Back to Blog
Mod Integrity
7 min read

Mod Tampering Detection: Why SHA-1 Hash Verification Is the Only Way to Catch Modified Cheat Clients

Renaming a JAR file is trivial. A player can rename Wurst to sodium-mc1.20.4-0.5.8.jar and most staff tools pass it. Hash-based verification is the only reliable defence.

What Is a SHA-1 Hash?

A SHA-1 hash is a 40-character fingerprint generated from the exact binary content of a file. Change even a single byte in a JAR and the hash changes completely. Two files with the same name but different code will have different hashes. A legitimate Sodium JAR and a Wurst JAR renamed to look like Sodium will never share a hash — there is no way for a cheater to produce the same hash as a legitimate file.

How Audit AC Uses Modrinth's Database

Modrinth, the largest open-source Minecraft mod repository, exposes a public API that returns hash information for every version of every mod they host. Audit AC computes the SHA-1 hash of every .jar in the player's mods folder, queries the Modrinth API and a supplementary Megabase cross-reference, then returns one of five classifications: Verified, Tampered, Unknown, Cheat, or Disallowed.

Reading a Tampered Mod Report

When tampering is detected, the dashboard shows the expected file size from Modrinth vs the actual size found on disk, the difference in KB, a link to the legitimate mod page for direct comparison, and the ALERT reason. A 50+ KB difference is almost certainly an injected payload. Marginal differences of 1–3 KB may indicate a cracked or repackaged version.

ALERT: File size mismatch vs official Modrinth release.
Expected: 892 KB
Found:    944 KB
DIFFERENCE: 52 KB

What to Do When Tampering Is Detected

Do not accept the 'I got it from a friend' excuse — legitimate mods from official sources always hash-verify correctly. Check the download source field: Audit AC reports where the mod was sourced from when that metadata is available, and third-party sites are a red flag. Use the Modrinth link in the dashboard to compare version, author, and changelog directly.

Parallelized for Speed

Because a typical player might have 50+ mods installed, Audit AC runs all hash lookups concurrently using multi-threaded workers. The entire scan — including Modrinth API resolution for 50+ mods — completes in seconds, not minutes. Speed matters when a player is waiting on a screenshare call.

E
errcruze
Lead Developer, Audit AC
Share on X