Just a thought
You would have to edit the client anyway, at minimum to change the RSA keys in the client so that your proxy could communicate with it. And if you have to edit the client at all, you might as well just stick with only editing the client.
edit: this thread has a lot of info related to this:
The ISAAC seeds are sent in the RSA’d login block, as I understand it.
EDIT: I don’t have a clue how they’re generated, honestly, but anything you could do that would influence that is gonna be a nasty hack or editing the client, surely.
Why couldn’t I just bruteforce the private RSA key?
go on then
lol didn’t realise the key was fucking 4096 bit - this won’t do =/
I’ll ask alex levinson to try cracking it on his tesla gpu lol
How does bootstrapping work exactly?
ISAAC seeds are generated with calls to Math.random(), which uses an underlying java.util.Random instance.
Obviously these are only pseudo-random and thus deterministic, so if you modified it to dump its seed somewhere then you would be able to determine the ISAAC seeds without modifying the Runescape client directly and without trying to discover their private key.
With that said, I don’t know how to apply this idea. I’ve never played with having a custom class loader load my entire application into memory.
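As an added illustration (not code from the thread or from the client), here is a Python port of the 48-bit LCG inside java.util.Random, which is what Math.random() draws from. Seeding it with 0 reproduces Java’s `new Random(0).nextInt()`, and every “session seed” derived from it is a pure function of that one 48-bit seed, which is exactly the weakness the post above describes; the `session_seeds` derivation and the 99999999 scale factor are assumptions for demonstration only, and the last function shows the mitigation (seed from OS entropy, i.e. SecureRandom in Java).

```python
import secrets

MASK48 = (1 << 48) - 1
MULT = 0x5DEECE66D   # multiplier from the java.util.Random specification
ADD = 0xB            # additive constant from the same specification


class JavaRandom:
    """Bit-exact port of java.util.Random(seed): next(), nextInt(), nextDouble()."""

    def __init__(self, seed: int) -> None:
        # Java scrambles the caller's seed with the multiplier before first use.
        self.state = (seed ^ MULT) & MASK48

    def next_bits(self, bits: int) -> int:
        self.state = (self.state * MULT + ADD) & MASK48
        return self.state >> (48 - bits)

    def next_int(self) -> int:
        # nextInt() is next(32) reinterpreted as a signed 32-bit value.
        v = self.next_bits(32)
        return v - (1 << 32) if v >= (1 << 31) else v

    def next_double(self) -> float:
        # nextDouble(): 53 random bits scaled into [0.0, 1.0), same as Math.random().
        return ((self.next_bits(26) << 27) + self.next_bits(27)) / float(1 << 53)


def session_seeds(rng: JavaRandom, count: int = 4) -> list:
    """Assumed derivation (not quoted from the thread): scale Math.random() to an int.

    The exact formula does not matter for the point: any deterministic function of
    a java.util.Random stream is fully determined by the 48-bit seed behind it.
    """
    return [int(rng.next_double() * 99999999) for _ in range(count)]


def fresh_seeds_from_os_entropy(count: int = 4) -> list:
    """Mitigation: draw session seeds from the OS CSPRNG (SecureRandom in Java),
    whose state cannot be reproduced from a short seed value."""
    return [secrets.randbelow(99999999) for _ in range(count)]


if __name__ == "__main__":
    print(JavaRandom(0).next_int())        # -1155484576, same as new Random(0).nextInt()
    print(session_seeds(JavaRandom(123456)))
    print(session_seeds(JavaRandom(123456)))  # identical: the seed is the whole secret
    print(fresh_seeds_from_os_entropy())
```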
[quote=“Lothy, post:7, topic:363348”]How does bootstrapping work exactly?
ISAAC seeds are generated with calls to Math.random(), which uses an underlying java.util.Random instance.
Obviously these are only pseudo-random and thus deterministic, so if you modified it to dump its seed somewhere then you would be able to determine the ISAAC seeds without modifying the Runescape client directly and without trying to discover their private key.
With that said, I don’t know how to apply this idea. I’ve never played with having a custom class loader load my entire application into memory.[/quote]
In this case I guess bootstrapping would just refer to a regular ServerSocket or equivalent.
Are you certain that it uses java.util.Random? If so, that’s a viable approach to retrieving the seeds (sorry for all my ignorance in regard to the client… I have a few things on the go so I haven’t gotten a chance to take a look at it).
or you could just read the seed from memory
i think bruteforcing their private key is obviously the better option here
Getting the ISAAC key isn’t the problem, you can’t do anything at all without modifying the RSA key in the client, and if you are going to do that, you can do anything else as well (like setting it up to grab the key).
the private key is somewhere between 1 and 2^4096
Why not? (Assuming you’re willing to modify Math.random() and keep up with the bitchwork of syncing ISAAC)
If I’m not mistaken you would be lacking the seed, no?
[quote=“Miss Silabsoft, post:13, topic:363348”]If I’m not mistaken you would be lacking the seed, no?[/quote]
Not if you hooked Math.random(), or at least that’s my understanding (which is basic due to a lack of empirical knowledge lol).
[quote=“Mopman, post:12, topic:363348”][quote author=Moparisthebest link=topic=459603.msg3363553#msg3363553 date=1286593962]
you can’t do anything at all without modifying the RSA key in the client
[/quote]
Why not? (Assuming you’re willing to modify Math.random() and keep up with the bitchwork of syncing ISAAC)[/quote]
Because the first part of the connection (username, password, isaac key) is encrypted with RSA, I suppose you could just forward that part directly on to the server though.
But also the client does send what returns from Math.random() to the server for analysis, so making it return a static value would be detected and probably get you banned.
So don’t make it return a static value, just a predetermined one.
I do have to wonder why you’d be willing to modify Math.random() if you want to be an on-the-wire bot though.
[quote=“Moparisthebest, post:15, topic:363348”][quote author=Mopman link=topic=459603.msg3364822#msg3364822 date=1286681393]
Why not? (Assuming you’re willing to modify Math.random() and keep up with the bitchwork of syncing ISAAC)
[/quote]
Because the first part of the connection (username, password, isaac key) is encrypted with RSA, I suppose you could just forward that part directly on to the server though.
But also the client does send what returns from Math.random() to the server for analysis, so making it return a static value would be detected and probably get you banned.[/quote]
Well, a dirty hack might be to keep the client alive and continuing to accept pings while it’s actually disconnected from the server, then forge the new login packet from the proxy and make Math.random() return the seeds that were generated via the proxy (so the client will have the same ones obv).
tl;dr: a pure proxy bot is not possible unless you obtain their private exponent (which changes every update)
otherwise, you can
[ul][li]read the seed from memory and forward the login block[/li]
[li]replace the public key in the client with your own, decrypt, encrypt again with original key[/li]
[li]patch Math.random() to force a specific seed[/li][/ul]
All of these require some sort of modification: you either need to modify the client or be able to read from/attach to the JVM, which requires presence on the machine running the client.
It makes more sense to me to just stick to a ‘traditional’ bot at this point, considering you already need to modify the client or manipulate the JVM, not to mention it’s a lot of work to keep up to date unless you have some fairly robust utilities.