
Info on the JAG

Deathwish

Onyx user!
Reputation
0
Hey... did you know that JAG is bad for your health? Why don't you turn it off... Also, tell me your login name and password along the way. Thanks.
 

Hipsters

User is banned.
Reputation
0
Lifewish said:
Hey... did you know that JAG is bad for your health? Why don't you turn it off... Also, tell me your login name and password along the way. Thanks.

Haha you think I would be making 50k irl off that story hahaha

You're pretty god damn wrong. Just so you know, there are sometimes where I steal so many accounts I get bored and stop for like weeks. My method is pretty good and I NEVER ask them for a password or username as you suggest.


Gengar said:
Hipstery said:
I see you guys in such a hassle because of JAG, which can be easily shut off with the power of persuasion. I am an experienced account stealer, not a hacker, because I do not use any programs at all, although I do have some knowledge and could do it, to steal Runescape accounts. I can say I have made over 50k real life with rs stealing, and the way I get over JAG is by simply saying to people to turn it off. Ofc there is something behind it, but as I said, in the somewhat rare accounts where I find JAG I just tell the person to shut off JAG and in 90% of the cases they do it.

From the point of view of shutting down/getting over it in a more mechanical way, my only advice is having a good keylogger and a link between the victim's email and yours if you know how to do it; that way you do not need to access their email directly with log-in information, and they do not even realise you have access to their email, as the actions you take on your side of the client do not reflect on the victim's side. For example: if you open one unseen message on your side, on the victim's side the message will still appear as unseen. Thunderbird is also a good choice if you do not have the knowledge to go further, and you only need the log-in details once.

You just "tell them" to turn it off?
[image: "seems legit"]

I knew there were dumb people but not that dumb

I do not tell them to turn it off for no reason. There is always something behind it, and what is behind it makes them turn off JAG 90% of the times I ask.
 

charmanter3

New Member
Reputation
0
ugh this helped me so much, I usually rat players so now I'll just delete their random.dat, keylog their questions and boom I'm set. Thanks so much!

EDIT: I tested it by deleting the victim's random.dat file, they logged in fine and it just made another random.dat file, it's when I modified the random.dat file that it asked them to reverify it :D

So basically JAG is only stopping phishers and keyloggers (basically) but Ratters are still ok because we can just get the questions :) this made me happy lol so many accounts I can get into now!
 

Gengar_mybb_import19743

Active Member
Reputation
0
Hipstery said:
Lifewish said:
Hey... did you know that JAG is bad for your health? Why don't you turn it off... Also, tell me your login name and password along the way. Thanks.

Haha you think I would be making 50k irl off that story hahaha

You're pretty god damn wrong. Just so you know, there are sometimes where I steal so many accounts I get bored and stop for like weeks. My method is pretty good and I NEVER ask them for a password or username as you suggest.


Gengar said:
Hipstery said:
I see you guys in such a hassle because of JAG, which can be easily shut off with the power of persuasion. I am an experienced account stealer, not a hacker, because I do not use any programs at all, although I do have some knowledge and could do it, to steal Runescape accounts. I can say I have made over 50k real life with rs stealing, and the way I get over JAG is by simply saying to people to turn it off. Ofc there is something behind it, but as I said, in the somewhat rare accounts where I find JAG I just tell the person to shut off JAG and in 90% of the cases they do it.

From the point of view of shutting down/getting over it in a more mechanical way, my only advice is having a good keylogger and a link between the victim's email and yours if you know how to do it; that way you do not need to access their email directly with log-in information, and they do not even realise you have access to their email, as the actions you take on your side of the client do not reflect on the victim's side. For example: if you open one unseen message on your side, on the victim's side the message will still appear as unseen. Thunderbird is also a good choice if you do not have the knowledge to go further, and you only need the log-in details once.

You just "tell them" to turn it off?
[image: "seems legit"]

I knew there were dumb people but not that dumb

I do not tell them to turn it off for no reason. There is always something behind it, and what is behind it makes them turn off JAG 90% of the times I ask.


I don't think you've made 50K and I don't think you've gotten anyone to turn JAG off by asking; once I see it I'll believe it.
 

Crin

Member
Reputation
0
I've verified random.dat is exactly as it says, random. The information contained within isn't an encrypted UUID or in any way specific to the hardware or the OS.

As for simply telling them to turn it off, I can hardly see this working in any context unless they're incredibly stupid. I'm sure you could make them turn it off by continually breaking random.dat until they get frustrated enough to just deactivate it.

Still trying to see if I can find a work around for it.

Edit:

I think I've found a possible solution to the problem. Haven't tested anything yet, but I'm pretty sure I know what needs doing to bypass it assuming you've got access to the victim's computer (RAT or otherwise.) Victory over JAG is now on the horizon. :)
 

Crin

Member
Reputation
0
I've now figured out the exact method JAG uses to identify devices. It's pretty low level identification unfortunately, but I may still be able to work around it. There are a few possibilities left.

If anyone's curious as to the actual workings of JAG then PM me.
 

ImSoPro

Onyx user!
Reputation
0
Crin said:
I've now figured out the exact method JAG uses to identify devices. It's pretty low level identification unfortunately, but I may still be able to work around it. There are a few possibilities left.

If anyone's curious as to the actual workings of JAG then PM me.

I'm quite interested in how exactly JAG works.
 

Crin

Member
Reputation
0
Ah what the hell. I'll post it all here, I doubt it'll affect anything if I do. I'll edit this with a write up in a bit.

Edit:
---

Don't take this as gospel, some of this is still speculation.

JAG uses two, possibly three forms of authentication. The first is a token file, random.dat. This file is loaded on the start up of the client. It's always 24 bytes; if the file is edited to exceed 27 bytes it is cleared of all data. Information in here may or may not be encrypted/obfuscated hardware specific information; either way it does not matter. Either the contents or a checksum of this file are stored on Jagex's servers. Deleting this file does not affect JAG, but modifying it does cause a prompt so long as said modifications remain between 0 and 27 bytes (otherwise this serves the same purpose as deleting the file.) You can modify it to any arbitrary 24 byte value, authenticate yourself after the JAG prompt, and the file will not be modified.

The second form of authentication is hardware based; more specifically processor based. Doing a bit of testing in a virtual machine I can verify that none of the following are used for hardware identification:

MAC Address
SMBIOS UUID
RAM
HD Serial No./Volume ID
Intuitively I'd say that the GPU isn't used either, although I haven't tested this.

The Runescape client has a class "jaclib.hardware_info.HardwareInfo.class" which calls "jaclib.dll" using JNI (http://en.wikipedia.org/wiki/Java_Native_Interface). This .dll is what gathers the specific information used to identify a device. By monitoring calls to jaclib.dll and looking at the export table I've gathered there are a few APIs that seem to play a role.

The return values from these calls differ every time the client is run, although the first byte is always consistent on my current system. Anyway, editing the return values before they're passed back into the client causes a JAG prompt.

Disassembling jaclib.dll into pure ASM shows a few instances of the CPUID opcode. This is how software gathers processor specific data. This has uses beyond hardware based authentication of course, but when no other hardware level changes seem to affect JAG it makes sense to assume that it is this information JAG uses.

Attempting to change various values of some of the processor specific information in a virtual machine does affect JAG. Even something as simple as the number of cores stops it recognizing a device.

Further reading:

http://en.wikipedia.org/wiki/CPUID
http://www.intel.com/content/dam/ww...sor-identification-cpuid-instruction-note.pdf
http://support.amd.com/us/Processor_TechDocs/25481.pdf
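As an added example, not code from this thread, from Jagex or from jaclib.dll: it decodes the CPUID leaf-1 signature the way the Intel/AMD notes linked above describe and builds the kind of coarse device identifier a CPUID-based check could yield. The live read assumes GCC/Clang on x86; the sample register values are constructed, not captured from JAG.

```c
/* Added example, not from the thread: decode a CPUID leaf-1 signature and
 * derive a coarse device identifier from it. Sample values are constructed;
 * the live read (GCC/Clang, x86 only) shows the same computation on real hardware. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct { unsigned family, model, stepping, logical_cpus; } cpu_sig;
/* Decode EAX/EBX of leaf 1: extended family/model are folded in only for
 * family 0xF (family) and families 0x6/0xF (model), per the Intel note. */
cpu_sig decode_leaf1(uint32_t eax, uint32_t ebx) {
    cpu_sig s;
    unsigned family = (eax >> 8) & 0xF, model = (eax >> 4) & 0xF;
    s.stepping = eax & 0xF;
    s.family = (family == 0xF) ? family + ((eax >> 20) & 0xFF) : family;
    s.model = (family == 0x6 || family == 0xF) ? (((eax >> 16) & 0xF) << 4) | model : model;
    s.logical_cpus = (ebx >> 16) & 0xFF;   /* EBX[23:16]: logical CPUs per package */
    return s;
}

/* Fingerprint = vendor + family/model/stepping + logical CPU count. Every machine
 * with the same CPU SKU yields the same string, so an identifier built only from
 * CPUID collides across many unrelated users (the "a few out of 50" seen later). */
int fingerprint(const char *vendor, uint32_t eax, uint32_t ebx, char *out, size_t n) {
    cpu_sig s = decode_leaf1(eax, ebx);
    return snprintf(out, n, "%s:%02X-%02X-%X:%u", vendor, s.family, s.model,
                    s.stepping, s.logical_cpus);
}

#if defined(__GNUC__) && (defined(__x86_64__) || defined(__i386__))
#include <cpuid.h>
/* Same computation from the live CPUID instruction (leaf 0 vendor, leaf 1 signature). */
int live_fingerprint(char *out, size_t n) {
    unsigned a, b, c, d; char vendor[13];
    if (!__get_cpuid(0, &a, &b, &c, &d)) return -1;
    memcpy(vendor, &b, 4); memcpy(vendor + 4, &d, 4); memcpy(vendor + 8, &c, 4);
    vendor[12] = '\0';
    if (!__get_cpuid(1, &a, &b, &c, &d)) return -1;
    return fingerprint(vendor, a, b, out, n);
}
#endif

int main(void) {
    char buf[64];
    /* Constructed sample: EAX 0x000306A9 = family 6, ext. model 3, model A, stepping 9. */
    fingerprint("GenuineIntel", 0x000306A9u, 0x00080800u, buf, sizeof buf);
    puts(buf);   /* GenuineIntel:06-3A-9:8 */
    return 0;
}
```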
 

Deathwish

Onyx user!
Reputation
0
Well, that's a lot more productive than telling people to shut it off :)
 

Edwin

Onyx user!
Reputation
0
Wait...
Can you remove random.dat and he will have to retype the questions?
Is that true?

In that case, you can remove it and keylog the answers.

What I actually like with JAG, is if someone has a bankpin, but not JAG, you can 100% take over the account :)
 

Ben Hartley

Active Member
Reputation
0
Yes same story on linux except the lib is named libjaclib.so.

CPUID cannot be spoofed [unless you have a kernel mode rootkit] but I'm sure this can be bypassed because I'm pretty sure CPUs these days do not have a "unique serial" and I'm sure you can only access the model, architecture, version etc.

^ Would explain why my friend sometimes randomly accesses accounts with this enabled.
 

Coughs

New Member
Reputation
0
It seems you can only do the random.dat thing once per device? OP read your PMs and anyone else who has more information please let me know so I can code something to do it automatically. Thanks :)
 

Crin

Member
Reputation
0
slack3r said:
Yes same story on linux except the lib is named libjaclib.so.

CPUID cannot be spoofed [unless you have a kernel mode rootkit] but I'm sure this can be bypassed because I'm pretty sure CPUs these days do not have a "unique serial" and I'm sure you can only access the model, architecture, version etc.

^ Would explain why my friend sometimes randomly accesses accounts with this enabled.

It's possible to spoof CPUID inside a virtual machine, at least it is in VMware. Some of the changes are automatically overwritten though, such as L2 and L3 cache sizes, amongst a few others.

Intel processors no longer use the 'unique serial' you mention, but I've not checked whether or not AMD do. Either way it can be changed inside of a VM without problems.

It certainly explains why your friend can occasionally access JAG enabled accounts though. I'll do some more testing tomorrow and see if I can figure out exactly what parts of CPUID JAG uses to identify the device.

I'm pretty busy at the moment, having to divide my time amongst multiple projects, but I'll keep working on this to see if there's a way around it since it will benefit not only myself but the community as a whole.

For now the best approach is in modifying their random.dat file and keylogging their security questions. It'll have to be done at least twice to get all five answers, although it'll likely have to be done a few more times if the questions given are truly random. Either way they'll either keep typing in their answers or turn JAG off, so it's win-win.

Coughs said:
It seems you can only do the random.dat thing once per device? OP read your PMs and anyone else who has more information please let me know so I can code something to do it automatically. Thanks :)

I've replied to your PM.

Anyway, if you mean modifying it in order to cause a JAG prompt then it can be done as many times as you want for a given device. At least that's what I've gathered when I've tested it. Here's what you'd have to do on a victim's machine:

1. Close java.exe or jagexlauncher.exe (if they're using the client) - You can't modify the file while the game's running.

2. Open the file, you should find exactly 24 bytes of seemingly random characters. As an example let's say it's "3 q‡"Kþ­#`;X‹ÀãTòRy" (Note: this won't be 24 bytes simply because of the way characters are displayed here)

3. Modify it in any way you wish so long as it doesn't exceed 24 bytes. From the tests I've done all of these would work:
"q3‡"Kþ­#`;X‹ÀãTòyR"
"abcdefghijklmnopqlmnopqr"
"111111111111111111111111"

Basically anything you want, just keep it 24 bytes long.

4. When they next go to log on they should get a prompt saying JAG does not recognize the device. At this point they'll have to log in to their email account and answer three of the five security questions.

5. After they have done this and logged in to the game, the random.dat file does not revert back to its original state, nor is a new one generated. Note that the previous file (before your modifications) is still valid.

6. Repeat the process until you have the answers to all five questions.

7. Log in to their account on your computer. At this stage you could replace your random.dat file with theirs, but I have no idea if this affects anything.

8. You should get a JAG prompt saying your device is not recognized. If you've done everything correctly then you will have access to their email account, and the answers to their security questions. The rest is obvious.

If this method doesn't work for you then let me know. I'm sure it's possible for Jagex to 'patch' it, but if they do then fortunately there is an alternative way to stop JAG recognizing a device, at least in theory. Either way this method should work for now.

Creating an application to simply modify the file is easy, although getting it to detect when the victim has answered their recovery questions, and thus when to make the modifications again, is a little trickier. It's all possible of course, but the absolute easiest way to do it would be to check for instances of java.exe/jagexlauncher.exe every 30 minutes; if they exist then terminate the process and edit the file.

-Crin
 

Ben Hartley

Active Member
Reputation
0
So we write an application to overwrite random.dat in a loop until we either have all the questions or they disable it. :)
 

Coughs

New Member
Reputation
0
Thanks for the info, I will give it a read in a second. And slacker, you could just break it once, then check for the process name that contains the string chrome, hook TranslateMessage to intercept keystrokes and hook ZwReadFile to intercept post requests. The only problem I found is most people have a 2nd device which isn't infected to answer JAG questions.

Update: Crin I think the random.dat thing is patched, it works once for a new device but after that it won't prompt JAG after so many changes.
 

Montoya-Valdez

Onyx user!
Reputation
0
PS I'm slack3r's m8, out of every 50 JAGs I am able to access ~3. Which is of course very odd, but that CPU ID thing seems to clear it up. I am using a pretty common processor (intel i7 3.4) so

One problem I have a question about is, JAG will ask for questions, but how in the hell will you know which answer belongs to what question? Since they'll just type in answers.
 

Coughs

New Member
Reputation
0
Montaya-Valdez said:
One problem I have a question about is, JAG will ask for questions, but how in the hell will you know which answer belongs to what question? Since they'll just type in answers.

Formgrabber or colour/image detection so it takes a screenshot when all questions are complete, as answers are not in * characters, which is a dumb thing for Jagex to do lol.
 

Crin

Member
Reputation
0
It seems the random.dat method no longer works. Editing the file for the first time on a device will cause the device not to be recognized, but additional edits seem to have no effect.

There's another way to achieve the same results though, but that's still a work in progress. I'll see what I can do and then let people know by PM if they're interested. You never know, some do-gooder may have seen this post and decided to email Jagex about it. It's certainly possible, they have their own email specifically for JAG, so...
 