MrKinau / FishingBot

1.8 - 1.20.6 Fishing bot for Minecraft
GNU General Public License v3.0

rat #241

Closed Benjamacs1 closed 2 months ago

Benjamacs1 commented 3 months ago

when I looked through the bot it showed multiple suspicious things such as token grabbers/loggers etc. please explain

MrKinau commented 3 months ago

Please feel free to point out which parts of the code look "suspicious" or like a "token grabber/logger" and I'll explain to you what the code is for.

Benjamacs1 commented 3 months ago

okie dokie 1s

Benjamacs1 commented 3 months ago

this is kinda weird

```java
package systems.kinau.fishingbot.auth;

import lombok.Getter;
import lombok.RequiredArgsConstructor;
import lombok.Setter;
import lombok.ToString;

import java.security.PrivateKey;
import java.security.PublicKey;
import java.util.UUID;

@RequiredArgsConstructor
@ToString
public class AuthData {

    // The next four fields are the ones bolded in the original comment.
    @Getter private final String accessToken;
    @Getter private final String uuid;
    @Getter private final String username;
    @Getter @Setter private ProfileKeys profileKeys;

    @RequiredArgsConstructor
    @Getter
    public static class ProfileKeys {
        private final PublicKey publicKey;
        private final String publicKeySignature;
        private final PrivateKey privateKey;
        private final long expiresAt;
        private final UUID chatSessionId = UUID.randomUUID();
    }

}
```

I bolded the code that I think is suspicious and there is more but I have to find it again

Benjamacs1 commented 3 months ago

no sorry this is the part of the code

```java
@Getter private final String accessToken;
@Getter private final String uuid;
@Getter private final String username;
@Getter @Setter private ProfileKeys profileKeys;
```

MrKinau commented 3 months ago

The AuthData you are referring to is an object used to store the Minecraft credentials. It is filled with either bogus values if offline mode (cracked) is selected or with the accessToken which is retrieved by the MSAuthenticator or the OneSixAuthenticator (if used in MultiMC/Prism). The data is not sent to any remote server, it remains on your device (in memory). The other parts of the data are the current Minecraft user UUID, the Minecraft user name, and the RSA keys used for chat signing. If you have any questions about these feel free to ask.

To be more exact: parts of the data are shared with the specified server to be able to connect to it (e.g. username, uuid, chat keys).
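
An added example, not part of the thread and not FishingBot code: a small triage script a reviewer could run over a Java source tree to check a description like the one above. It flags files where the access token is used alongside network APIs, and classes where Lombok's `@ToString` would include `accessToken` in the generated `toString()` output. The regexes, the sink list and the `ExampleClient` and `Util` sample files are assumptions made for this example.

```python
import re

# Heuristic patterns. The sink list is an assumption and is not exhaustive.
TOKEN_USE = re.compile(r"\bgetAccessToken\s*\(|\baccessToken\b")
NET_SINK = re.compile(r"\b(?:HttpURLConnection|HttpClient|OkHttpClient|Socket)\b|new\s+URL\s*\(")
CLASS_TOSTRING = re.compile(r"@ToString\b(?!\.Exclude)")
# A token field declaration that is not annotated with @ToString.Exclude.
TOKEN_FIELD = re.compile(r"^(?!.*@ToString\.Exclude).*\bString\s+accessToken\s*;", re.M)
COMMENTS = re.compile(r"/\*.*?\*/|//[^\n]*", re.S)


def audit(sources):
    """Return sorted (path, finding) pairs for a {path: java_source} mapping."""
    findings = []
    for path, src in sources.items():
        code = COMMENTS.sub("", src)  # crude: also cuts '//' inside string literals
        if TOKEN_USE.search(code) and NET_SINK.search(code):
            findings.append((path, "token used in a file with network calls: review the destination"))
        if CLASS_TOSTRING.search(code) and TOKEN_FIELD.search(code):
            findings.append((path, "Lombok @ToString includes accessToken: keep the object out of logs"))
    return sorted(findings)


# Constructed sample input. AuthData is abridged from the class quoted in the
# thread; ExampleClient and Util are hypothetical files made up for this demo.
SAMPLE = {
    "AuthData.java": """
        @RequiredArgsConstructor @ToString
        public class AuthData {
            @Getter private final String accessToken;
            @Getter private final String uuid;
        }""",
    "ExampleClient.java": """
        class ExampleClient {
            void join(AuthData auth) throws Exception {
                HttpURLConnection c = (HttpURLConnection) new URL(HOST).openConnection();
                c.setRequestProperty("Authorization", "Bearer " + auth.getAccessToken());
            }
        }""",
    "Util.java": """
        // accessToken is mentioned only in this comment; no Socket is opened here
        class Util { static int clamp(int v) { return Math.max(0, v); } }""",
}

if __name__ == "__main__":
    for path, finding in audit(SAMPLE):
        print(f"{path}: {finding}")
```

A finding is a pointer for manual review, not a verdict: code that logs in has to send the token somewhere, so each flagged file needs a look at where the request actually goes.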