description = "Around five months ago LiveOverflow started a series called Minecraft:HACKED. He invited everyone to find the server and join, but that was easier said than done."
Around five months ago [LiveOverflow](https://www.youtube.com/c/LiveOverflow) started a series called [Minecraft:HACKED](https://www.youtube.com/playlist?list=PLhixgUqwRTjwvBI-hmbZ2rpkAl4lutnJG). He invited everyone to find the server and join, but that was easier said than done.
## Concept
During one of his earlier videos, LiveOverflow challenged his viewers to find the Minecraft server he was playing on and come join it. At first, this was the only challenge, but as time went on and the server existed for longer, more challenge were added. At first, players had to bypass an algorithm that would kick players who moved like humans, but later on, we had to bypass a popular server plugin. All in all, I had/have a great time playing on the server and learned a lot about how Minecraft works, and how to write mods for it.
## Finding the server
In LiveOverflow's eighth video, [he told his viewers that the server has been opened to the public](https://youtu.be/QradKmQ27JY?t=1246). I immediately started looking for ways to find it. After researching for a while, I found multiple ways to find it, but I thought they would all take a fair bit of time (I'll get back to this later). So, instead of spending time actually learning stuff, I rewatched his videos to see if there would be a clue in there. Luckily it worked out. In [one video](https://youtu.be/Hmmr1oLt-V8?t=28) he blurred the IP inside the terminal, but forgot about the terminal title bar :smile:. I notified him of this, as it was obviously unintended, and the IP was changed shortly after, as many people apparently found it.
{{<figuresrc="/img/posts/liveoverflow-minecraft-server/first_ip_screenshot.png"title="Screenshot of video containing the IP address">}}
### IP change
The IP change happened of the 26th of August. Finding the new IP was going to be a harder challenge, as the change meant there was no way to find the server using the videos. At the time I was looking into it, no new video had been released, after all.
During my research, I came across masscan. This is a piece of software that lets you scan the entire internet, and even does it pretty quickly. This may come as a surprise, but It doesn't support Minecraft packets… I could add support for this, but I would have to get familiar with the code base, and I thought it would over all just be easier to write a python script that interfaces or uses the output from masscan.
I got to work and wrote a script that scans the IP range in which the old IP was located. It starts by using masscan to scan the entire range of IP addresses, and saves it to a file to use later. I then read this file, and request basic Minecraft server information like its MOTD, players and favicon. This information was saved in another file, in which, I could easily search for LiveOverflow. In the end, the new IP only had one digit changed.
_This code is copied from a Jupyter Notebook, so it's not the most efficient and may not even work, the [here for the Github Gist of the Notebook](https://gist.github.com/maikka39/8019e2f1a45e1021fff05bd1e1688e14)_
Later, I found out the physical server was actually the same, and you could also use `traceroute` to find the new server as well.
```txt
traceroute to 176.9.20.201 (176.9.20.201), 30 hops max, 60 byte packets
1 _gateway (10.0.0.1) 1.435 ms 1.407 ms 1.381 ms
2 192.168.2.254 (192.168.2.254) 16.733 ms 16.722 ms 16.712 ms
3 static.kpn.net (195.190.228.90) 17.893 ms 17.882 ms 17.882 ms
4 139.156.98.101 (139.156.98.101) 128.740 ms 128.730 ms 128.720 ms
5 * * *
6 core24.fsn1.hetzner.com (213.239.224.253) 32.245 ms core23.fsn1.hetzner.com (213.239.224.249) 30.209 ms core24.fsn1.hetzner.com (213.239.224.253) 43.727 ms
7 ex9k1.dc6.fsn1.hetzner.com (213.239.229.94) 30.182 ms 19.697 ms 22.575 ms
8 static.205.20.9.176.clients.your-server.de (176.9.20.205) 19.665 ms 22.329 ms 22.306 ms
9 * * *
10 * * *
```
### Third IP change
The “new” IP quickly got leaked, and so a new server had been created. This time, `traceroute` did not yield any useful results, so I used the above script again. The only change I made, was adding all Hetzner ranges to the list of ranges.
### Abuse emails
Not every ISP likes people scanning the internet. I ran the script on both a VPS, and on my home network. Especially the latter was a mistake, though, as I quickly received an email telling me to stop, or I would have my internet cut off. So, If you want to scan the whole internet, don't do it from home :smile:.
{{<figuresrc="/img/posts/liveoverflow-minecraft-server/kpn_abuse.png"title="Screenshot of abuse email (in Dutch)">}}
## Challenges
I had a great time playing on the server. The other players were mostly nice, having to have some technical skills to find the server probably kept most griefers out. What I found most fun about the server, were the challenges, though.
