jesterret/SteamUserAuthToken

Generated auth ticket is not valid

Alexeyt89 opened this issue · 2 comments

After recent updates, tokens generated with GetAuthSessionTicket are not valid. It looks like the process was changed a little. Now it doesn't accept obfuscated IP addresses, but requires some "random" value. It worked if zeros were set, but now the value is validated on the Steam side; if it is 0 or any random value, the token is considered invalid.
Here is the Steam response if such a token is sent to Steam via BeginAuthSession:
OnValidateAuthTicketResponse -> (m_eAuthSessionResponse == k_EAuthSessionResponseAuthTicketInvalid).

I opened steamclient.dll and steamclient.so in IDA, and the lines for appending IP addresses, which used to look like this (F5 in IDA):

sub_6DFC90((int)&v23, 0x18u);
sub_6DFC90((int)&v23, 1u); // write 1
sub_6DFC90((int)&v23, 2u); // write 2
v10 = sub_33F16C(v19); // get IP1
sub_6DFC90((int)&v23, v10); // write IP1
v11 = sub_33F142(v19); // get IP2
sub_6DFC90((int)&v23, v11); // write IP2
v12 = sub_86E550();  // Plat_MSTime

now look like this:

sub_388CC050((int)&v26, 0x18u);
sub_388CC050((int)&v26, 1u); // write 1
sub_388CC050((int)&v26, 2u); // write 2
SecureRandomBytes((int)&v29, 8); // ?
sub_388CB300(&v26, (int)&v29, 8); // ?
v15 = Plat_MSTime();

The function can be found by searching the *.dll and *.so for these strings in IDA:

"GetAuthSessionTicket called but no app ownership ticket available "
"GetAuthSessionTicket called with buffer too small for ticket "
"Assertion Failed: k_EBeginAuthSessionResultOK == eResult"

Here are 5 valid tokens generated via the game client for app ID 730:
valid_tokens.txt
The tokens were generated from the same game client at an interval of ~10-15 seconds. Note that what used to be IP addresses is now random bytes.

steamclient.zip
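To make the two layouts concrete, here is an added example (not code from the SteamUserAuthToken project or from the steamclient binaries) that builds and parses this section in both its old and new forms. It assumes, from the decompilation above, that each append helper writes a 32-bit little-endian value, that the 0x18 length counts itself (0x18 = 24 bytes = five 4-byte writes plus the 8-byte field), and that std::random_device stands in for SecureRandomBytes; the names build_section_old, build_section_new, parse_section and field8_is_zero are hypothetical. The field8_is_zero check only flags the all-zero form the report says used to pass; what Steam actually validates in that field is not known from this thread.

```cpp
#include <array>
#include <cstdint>
#include <cstring>
#include <random>
#include <vector>

// Section fields as inferred from the decompiled GetAuthSessionTicket builder
// quoted above: a 0x18 length, then 1, then 2, then an 8-byte field (IP1||IP2
// before the update, SecureRandomBytes output after it), then Plat_MSTime.
// Assumption: every 4-byte write is little-endian and the length counts itself.
struct TicketSection {
    uint32_t length;                // 0x18
    uint32_t marker1;               // 1
    uint32_t marker2;               // 2
    std::array<uint8_t, 8> field8;  // was IP1||IP2, now 8 random bytes
    uint32_t ms_time;               // Plat_MSTime()
};

static constexpr uint32_t kSectionLength = 0x18;

// Hypothetical stand-in for the 4-byte append helper (sub_6DFC90 / sub_388CC050).
static void put_u32(std::vector<uint8_t>& out, uint32_t v) {
    for (int i = 0; i < 4; ++i) out.push_back(static_cast<uint8_t>(v >> (8 * i)));
}

static uint32_t get_u32(const std::vector<uint8_t>& in, size_t off) {
    uint32_t v = 0;
    for (int i = 0; i < 4; ++i) v |= static_cast<uint32_t>(in[off + i]) << (8 * i);
    return v;
}

// Pre-update layout: the 8-byte slot carries the two IPv4 addresses.
std::vector<uint8_t> build_section_old(uint32_t ip1, uint32_t ip2, uint32_t ms_time) {
    std::vector<uint8_t> out;
    put_u32(out, kSectionLength);
    put_u32(out, 1);
    put_u32(out, 2);
    put_u32(out, ip1);
    put_u32(out, ip2);
    put_u32(out, ms_time);
    return out;
}

// Post-update layout: the same slot is filled with 8 bytes from a CSPRNG,
// appended as a raw block (mirroring the sub_388CB300 call with length 8).
std::vector<uint8_t> build_section_new(const std::array<uint8_t, 8>& random8, uint32_t ms_time) {
    std::vector<uint8_t> out;
    put_u32(out, kSectionLength);
    put_u32(out, 1);
    put_u32(out, 2);
    out.insert(out.end(), random8.begin(), random8.end());
    put_u32(out, ms_time);
    return out;
}

// Stand-in for SecureRandomBytes (assumption: std::random_device is backed by
// the OS CSPRNG, which holds for mainstream libstdc++/libc++/MSVC builds).
std::array<uint8_t, 8> secure_random8() {
    std::random_device rd;
    std::array<uint8_t, 8> r{};
    for (auto& b : r) b = static_cast<uint8_t>(rd());
    return r;
}

// Parse a section and check the fixed fields; returns false when the bytes do
// not match the layout above (too short, wrong length, or wrong markers).
bool parse_section(const std::vector<uint8_t>& in, TicketSection& s) {
    if (in.size() < kSectionLength) return false;
    s.length  = get_u32(in, 0);
    s.marker1 = get_u32(in, 4);
    s.marker2 = get_u32(in, 8);
    std::memcpy(s.field8.data(), in.data() + 12, 8);
    s.ms_time = get_u32(in, 20);
    return s.length == kSectionLength && s.marker1 == 1 && s.marker2 == 2;
}

// The shape the issue reports as accepted before the update and rejected now:
// an all-zero 8-byte field.
bool field8_is_zero(const TicketSection& s) {
    for (uint8_t b : s.field8) if (b != 0) return false;
    return true;
}
```

Because the section is fixed-size, a parser can spot the old/new difference only by content, not by length: the only observable change in the captured tickets is that the 8 bytes at offset 12 stop looking like IPv4 addresses.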

Thanks, I will look into it, but considering that the data is random now, I don't see how they would validate it when it's anything other than zeroes.
I was actually intending to parse the app ownership token since it also contained IPs, so now I wonder if they changed that too!

Hi, it should be fixed now.
Also enabled the possibility of replacing the behaviour in the future if it changes :)
Thanks again!
As a side note, the app ownership token still contains both local and public IPs, so I wouldn't recommend sharing them ;)