Just in case anybody wonders about disclosure timelines. Since reporting my issue, I have heard about a related issue reported in November. So there was plenty of time. But even if that wouldn’t have been the case, I still believe the issue is not really exploitable in practice. As I said in the video, even I wouldn’t prioritize fixing this issue :)

Laughed my head off and I'm not even 10 seconds in. The ilmango intro parody was AMAZING.

I love how you divide these videos up with gameplay, hacking and programming! Keep up the good work!

4:47 You can't obtain mending from an enchantment table as it is considered a treasure enchantment. 13:15 Abuse the 3 second invulnerbility after connecting to a server

THANK YOU for explaining the implications of the account migration correctly. I've worked on the anticheat/antibot end in ~2016-18, and the amount of hacked accounts used for cheating and botting are way up in the multiple of millions. Bots auto joining the server, walking to some predetermined spots and spamming private messages to all online users with links/serverips, running for 24/7, while you are banning them every 30-60 second. Hackers just throwing tens or hundreds of accounts against the anticheat to try to figure out settings that it won't detect. The account migration came WAY too late IMO, looking at the madness from the peak times of Minecraft.

"I almost got killed" *loses half a heart

A tip for the future: If you find your self farming ancient debris DON'T use TNT, use beds instead! Beds are way cheaper

In Minecraft 1.8 there really was a bug in the login system, Spigot had tracked the socket address of the connection in the login handler without checking whether the address is zero, you could then reset the IP to "zero" with a TCP reset and trigger a NullPointer in the main thread, this then led to the server closing immediately with "Server closed".

Love seeing ilmango in the description, since I was asking if you know him under your last video. Grüße gehen raus!

gotta say, the xray mod reminds me of good old TeamAvolition griefing videos back in 2011-2012 :) if i remember correctly they were one of the first ones to use/create hacked clients (correct me if im wrong)

my cryptography teacher focused too much on math and I lost interest real quick due to the sheer complexity of all of the math AES uses, but the explanation for ECB and CFB was incredible! I never understood what my teacher was getting at and the diagrams didnt make sense to me (yet somehow I graduated this past spring lmao) but it now is clear. This series is awesome!

Amazing that you also found the same AES vulnerabilities that we found over the years just reading random game code, we don't believe this to be significantly exploitable as you have stated as sure you can modify packets but if you cause any malformed packet your basically done and it only lets you manipulate the stream but they do technically reuse IV and key (they also use the key as IV) between the server and client but in our limited experience with AES CFB you can probably only decrypt the first block but we are not entirely sure because we are not cryptographers but we determined this as something not exploitable in a significant way so we never reported it.

This was a great one! I love the though process and theory , implementation.

4:40 you cant get mending at the enchantment table anyways, you must find it in a loot chest or trade with a villager, or fish in open water (no blocks around, nothing above the water)

Thanks for this videos! i've been really enjoying this playlist. i stayed HOURS yesterday setting thequarry Proxy. and i learned a lot in the process . thanks again man!

once again another amazing vid, loving this series and cant wait to see what else is down the line

I absolutely love this series.

By the way, when you load the world back up, you have a small invincibility window.

Very good job on those videos, learning a lot from them and they motivated me to keep learning programming for a project I would like to do. Thank you very much!

I basically did the “Evil Server” thing a while ago to track stats and do other cool things like creating replays by recording the packets, I got around the Mojang auth server issue by creating a server that dosn’t auth with mojang and I did the auth server side (obviously I used my own account), alternatively you could use two accounts which was what I ended up doing after a while (mostly to get my skin although I discovered a way to get any skin by messing around with the respawn packet), by doing this I was able to read and modify packets, I even wrote some stuff to manipulate packets in python that was stupidly easy to use, basically you could use a decorator to filter packets (including the info inside the packet), I kinda want to revive the project now, it was a lot of fun and now I’m sure I can get around some of the issues I had at the time, the filter chugged if I had to deal with a lot of packages because I basically had no idea about data structures and big O lol.

I can't speak to the similarity of the exploit, but there was a similar attack used by Nodus Session Stealer almost 10 years ago. It doesn't work anymore of course, but this made me remember it :)

I love how the start is IlmangoOverflow! Love these videos keep up the good work!

