Hi,
I'm currently trying to replicate what I assume the real Steam client would be doing when logging in a "remembered" account.
I'm parsing the VDF configs to grab the recently logged in user.
Therefore, from what I can tell, the sentry file should be up to date after having logged in with the real client once beforehand.
This is my script:
const fs = require('fs');
const VDF = require('@node-steam/vdf');
const { enumerateValues, HKEY } = require('registry-js');
const SteamUser = require('steam-user');
const steamPath = enumerateValues(HKEY.HKEY_LOCAL_MACHINE, 'SOFTWARE\\WOW6432Node\\Valve\\Steam').filter(value => value.name === "InstallPath")[0].data;
// Get the name of the recently logged in account.
const loginUsersFile = fs.readFileSync(`${steamPath}\\config\\loginusers.vdf`).toString();
const accountName = Object.entries(VDF.parse(loginUsersFile).users).filter(([_, user]) => user.mostrecent === 1)[0][1].AccountName;
// Get sentry.
const configFile = fs.readFileSync(`${steamPath}\\config\\config.vdf`).toString();
const sentryFilePath = VDF.parse(configFile).InstallConfigStore.Software.valve.Steam.SentryFile;
const sentry = fs.readFileSync(sentryFilePath);
// Try to login with that information.
const steamUser = new SteamUser();
steamUser.setSentry(sentry);
steamUser.logOn({
'accountName': accountName
});
steamUser.on('loggedOn', details => {
console.log('loggedOn', steamUser.steamID);
});
steamUser.on('error', e => {
console.log('error', e);
});
However, I'm always receiving an error with EResult 5 InvalidPassword.
Directly running against the steam-user source code instead of the NPM package and dumping the SteamUser._logOnDetails shows the following data being sent when calling .logOn(...) (with private information being redacted):
{
account_name: '???',
password: undefined,
login_key: undefined,
auth_code: undefined,
two_factor_code: undefined,
should_remember_password: false,
obfuscated_private_ip: { v4: 0 },
protocol_version: 65580,
supports_rate_limit_response: true,
machine_name: '',
ping_ms_from_cell_search: 20,
client_language: 'english',
client_os_type: 16,
anon_user_target_account_name: '',
steamguard_dont_remember_computer: false,
ui_mode: undefined,
chat_mode: 2,
web_logon_nonce: undefined,
_steamid: undefined,
cell_id: ??,
sha_sentryfile: <Buffer ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??>,
eresult_sentryfile: 1,
machine_id: <Buffer ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ... 105 more bytes>
}
Am I doing something wrong?
What do I need to pass to .logOn(...) to login just with the sentry file?
I also tried a self-generated sentry file by using the steam-user package to do a remembered password/2FA-based login before.
This first password/2FA login attempt succeeds.
However, using the resulting sentry file in the code above afterwards leads to the same error.
Maybe also my understanding is wrong and a loginKey ist always required for passwordless authentication (and sentry is somehow optional?).
If that is the case, how would I obtain such a loginKey from the real client? Are the values of InstallConfigStore.Software.valve.Steam.ConnectCache within the config.vdf the loginKeys? If so, how would I need to transform these hex strings to match the format used by steam-user?
After some investigation, I found out that the loginKey is indeed stored in the InstallConfigStore.Software.valve.Steam.ConnectCache values inside config.vdf. The "encryption" method is known by the real client. Sometimes I could also authenticate with such a decrypted loginKey even without using a sentry and also no 2FA code, but this may also be due to some other configuration (e.g. obfuscated private IP etc.) being identical to the previous attempt. I haven't yet tested enough to figure out what the conditions are for a sentry to be required. TL;DR for me is that the config.vdf seems to be equally worth protecting compared to the sentry file.