How to detect the undetectable hacked client Aristois

Thomas Marchand
Jun 18, 2019

A propaganda image from https://aristois.net/

My name is Thomas and I have been developing a solution called HackedServer for three years, with the aim of fighting hacked clients on Minecraft. My strategy is to analyze a particular packet related to the identity of a Minecraft client. It is quite possible to create a client that is indistinguishable from a normal client; however, the task is complex and the developers often make mistakes. My job is to find them.

What was my approach?

I started by downloading the cheat in question from the official website. In the past I spent hours decompiling cheats to find something; now the process is a bit faster: I just installed HackedServer on a fresh Spigot server and enabled the hard logging option in the settings.

I then logged in to the server several times with Aristois and vanilla Minecraft (the official version of Minecraft, without any mods). Here is what I got:

We see that a message is sent on the “minecraft:brand” channel every time, but its content is not the same with vanilla Minecraft as with Aristois. All I need to do is ask HackedServer to send an alert when it finds the Aristois message.

I had the opportunity to chat with an Aristois administrator, and apparently this string is related to Easy Minecraft Client, a framework for modifying Minecraft code. It is used almost exclusively by Aristois and other hacked clients. Spotting players using EMC should help the staff find cheaters.
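
The check described above can be sketched offline as follows. This is an added example, not HackedServer's code: it assumes the brand payload is a VarInt length prefix followed by a UTF-8 string, and the rule string `example-hacked-brand`, the function names, the size limit and the sample payloads are constructed placeholders.

```python
from __future__ import annotations

# Constructed placeholder rule: replace the key with the brand string seen in
# your own log. The value is the alert text shown to staff.
ALERT_RULES = {"example-hacked-brand": "{player} may be using a client built on {brand}"}
MAX_BRAND_BYTES = 256  # assumed sanity limit, not a protocol constant


def read_varint(data: bytes) -> tuple[int, int]:
    """Return (value, bytes consumed) for a Minecraft-style VarInt."""
    value = 0
    for i, byte in enumerate(data[:5]):
        value |= (byte & 0x7F) << (7 * i)
        if not byte & 0x80:
            return value, i + 1
    raise ValueError("truncated or overlong VarInt")


def parse_brand(payload: bytes) -> str:
    """Decode the brand string, rejecting malformed payloads."""
    length, offset = read_varint(payload)
    body = payload[offset:]
    if length > MAX_BRAND_BYTES or length != len(body):
        raise ValueError("length prefix does not match payload")
    return body.decode("utf-8")  # UnicodeDecodeError is a ValueError


def check_brand(player: str, payload: bytes) -> str | None:
    """Return an alert line for staff, or None when nothing matches."""
    try:
        brand = parse_brand(payload)
    except ValueError:
        return f"{player} sent a malformed brand payload"
    for needle, template in ALERT_RULES.items():
        if needle in brand.lower():
            return template.format(player=player, brand=brand)
    return None


def encode_brand(brand: str) -> bytes:
    """Build a constructed sample payload (brands under 128 bytes only)."""
    raw = brand.encode("utf-8")
    assert len(raw) < 0x80
    return bytes([len(raw)]) + raw


if __name__ == "__main__":
    for name, brand in [("Steve", "vanilla"), ("Alex", "Example-Hacked-Brand 1.0")]:
        print(name, "->", check_brand(name, encode_brand(brand)))
```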

We can customize the message to help the staff:
