Here's some important links you might want to check out! My Discord: discord.gg/rY4unvn RetroGamingNow Discord: discord.gg/retrogamingnow Tominecon.7z Team Discord: discord.gg/Q2BU69AN3S Download tominecon.7z: buu.sh/u/tominecon.7z
@@_Ecliptic and that's probably ceiled, and even if it wasn't, that must be rounded so if it's rounded it would take 1 second to 0.5 SECONDS. yet with like 100 passwords, and at least 1 TOP (trillions of operations per second), it WOULD take less than 0.1... like, c'mon! Just how! Computers are so advanced it's hard to fathom. And now I made a long comment for no reason
@@decoy3211 I was born in 2001, on the 12th of April. I am 23 years old. My TH-cam account also states it was made in September of 2012. It's extremely unlikely I would have made a YT account at 5 years old.
It's also all wrong... Minecraft didn't have encryption for client server communication until snapshot 12w17a (For version 1.3.1) after the Netty rewrite! This part of the client hello packet was only used for authentication.
Also, Long.parseLong will just throw a NumberFormatException if the String that's to be parsed contains letters outside of the radix. So you probably wouldn't even be able to connect in the first place I think.
Well yeah, the data is still encrypted, just the wrong way, so it "breaks" the process of encrypting the data on the server end and decrypting it on the client end. I'm not a professional at encryption by any means - this was just how I made sense of the process in my head and I wanted to explain it briefly, so it may not be 100% accurate
great video! the only thing missing here is a mention that the server files are in fact different builds from the final 1.0.0. while code-wise (and even content-wise) they're identical, the final 1.0.0 server was built 6 hours after the tominecon 1.0.0 server, making them have different file hashes.
Lol, TH-cam algorithm works that way I guess. On videos talking about how good something is, I often get recommended videos talking about how bad it is too
@@MaakaSakuranbo because having a poorly informed passwords list makes it exponentially less likely to crack via brute force. brute force methods with modern encryption do not attempt every possible character combination possible, that would take billions of years. cracking things is often far more successful with some level of research or enumeration.
@@MaakaSakuranbo surprisingly even simple passwords can be hard to crack if they're not in major wordlists. the research used to crack the tominecon.7z archive was simply that there was already a pre-existing list of cracked mojang passwords, that only certain people would have had access to. (particularly those who hack minecraft accounts because of their unique names).
10:15 No, parseInt would just throw an exception, which would then be caught by the try-catch blocks surrounding that code, which would then disconnect. I don't even think the serverid is used for encryption, but if it is, the encryption wouldn't be "broken", it'd just fail to decrypt/encrypt anything because the keys don't match up.
Yeah, which on the client-side means multiplayer doesn't function at all since you're disconnected before you ever get into the server. Server ID is used during the encryption process, but not to actually encrypt anything itself, just as data that gets encrypted sent to the client to allow the client to start decrypting the info and play the server
That explanation about encryption is.... entirely wrong. The parts about hex and dec are correct, but everything else is completely off the mark. 1. The server only ever sends _encrypted_ data. Your client only ever sends _encrypted_ data. There is no way for the game to do anything else, _by design_ . It would be a massive security risk if the opposite were the case, not only for your account details, but both your computer _and_ the server machine. 2. There is no way for encryption to "break" and be left completely open while in transit. That's not how encryption works, unless someone very stupid implements a fallback to plaintext which defeats the point of encrypting that data in the first place, as you could just force one side or the other to fail, receiving all that data without needing to decrypt it. 3. The server ID being parsed in the wrong base wouldn't initially cause an issue. In fact, you'd be able to _try_ to connect just fine. You wouldn't be able to fully connect, but you could try. 4. The reason it appears that multiplayer is completely disabled is because of a related (but different) problem. The first time the server (or your client, on modern versions it's the client) would try to send a packet the other would receive, what appears to them as, a garbled mess of incorrectly encrypted data. As such, they'd immediately close the connection, since trying to proceed would be a waste of time. The decryption fails because the encryption keys (in this case, the server id) would be different on either end, like trying to log in with the wrong password.
