I’ve recently been engaging in some tomfoolery to acquire a list of 51 million Minecraft: Java Edition player UUIDs (out of ~61 million total existing UUIDs). This blog post will explain exactly what I did to make this list.

Abusing the Mojang API with IPv6

Mojang has an internal API (documented by the community at wiki.vg) which the game uses to convert player usernames to UUIDs and to obtain information about player UUIDs. Mojang also allows anyone to use the API for their own purposes, but with ratelimits (about 10 requests per IP per second).

In 2020, tired of every search engine seemingly having suboptimal results and missing the instant answers I wanted, I decided to make a search engine for myself. I knew making a general-purpose web search engine from scratch by myself was infeasible, so instead I opted to make a meta-search engine, which aggregates results from other web search engines. First I tried forking Searx, but it was slow and the old Python codebase was annoying to work with.

matscan is a Minecraft bot that joins potentially vulnerable Minecraft servers and sends a message in chat to inform the admins.

How should I secure my server?

It should’ve told you in its long chat message but some servers might cut it off:

• If the server was meant to be private then enable a whitelist.
• If the server is offline-mode then enable online-mode in the server.properties or install a plugin such as AuthMe.
• If the server has an exposed BungeeCord backend, firewall it, install BungeeGuard, or switch to Velocity.
• En

Gemini is a protocol similar to HTTP, in that it’s used for transmitting (mostly) text in (usually) a markup language. However, one of the primary goals of Gemini is simplicity. Requests are always a single TLS/TCP connection with the route, and a correct response looks like 20 text/gemini\n\rhello world\n. Additionally, Gemini uses a language called “Gemtext” as its markup language. It’s kind of like Markdown, but even simpler. Every line can only contain a single type of data, so for example you can’t have links in the middle of text. Read the Gemini spec if you’re interested.

Translating HTML to Gemtext

Anyways, so I decided to make my website support t

For several years I’ve occasionally logged onto Shodan and searched for Minecraft servers. I just join, look around, and maybe leave a sign for the server owner. I’d also occasionally heard stories about people making their own Minecraft server scanners.

A while ago, on April 1st 2022, cybersecurity YouTuber LiveOverflow uploaded a video titled “I Spent 100 Days Hacking Minecraft”. Despite being uploaded on April Fools’, the video and seri

A couple years ago when I was creating the matdoes.dev blog I wrote a somewhat powerful markdown system with Regex to allow me to more easily write blog posts. Although I’ve barely written any posts, I’m still proud of it. Also this post is mostly just reference for myself, lol. I present: matdown™

Relative anchor: [matdoesdev](/blog) matdoesdev

External anchor: [matdoesdev](https://matdoes.dev) matdoesdev (

I wrote this story on the Hypixel Forums a while ago, but I realized it would be a good idea if I posted it on my blog too.

Intro

ReportScammers was a robot on the Hypixel SkyBlock Forums that automatically replied to posts where people were complaining that they got scammed. It all started on April 27th, 2020. I was bored and wanted to make a Hypixel Forums bot. At first, I wasn’t sure what I wanted it to do. Then I thought, “what’s a task that humans do often that could be easily automated?”: complaining about people getting scammed, of course.

madcausebad11

I didn’t do anything with this idea until a couple weeks later on May 14th, when I remem

So a few days ago my friend Slip got a DM on Discord from this “Twitch” bot asking him to invite it to my servers as well as to join theirs. The message the bot said claimed that Discord and Twitch had partnered up to give its users free Nitro Games and free Twitch Prime.

It obviously looked fake, so Slip created a testing server and added me and some friends to help. Upon joining, the fake Twitch bot DMed everyone in the server with the same message as it sent to Slip. It looked like some sort of social engineering worm, but it hadn’t done anything bad yet, so we revoked the bot’s perms and left it in the server.

When I joined the server it linked, it looked like some sort of bad giveaway server with giveaway channels, and even a rules and TOS channel.

A domain hack is a domain in which both the top level domain (TLD) and the second level domain (SLD) are combined to make up a word or phrase. For example, matdoes.dev is a domain hack for mat does dev. Domain hacks are not security-related and they are completely legal.

Most domain hacks use country code top level domains (ccTLDs), for example, .it is for italy, .am is for Armenia, etc. Some companies even purchase their own custom TLDs from the Internet Assigned Numbers Authority in order to create a hack for their domains. Most notably is goo.gle, which was created by Goog