
Info on the JAG

Crin

Member
Reputation
0
Hello all.

As we're all aware, JAG is proving to be somewhat problematic in our line of work. It's been released for over a month, and nobody seems to be saying much about it. I only returned to RS hacking a little under a week ago, and it's already become more than an annoyance.

Here's what I know so far:

It uses a combination of methods to verify the device logging in. If any of these are found to be incongruous with the details stored on their server, the login fails and the user receives the "This account is protected by the Jagex Account Guardian" prompt.

It definitely uses hardware specific information for verification purposes. I'm uncertain as to the limitations of a Java applet for this purpose; it's not my area.

It also uses a file named 'random.dat' to authenticate the device. On Windows 7 I found this under "%USERPROFILE%/random.dat" and on Linux "/home/random.dat". It contains 24 bytes of application specific data that's loaded by the game upon launch. If this file is modified or deleted the user will get the JAG prompt, regardless of everything else being consistent.

I've verified it's hardware based by a simple trial and error test. I copied "random.dat" from my desktop to my laptop, attempted to log in to the game, and received a JAG prompt. I then took the hard drive from my laptop, put it back into my desktop PC, and managed to log in successfully. Nothing was changed, so there's certainly some hardware specific information being used to authenticate.

Jagex are pretty smart with their security, so I'd not be surprised if IP geolocation is used as well. For example, if I took my PC to Saudi Arabia and attempted to log in I'd get a JAG prompt too.

So far it seems pretty secure, but it's definitely not unbeatable. It thwarts phishing/keylogging attacks, so if it is bypassable the victim will need to be on a RAT.

The only current way I can think to get around this, assuming the victim doesn't leave their computer, is to delete random.dat, watch them type in their recovery questions, and then repeat this process until you get all five. This assumes you can get into their emails, but if you've got them on a RAT this shouldn't be a problem.

Anyway, does anyone have any more information on this? There have been a few threads, but they're over a month old, which is why I made a new one.

Crin
 

Ironhide

Onyx user!
Reputation
0
Good information, was an interesting read actually. I don't really play RuneScape, getting into LoL now. So I have no idea really what JAG does or how secure it is, haha.
 

Pichu

Onyx user!
Reputation
0
I actually read it... That's good info, thanks.
 

Ben Hartley

Active Member
Reputation
0
Yeah, it uses HWID, but saying that, my friend @"CARDER" sometimes accesses accounts with this enabled somehow.
 

Crin

Member
Reputation
0
A system is generally only as secure as an individual's willpower to circumvent the security. On that note, I'll see if I can figure out how exactly JAG operates and how to work around it. If I do figure it out I'll post a guide here.

@slack3r

I was vaguely under the impression Java couldn't get HWIDs, at least not through an applet. That might have changed though. Reverse engineering isn't really my background, but I'll see if I can figure out exactly what it's using to authenticate.

If anyone's figured it out I'm likely willing to pay for it.
 

Ben Hartley

Active Member
Reputation
0
Crin said:
A system is generally only as secure as an individual's willpower to circumvent the security. On that note, I'll see if I can figure out how exactly JAG operates and how to work around it. If I do figure it out I'll post a guide here.

@slack3r

I was vaguely under the impression Java couldn't get HWIDs, at least not through an applet. That might have changed though. Reverse engineering isn't really my background, but I'll see if I can figure out exactly what it's using to authenticate.

If anyone's figured it out I'm likely willing to pay for it.

You can if you have a signed applet like RuneScape does :(

Ima look into it now.
 

Adam

Onyx user!
Reputation
0
I was cleaning hundreds of accounts using NVPN with a dynamic IP setup. The server location was always in Los Angeles and the geolocation of the IP was always in LA. When I would get 5 minute logged I would disconnect and reconnect to change my VPN's IP. I noticed that every 50 or so times I did this it would activate JAG on my personal account.
 

Crin

Member
Reputation
0
Makes sense with a signed applet I suppose. I'll look into it too and update this if I find anything. I'm surprised there's been little said about it, since it's a pretty big problem for people like us.

@Adam

It probably uses IP to some extent; I've read that when it came out there were issues for people with dynamic IPs. It's not a huge problem if it is IP, I think most RATs these days have the option to use the slave as a proxy.
 

Adam

Onyx user!
Reputation
0
Crin said:
Makes sense with a signed applet I suppose. I'll look into it too and update this if I find anything. I'm surprised there's been little said about it, since it's a pretty big problem for people like us.

@Adam

It probably uses IP to some extent; I've read that when it came out there were issues for people with dynamic IPs. It's not a huge problem if it is IP, I think most RATs these days have the option to use the slave as a proxy.

I'm sure it also uses your ISP to determine whether or not to lock the account.
 

Crin

Member
Reputation
0
Not sure why they'd use ISP, but it'd be possible of course. Security-wise, a simple script to calculate the lat/long differences between the location of two IPs would be better. Maybe they do both.

Either way it's a sad state of affairs when a game has better security than my bank account.
 

Ben Hartley

Active Member
Reputation
0
Have you tried doing anything with the MAC address?