I love this series, that intro is awesome hahaha

This series keeps getting better and better

This series inspired me to learn java. :) Keep up the amazing Videos!

really good episode! i love the series. the ending was truly minecraft youtuber cliche

haha immediately got the ilmango reference... loving the series.

Love this kinda explaining ... So easy to understand ... Thanks you I really mean it

That intro was the best crossover I've ever seen

Before watching this video I watched two of ilmango's videos and I had another one I was planning to watch later, so I was very confused when I clicked this video's tab, haha!

dude i love you. just handing out free education to anyone and including your non-biased views. thank you!!

Had a lot of fun watching this :)

that ilmango intro caught me off guard. great video as always lol

Love the ilmango-inspired intro!

I love these videos because they are exactly at my level while being entertaining too!

LOL tat intro! gota love ilmango :)

LOVING these videos!

the ilmango intro, lmao

7:14 On the topic of botting servers and using throwaway accounts, it's a pretty big issue for smaller servers (i would argue an even bigger issue) as well. I used to mod a minecraft server that has now shut down, and there were at least 10 different times where the server got botted that I know of (only played on the server for around a year, but there were definitely more than 10 from before). Our discord server also got botted multiple times (either accounts spamming channels or DMing everyone on the server with advertisements for other servers) because of how easy it is to make a discord account. It used to be pretty major, and I believe that migrating to Microsoft accounts would help a lot, but of course that wouldn't get rid of it entirely. EDIT: we also had a lot of cases where people would be hacking on throwaway accounts, on bigger servers like Hypixel there's a pretty big chance that the account is already banned since someone else already used it, but on smaller servers that chance is way lowered. Our rules were that you could have up to 5 different accounts linked (accounts get linked if their on the same ip) before you got IP banned, but only sr. mods could IP ban so us normal mods would end up having to ban people 10+ times until a sr mod got on.

Great series! 10/10

I got so confused at the intro, wasn't expecting an ilmango intro. But i guess you found technical minecraft, ill just say welcome

I actually got banned from hypixel because someone hijacked my account, they also changed the password. Luckily I could reset it with my email. Definitely taught me a lesson😁

Not sure if you fixed this or not but with your Xray code you showed in your video it looks like you are rendering block faces that are occluded by other Xray blocks. Probably should check for that to increase performance, even though it shouldn't be super noticeable due to ore being infrequent, but its something to keep in mind.

i love this series

Just seeing that il mango intro is a quality warranty

One lil thing: in TheAltening, nfa or non full access normally get blocked in a very short time, while with full control accounts it is basically impossible to find your account blocked. The price increase was not because of the migration, but because of reliability

Du hast dir bei dem Intronachbau sogar so viel Mühe gegeben, dass die Mini-Logos exakt gleich sind xD I love it.

Haha love the mango intro!!!

I wish computer programming classes were taught like this when I went to school for networking. It would hsve made things a LOT more interesting. And practical, as you'd see the results from what you ve done in a real world example

6:17, the chats are not from botting at all ! Just plugins on a Minecraft server !

You got me with the ilmango in show you evil evil man

Now THIS is the kind of hacking I was expecting from LiveOverflow! Great!

Last episode was a lovely credit for LogicalGeekBoy, now a beautiful tribute to Ilmango - which of my other favourite Minecraft content creators are you also a fan of?

6:15 if anyone was confused those are messages the server is sending not actual accounts (that's why they're colored, the server plugins are their origin)

I see that LiveOverflow has met IlMango, very nice :D

I love this series

Love the intro lmao

the intro had me so confused I thought I was watching ilmango for a sec

That is one really great thumbnail!

damn i thought i watched the wrong channel since i also a fan of ilmango for their amazing farm build and the explanation on how it works

i liked this video with all my alts just because of the intro

The Mojang account was really security through obscurity. I lost my email for my Mojang account 3 times, one time I got my account back through some back and forth with the support. The other two times the support sent a link for email recovery, like password recovery but for the email so you could change the email for the account. So you changed the email to a known email and then did a regular password reset. That email change thingy were quite difficult to find on your own though but like... Geeeze

cool video, didn't watch it yet but the title suggests it's gonna be awesome

love the intro hah

Just 6 minutes left! It will be the longest 6 minutes of my life

Nice intro :)

God i love these videos!

