[quote='Yalo' pid='20960' dateline='1406925807']
[align=center]
Delving into RuneAgent[/align]
RuneAgent, in all simplicity, is a Java agent used to find exploits in RuneScape private servers. Not going in too deep, its basic function is to take note of the packets sent while running a specific client, and to send them right back, kind of like a reflection bot but with less specific parameters. Using the output, you can make skill bots with loops, spawn objects on servers that have no checks, and find countless exploits with teleports, minigames, negative integer spoofing, and force-logs while sending the wrong packets at the wrong time.
Setting up RuneAgent isn't a big deal. All we have to do first is create the right configuration script so that RuneAgent can identify which client we are trying to sync with. Without a script that correctly defines (sp2) or (p1) in relation to the client's code, RuneAgent will not be able to tell us the output a server is giving us.
We download RuneAgent 1.3 with RuneTek5 support (377-6xx, I think) here:
[align=center]
Getting a hold of the isaaccipher (p1isaac) to make a Config[/align]
_____________________________________________________________
These are the methods defined by the isaaccipher in a de-obfuscated client.
p1 - WriteWordBigEndian
p2 - WriteWord
p1isaac - CreateFrame
p4 - WriteDWord
ip4 - Method403
p8 - WriteQWord
pjstr - WriteString
np1 - Method424
sp1 - Method425
ip2 - Method431
sp2 - Method432
isp2 - Method433
sp4 - No need to define this in our script.
All RuneScape packets start with an opcode that is encrypted with an isaaccipher key (p1isaac), and can then include a variety of methods. These methods can be renamed by obfuscation in clients. Since clients are usually obfuscated and rename methods, we have to make edits to our config.js. The CreateFrame method is linked to p1isaac due to RuneScape's isaaccipher. However, CreateFrame can be renamed. To define the alias of CreateFrame, we would need to add a line in config.js telling RuneAgent that p1isaac ciphers "___". Example:
In any other case, "G" is just the CreateFrame renamed.
- Typical Config.js
- Renamed Client Config.js
As I said, not going in-depth, but you can see the differences in each configuration. A typical client's p1isaac isaaccipher is named "CreateFrame". In a renamed client, it can be named anything in correlation with the obfuscated client, maybe "z" or "X"; you just have to find out what that name is. I recommend reading the class with cavaj.exe and comparing deobfuscated and obfuscated client classes. If you want more info on the RuneScape protocol, go here:
[align=center]
Hierarchy and Run.bat Creation[/align]
Here is the folder hierarchy with the latest RuneAgent that supports RuneTek 5:
C:\RuneAgent\dist
-RuneAgent.jar
-Run.Bat
Code:
java -Xbootclasspath/a:"RuneAgent.jar";"lib/bcel-5.2.jar";"lib/rsyntax.jar";"client.jar" -javaagent:"RuneAgent.jar"=config.js -jar client.jar
pause
Just use this code for your run.bat.
-Config.js - (Error fix in spoiler)
[spoiler] Use this code in the first line of your JavaScript Config:
load('nashorn:mozilla_compat.js'); //Java 8
[/spoiler]
-Client.jar (Always rename the client you're using to Client)
-lib
[spoiler]
RuneAgent uses bcel-5.2 and rsyntax libraries
[/spoiler]
[align=center]
Basic Bug Abuse With RuneAgent[/align]
RuneAgent is now ready to be used. Click the Outstream tab, log actions, and penetration test the server. You can make loops using:
Code:
var obj = { run: function () {
    for (var i = 0; i < 5000; i++) {
        stream.p1isaac(132);
        stream.isp2(3091);  // x
        stream.p2(2491);    // rune essence
        stream.sp2(3242);   // y
        java.lang.Thread.sleep(30000);
        stream.p1isaac(132);
        stream.isp2(3091);  // x
        stream.p2(2478);    // air altar
        stream.sp2(3242);   // y
        java.lang.Thread.sleep(2000);
        println(i);
    }
} };
var r = new java.lang.Runnable(obj);
var t = new java.lang.Thread(r);
t.start(); // Restart
This loop will run fewer than 5000 times, so 4999 repetitions of runecrafting.
On Ikov:
We can see the output, which can be parsed to see exploitation results.
While using RuneAgent I would recommend trying everything, even though it may seem like the server has patched the exploit. Go for it. Lots of exploits have been found on countless servers, and RuneAgent is also nice for the creation of packet bots.
-Best Regards, Yalo. Have fun!
P.S. I don't know Java, so if anyone wants to make an in-depth tutorial on searching for renamed methods, feel free.
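The packet layer the post leans on (an ISAAC-encrypted opcode followed by writer methods such as isp2/p2/sp2, and the "negative integer spoofing" it mentions), as an added example that is not part of the original post and is not RuneAgent's code. Isaac below is a JavaScript port of Bob Jenkins' ISAAC generator; OutStream mimics the writer aliases listed above; the read* functions play the server. Assumptions not stated on the page: the session key is four 32-bit words at the start of an otherwise zero seed, the opcode byte is (opcode + nextInt()) & 0xff, "s"-prefixed writers are little-endian and "i"-prefixed writers add 128 to the low byte, and the SESSION_KEY value is constructed for the demo.

```javascript
'use strict';
// Added example, not RuneAgent's code and not from the post: what the writer aliases
// listed above put on the wire. Isaac is a JavaScript port of Bob Jenkins' ISAAC,
// OutStream mimics p1isaac/p1/p2/sp2/isp2/p4, read* is the server side. Assumptions
// not stated on the page: the 4-word session key fills the start of an otherwise zero
// seed, the opcode byte is (opcode + nextInt()) & 0xff, "s" writers are little-endian
// and "i" writers add 128 to the low byte.

class Isaac {
  constructor(seedWords) {
    this.mem = new Uint32Array(256); this.rsl = new Uint32Array(256);  // state, results
    this.a = this.b = this.c = 0;
    for (let i = 0; i < seedWords.length && i < 256; i++) this.rsl[i] = seedWords[i] >>> 0;
    this.seed();
  }
  seed() {
    let a, b, c, d, e, f, g, h;
    a = b = c = d = e = f = g = h = 0x9e3779b9;   // golden ratio, as in Jenkins' randinit
    const mix = () => {
      a ^= b << 11;  d = (d + a) >>> 0;  b = (b + c) >>> 0;
      b ^= c >>> 2;  e = (e + b) >>> 0;  c = (c + d) >>> 0;
      c ^= d << 8;   f = (f + c) >>> 0;  d = (d + e) >>> 0;
      d ^= e >>> 16; g = (g + d) >>> 0;  e = (e + f) >>> 0;
      e ^= f << 10;  h = (h + e) >>> 0;  f = (f + g) >>> 0;
      f ^= g >>> 4;  a = (a + f) >>> 0;  g = (g + h) >>> 0;
      g ^= h << 8;   b = (b + g) >>> 0;  h = (h + a) >>> 0;
      h ^= a >>> 9;  c = (c + h) >>> 0;  a = (a + b) >>> 0;
    };
    for (let i = 0; i < 4; i++) mix();  const m = this.mem;
    for (const src of [this.rsl, m]) {   // pass 1 folds the seed in, pass 2 folds mem into itself
      for (let i = 0; i < 256; i += 8) {
        a = (a + src[i]) >>> 0;     b = (b + src[i + 1]) >>> 0;
        c = (c + src[i + 2]) >>> 0; d = (d + src[i + 3]) >>> 0;
        e = (e + src[i + 4]) >>> 0; f = (f + src[i + 5]) >>> 0;
        g = (g + src[i + 6]) >>> 0; h = (h + src[i + 7]) >>> 0;
        mix();
        m[i] = a; m[i + 1] = b; m[i + 2] = c; m[i + 3] = d;
        m[i + 4] = e; m[i + 5] = f; m[i + 6] = g; m[i + 7] = h;
      }
    }
    this.generate(); this.count = 256;
  }
  generate() {   // one ISAAC round: refills all 256 result words
    const m = this.mem, r = this.rsl;
    this.c = (this.c + 1) >>> 0;
    let a = this.a, b = (this.b + this.c) >>> 0;
    for (let i = 0; i < 256; i++) {
      const x = m[i];
      switch (i & 3) {
        case 0: a ^= a << 13; break;
        case 1: a ^= a >>> 6; break;
        case 2: a ^= a << 2; break;
        case 3: a ^= a >>> 16; break;
      }
      a = (a + m[(i + 128) & 255]) >>> 0;
      const y = (m[(x >>> 2) & 255] + a + b) >>> 0; m[i] = y;
      b = (m[(y >>> 10) & 255] + x) >>> 0; r[i] = b;
    }
    this.a = a; this.b = b;
  }
  nextInt() {   // results are consumed from the top of the block down, one word per call
    if (this.count-- === 0) { this.generate(); this.count = 255; }
    return this.rsl[this.count];
  }
}

class OutStream {
  constructor(cipher) { this.cipher = cipher; this.buf = []; }
  p1isaac(op) { this.buf.push((op + this.cipher.nextInt()) & 0xff); return this; }  // CreateFrame
  p1(v)   { this.buf.push(v & 0xff); return this; }
  p2(v)   { this.buf.push((v >> 8) & 0xff, v & 0xff); return this; }                // big-endian word
  sp2(v)  { this.buf.push(v & 0xff, (v >> 8) & 0xff); return this; }                // little-endian (assumed "s")
  isp2(v) { this.buf.push((v + 128) & 0xff, (v >> 8) & 0xff); return this; }        // little-endian, low byte +128 (assumed "i")
  p4(v)   { this.buf.push((v >>> 24) & 0xff, (v >>> 16) & 0xff, (v >>> 8) & 0xff, v & 0xff); return this; }
  bytes() { return Uint8Array.from(this.buf); }
}

// Server side: the opcode only decodes with an ISAAC instance seeded and advanced the same way.
function decodeOpcode(byte, cipher) { return (byte - cipher.nextInt()) & 0xff; }
function readBE(bytes, off)  { return (bytes[off] << 8) | bytes[off + 1]; }
function readLE(bytes, off)  { return bytes[off] | (bytes[off + 1] << 8); }
function readLEA(bytes, off) { return ((bytes[off] - 128) & 0xff) | (bytes[off + 1] << 8); }
function toSigned16(v)       { return (v << 16) >> 16; }   // a server that reads the word as signed sees this

// The object-click packet from the post (opcode 132, x, object id, y). SESSION_KEY is a constructed value.
const SESSION_KEY = [0x12345678, 0x9abcdef0, 0x0fedcba9, 0x87654321];
function buildObjectClick(objectId, x, y, cipher) {
  return new OutStream(cipher).p1isaac(132).isp2(x).p2(objectId).sp2(y).bytes();
}
function parseObjectClick(bytes, cipher) {
  return { opcode: decodeOpcode(bytes[0], cipher), x: readLEA(bytes, 1),
           objectId: readBE(bytes, 3), y: readLE(bytes, 5) };
}
if (typeof require !== 'undefined' && require.main === module) {
  const pkt = buildObjectClick(2491, 3091, 3242, new Isaac(SESSION_KEY));
  console.log(Array.from(pkt, b => b.toString(16).padStart(2, '0')).join(' '));
  console.log(parseObjectClick(pkt, new Isaac(SESSION_KEY)));
}
```

Two things worth noticing when you replay packets this way: the opcode byte is only meaningful if the server's cipher has consumed exactly as many words as the client's, so every replayed packet advances both sides by one and a skipped or duplicated frame desynchronises them; and a value written with p2(-1) is ff ff on the wire, which a server reading an unsigned word sees as 65535 and a server reading a signed word sees as -1, which is the gap behind the "negative integer spoofing" the post mentions.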