1. Yes, that's what I'm saying. I said it would be a huge security risk if it let you send the data unencrypted, so instead, it fails to encrypt your data and multiplayer doesn't function. 2. I didn't mean it would unencrypt the data and send it, just that, well, it breaks the encryption, it makes the whole "sending encrypted data" process not function properly. The visual does make it seem more like it actually sends unencrypted data though, I admit. I wasn't really sure how else to visualize that for someone who's not familiar with encryption, which includes most people that have watched this video so far. 3. Also what I tried to say in the video, though maybe I explained it poorly. Connecting to any servers on 1.0 immediately fails. You can enter the IP and press enter, yes, but it never will connect you. 4. Possibly, yeah. I don't know the process for this super well - I was mostly focused on the process of discovering the file, and just wanted to briefly touch on why the difference between 1.0 and tominecon is so important.
@@mcbyt Sorry if that sounded harsh, I did enjoy the video - I'm a CS nerd at heart so the inaccuracy rubbed me the wrong way lol Just about everything to do with encryption is hard to explain, so kudos for giving it a shot :)
@@TheKd8lvt All good (sorry I didn't see this till just now)! I appreciate being held accountable for stuff like this, I never want to be putting the wrong info in videos ofc :)
GGs to Doge who somehow decided to keep the old leaked passwords, then to Dinnerbone who helped have this spread further, and of course, the original user who had sent the real thing and not a decoy.
The fact that it was broken in such a simple way without some expert cia level shit like that methods, along with the only difference of it between the offical 1.0 being 4 characters in the code feels so anticlimactically funny
3:36 Oh my God, I just love seeing other TH-camrs I watch being mentioned in videos, this mystery would have gone in a very different direction if any of you didn't cover it! From the seeds of panoramas, to paintings, now passwords to files.
10:16 no, the data would be encrypted, the encrypted data just wouldn't be able to be read by the server since it didn't have the right decryption key. this would cause the client to be disconnected. also, passwords aren't sent to the server, your Mojang session ID was sent to the server. sending your password unhashed to an unofficial server is a huge no-no.
9:37 : it's not a "server id", it's an encryption key. the code literally says right there that if it fails to parse the "server id" it will stop and say "The server responded with an invalid server key". 10:09 : no, it couldn't. of course it couldn't. where in the world did you get that idea from? right in the oracle docs: Throws: NumberFormatException - if the String does not contain a parsable long. 10:13 : wrong again, the code says right there that if it fails to parse the "server id" it will stop and say "The server responded with an invalid server key". even if it *did* try to communicate without the right key, all of the data between the server and client would be garbled and a connection would never be established. did you run this section by someone who knows anything?
would personally never have guessed the password to be 6 letters and 2 numbers, one would think that would’ve shown up in people’s dictionary attacks by now
Pls stop the clickbait, it's not a "great mystery" or "some mystical code", is just Minecraft 1.0 in password-protected archive with a lame password. A great mystery would be if someone reverse-engeneered the Minecraft binaries and found some advanced and complicated code that send encrypted data to Mojang servers for example. That would 100x more interesting than this nonsense.
well that's not a mystery, that's the truth? It's called analytics and when Microsoft bought they introduced more intrusive logging which you weren't able to disable (I think that changed since then)
The fact we not only cracked the password but learned TONS of stuff about the files is nuts. First, the contents of the file, and the fact it IS different from an actual release of 1.0 Minecraft- albeit very, VERY slightly. And yet that slight change was such a massive problem... quite interesting, honestly. Second, the password, which is amusingly only 8 characters long... go figure. No wonder they were so worried about the password... in fact, using the password strength checker shown earlier in the video, the password for the original file is WEAKER than the password for the decoy! Third, the two things the password was used for. Since it was originally for their email account, it makes sense why it was so worrying. But with that changed, it's a lot safer now. Dinnerbone wasn't kidding when he said that. And fourth, the fact that when many people are curious, nothing can stop them. This was probably the craziest thing that could have happened... but I'm glad that there's finally a concrete end to this saga. (Let's not go trying to crack any more files unless given advance knowledge that it's for an ARG or something.)
Yeah… I can see why no one wanted the password out there in the early days of the hunt (Even the people who claimed to have cracked the password said they probably shouldn’t have done it) if it was the making email password
I can offer a lesser rant XD - there is a password protected zip in the minecraft files - mojang magically finds out about people trying to crack the password, I guess the zip was sending them signals in dreams - lie about how 'boxpig41' password took 10 years to break when in reality it's only 50 minutes with a bruteforce - mojang replaces it with a false zip - 2 other channels trying to leech viewership comes on the story (you know, you could speak about the actual people that cracked it and not a youtube channel handle) - 1 of them has the original file and password finally get cracked (guess they chose to use the 50 minutes brute force this time) - the zip has the same files but with just a parameter missing in one of the functions that is supposed to turn a string to hexadecimal format as if the string FORMAT was the one keeping packet sniffing away and not the ACTUAL string ITSELF
Mojang could probably tell by the constant discussion of this on HackForums and Reddit, this is extremely likely. Explanation he gave here makes sense. Also the password was apparently found by credential stuffing, which, as seen in hashcat on the video, took one second. Also yes the string format requires the string itself to be correct. If the string format is flawed the server wouldn't be able to understand the traffic - however there would be no interesting data that anyone would/could listen to, as it'd just be a "hello?" and the server disconnecting you, or you disconnecting. Whichever comes first
The mystery is not about what was in the file. It was about the process and the excitement of finally answering one of Minecraft most asked questions. You witnessed history. Be proud.
