Jump to content
McKay Development

RSA encryption (Steam login request | https://steamcommunity.com/login/dologin/ )


Ben
 Share

Recommended Posts

I know this it not the rigth topic for this forum. But i thought you ,McKay or somebody else could help me. I try to login to steam via httprequest. For examlpe to emulate a login to a third party site to get the cookies for the site. I got everythink working so far but when i do the login i get invalid pw or username. I think the error is that I dont encrypt the password right. But i cant find a solution online. There are some topics in forums but nobody answers them. Here are some post that you know what i mean. 

https://stackoverflow.com/questions/27090326/php-steam-bot-how-to-login-to-page-using-rsa 

 

Link to comment
Share on other sites

I guess it dosnt work that well xD. In the brwoser steam does these transver requests and i also found them in the java script i got from steam but i cant understand the functions. Can someone help me maybe you see somethink i didnt get. 

these are the requests from the browser

image.png.8ecb4223e1587470e789da8a32782596.png

and here are the methodes 

CLoginPromptManager.TransferLogin = functionrgURLsparametersfnOnComplete )
{
    var bOnCompleteFired = false;
    var fnFireOnComplete = functionbSuccess )
    {
        if ( !bOnCompleteFired )
            fnOnCompletebSuccess );
        bOnCompleteFired = true;
    }
 
    var cResponsesExpected = rgURLs.length;
    $J(window).on'message'function() {
        if ( --cResponsesExpected == 0 )
            fnFireOnCompletetrue );
    });
 
    for ( var i = 0 ; i < rgURLs.lengthi++ )
    {
        var $IFrame = $J('<iframe>', {id: 'transfer_iframe' } ).hide();
        $J(document.body).append$IFrame );
 
        var doc = $IFrame[0].contentWindow.document;
        doc.open();
        doc.write'<form method="POST" action="' + rgURLs[i] + '" name="transfer_form">' );
        for ( var param in parameters )
        {
            doc.write'<input type="hidden" name="' + param + '" value="' + V_EscapeHTMLparameters[param] ) + '">' );
        }
        doc.write'</form>' );
        doc.write'<script>window.onload = function(){ document.forms["transfer_form"].submit(); }</script>' );
        doc.close();
    }
 
    // after 10 seconds, give up on waiting for transfer
    window.setTimeoutfunction() { fnFireOnCompletefalse ); }, 10000 );
};
 
CLoginPromptManager.prototype.OnTransferComplete = function()
{
    if ( !this.m_bLoginTransferInProgress )
        return;
    this.m_bLoginTransferInProgress = false;
    if ( !this.m_bInEmailAuthProcess && !this.m_bInTwoFactorAuthProcess )
        this.LoginComplete();
    else if ( this.m_bEmailAuthSuccessfulWantToLeave || this.m_bTwoFactorAuthSuccessfulWantToLeave)
        this.LoginComplete();
};

 

Link to comment
Share on other sites

It worked for a while but now i get the invalid pw error again. Am i doing something wrong? 

function get_rsa_key(){
    return new Promise((resolve,reject)=>{
        fetch("https://steamcommunity.com/login/getrsakey/", {
            "headers": {
            "accept": "*/*",
            "accept-language": "de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7",
            "content-type": "application/x-www-form-urlencoded; charset=UTF-8",
            "sec-fetch-dest": "empty",
            "sec-fetch-mode": "cors",
            "sec-fetch-site": "same-origin",
            "x-requested-with": "XMLHttpRequest",
            "cookie": sessionid+"; "+steamCountry+"; "+sessionidSecureOpenIDNonce
        },
        "referrer": "https://steamcommunity.com/openid/login?openid.ns=.......,
        "referrerPolicy": "strict-origin-when-cross-origin",
        "body": "donotcache="+Date.now()+"&username=****",
        "method": "POST",
        "mode": "cors"
        })
        .then(res => res.json())
        .then(json => {
            var key = new RSA();
            key.setPublic(json.publickey_modjson.publickey_exp);
            pwhex2b64(key.encrypt("*********"))
            resolve(pw)
        })
    })
}
 
function do_login(encryptedPassword,steamguard_code){
    return new Promise((resolve,reject)=>{
      var code = steamguard_code || ""
    fetch("https://steamcommunity.com/login/dologin/", {
        "headers": {
          "accept": "*/*",
          "accept-language": "de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7",
          "content-type": "application/x-www-form-urlencoded; charset=UTF-8",
          "sec-fetch-dest": "empty",
          "sec-fetch-mode": "cors",
          "sec-fetch-site": "same-origin",
          "x-requested-with": "XMLHttpRequest",
          "cookie": sessionid+"; "+steamCountry+"; "+sessionidSecureOpenIDNonce+"; timezoneOffset=3600,0"
        },
        "referrer": "https://steamcommunity.com/openid/login?openid.ns=.........",
        "referrerPolicy": "strict-origin-when-cross-origin",
        "body": "donotcache="+Date.now()+"&password="+encryptedPassword+"&username=****&twofactorcode="+code+"&emailauth=&loginfriendlyname=&captchagid=-1&captcha_text=&emailsteamid=&rsatimestamp="+timestamp+"&remember_login=false",
        "method": "POST",
        "mode": "cors"
      })
      .then(res => res.json())
    .then(json => {
        timestamp=json.timestamp
        console.log(json)
        //steamLoginSecure = json.headers['set-cookie'][0].slice(0,json.headers['set-cookie'][0].indexOf(";"))
        //console.log("Do login : "+JSON.stringify(json))
        resolve()    
    })
      .catch(error=>{
          console.log(error)
          reject(error)
      })
    })
}
 
Edited by Ben
Link to comment
Share on other sites

 

Hi so finally found what i was looking for. I just need the Cookies you get from oAuthLogin() but for that i need steamguard and the oAuthToken but those i get from the login methode. But i dont login via Community. I log in via node steam user and than do the setCookies(). Is there a way to do it the other way? Login via Community and set Cookies in User? Or is there an other way to get the Cookies?

 

 

Edited by Ben
Link to comment
Share on other sites

Is there anythink special about the rsa key request? specially with the dates? I still get the invalid password or username error. But the encrypted password looks fine. I was wondering if the rsa key was correct and tryed to play around with the donotcache dates. (UTC or my local time etc.) But sadly still no luck

Link to comment
Share on other sites

But the error must be there. I recreated the Browser requests using Postman and let everything the same exept of the password. This i encryted again with the new rsa key and than pasted this together with the new timestamp in the body of the dologin request. I know i am probably annoying you but i have been working on this for so long. Once it worked a little bit. I just used your code and added in the cookies that i had to sent with the rsa- and loginrequests. But i only got the steamLoginSecure and steamMachineAuth but not the steamRememberLogin Cookie. And i had another Question i never tried it but can you just use the cookies u got from the steam Login for the 3rd party login? Since they are also for every steamsite the same

Link to comment
Share on other sites

Your issue is probably that you aren't urlencoding the payload. I'm not super familiar with the fetch API you're using but I would be very surprised if it didn't have a mechanism to send an application/x-www-form-urlencoded request payload without having to encode it manually as you're doing.

And yes, Steam login cookies that you acquire from any source can be used on all Steam properties.

Link to comment
Share on other sites

  • 2 weeks later...

Hi so I know I probybly annoy you with this loggin questions but do you know anythink about this login request:

 image.png.6a3c0d76316ccf307386daa6cf24a960.png

and espacially about the parameters it contains?

image.png.b289b8ed3b458b80a49150caadb08225.png

I really hope you can help me since this is probably the last and biggest challenge i have got left

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
 Share

×
×
  • Create New...