exo/axiom-audit
1
0
Fork 0
Code Issues Pull requests Projects Releases 2 Packages Wiki Activity Actions
2 releases 2 tags
  • v5.4.1-unlock1 534203c9ea

    Axiom 5.4.1 — full unlock, fully offline
    All checks were successful
    build-patched-axiom / build (push) Successful in 25s
    Details
    Stable

    admin_ekaii released this 2026-05-03 19:17:16 +00:00 | 4 commits to main since this release

    Drop-in replacement for Axiom-5.4.1-for-MC26.1.jar — fully unlocked, fully offline.

    Patched at the bytecode level via ASM. The mod still loads as Fabric mod id axiom v5.4.1 — same metadata, same protocol, same packet handlers. Only the license-check methods are rewritten to short-circuit.

    What changed vs upstream

    Patched method Behavior
    Authorization.hasCommercialLicense() always true — master switch, every gated feature unlocked
    Authorization.checkCommercial(UUID) returns true + sets static field; never contacts the auth server
    Authorization.checkServer(host, ip, UUID) returns COMMERCIAL + sets static field; never contacts the auth server
    Authorization.getMeta() returns an empty Meta (no kill switch, no version nag)
    LocalizationLoader.fetchUpdateCount() throws — falls back to cached translations; the bundled Weblate token is never sent

    Net effect on the wire

    Zero connections to axiom.moulberry.com from the mod. Your Mojang UUID, the server hostname you're connecting to, and the server's IP never leave your client.

    What you do NOT lose

    Every documented Axiom feature still works — block placement, render overrides, blueprint browser, schematic export, history persistence, Lua script brushes, image annotations, marker tools. The license check was a remote feature toggle, not a runtime code-loading channel: see reports/PHASE7-license-mechanics.md for the proof (the JWT body has only one boolean claim and the verifier reads only that claim).

    What you DO lose

    • Periodic auto-fetch of new translations (mod still reads the cached translations.zip if you have one).
    • Image annotations placed in worlds you visit still work, but the URL fetch of those images is not patched — they hit whatever URL the server tells them to. If you want zero outbound HTTP from the client side, see the strict-mode patches in reports/PHASE4-patches.md.

    Reproducibility

    Built by Forgejo Actions run #180. The .class files in this artifact are byte-identical to a local build of the same patcher source against the same upstream jar (only ZIP-wrapper timestamps differ).

    upstream jar  Axiom-5.4.1-for-MC26.1.jar           sha512: 5e923c7e19d537434...dfbbf3f8
patched jar   Axiom-5.4.1-patched.jar              sha256: 89a65ceb1c3d58a4f94254fb3339629073a10b7c84b3a2ca6dfe837fc522d2a4
              size: 46 921 186 bytes

    Audit reports are in reports/. Verdict: no backdoor in the upstream jar; the anti-audit Greek-omicron homoglyph is hostile to inspection but not malicious; the privacy footprint (per-server UUID reporting + remote kill switch) is what this build neutralizes.

    Downloads