Donald Trump 333 Share Posted September 28, 2017 Here is a very simple script to recover any accounts you may have lost the details for BUT they're still in the actual DB client. To use this simply move the jar into the DB scripts folder located within (userdirectory -> DreamBot -> Scripts). Then start the script with the account selected and it will output the details via the debug console. Jar Download: http://www.filedropper.com/passwordretriever Source: import org.dreambot.api.script.AbstractScript; import org.dreambot.api.script.Category; import org.dreambot.api.script.ScriptManifest; @ScriptManifest(author = "Donald Trump", category = Category.MISC, name = "PasswordRetriever", version = 1.0, description = "Outputs selected account password.") public class main extends AbstractScript { @Override public int onLoop() { if (getClient().isLoggedIn()) { log("{---} PasswordRetriever [---]"); log(getClient().getUsername() + ":" + getClient().getPassword()); stop(); } else { log("Waiting to login."); sleep(1000); } return 0; } } Link to comment Share on other sites More sharing options...
Almonds 110 Share Posted September 28, 2017 Thanks for this!!! EDIT: virus total just for anyone else who would take the precautionary measure https://www.virustotal.com/#/url/b9c3735a738eecc3a01dfbbef3966af3108f535b0753cda248e707a534f2672e/detection Link to comment Share on other sites More sharing options...
WillDB 20 Share Posted September 28, 2017 Isn't this manipulating a pretty significant security flaw in the DB client? Link to comment Share on other sites More sharing options...
Almonds 110 Share Posted September 28, 2017 Isn't this manipulating a pretty significant security flaw in the DB client? Might wanna take it off for security reasons, LOL. Someone could use this maliciously. But, then again someone could simply make it themselves in 15 minutes. Link to comment Share on other sites More sharing options...
WillDB 20 Share Posted September 28, 2017 Might wanna take it off for security reasons, LOL. Someone could use this maliciously. But, then again someone could simply make it themselves in 15 minutes. Exactly! The fact that this is possible is pretty worrying... People using local scripts/private scripts are at risk of having their account details stolen. Link to comment Share on other sites More sharing options...
NovaGTX 106 Share Posted September 28, 2017 Exactly! The fact that this is possible is pretty worrying... People using local scripts/private scripts are at risk of having their account details stolen. You do realize that you can decompile a local script to check for malicious code, right? *Edit* Also, any scripter whos worth a damn probably wouldn't waste their time stealing accounts. There's far better money making methods out there if you know what you're doing. Link to comment Share on other sites More sharing options...
distraction 61 Share Posted September 28, 2017 I don't think its a security flaw. They intentionally allow you to access the information. The risk for malicious local/private scripts is known. Link to comment Share on other sites More sharing options...
Dinh 496 Share Posted September 28, 2017 Exactly! The fact that this is possible is pretty worrying... People using local scripts/private scripts are at risk of having their account details stolen. It is not a flaw at all. If they were to remove the method to get your Password once logged in the Username & Password are stored in the Client anyways and could be obtained using Reflection Edit: Yes the official RS Client stores your data Link to comment Share on other sites More sharing options...
Nuclear Nezz 2040 Share Posted September 28, 2017 It's not a security flaw. These are the things we look for in SDN scripts. Private scripts there are much more ways for them to steal your shit, which is why we didn't officially support them. There's too much room for malicious code. The password is a field in the RS client itself, even if we blocked our method, you could still use reflection to just grab the field from the gamepack anyway xd This script in itself (at least, the src code) is not malicious. He's not sending the data anywhere, just logging it for you to visually see. If you're paranoid of the jar being different than the source you see, compile it yourself Link to comment Share on other sites More sharing options...
NovaGTX 106 Share Posted September 28, 2017 It's not a security flaw. These are the things we look for in SDN scripts. Private scripts there are much more ways for them to steal your shit, which is why we didn't officially support them. There's too much room for malicious code. The password is a field in the RS client itself, even if we blocked our method, you could still use reflection to just grab the field from the gamepack anyway xd This script in itself (at least, the src code) is not malicious. He's not sending the data anywhere, just logging it for you to visually see. If you're paranoid of the jar being different than the source you see, compile it yourself This^ Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.