I have this to say. For what reasons then, were the email account and aim account stealers included in the switchblade packages? Having someone's email username and password can prove to be much more useful than having a steam password. So it should either be all legal and moral in here, or let everything go. Since hak5 went the mischievous way, ie in supplieing and promoting the switchblade packages that steal aim and mail accounts, then why not go all the way and steal Steam accounts as well?

So Vako why don't you frown upon the nefariousness of the switchblade and the hacksaw?

There is a big gray line as long as it has some valid use (white hat) your good just try not to pooint out the obvious malicious abilities (black hat) dont make it to easy on the script kiddies ;)

[sneaky_rupert]

For those of you that feel this can't be good, and think that he is upto mischief trying to get someone's steam account, then I have this to say. For what reasons then, were the email account and aim account stealers included in the switchblade packages? Having someone's email username and password can prove to be much more useful than having a steam password. So it should either be all legal and moral in here, or let everything go. Since hak5 went the mischievous way, ie in supplieing and promoting the switchblade packages that steal aim and mail accounts, then why not go all the way and steal Steam accounts as well?

So Vako why don't you frown upon the nefariousness of the switchblade and the hacksaw?

There is a big gray line as long as it has some valid use (white hat) your good just try not to pooint out the obvious malicious abilities (black hat) dont make it to easy on the script kiddies ;)

I think the fact that he even raised that question tells me he is *at least* on the right track to getting the big picture here. I have no argument to your point, except for the fact that white hats are allowed to be malicious if stated in the agreement with the corporation they are auditing.