Less so the content of the file, moreso the hunt to crack it like albert said. I mean, there's been millions of eyes on this random file for over a decade now!
But there are a few other questions, for example when you are in .minecraft/bin, there is a file that contains all the md5 hashes of the .jar files First, this file mentions a file called windows_natives.jar.lzma, which I couldn't find Second, all hashes match the hash of the file, except for minecraft.jar
Minecraft.jar doesn't match because that's the modified file I discussed in the video. Not sure what you mean about the windows natives jar or where that's mentioned - if you mean it's in the code of Minecraft.jar, then it's probably elsewhere in the 1.0 files or possibly something that's located in Windows itself.
The md5 hashes are in the tominecon File at .minecraft/bin. In this File is a Line which refferenced in a windows_natives.jar.lzma file I will Check later If the Hash mached the original Minecraft version
Your characterization of the int parsing bug isn't really accurate, or at the very least *very* sensationalized. There wouldn't be any significant security issues.
in rgb first episode, he said that there was someone who cracked it on the hacker forums, and that guy also said that if it went to wrong hands, it would cause a catastrophe. With this video it now supports his claim, he most definitely investigated the file and found the decimal format you talked about.
The decimal issue would have thrown a NumberFromatException (an error) if the number it got contained digits that it doesn't know, so in no way shape or form would it have caused a catastrophe, it would probably have kicked you out with an error the instant you tried to connect to a server because of it.
I don't think so. The file going public wouldn't be a catastrophe at all, it'd just be really bad if Mojang released it officially. A buggy 1.0 build doesn't cause problems if it's leaked, only if it gets an official release as Minecraft's most important version of all time and millions of players are disappointed by its broken multiplayer
10:15 that’s a ridiculous statement to make. If you’re correct and the server ID is “used” to encrypt data (which is probably a stupid and insecure idea anyway), that would mean it’s the encryption key. Worst case scenario your game / server crashes from failing to encrypt data to send or failing to decrypt data that was received. Either you pulled that last part out of your ass, or old Minecraft servers use some really weird non standard method of encryption you’re somehow aware of
hey thanks for this video this is super cool! im part of the RGN community and thought it was cool that you were the one who kinda was behind it popping up again!
to be honest the devs literally said to not crack it, along with some other people, the fact that no one even bothered to listen to them just shows that they won't listen to the community when they do something wrong, we didn't listen, why should they?
so i remember being on a trying be on a server back in right after minecraft got it's 1.0 release, some friends and i was trying to get in to a server, kept giving us errors trying to join but invalid server key kept popping up, I believe somebody got it fixed during that time, sk89q released a class file, are you saying we actually might've had this issue right after the 1.0 release? it was quickly fixed, but still that was annoying trying to join a server.
I thought it was weird how RGN tried to imply that it was impossible to crack in his follow up videos after the first video blew up. I mean, weirder and more difficult things have been achieved before. It seemed like a matter of time and boy that was fast
such chill folks at mojang. and the interesting part is that, while the skills and methods may have malicious applications, by publically stating and engaging with the process they effectively give permission for users to try. as if its a challenge to them. ergo, while the tools may potentially be questionable, the act is not considered in violation of the law than if you added a randomised password to an empty file and then tried to get into it. it goes from an illegal act to one of grey legality.
this channel is just consistently good like seriously the amount of stuff that minecraft has undiscovered that you somehow find about and make thousands also be interested in is crazy
@@susguy187also there’s no 1.0 servers anyways because they’re either 1.8/1.7.10 or they’re the latest version No server uses 1.0 anyways so like the version still works it’s just multiplayer like single player works
and here I was hoping it would contain some 360 development tools or better yet a way to jailbreak a 360 with a mod chip (I have a medical condition which makes it nearly impossible to solder anything remotely precise, after the better part of a decade of training from a machinist who has made parts for multiple spacecrafts and is a combat veteran I am able to do some less precise RC car repairs and not always break it), it is absurd that they are shutting down the 360 servers and not giving people an option to jailbreak their 360s, yes they didn't for the PS3 but that is because they have an exploit that works on all PS3s.
