RuneAgent - Beginner Tutorial (RuneTek4)
#1
For the few bug abusers left, and those to come.

Delving into RuneAgent

         RuneAgent, in all simplicity, is a Java agent used to find exploits in Runescape private servers. Not going in too deep, its basic function is to take note of the packets sent whilst running a specific client, and to send them right back, kind of like a reflection bot but with less specific parameters. Using the output, you can make skill bots with loops, spawn objects on servers which have no checks, and find countless exploits with teleports, minigames, negative integer spoofing, and force-logs whilst sending the wrong packets at the wrong time.

         Setting up RuneAgent isn't a big deal. All we have to do first is create the right configuration script so that RuneAgent can identify which client we are trying to sync with. Without a script that correctly defines (sp2) or (p1) in relation to the client's code, RuneAgent will not be able to tell us the output a server is giving us.

         We download RuneAgent 1.3 with RuneTek5 support (317-6xx) here: RuneAgent 1.3

Getting a hold of Isaaccipher (pisaac1) to make a Config
_____________________________________________________________
These are the methods defined by isaaciphers in a de-obfuscated client.

p1 - WriteWordBigEndian
p2 - WriteWord
p1isaac - CreateFrame
p4 - WriteDWord
ip4 - Method403
p8 - writeQWord
pjstr - WriteString
np1 - Method424
sp1 - Method425
ip2 - Method431
sp2 - Method432
isp2 - Method433
sp4 - No need to define this in our script.

         All Runescape packets start with an opcode that is encrypted with an isaaccipher key (pisaac1), and can then include a variety of methods. These methods can be renamed by obfuscation in clients. Since clients are usually obfuscated and rename methods, we have to make edits to our config.js. The CreateFrame method is linked to p1isaac due to Runescape's isaaccipher. However, CreateFrame can be renamed. To define the alias of CreateFrame, we would need to make a line in config.js telling RuneAgent that p1isaac ciphers "___". Example:


[Image: aAxBg.png]

In any other case, "G" is just the CreateFrame renamed.

[Image: aAwgW.png] - Typical Config.js

[Image: aAwyk.png] - Renamed Client Config.js

         As I said, not going in-depth, but you can see the differences in each configuration. A typical client's p1isaac isaaccipher is named "CreateFrame". In a renamed client, it can be named anything in correlation with the obfuscated client, maybe "z" or "X"; you just have to find out what that name is. I recommend reading the class with cavaj.exe and comparing deobbed and obbed client classes. If you want more info on the Runescape protocol go here: 317 Protocol

Hierarchy and Run.Bat Creation

         Here is the folder hierarchy with the latest RuneAgent that supports RuneTek 5:

C:\RuneAgent\dist

[Image: aAypE.png]

-RuneAgent.jar
-Run.Bat
Code:
java -Xbootclasspath/a:"RuneAgent.jar";"lib/bcel-5.2.jar";"lib/rsyntax.jar";"client.jar" -javaagent:"RuneAgent.jar"=config.js -jar client.jar
pause
Just use this code for your run.bat.



Config.js 
Use this code in the first line of your JavaScript Config:
Code:
load('nashorn:mozilla_compat.js'); //Java 8

-Client.jar (Always rename the client you're using to Client)
-lib


RuneAgent uses bcel-5.2 and rsyntax libraries
[Image: aAyHv.png]






Basic Bug Abuse With RuneAgent

         RuneAgent is now ready to be used. Click the tab Outstream, log actions, and penetration test the server. You can make loops using:
Code:
obj = { run: function () { 
  for(var i = 0; i < 5000; i++){
   stream.p1isaac(132)
   stream.isp2(3091) //x
   stream.p2(2491) //rune essence
   stream.sp2(3242) //y
   java.lang.Thread.sleep(30000);
   stream.p1isaac(132)
   stream.isp2(3091) //x
   stream.p2(2478) //air altar
   stream.sp2(3242) //y
   java.lang.Thread.sleep(2000);
   println(i); 
  }
 } 
}
var r = new java.lang.Runnable(obj);
var t = new java.lang.Thread(r);
t.start(); //Restart
This loop will run fewer than 5000 times, so 4999 repetitions of runecrafting.

         On Ikov:

[Image: aAC8N.png]

         We can see the output, which can be parsed to see exploitation results.


         Whilst using RuneAgent I would recommend trying everything, even though it may seem like the server has patched the exploit. Go for it. There have been lots of exploits found on a countless number of servers, and RuneAgent is also nice for the creation of packet bots.

-Best Regards, Yalo. Have fun!
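The loop in the post only works against a server that takes the three fields of opcode 132 at face value. The following is an added example, written for this thread and not code from RuneAgent, the post's author or any particular server: a server-side validator for that packet which drops the replayed clicks. The opcode, the field order (x, object id, y), the object ids 2491 and 2478 and the tile 3091,3242 come from the post; the class and method names, the world map, the 3-tile reach and the 600 ms tick are assumptions made for the illustration.

```java
import java.util.HashMap;
import java.util.Map;

/*
 * Added example, not RuneAgent's or any server's code.  Validates the decoded
 * object-click packet (opcode 132: x, object id, y) before acting on it.
 * Assumed: class/method names, the world map, MAX_REACH_TILES, the tick length.
 */
public class ObjectClickValidator {

    /** Fields of opcode 132 after the ISAAC-encrypted opcode has been decoded. */
    static final class ObjectClick {
        final int x, objectId, y;
        ObjectClick(int x, int objectId, int y) { this.x = x; this.objectId = objectId; this.y = y; }
    }

    /** The small amount of player state the checks need. */
    static final class Player {
        int x, y;
        long lastClickMillis = -1; // -1: no click seen yet
        Player(int x, int y) { this.x = x; this.y = y; }
    }

    private static final int MAX_REACH_TILES = 3;          // assumed interaction distance
    private static final long MIN_CLICK_INTERVAL_MS = 600; // assumed: one game tick

    /** Assumed world model: packed (x,y) tile -> object id standing there. */
    private final Map<Long, Integer> objectsByTile = new HashMap<>();

    void placeObject(int objectId, int x, int y) { objectsByTile.put(tileKey(x, y), objectId); }

    private static long tileKey(int x, int y) { return ((long) x << 32) | (y & 0xffffffffL); }

    /** Returns null if the click is acceptable, otherwise the reason it is dropped. */
    String validate(Player p, ObjectClick c, long nowMillis) {
        // 1. Range: each field is a 16-bit word on the wire, so a negative or
        //    oversized value is a spoofed or mis-decoded integer, never a real click.
        if (c.x < 0 || c.x > 0xFFFF || c.y < 0 || c.y > 0xFFFF
                || c.objectId < 0 || c.objectId > 0xFFFF) {
            return "field outside 16-bit range";
        }
        // 2. Existence: the named object must really stand on the claimed tile.
        //    This is the check that "servers which have no checks" are missing.
        Integer onTile = objectsByTile.get(tileKey(c.x, c.y));
        if (onTile == null || onTile != c.objectId) {
            return "no object " + c.objectId + " at " + c.x + "," + c.y;
        }
        // 3. Reach: the player has to be near the tile; a loop that never walks
        //    cannot be next to both an essence mine and an altar.
        if (Math.abs(p.x - c.x) > MAX_REACH_TILES || Math.abs(p.y - c.y) > MAX_REACH_TILES) {
            return "object out of reach";
        }
        // 4. Rate: clicks replayed faster than one tick are dropped, not queued.
        if (p.lastClickMillis >= 0 && nowMillis - p.lastClickMillis < MIN_CLICK_INTERVAL_MS) {
            return "faster than one tick";
        }
        p.lastClickMillis = nowMillis;
        return null;
    }

    public static void main(String[] args) {
        ObjectClickValidator v = new ObjectClickValidator();
        v.placeObject(2491, 3091, 3242);   // constructed: essence on the post's tile
        v.placeObject(2478, 2985, 3292);   // constructed: altar somewhere else entirely
        Player p = new Player(3090, 3242); // constructed: standing next to the essence

        Object[][] cases = {
            {"genuine click on essence",                 new ObjectClick(3091, 2491, 3242), 0L},
            {"same click replayed 100 ms later",         new ObjectClick(3091, 2491, 3242), 100L},
            {"altar id sent for the essence tile",       new ObjectClick(3091, 2478, 3242), 2000L},
            {"negative x from a spoofed integer",        new ObjectClick(-1, 2491, 3242), 3000L},
        };
        for (Object[] k : cases) {
            String reason = v.validate(p, (ObjectClick) k[1], (Long) k[2]);
            System.out.printf("%-40s -> %s%n", k[0], reason == null ? "accepted" : "dropped: " + reason);
        }
    }
}
```

Only the first constructed click is accepted; the replay is dropped by the rate check, the altar click by the existence check (the loop never moves, so the altar id cannot be on the essence tile), and the negative coordinate by the range check. The order matters: the cheap range check runs first so that a spoofed value never reaches the world lookup, and the rate limit is applied last so that a rejected packet does not advance the player's click timer.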
#2
Nice guide, should help all those people always asking for Runeagent help
#3
(08-23-2015, 02:51 PM)Mentoes Wrote: Nice guide, should help all those people always asking for Runeagent help

Thanks. Glad someone appreciates this.
#4
(08-24-2015, 12:14 AM)Yalo Wrote: Thanks. Glad someone appreciates this.

I'm sure plenty of people have/will find it helpful, just a shit load of leechers on this board lol
#5
This is pretty useful! Maybe I can use it now :P
#6
guide too stronk ;D
#7
(08-24-2015, 05:40 PM)ama Wrote: guide too stronk ;D

:D ama too stronk.
#8
I'm too stronk

(08-25-2015, 05:07 AM)Yalo Wrote:
(08-24-2015, 05:40 PM)ama Wrote: guide too stronk ;D

:D ama too stronk.

I'm too stronk.
#9
Great guide yalo!
This was very easy to understand, and well thought out.
#10
This along with a couple youtube videos is exactly what I was looking for. Thank you



