EvilLang is a proof-of-concept toolset to counter the MC-265322-based side-channel attack, aka the Minecraft translation key vulnerability exploit.
This vulnerability lets a server send translation keys to the client, which resolves them and returns the result. Some "anti-cheat" plugins exploit this to detect whether a player has specific mods installed. The detection logic is fundamentally flawed: a resolved translation key ≠ the corresponding mod installed, since resource packs can define arbitrary translation keys.
This project demonstrates two attack surfaces:
- Poisoning — Inject detection keys with a non-null value into a resource pack, causing innocent players who load it to be falsely flagged as cheaters
- Neutralization — Generate a resource pack covering all locales with
"key":"key"mappings, making key-based detection impossible
EvilLang/
├── res/evillang/latest.txt # Core key set (translation key list)
├── checkin.py # Merge & dedup tool
├── poisoning.py # Poisoning tool
├── neutralization.py # Neutralization tool
└── README.md
Merge keys from input file into res/evillang/latest.txt, auto-deduplicated and sorted.
python checkin.py <input.txt>Inject keys (value "1337") into a resource pack zip. Prefers assets/minecraft/lang/en_us.json, never overwrites existing keys, preserves file timestamps.
python poisoning.py <resource_pack.zip> [remote_keys_url]Output: <original>_poisoned.zip
Generate a resource pack with all locale files, mapping each key to itself ("key":"key"), rendering server-side detection useless.
python neutralization.py [remote_keys_url]Output: neutralizer_<timestamp>.zip
Both poisoning.py and neutralization.py accept an optional remote URL for the key set (plain text, one key per line). They fall back to the local res/evillang/latest.txt when not provided.
This project is for educational and research purposes only. Misuse of this tool to harass players or disrupt servers may violate Minecraft server terms of service. The author is not responsible for any damage caused by this software.