Here's some important links you might want to check out!
My Discord: discord.gg/rY4unvn
RetroGamingNow Discord: discord.gg/retrogamingnow
Tominecon.7z Team Discord: discord.gg/Q2BU69AN3S
Download tominecon.7z: buu.sh/u/tominecon.7z
Password: boxpig41
thank you mcbyt
No
How to get minecraft edu
All community: we finally cracked a decoy for 10 years !!
Doge: pull outs an all old mojang pass word and did it in 1 day.
1 second according to the image
@@_Ecliptic and that's probably ceiled, and even if it wasn't, that must be rounded so if it's rounded it would take 1 second to 0.5 SECONDS. yet with like 100 passwords, and at least 1 TOP (trillions of operations per second), it WOULD take less than 0.1... like, c'mon! Just how! Computers are so advanced it's hard to fathom. And now I made a long comment for no reason
@@parinuserand no one liked your comment except me
@@Toasty_videos I liked it
Hey guys the real password is boxpig41 enjoy :) idk what ur gonna enjoy but idk just take it
I like how Doge just casually has a bunch of leaked Mojang passwords like its nothing
He also has arround 30 minecon's
just a databreach?
Thats the account community for you
Me having 1.16.200 Minecraft Bedrock, reversed code. Some people just not talking about it Everywhere
Not necessarily, he probably just knows where to find it
Thank you so much for introducing me to this mystery! I had a blast learning about it and discussing it with everyone!
Of course! And thank you for introducing so many people to the mystery - wouldn't have been cracked without you
so glad this story has gotten so much attention!! you both did a huge part in publicizing it, good stuff yall!
So long...
@@nakoogotten lmao
Please don't say "way back in 2020". It makes me feel old
It's been 4 years.
@@ZoofyZoof still tho, it feels like 2020 was yesterday
@@255ping4 I don't understand how, and I don't understand anyone who says anything like this
@@ZoofyZoofjust say u were born after 2007
@@decoy3211 I was born in 2001, on the 12th of April. I am 23 years old. My TH-cam account also states it was made in September of 2012. It's extremely unlikely I would have made a YT account at 5 years old.
10:15 your data will still be encrypted. It's just that you wouldn't know the key so the data will just be garbage and unusable
+1. That ending explaination really came out of nowhere and wasn't at all substantiated lol
It's also all wrong... Minecraft didn't have encryption for client server communication until snapshot 12w17a (For version 1.3.1) after the Netty rewrite!
This part of the client hello packet was only used for authentication.
Also, Long.parseLong will just throw a NumberFormatException if the String that's to be parsed contains letters outside of the radix. So you probably wouldn't even be able to connect in the first place I think.
Yeah, even having never looked at minecraft code I could tell that explanation was untrue lol
Well yeah, the data is still encrypted, just the wrong way, so it "breaks" the process of encrypting the data on the server end and decrypting it on the client end. I'm not a professional at encryption by any means - this was just how I made sense of the process in my head and I wanted to explain it briefly, so it may not be 100% accurate
I can't believe you listed totally real passwords on screen like that.
Anyway, gg!
The 4th password is completely real
nice
Yeah, had to change mine (PleaseAddTermitesYouPromised91). You will never guess the new one tho.
@@Mateo-zi8ub Nr.17, "thatwasarealonetho"
8:25
old mojang are so real for these. it just goes to show we're all human
great video! the only thing missing here is a mention that the server files are in fact different builds from the final 1.0.0. while code-wise (and even content-wise) they're identical, the final 1.0.0 server was built 6 hours after the tominecon 1.0.0 server, making them have different file hashes.
Yeah, I've got that on-screen at 8:58 but didn't mention it in the voiceover since I thought it'd be a pretty long tangent for a smaller detail.
i just finished watching a video talking about how it will never be cracked, WHAT THE
Lol, TH-cam algorithm works that way I guess. On videos talking about how good something is, I often get recommended videos talking about how bad it is too
Sometimes people lie.
because having a poorly informed passwords list makes it exponentially less likely to crack via brute force
@@afunnymanand 7z files are insanely hardware expensive to brute force
@@TheFantasticJ all modern 256 bit encryption methods are essentially impossible to brute force.
