banner
LightNews
mattcoley.bsky.social
Matt Coley
@mattcoley.bsky.social
32 followers 46 following 42 posts
https://github.com/Col-E/
github.com
Posts Media Videos Starter Packs
mattcoley.bsky.social
Matt Coley @mattcoley.bsky.social · 16d
The good news is, they reverted that 404 -> 403 option, and *some* of our projects updated to use Artifactory first instead of last.
1
mattcoley.bsky.social
Matt Coley @mattcoley.bsky.social · 16d
Artifactory: IT was instructed to prevent crawling, so one thing they did was change Artifactory replying 404 for missing artifacts to replying with 403 (like all other urls on other services they ran)

Result: 403 kills gradle builds, so nobody used artifactory and if they did, they put it last.
1 1
mattcoley.bsky.social
Matt Coley @mattcoley.bsky.social · 16d
I love reading these articles and thinking "Yup, that's us on the job. We're part of the industrial inefficiency complex"

Artifactory set up but nobody uses it? 👍
CI jobs with zero caching? 👍
+ they can recursively spawn other jobs? 👍
+ they can trigger from simple "fix typo" commits? 👍
brianfox.bsky.social
Brian Fox @brianfox.bsky.social · 17d
Free isn’t free: the infrastructure behind open source has real costs, and it’s time we aligned usage with responsibility.

This morning we jointly launch a new blog and open letter on sustainable stewardship.

www.sonatype.com/blog/from-ab...
From Abuse to Alignment: Why We Need Sustainable Open Source Infrastructure
Open source relies on shared infrastructure. Learn why sustainable stewardship is critical to keep ecosystems like Maven Central strong.
www.sonatype.com
1 3
mattcoley.bsky.social
Matt Coley @mattcoley.bsky.social · Sep 8
Now Recaf 4X can inline return values of simple static methods (like a xor string decryption call in this case)
1
Reposted by Matt Coley
gargron.mastodon.social.ap.brid.gy
Eugen Rochko @gargron.mastodon.social.ap.brid.gy · Aug 26
"Sideloading" is the rentseeker word for "being able to run software of your choosing on a computing device you purchased". There is no reasonable case for an operating system developer having a say over what programs you run on your hardware.

#android #google
18 540 410
mattcoley.bsky.social
Matt Coley @mattcoley.bsky.social · Aug 20
Recaf's interactive deobfuscation window now lets you specify how many passes to run. For some obfuscation patterns that can't be one-shot in one linear pass (opaque control flow leading to more opaque control flow repeated N times) increasing the pass count to N+1 reduces it completely.
1 1
Reposted by Matt Coley
johanvos.bsky.social
Johan Vos @johanvos.bsky.social · Jul 28
JavaFX now has a Headless platform.
bugs.openjdk.org/browse/JDK-8... is now Resolved!
Pfew, that took me 1 year, 5 months and 29 days. Goodnight!
#JavaFX #Java
Loading...
bugs.openjdk.org
8 22
Reposted by Matt Coley
mikestabile.bsky.social
Mike Stabile @mikestabile.bsky.social · Jul 11
Australia's decision to require age/identity verification, including facial scans, in order to do a Google search is dystopian.

We're watching the death of an open, anonymous internet, and the gradual takeover of information online by the state — under the guise of protecting children.
Australia is quietly rolling out age checks for search engines like Google
Just as Australians are adjusting to the idea of having their ages checked for social media, age assurance rules are being applied to search engines and many other corners of the internet.
www.abc.net.au
37 660 1.2K
mattcoley.bsky.social
Matt Coley @mattcoley.bsky.social · Jul 5
And from my last 🧵 here's the sample that had attributes lying about their lengths being patched automatically (amongst many other tricks).
mattcoley.bsky.social
Matt Coley @mattcoley.bsky.social · Jul 5
Updates to how some of the transformers work has cleaned up the output on most obfuscated samples I have. Here's a demo on a Minecraft server plugin getting optimized back to almost perfectly legible source.
1 1
mattcoley.bsky.social
Matt Coley @mattcoley.bsky.social · Jul 3
Anyways, Recaf will soon support loading these classes so you don't have to go through any of this pain like I did.
The class file, being patched by CafeDude is not able to be loaded into Recaf
mattcoley.bsky.social
Matt Coley @mattcoley.bsky.social · Jul 3
The exact line in the Hotspot class file parser responsible for supporting this can be found here: github.com/openjdk/jdk/...

The code is so old it predates OpenJDK's git history. No, not moving to GitHub. Git. This code has been around since before they migrated to using VCS/Git. At least 18 y/o.
A screenshot of classfile/classFileParser.cpp - line 2394 This shows the parser ignoring discrepancies in a Code attribute's reported size when verification is disabled. Showing the git blame for this line shows that it belongs to the first commit in the project.
1 1
mattcoley.bsky.social
Matt Coley @mattcoley.bsky.social · Jul 3
Here's the reported length in the attribute vs a hex viewer annotated with the relevant locations showing the discrepancy.
The AttributeReader for a "Code" attribute shows its expected content length is 163 bytes A hex view of the class. A red rectangle shows where the Code attribute begins. An orange rectangle shows where the Code attribute reports it will end at (but is wrong). A blue rectangle shows where the Code attribute actually ends (26 bytes after the reported end). This discrepancy is supported because Hotspot's JVM source 'classfile/classFileParser.cpp' ignores the reported length for methods when launching Java with -noverify or -Xverify:none.
1
mattcoley.bsky.social
Matt Coley @mattcoley.bsky.social · Jul 3
The sample here reports the Code attribute has 163 bytes. But if you read the attribute fully (with spec complaint parsing) then you see that it actually is 189 bytes.

The trick here is for any Code attribute on a method, you shift your read buffer index to the actually red position.
1
mattcoley.bsky.social
Matt Coley @mattcoley.bsky.social · Jul 3
Honestly, fuck Hotspot sometimes. A method body can just *lie* about how long its data is. Obviously nobody who makes a class parser is going to be keen on this until they see it in the wild. Does the spec say anything about this? Of course not!
I spent the whole day wondering why my parser wasn't reading this class only for it to be a hotspot implementation "feature" of -noverify/-Xverify:none
1
Reposted by Matt Coley
mrphrazer.bsky.social
Tim Blazytko @mrphrazer.bsky.social · Jun 27
The slides from our @reconmtl.bsky.social talk, "Breaking Mixed Boolean-Arithmetic Obfuscation in Real-World Applications" (CC @nicolo.dev ), are now online!

Slides: synthesis.to/presentation...

Plugin: github.com/mrphrazer/ob...
5 12
mattcoley.bsky.social
Matt Coley @mattcoley.bsky.social · Jun 22
We're in the annoying/grift phase of AI hyped slop. You can toss something together, put it up on vercel, and paint the sleek "AI powered" marketing over the site, to make yourself a low-investment high return product. This "success" furthers the AI hyped slop bubble and encourages others to cash in
2
mattcoley.bsky.social
Matt Coley @mattcoley.bsky.social · Jun 22
And most often, people don't care either. A lot of people using AI for code-gen are making low-stakes applications. Nobody cares if there's a security hole in a personal program, or if its a bit slow. When your app is simple and doable with common tech stacks it can get a fair portion done for you.
1 1
Reposted by Matt Coley
johanvos.bsky.social
Johan Vos @johanvos.bsky.social · Jun 21
Getting tired of the "AI can generate code much faster than you" slogan. Most often, the problem is not generating code. The hard part is understanding the code. What is it doing, how and why? And is that what you expect it to do?
3 1 9
Reposted by Matt Coley
johanvos.bsky.social
Johan Vos @johanvos.bsky.social · Jun 5
Headless JavaFX platform passes almost all tests, with remaining failures being understood.
Time to bring this to the next step: mail.openjdk.org/pipermail/op...
99% success
3 5
mattcoley.bsky.social
Matt Coley @mattcoley.bsky.social · Jun 20
If something terrible pops out at YOU feel free to open an issue. I have some scattered TODO comments but mostly for things that don't immediately affect my use cases (and thus I am putting off fixing until later)
mattcoley.bsky.social
Matt Coley @mattcoley.bsky.social · Jun 20
github.com/Col-E/BentoFX I probably will make more drastic changes somewhere down the line, but everything that irked me with the prior implementations is solved. So until I stumble upon something else that bugs me...

Anyways, if nothing terrible pops out at me, I may call this 1.0.0
GitHub - Col-E/BentoFX: A docking system for JavaFX
A docking system for JavaFX. Contribute to Col-E/BentoFX development by creating an account on GitHub.
github.com
1
mattcoley.bsky.social
Matt Coley @mattcoley.bsky.social · Jun 20
Alright, I rewrote my #JavaFX docking framework, BentoFX, from scratch (again) after incorporating it into multiple projects and learning what the pain points were with the existing architecture.

Here's what Bento looks like in practice:
Bento is used in Recaf to create the regions seen in the application UI. On the left there is a file tree with a tab titled "Workspace". On the bottom there is a logging console with a tab titled "Logging". In the center of the app is the display holding multiple tabs for classes decompiled by Recaf. In the currently selected tab's content there are "side-tabs" which show additional information about the class, like the fields and methods declared and inheritance structure. A similar view to the prior image, except the workspace, logging, and tool tab displays have been collapsed to maximize real estate for the primary display holding decompiled classes.
1 1 3
mattcoley.bsky.social
Matt Coley @mattcoley.bsky.social · Jun 1
1
mattcoley.bsky.social
Matt Coley @mattcoley.bsky.social · May 29
Just do the entire JavaFX UI in a single Canvas that renders ImGUI 🥺
1