Hello all.
As we're all aware, JAG is proving to be somewhat problematic in our line of work. It's been released for over a month, and nobody seems to be saying much about it. I only returned to RS hacking a little under a week ago, and it's already become more than an annoyance.
Here's what I know so far:
It uses a combination of methods to verify the device logging in. If any of these are found to be incongruous with the details stored on their server, the login fails and the user receives the "This account is protected by the Jagex Account Guardian" prompt.
It definitely uses hardware-specific information for verification purposes. I'm uncertain as to the limitations of a Java applet for this purpose; it's not my area.
It also uses a file named 'random.dat' to authenticate the device. On Windows 7 I found this under "%USERPROFILE%/random.dat" and on Linux "/home/random.dat". It contains 24 bytes of application-specific data that's loaded by the game upon launch. If this file is modified or deleted, the user will get the JAG prompt, regardless of everything else being consistent.
I've verified it's hardware-based by a simple trial-and-error test. I copied "random.dat" from my desktop to my laptop, attempted to log in to the game, and received a JAG prompt. I then took the hard drive from my laptop, put it back into my desktop PC, and managed to log in successfully. Nothing was changed, so there's certainly some hardware-specific information being used to authenticate.
Jagex are pretty smart with their security, so I'd not be surprised if IP geolocation is used as well. For example, if I took my PC to Saudi Arabia and attempted to log in I'd get a JAG prompt too.
So far it seems pretty secure, but it's definitely not unbeatable. It thwarts phishing/keylogging attacks, so if it is bypassable the victim will need to be on a RAT.
The only current way I can think to get around this, assuming the victim doesn't leave their computer, is to delete random.dat, watch them type in their recovery questions, and then repeat this process until you get all five. This assumes you can get into their emails, but if you've got them on a RAT this shouldn't be a problem.
Anyway, does anyone have any more information on this? There have been a few threads but they're over a month old, hence why I made a new one.
Crin
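
The behaviour reported in the post above (a copied random.dat failing on different hardware, and a modified or deleted file triggering the prompt) is what a server-side check produces when it binds a device token to a hardware fingerprint. The following is an added illustration, not part of the original post and not Jagex's code; the HMAC construction, function names, fingerprint values and server key are all assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

SERVER_KEY = os.urandom(32)  # hypothetical per-service secret, never sent to clients
TOKEN_LEN = 24               # matches the 24-byte random.dat size reported in the post

# Constructed sample fingerprints standing in for whatever hardware data a client reports.
DESKTOP_HW = b"constructed-desktop-fingerprint"
LAPTOP_HW = b"constructed-laptop-fingerprint"


def _bind(token: bytes, hw_fingerprint: bytes) -> bytes:
    # Length-prefix the token so (token, fingerprint) pairs cannot be confused.
    msg = len(token).to_bytes(2, "big") + token + hw_fingerprint
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()


def enroll(hw_fingerprint: bytes) -> Tuple[bytes, bytes]:
    """Issue a fresh device token for a trusted device.

    Returns (token, binding): the token is what the client would keep on disk,
    the binding is stored server-side against the account.
    """
    token = os.urandom(TOKEN_LEN)
    return token, _bind(token, hw_fingerprint)


def check_login(stored_binding: bytes, token: Optional[bytes],
                hw_fingerprint: bytes) -> str:
    """Return 'ok', or 'challenge' when extra verification should be required."""
    if token is None or len(token) != TOKEN_LEN:
        return "challenge"  # token file deleted or truncated
    candidate = _bind(token, hw_fingerprint)
    if hmac.compare_digest(candidate, stored_binding):  # constant-time compare
        return "ok"
    return "challenge"      # token altered, or token presented from other hardware


if __name__ == "__main__":
    token, binding = enroll(DESKTOP_HW)
    print("same device:      ", check_login(binding, token, DESKTOP_HW))
    print("token on laptop:  ", check_login(binding, token, LAPTOP_HW))
    print("token deleted:    ", check_login(binding, None, DESKTOP_HW))
```

Because the binding covers both values, neither the token file nor the hardware data is sufficient on its own, which is why such a scheme resists credential phishing while still depending on the strength of the fallback challenge.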