Alright but seriously, why wasn't "boxpig41" bruteforced sooner?
7z encryption is extremely slow to crack, and they only had about a year
@@enriktigasna Slow in what way?
@@MaakaSakuranbo because having a poorly informed passwords list makes it exponentially less likely to crack via brute force. brute force methods with modern encryption do not attempt every possible character combination possible, that would take billions of years.
cracking things is often far more successful with some level of research or enumeration.
@@afunnyman Well in this case it wouldn't have been that long, unless a single try takes long
@@MaakaSakuranbo surprisingly even simple passwords can be hard to crack if they're not in major wordlists.
the research used to crack the tominecon.7z archive was simply that there was already a pre-existing list of cracked mojang passwords, that only certain people would have had access to.
(particularly those who hack minecraft accounts because of their unique names).
10:15 No, parseInt would just throw an exception, which would then be caught by the try-catch blocks surrounding that code, which would then disconnect.
I don't even think the serverid is used for encryption, but if it is, the encryption wouldn't be "broken", it'd just fail to decrypt/encrypt anything because the keys don't match up.
Yeah, which on the client-side means multiplayer doesn't function at all since you're disconnected before you ever get into the server.
Server ID is used during the encryption process, but not to actually encrypt anything itself, just as data that gets encrypted sent to the client to allow the client to start decrypting the info and play the server
idk why that explanation was added to the video if they had no clue if that explanation was right or not
That explanation about encryption is.... entirely wrong.
The parts about hex and dec are correct, but everything else is completely off the mark.
1. The server only ever sends _encrypted_ data. Your client only ever sends _encrypted_ data. There is no way for the game to do anything else, _by design_ . It would be a massive security risk if the opposite were the case, not only for your account details, but both your computer _and_ the server machine.
2. There is no way for encryption to "break" and be left completely open while in transit. That's not how encryption works, unless someone very stupid implements a fallback to plaintext which defeats the point of encrypting that data in the first place, as you could just force one side or the other to fail, receiving all that data without needing to decrypt it.
3. The server ID being parsed in the wrong base wouldn't initially cause an issue. In fact, you'd be able to _try_ to connect just fine. You wouldn't be able to fully connect, but you could try.
4. The reason it appears that multiplayer is completely disabled is because of a related (but different) problem. The first time the server (or your client, on modern versions it's the client) would try to send a packet the other would receive, what appears to them as, a garbled mess of incorrectly encrypted data. As such, they'd immediately close the connection, since trying to proceed would be a waste of time. The decryption fails because the encryption keys (in this case, the server id) would be different on either end, like trying to log in with the wrong password.
1. Yes, that's what I'm saying. I said it would be a huge security risk if it let you send the data unencrypted, so instead, it fails to encrypt your data and multiplayer doesn't function.
2. I didn't mean it would unencrypt the data and send it, just that, well, it breaks the encryption, it makes the whole "sending encrypted data" process not function properly. The visual does make it seem more like it actually sends unencrypted data though, I admit. I wasn't really sure how else to visualize that for someone who's not familiar with encryption, which includes most people that have watched this video so far.
3. Also what I tried to say in the video, though maybe I explained it poorly. Connecting to any servers on 1.0 immediately fails. You can enter the IP and press enter, yes, but it never will connect you.
4. Possibly, yeah. I don't know the process for this super well - I was mostly focused on the process of discovering the file, and just wanted to briefly touch on why the difference between 1.0 and tominecon is so important.
@@mcbyt Sorry if that sounded harsh, I did enjoy the video - I'm a CS nerd at heart so the inaccuracy rubbed me the wrong way lol
Just about everything to do with encryption is hard to explain, so kudos for giving it a shot :)
@@TheKd8lvt All good (sorry I didn't see this till just now)! I appreciate being held accountable for stuff like this, I never want to be putting the wrong info in videos ofc :)
GGs to Doge who somehow decided to keep the old leaked passwords, then to Dinnerbone who helped have this spread further, and of course, the original user who had sent the real thing and not a decoy.
Keeping old stuff is not that hard i never delete my old files still have stuff from 5th grade I put on a drive
@@Notchjrgaming1269 Unless your PC crashes and requires a reset to be fixed… 😔
@@AshishXMC Windows recovery has managed to keep drive contents for years via reset recoveries, reformatting is very rarely needed
@@afunnyman Man, I wish time traveling existed, lol. Awesome though!
@@AshishXMCjust get a thumbdrive, back up your data, and reinstall windows in worst case
7:09 "unless you have time travel and use it to connect to the office WiFi."