Woud it be possible to bruteforce a series of bytes one byte at a time which encrypted happens to match the xor of the previous byte so you get the desired result? im sure its not possible to get every combination of bytes via this method (if it is even possible, i dont have much clue about innerworkings of encryption algorithms) but there might be some things that are possible?

I laughed so hard with the intro. LOL

Let’s friking goooooo

That intro almost made question if I even clicked the right thumbnail lol

you should add a fast mine mudule for your hacked client. since it makes it much easier to mine/collect new blocks such as obsidian

At the beginning I thought that KZbin stuffed up the id, and I was watching another subscriber XD

I remember session stealers back in beta. Awesome times honestly lol

when you log in a world, you have a few seconds of invulnerability, even if you felt in lava, you'd have ample time to fly away and just take fire damage once the invulnerability worn off

Haha that intro!

You have NO IDEA how off-guard that intro caught me

I was really confused, I thought I clicked on a LiveOverflow video and then the ilmango intro plays xDD

Have you tried any fuzzer (e.g. Jazzer) to see if you can find any evil packages that could cause ”fun” behaviour? Been thinking of this but haven’t taken any time do dig in the code for where to jack in the fuzz data.

That ilmango intro killed me

OMG THE ILMANGO INTRO 🤣🤣🤣😆🤣

12:54 for as interesting as this dive into the network protocol is and as good as the plot device your fly hack failing over lava is,.. .. as some experienced Minecraft players know: upon connecting to a world, local or remote, the player is given a brief period of invincibility. ~~ This can be abused. ~~ You could repeatedly connect and disconnect, swimming fractions of a block at a time between disconnections and get to safety.

I was so confused by the ilmango intro that I had to make sure I clicked the right video

That intro caught me off guard lmao

i dont know why but the shot at 0:35 is SO funny to me

This intro destroyed me. I burst out laughing HAHAHA

Woah, the intro on this video SERIOUSLY short circuited my brain.

Well, I think you missed out on crypto education on this video. This is a perfect example for two basic crypto issue: - You don't only want confidentality, you also want authenticity. (For the audience: Authenticity works by sending a value that binds the message to a shared secret. As the MITM attacker wouldn't have the shared secret, it can change the message, but it can't know how to update the authenticity information.) - You don't roll your own crypto, you use an established protocol. As this is about securing stream connections, you shouldn't roll your own AES-CFB8 based encryption protocol, but just use TLS. And guess what: TLS didn't forget about authenticity, and after years of exploits and fixes, TLS finally got authenticity right.

Interesting; I used the same AES trick in a recent CTF-like challenge

a little bit disappointed you didnt do something fancy to escape the lava, very interesting vulnerability though. funnily enough there were attacks with similar difficulty pulled off rather frequently back in minecrafts infancy so i honestly wouldnt be surprised if it couldve been used back then actually now that i think about it if one were to register typo domains for big servers they _could_ actually have a shot at pulling this off. not to say you shouldnt have included it though, as you said theyve had time to look at it. just think we might actually see (or not see) this used especially since minecraft to the best of my knowledge doesnt use SSL (mojang should implement that along with the enhanced cryptography theyre adding in 1.19) on the topic of the 1.19 cryptography stuff, i would like to see a regular style video going over how that works. nobodys really said anything about how thats implemented yet, just that "chat messages are signed now" and "this is good for security" (which it probably is assuming theyve done it well, but maybe you might find something if you look in to it like you did here)

Very good video. Your x-ray mod reminded me of other old hacked client mods that might be fun to replicate. 1- Waypoints, like your base. Old mods seemed to use a line drawn on screen towards that waypoint. 2 - minimap There are a bunch of old things that could be fun to reproduce.

“Turns out they were all empty”. We’ve all had this letdown Each and every minecrafter has had this letdown

Haha the ilmango intro

people do build hacked clients for hypixel specifically, to bypass its anticheat. so not only do the fake hackers have access to several accounts, they can cheat for much longer than you'd expect. so thank gosh for the migration.

YES

27:33 the most unimpressed herobrine encounter in the history of minecraft

Man, if Java wasn’t so finicky with compilation i would attempt to do this. Great job, and it’s cool that you’re making your own hacked client.

The intro got me LMAO

Herobrine looking down on you at the end like a God can only make me feel a big awe towards him

how about trying to make/modify items (like you said you wanted mending)