Fixed a bunch of exploits in WebTiles today.
Apparently, a worm was created that spread around the tiles:
It escaped JS sandbox with XSS and replicated itself whenever someone pressed on infected tile. Unintentionally, I stopped the worm from spreading by fixing one of the exploits, so it thankfully only spread to around 70 tiles. The worm also unintentionally made all JS and CSS become inlined, removed indentation, and made JS stop working due to the error in it’s code after patching.
When examining it’s code, I at first thought it was the usual obfuscation, but it ended up being an actual VM made of a couple of functions/opcodes:
0x00 read
0x01 call
0x02 sum
0x03 new
0x04 call with 2 args
0x05 call with 3 args
0x06 call with 4 args
0x07 read and call with 2 args (?)
When I saw the VM, I immediately realized it was DayDun behind this. And then I decoded the strings in it, and saw his domain. I finished one of his puzzles like 5 years ago, involving a similar JS VM.
█████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████
We played Yume 2kki today. Planned for it month(s) ago, and January 15 finally came. Ended up following █████████████, since it was his birthday. Didn’t really visit any cool new places though. It’s getting harder to get a cool adventure on 2kki.
Added upvoting and downvoting to WebTiles at the end of the day.