Ok, another use of the password that we know now too.
it was just 1.0 version of minecraft with minimal differences biggest differences being the extra files
...except the fact that what you send to servers can be easily used to hack your system and cause chaos...
I have your location /j
@@amimirmimir512 what is it?
@@billybobjankens12 they said /j 💀
@@Zanophane_Gaming what's that mean
The fact that it was broken in such a simple way without some expert cia level shit like that methods, along with the only difference of it between the offical 1.0 being 4 characters in the code feels so anticlimactically funny
haha I have been waiting for this video since the password got cracked lmao
same - little timmy, born in 2019
how are you verified with 2k subs?
cool
@@00Cubic it's when u have another channel which is verified and share the same ad revenue thru google ads
@@mctogo001 not quite
Kinda strange all the mobs in the sounds folder had names in singular (blaze, ghast, magmacube, etc.) but endermen are listed there as "endermen"…
This was solved because 2 people had random info lying around.
3:36 Oh my God, I just love seeing other TH-camrs I watch being mentioned in videos, this mystery would have gone in a very different direction if any of you didn't cover it! From the seeds of panoramas, to paintings, now passwords to files.
*Gives up after 13 years* "So, I cracked this password in just a second now this is public information."
I feel like Minecraft’s greatest mystery get solved every week now…
I'm so disappointed nobody cracked an 8 character long password of printable ascii.
>Cracks a file
>"16"
That's... That's it?
10:16 no, the data would be encrypted, the encrypted data just wouldn't be able to be read by the server since it didn't have the right decryption key. this would cause the client to be disconnected.
also, passwords aren't sent to the server, your Mojang session ID was sent to the server. sending your password unhashed to an unofficial server is a huge no-no.
this is so absolutely roaring.. GOOD EPIC MOMENT!
top 10 roarer moments of all time (4K ULTRA HD)
khibo moment
9:37 : it's not a "server id", it's an encryption key.
the code literally says right there that if it fails to parse the "server id" it will stop and say "The server responded with an invalid server key".
10:09 : no, it couldn't. of course it couldn't. where in the world did you get that idea from? right in the oracle docs: Throws: NumberFormatException - if the String does not contain a parsable long.
10:13 : wrong again, the code says right there that if it fails to parse the "server id" it will stop and say "The server responded with an invalid server key". even if it *did* try to communicate without the right key, all of the data between the server and client would be garbled and a connection would never be established.
did you run this section by someone who knows anything?
would personally never have guessed the password to be 6 letters and 2 numbers, one would think that would’ve shown up in people’s dictionary attacks by now
Pls stop the clickbait, it's not a "great mystery" or "some mystical code", is just Minecraft 1.0 in password-protected archive with a lame password. A great mystery would be if someone reverse-engeneered the Minecraft binaries and found some advanced and complicated code that send encrypted data to Mojang servers for example. That would 100x more interesting than this nonsense.
well that's not a mystery, that's the truth? It's called analytics and when Microsoft bought they introduced more intrusive logging which you weren't able to disable (I think that changed since then)
its a 12 year mystery and if you dont like the video, then dont watch it
Yeah but we didn't know what it was until now that's why it was considered a great mystery for more than 10 years.
HOLY SPLAUGENSPLUGEN
It's crazy that someone named Doge did this considering the dog we all know as Doge (Kabosu) just passed away.
damn 13 years ggs guys
It cost everything.
0:05 Is that ren-diggidy-dog on the right?
Yaaaaas
The fact we not only cracked the password but learned TONS of stuff about the files is nuts.
First, the contents of the file, and the fact it IS different from an actual release of 1.0 Minecraft- albeit very, VERY slightly. And yet that slight change was such a massive problem... quite interesting, honestly.
Second, the password, which is amusingly only 8 characters long... go figure. No wonder they were so worried about the password... in fact, using the password strength checker shown earlier in the video, the password for the original file is WEAKER than the password for the decoy!
Third, the two things the password was used for. Since it was originally for their email account, it makes sense why it was so worrying. But with that changed, it's a lot safer now. Dinnerbone wasn't kidding when he said that.
And fourth, the fact that when many people are curious, nothing can stop them.
This was probably the craziest thing that could have happened... but I'm glad that there's finally a concrete end to this saga.
(Let's not go trying to crack any more files unless given advance knowledge that it's for an ARG or something.)