### Bot movement challenge
After some time playing on the server, the first challenge was released. As LiveOverflow explained in [this video](https://www.youtube.com/watch?v=WEMOCFe4EFE), if you move on the server, without rounding your player position to 1/100th, you get kicked with the following message:
{{<figuresrc="/img/posts/liveoverflow-minecraft-server/human_movement_kick_message.png"title="Human movement kick message">}}
#### Writing a Fabric mod
Where do you even get started with solving this challenge? I didn't have any Minecraft modding experience, but had heard about [Fabric](https://fabricmc.net/). I downloaded [an example mod](https://github.com/FabricMC/fabric-example-mod) from their GitHub, and got it to intercept `PlayerMoveC2SPacket`. These are the packets your Minecraft client sends to the server, so it knows where you are.
Unfortunately, I don't have my original code anymore, so I can't give any code snippets for this part. I _can_ explain the business logic, though.
#### Moving like a bot
You might say this is a straightforward challenge, but you might be surprised. This is because the naive approach of simply multiplying a coordinate by one hundred, rounding it, and then dividing it by one hundred again will only work some of the time. The reason for this is [how floating-point numbers work](https://en.wikipedia.org/wiki/Floating-point_arithmetic). You might have heard about the classic meme that `0.1` + `0.2` equals `0.30000000000000004`. We humans work in base 10, but computers work in base 2, and not all base 10 numbers can efficiently be represented in base 2. Our mod will not work when we're sending a number that's rounded down to, for instance, x.9999999, as casting that to an int would result into a non-rounded number. The easiest way to fix this is by adding the following step:
This will get the first exact floating-point number after the given number. We can then pass the x and/or z value of the current coordinate to this method, and replace the value with the result.
### Club Mate challenge
#### Original version
Some time after the bot movement challenge, a new challenge was released. This time, we had to open a chest in a protected area. Part of the challenge was actually finding it, I stumbled across it by accident, but a hint was otherwise also given [at the end of the bot movement video](https://www.youtube.com/watch?v=WEMOCFe4EFE).
Upon entering the area, you're teleported to a floating island and greeted with a message;
This challenge had some unintended solutions. I'll get to the intended one later, but let's first solve it the easy way :smile:.
When looking at the given pseudocode, we can see we're only teleported back on a `PlayerMoveEvent`. As LiveOverflow [later showed in a video](https://www.youtube.com/watch?v=RDkWagIW6gw), many people found bypasses to it. My solution was to throw an Ender Pearl into the region, and then immediately block all outgoing movement packets. This way the server teleports us into the region, which does not trigger a `PlayerMoveEvent`, after which, we can open a chest. A message is also sent in chat after opening the chest;
After LiveOverflow noticed the unintended solutions, he used the plugin WorldGuard instead of his own. This made the challenge quite a bit harder, as silly things like throwing an Ender Pearl don't work.
After reading lots of [Paper source code](https://github.com/PaperMC/Paper), I came across the following code:
```java
// Prevent 40 event-calls for less than a single pixel of movement >.>
In short, this code means we can move around a tiny bit before a `PlayerMoveEvent` is sent. This caught my interest, as I thought there might be a way to change the `lastPos`. After reading more code, I found out there was!
If we send a position that is far away, like x+100, y+100, the player will be teleported back before the `PlayerMoveEvent` gets sent. During this teleport action, `lastPos` get set to the position the player had before the “far away packet” was sent.
```java
public void handleMovePlayer(ServerboundMovePlayerPacket packet) {
// ...
// d11 and d10 contain a difference in player position
if (d11 - d10 > Math.max(f2, Math.pow((double) (org.spigotmc.SpigotConfig.movedTooQuicklyMultiplier * (float) i * speed), 2)) && !this.isSingleplayerOwner()) {
This method was very slow, however. After taking another look at the [WorldGuard source code](https://github.com/EngineHub/WorldGuard), I noticed that it checks whether the player actually moved a block;
```java
public void onPlayerMove(PlayerMoveEvent event) {
Location from = event.getFrom();
Location to = event.getTo();
if (from.getBlockX() == to.getBlockX()
&& from.getBlockY() == to.getBlockY()
&& from.getBlockZ() == to.getBlockZ()) {
return;
}
// ...
}
```
This check means we only have to actually prevent a `PlayerMoveEvent` when we are changing from one block to another. The final code for which can be found in [my GitHub repo](https://github.com/maikka39/MinecraftClient).
## Conclusion
As of writing this, these are all the challenges I'm aware of. I'll update this post when more challenges are added.