RATs are not an option (you will really sit there and wait till they leave the PC xD?) & the proxy shit does not bypass NAT.

Ofc there's many workarounds, but it's not worth spending your time because of the current price of RuneScape mills.

Wouldn't it be more valid to write a small shit to delete random.dat & kill java.exe, then record their answers?

Oh, and most banks have much more security than this (send codes to your mobile etc.) and they are still fucked daily.

It's a matter of money :)
 

Crin

Member
Reputation
0
Changed my MAC address and I can still log in fine, no JAG prompt.

Deleting random.dat and recording their answers will work, but imagine doing that if you have hundreds of victims. I'm sure it could be automated, but it's not the best way to go about it.

I'm sure whatever it is that they use to identify the device can be spoofed on the API level. The first step is finding out what exactly it is they're using as a UID.

And as for money, I've made quite a bit from this game and stand to make a lot more if I can get around this stupid JAG shit.
 

Adam

Onyx user!
Reputation
0
To be completely honest, I don't think a workaround is needed if you are spreading on a massive scale. JAG has been out for around 2 months, so I would assume all the currently active players who have added it are the only ones who will add it unless they are hacked. If a person didn't spend 5 minutes to add it when Jagex was pushing it hard, they aren't likely to do it now.

From cleaning shitloads of logs from phishing, I think only 15-25% of players use JAG.

You have to add in the fact that it sends an email to you to get the link to type in the answers. It's impractical for there to be any bypass for phishing because of the email.
 

Crin

Member
Reputation
0
A workaround is always useful, and at the very least I'll learn something in the process of trying to find one.

Even if it's only a small percentage of people using it, the ones who do use it are probably the ones with the most money. Generally, at least.

The client seems to load a lot of hardware specific information into memory including the MAC address so I'm going to mess around with this and see if it's related to JAG.
 

Cannabis

Onyx user!
Reputation
0
If you could get a keylogger that grabs their IP and find a stealer for the random.dat info, I wonder if that would work.
 

Crin

Member
Reputation
0
Kevin said:
If you could get a keylogger that grabs their IP and find a stealer for the random.dat info, I wonder if that would work.

Yeah, that would work. You'd still need to grab whatever hardware specific information JAG uses, but a keylogger should have no issues with that.

Then it's just a case of injecting it into the return value of a method call in the client. There's a few programs that can do this, so I'll look into it. :)
 

Ben Hartley

Active Member
Reputation
0
Crin said:
Kevin said:
If you could get a keylogger that grabs their IP and find a stealer for the random.dat info, I wonder if that would work.

Yeah, that would work. You'd still need to grab whatever hardware specific information JAG uses, but a keylogger should have no issues with that.

Then it's just a case of injecting it into the return value of a method call in the client. There's a few programs that can do this, so I'll look into it. :)

random.dat is uploaded every time you enter your account; unless they're dumb, they would check the contents of random.dat to see whether it compares to your OS.
 

eXero

Onyx user!
Reputation
0
I still think someone is a ways off of beating JAG, as jagex is probably constantly updating it.
 

Hipsters

User is banned.
Reputation
0
I see you guys in such a hassle because of JAG, which can be easily shut off with the power of persuasion. I am an experienced account stealer, not a hacker, because I do not use any programs at all to steal RuneScape accounts, although I do have some knowledge and could do it. I can say I have made over 50k real life with RS stealing, and the way I get over JAG is by simply saying to people to turn it off. Ofc there is something behind it, but as I said, in the somewhat rare accounts where I find JAG I just tell the person to shut off JAG, and in 90% of the cases they do it.

From the point of view of shutting it down/getting over it in a more mechanical way, my only advice is having a good keylogger and a link between the victim's email and yours, if you know how to do it. That way you do not need to access their email directly with login information, and they do not even realise you have access to their email, as the actions you take on your side of the client do not reflect on the victim's side. For example: if you open one unseen message on your side, on the victim's side the message will still appear as unseen. Thunderbird is also a good choice if you do not have the knowledge to go further, and you only need the login details once.
 

Gengar_mybb_import19743

Active Member
Reputation
0
Hipstery said:
I see you guys in such a hassle because of JAG, which can be easily shut off with the power of persuasion. I am an experienced account stealer, not a hacker, because I do not use any programs at all to steal RuneScape accounts, although I do have some knowledge and could do it. I can say I have made over 50k real life with RS stealing, and the way I get over JAG is by simply saying to people to turn it off. Ofc there is something behind it, but as I said, in the somewhat rare accounts where I find JAG I just tell the person to shut off JAG, and in 90% of the cases they do it.

From the point of view of shutting it down/getting over it in a more mechanical way, my only advice is having a good keylogger and a link between the victim's email and yours, if you know how to do it. That way you do not need to access their email directly with login information, and they do not even realise you have access to their email, as the actions you take on your side of the client do not reflect on the victim's side. For example: if you open one unseen message on your side, on the victim's side the message will still appear as unseen. Thunderbird is also a good choice if you do not have the knowledge to go further, and you only need the login details once.

You just "tell them" to turn it off?