13 years ago with this video being 13 hours ago
just boxpig41? that'd be literally the 41st thing I would've tried
Yeah… I can see why no one wanted the password out there in the early days of the hunt (Even the people who claimed to have cracked the password said they probably shouldn’t have done it) if it was the making email password
If you dont know the inf dimension update for minecraft has a lil secret Lore
In a dimension theres a chance you find a Book titled "orders"
whats shader are you using
At the very end I use BSL, but for most shots I used Sildur's Enhanced Default :)
@@mcbyt oh, thought it was a different one
I can offer a lesser rant XD
- there is a password protected zip in the minecraft files
- mojang magically finds out about people trying to crack the password, I guess the zip was sending them signals in dreams
- lie about how 'boxpig41' password took 10 years to break when in reality it's only 50 minutes with a bruteforce
- mojang replaces it with a false zip
- 2 other channels trying to leech viewership comes on the story (you know, you could speak about the actual people that cracked it and not a youtube channel handle)
- 1 of them has the original file and
password finally get cracked (guess they chose to use the 50 minutes brute force this time)
- the zip has the same files but with just a parameter missing in one of the functions that is supposed to turn a string to hexadecimal format as if the string FORMAT was the one keeping packet sniffing away and not the ACTUAL string ITSELF
Mojang could probably tell by the constant discussion of this on HackForums and Reddit, this is extremely likely. Explanation he gave here makes sense. Also the password was apparently found by credential stuffing, which, as seen in hashcat on the video, took one second. Also yes the string format requires the string itself to be correct. If the string format is flawed the server wouldn't be able to understand the traffic - however there would be no interesting data that anyone would/could listen to, as it'd just be a "hello?" and the server disconnecting you, or you disconnecting. Whichever comes first
Everyone involved in the search: This file will take years to be cracked, due to its-
Doge: I solve this in 1 day
This episode of MCBYT was brought to you by the number 16.
I wouldn't call a few digits of code the "Minecraft Greatest Mystery"...
The mystery is not about what was in the file. It was about the process and the excitement of finally answering one of Minecraft most asked questions. You witnessed history. Be proud.
Less so the content of the file, moreso the hunt to crack it like albert said. I mean, there's been millions of eyes on this random file for over a decade now!
But there are a few other questions, for example when you are in .minecraft/bin, there is a file that contains all the md5 hashes of the .jar files
First, this file mentions a file called windows_natives.jar.lzma, which I couldn't find
Second, all hashes match the hash of the file, except for minecraft.jar
Minecraft.jar doesn't match because that's the modified file I discussed in the video. Not sure what you mean about the windows natives jar or where that's mentioned - if you mean it's in the code of Minecraft.jar, then it's probably elsewhere in the 1.0 files or possibly something that's located in Windows itself.
The md5 hashes are in the tominecon File at .minecraft/bin. In this File is a Line which refferenced in a windows_natives.jar.lzma file
I will Check later If the Hash mached the original Minecraft version
bros unlocked the time capsule 💀
The video starts at 8:48
Chances are this is just an old Minecraft version. Blue eyed folks like Mojang can't really come up with something really deep
lol its just minecraft 1.0 but with an authenication bug
for over 10 minutes
RIP Doge and hooray other Doge!
Shit like this makes me wonder what other mysteries could be solved if the right person stumbled across it.
now its wifies turn to make a vid about tominecon being solved XD
I was wondering about it just now
8:18 number 5 💀
we could see whats inside even faster if someone used android unpack feature😭
Danny Dorito and Lim Jahey is hilarious
IMO Minecraft's greatest mystery that has already been solved will forever be the seed for the pack.png image
I love content like this about mysteries or old minecraft there all just really fun to watch ty MCBYT
Your characterization of the int parsing bug isn't really accurate, or at the very least *very* sensationalized. There wouldn't be any significant security issues.
As a programmer, seeing a variable called "var3" is haunting.
LMAO imagine the whole dedicated discord server... all it took was a old password list and one second.
I guess that some things need 13 years to be solved lol
how did people tried harshly to crack the password without any results if it was only 8 characters??
they didn’t know that.
Well, Mojang must be pissed
in rgb first episode, he said that there was someone who cracked it on the hacker forums, and that guy also said that if it went to wrong hands, it would cause a catastrophe. With this video it now supports his claim, he most definitely investigated the file and found the decimal format you talked about.
I doubt that. Nobody back then had the proper tools to decompile the game that we have today. That person was probably just lying.
The decimal issue would have thrown a NumberFromatException (an error) if the number it got contained digits that it doesn't know, so in no way shape or form would it have caused a catastrophe, it would probably have kicked you out with an error the instant you tried to connect to a server because of it.
