Search results

Their source is obfuscated using Allatori (http://www.allatori.com/) so I can't see the decryption/encryption method. All I can tell you is it's hardware based. It could use one or more of many hardware based identifiers as there's no standardised HWID algorithm. It could also use the PC name...

If you still need help with this then send me a PM. I'll need either the .java/.class/.jar file though so I can see what's wrong with it.

Since the software will need to be able to get the password back from that, it's not a hash of any kind. The sites listed above won't help. A good resource I use for determining hash types is this: http://www.insidepro.com/hashes.php I did a bit of searching and I can't find any solid...

I've tested this and it seems to have no effect.

Ahh, the things people do when they think nobody is watching. :)

RE: f*ck my LIFE Do you have him on a RAT or do you simply have his username and password?

@slack3r I'll send you a PM with my contact details now. :)

It seems the random.dat method no longer works. Editing the file for the first time on a device will cause the device not to be recognized, but additional edits seem to have no effect. There's another way to achieve the same results though, but that's still a work in progress. I'll see what I...

It's possible to spoof CPUID inside a virtual machine, at least it is in VMWware. Some of the changes are automatically overwritten though, such as L2 and L3 cache sizes, amongst a few others. Intel processors no longer use the 'unique serial' you mention, but I've not checked whether or not...

Last time I looked into this it was encrypted using something hardware based as the key. A few people seem to know, but not many seem to want to say.

Ah what the hell. I'll post it all here, I doubt it'll affect anything if I do. I'll edit this with a write up in a bit. Edit: --- Don't take this as gospel, some of this is still speculation. JAG uses two, possibly three forms of authentication. The first is a token file, random.dat...

I've now figured out the exact method JAG uses to identify devices. It's pretty low level identification unfortunately, but I may still be able to work around it. There's a few possibilities left. If anyone's curious as to the actual workings of JAG then PM me.

I've verified random.dat is exactly as it says, random. The information contained within isn't an encrypted UUID or in any way specific to the hardware or the OS. As for simply telling them to turn it off, I can hardly see this working in any context unless they're incredibly stupid. I'm sure...

Simple test: Took a random string "testpassword123" and transliterated it to Cyrillic characters, "тестпассворд123". Tried to change the password of an account to that, and it tells me the password is an invalid length. Some more testing gave me "The password you entered contained an...

Yeah, that would work. You'd still need to grab whatever hardware specific information JAG uses, but a keylogger should have no issues with that. Then it's just a case of injecting it into the return value of a method call in the client. There's a few programs that can do this, so I'll look...

A workaround is always useful, and at the very least I'll learn something in the process of trying to find one. Even if it's only a small percentage of people using it, the ones who do use it are probably the ones with the most money. Generally, at least. The client seems to load a lot of...

Changed my MAC address and I can still log in fine, no JAG prompt. Deleting random.dat and recording their answers will work, but imagine doing that if you have hundreds of victims. I'm sure it could be automated, but it's not the best way to go about it. I'm sure whatever it is that they...

Not sure why they'd use ISP, but it'd be possible of course. Security wise a simple script to calculate the lat/long differences between the location of two IP's would be better. Maybe they do both. Either way it's a sad state of affairs when a game has better security than my bank account.

Makes sense with a signed applet I suppose. I'll look into it too and update this if I find anything. I'm surprised there's been little said about it, since it's a pretty big problem for people like us. @Adam It probably uses IP to some extent, I've read that when it came out there were...

A system is generally only as secure as an individual's willpower to circumvent the security. On that note, I'll see if I can figure out how exactly JAG operates and how to work around it. If I do figure it out I'll post a guide here. @slack3r I was vaguely under the impression Java...