Jump to content

Steam


meep
 Share

Recommended Posts

I'm a gamer and i was wondering where does my Steam password get saved to .

Cause i have it set to log me in automatically on steam?

can someone also tell me the command in the command line

to get a single REG_SZ file from the reg

for example might be

HKEY_LOCAL_MACHINESOFTWARETest

then the REG_SZ keys name is test

thanks in advance

Link to comment
Share on other sites

cos he lost it ?

happens to me everytime , not on steam tho , but on im's and stuff

(i almost never use msn and have miranda and gaim set to autologin

so if i need to login from somewere else it can happen i dont remember my pass ....)

tho u can just get it reset .... and recieve the mail ...

(thats were if it comes to steami have my 2nd problem ... i no loger have that mail adress i used to register my 1st account cos that host got sold to another one and they didnt transfere the accounts ...)

Link to comment
Share on other sites

if steam is any good it will only remember the hash of the password it sends to authenticate you.

I just realised how stupid this is, if it stores the hash, some one could just take the hash, not know what the password is and insert the stolen hash. So, let me correct this statment ^^

If steam is any good it will use some kind of reversible encryption algorithm (with a predefined key that is not public) to encrypt the hash of the password that is eventually sent to the steam servers.

Link to comment
Share on other sites

It will still not be safe since you will need the correct key to send to the server to be able to log in. If it is encrypted the decryption key and algorithm will be inside the steam application and almost trivial to reverse engineer.

Link to comment
Share on other sites

I don't think your question sounds all that nefarious, so I'll help you in your quest for knowledge. If you should use this to steal others accounts, I hope you get what's coming to you! Otherwise I hope I can help.

Steam stores everything about the users that use a machine in a file called ClientRegistry.blob. This file is located at:

C:Program FilesValveSteamClientRegistry.blob

The password (when you hit "Remember my password") is stored in ClientRegistry.blob. The password is MD5 hashed by steam. But it is possible to find the saved password if you make a call to the steam.dll file to decrypt it, this works because of a serious implementation flaw by Valve.

Luigi Auriemma has already written a hack to decrypt the stored password. Now a history lesson in stolen code. After he wrote this code, someone stole it and wrote a version that decrypted the password and then sent it to them so they could steal every steam account for everyone that used it. Luigi's version IS NOT A TROJAN, but antivirus software will flag it as such because it is a huge chuck of a trojan (again, they stole his code for part of it). You'll have to disable your antivirus for the program to be able to run if it flags it.

This is the decrypter he wrote:

http://aluigi.altervista.org/pwdrec/steampwd.zip

This is his other hacks for decrypting passwords:

http://aluigi.altervista.org/pwdrec.htm

Link to comment
Share on other sites

  • 2 weeks later...

as far as im concerned, this forum is about learning and exploration. This question is not nefarious sounding at all. Consider this for a second: If Meep had included a disclaimer/"im-not-gonna-do-anything-bad-with-the-rocket-launcher-daddy" in his question, nowhere near as much suspicion would have arisen. That being said, I dont think its the role of the forum members here to be the police. If the questioner is obviously going to missuse any knowledge gained without bothering ot understand what he/she(?) is doing, than I'm all for not telling them a word. Lastly, there is absolutely nothing wrong with giving newcomers (anyone new, in any thread) a little free information. This actually gives those frustrated with learning the fire inside them to keep going and improve themselves.

Link to comment
Share on other sites

hmm i suggest a firewall, somethink on the lines of Zone Alarm or Kaspersky this way u can make sure that ur passwords when running the recoveries arnt accessing the internet and sending it off, or if its just a plane MD5, no salt, then get ahold of either a Rainbow Table, or a BF / Dictonary and go at it, if u really wanna be on the safe side.

Also i dont see anythink wrong with the OP either, ive often lost my passwords, lucky enough with HL2 i printed of my steam account and keep it in the HL2 box ^_^

Link to comment
Share on other sites

No, you extract to anywhere BUT your steam folder and then run it. It needs the version of steam.dll that comes with it to run correctly.

BTW, It's not a simple MD5 hash, I wasn't very clear on exactly how it works in my first post b/c I have looked into it much. But it use the product id to encrypt the password in the blob file. I assume it uses MD5 for some of it from the libraries steam loads on start up.

Link to comment
Share on other sites

  • 1 month later...

I think this is a good question. I never thought about what happened to my HL password after I put it in, i'm not going to forget it because its the same one I use for everything else. but this might be a good addy to the switchblade/haksaw thingy lol:)

Link to comment
Share on other sites

  • 4 weeks later...

For those of you that feel this can't be good, and think that he is upto mischief trying to get someone's steam account, then I have this to say. For what reasons then, were the email account and aim account stealers included in the switchblade packages? Having someone's email username and password can prove to be much more useful than having a steam password. So it should either be all legal and moral in here, or let everything go. Since hak5 went the mischievous way, ie in supplieing and promoting the switchblade packages that steal aim and mail accounts, then why not go all the way and steal Steam accounts as well?

So Vako why don't you frown upon the nefariousness of the switchblade and the hacksaw?

Link to comment
Share on other sites

For those of you that feel this can't be good, and think that he is upto mischief trying to get someone's steam account, then I have this to say. For what reasons then, were the email account and aim account stealers included in the switchblade packages? Having someone's email username and password can prove to be much more useful than having a steam password. So it should either be all legal and moral in here, or let everything go. Since hak5 went the mischievous way, ie in supplieing and promoting the switchblade packages that steal aim and mail accounts, then why not go all the way and steal Steam accounts as well?

So Vako why don't you frown upon the nefariousness of the switchblade and the hacksaw?

There is a big gray line as long as it has some valid use (white hat) your good just try not to pooint out the obvious malicious abilities (black hat) dont make it to easy on the script kiddies ;)

Link to comment
Share on other sites

For those of you that feel this can't be good, and think that he is upto mischief trying to get someone's steam account, then I have this to say. For what reasons then, were the email account and aim account stealers included in the switchblade packages? Having someone's email username and password can prove to be much more useful than having a steam password. So it should either be all legal and moral in here, or let everything go. Since hak5 went the mischievous way, ie in supplieing and promoting the switchblade packages that steal aim and mail accounts, then why not go all the way and steal Steam accounts as well?

So Vako why don't you frown upon the nefariousness of the switchblade and the hacksaw?

There is a big gray line as long as it has some valid use (white hat) your good just try not to pooint out the obvious malicious abilities (black hat) dont make it to easy on the script kiddies ;)

I think the fact that he even raised that question tells me he is *at least* on the right track to getting the big picture here. I have no argument to your point, except for the fact that white hats are allowed to be malicious if stated in the agreement with the corporation they are auditing.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...