I don't think so. The file going public wouldn't be a catastrophe at all, it'd just be really bad if Mojang released it officially. A buggy 1.0 build doesn't cause problems if it's leaked, only if it gets an official release as Minecraft's most important version of all time and millions of players are disappointed by its broken multiplayer
Maybe they figured out the email part
10:15 that’s a ridiculous statement to make. If you’re correct and the server ID is “used” to encrypt data (which is probably a stupid and insecure idea anyway), that would mean it’s the encryption key. Worst case scenario your game / server crashes from failing to encrypt data to send or failing to decrypt data that was received. Either you pulled that last part out of your ass, or old Minecraft servers use some really weird non standard method of encryption you’re somehow aware of
i remember watching the original video on this,its good to see it come to completion
YES FINALLY I HAVE BEEN TRYING I CAN STOP MY LAPTOPS SUFFERING 🎉
if only someone brought this to my attention way earlier...
he sugarcoats a pointless thing the video
Another classic MCBYT banger .
8:44 we cracked **continues to add the lock sound**
Well done , everyone. I wasnt expecting this to be solved yet it was.
hey thanks for this video this is super cool! im part of the RGN community and thought it was cool that you were the one who kinda was behind it popping up again!
mans with that JSRF tune
to be honest the devs literally said to not crack it, along with some other people, the fact that no one even bothered to listen to them just shows that they won't listen to the community when they do something wrong, we didn't listen, why should they?
4:10 Tonight, RGN (and his followers) join the hunt
Nice video, I have a question. What happened to your Minecraft server?
so i remember being on a trying be on a server back in right after minecraft got it's 1.0 release, some friends and i was trying to get in to a server, kept giving us errors trying to join but invalid server key kept popping up, I believe somebody got it fixed during that time, sk89q released a class file, are you saying we actually might've had this issue right after the 1.0 release? it was quickly fixed, but still that was annoying trying to join a server.
Where do you get Minecraft Edo? Please tell me in a comment
Jeez. I too would've want to encrypt this version if it was that troublesome.
I thought it was weird how RGN tried to imply that it was impossible to crack in his follow up videos after the first video blew up. I mean, weirder and more difficult things have been achieved before. It seemed like a matter of time and boy that was fast
Finally! Always suprised what a community can do if everyone shows enough interest :)
Dude this is AWESOME! I heard about the update from Dinnerbone, but I had no idea the password itself was actually cracked shortly after!
such chill folks at mojang. and the interesting part is that, while the skills and methods may have malicious applications, by publically stating and engaging with the process they effectively give permission for users to try. as if its a challenge to them. ergo, while the tools may potentially be questionable, the act is not considered in violation of the law than if you added a randomised password to an empty file and then tried to get into it. it goes from an illegal act to one of grey legality.
everyone:
omg!!! It’s so hard to crack [:<
doge:
random pastebin 📈📈📈
what shaders????
Cool, a great file for my endless data hoarding base
I love how the first password was a Dune reference
I wonder what Mojang's / developer's / Dinnerbone's responses are to this
this channel is just consistently good like seriously
the amount of stuff that minecraft has undiscovered that you somehow find about and make thousands also be interested in is crazy
this is so absolutely insane, EPIK!
How did you download Minecraft Edo please?
Good video, I'm glad youtube just randomly recommended this
welp atleast we all have a 1.11 version of minecraft the doesn't work now :)
1.0 not 1.11
@@susguy187also there’s no 1.0 servers anyways because they’re either 1.8/1.7.10 or they’re the latest version
No server uses 1.0 anyways so like the version still works it’s just multiplayer like single player works
They son of a birch, they did it
and here I was hoping it would contain some 360 development tools or better yet a way to jailbreak a 360 with a mod chip (I have a medical condition which makes it nearly impossible to solder anything remotely precise, after the better part of a decade of training from a machinist who has made parts for multiple spacecrafts and is a combat veteran I am able to do some less precise RC car repairs and not always break it), it is absurd that they are shutting down the 360 servers and not giving people an option to jailbreak their 360s, yes they didn't for the PS3 but that is because they have an exploit that works on all PS3s.
wait, so it was all a Dune reference? Always was.
i was in the video from the discord server images!
One single mistake in code can cost millions of people their personal data. The number "16", in this case.
Time 8:49
It didn't cost anyone there data. No data would ever have been sent.
16... getting a lot of No Man's Sky vibes here.