this post was submitted on 17 Sep 2023
51 points (89.2% liked)

[–] [email protected] 30 points 1 year ago* (last edited 1 year ago) (2 children)

So much website JavaScript these days is just poor design, tracking, and bloat.

[–] [email protected] 7 points 1 year ago (1 children)

And it will get worse with WASM. At least now we can see the entirety of the code and even patch it if required, and WASM might make that way harder.

[–] [email protected] 10 points 1 year ago* (last edited 1 year ago) (2 children)

I'd argue that having a sandbox that can run binaries with a limited and customizable feature set is actually a good thing for the web. I think there are more technically competent solutions, but the fact that WASM is available on virtually every machine and OS makes it pretty powerful.

If implemented right WASM might speed up our web apps, keep the browser sandbox that is actually quite nice, and run on pretty much any machine. If they open sourced the code, that'd be even better.

Between minified js and WASM, I think I'd take WASM (I can't understand minified js anyway). Between a pure html site and WASM, I think I'd take the pure html site (but I don't think we will be living in that world anytime soon).

[–] [email protected] 3 points 1 year ago (2 children)

The difference between minified JS and WASM is that you can un-minify one with relatively good results, whereas decompiling WASM is similar to decompiling normal binaries - pretty hard to read. This means that even experienced users can't really understand or change WASM binaries.

[–] [email protected] 3 points 1 year ago (1 children)

Hmm, I guess I just haven't spent enough time trying to parse unminified JS.

I still would think though, if the code is simple enough to understand when you unminify the js, equivalent code should be similarly simple to understand if it's wasm passed through IDA.

[–] [email protected] 3 points 1 year ago* (last edited 1 year ago) (1 children)

You lose way more information during compilation than you do during minification. This makes reversing the latter much easier than the former.

Remember that JS is much, much higher level than WASM is. Each language will have its own special behaviours and constructs when compiled to WASM, so reversing an algorithm can look completely different depending on the source language and environment.

[–] [email protected] 2 points 1 year ago

Ya, okay that is understandable.

To be honest I have never tried a wasm reversing challenge. I may need to give it a shot.

[–] [email protected] 3 points 1 year ago (1 children)

For WASM you can probably use tools like ghidra to decompile and read.

Minified JS is not a lot better than raw ASM; single-letter names and crazy optimisation patterns will make your life hell. Patching both I think is out of the question, maybe just inject some new JS that interacts with the DOM.

Did a bit of reverse engineering on binaries in my life, and also spent too much time reading the youtube minified js. Both are hard as hell.

[–] [email protected] 3 points 1 year ago* (last edited 1 year ago)

> For WASM you can probably use tools like ghidra to decompile and read.

Sure, as I said it's similar to decompiling normal binaries, which is hard to read (even when you're used to it).

> Minified JS is not a lot better than raw ASM; single-letter names and crazy optimisation patterns will make your life hell. Patching both I think is out of the question, maybe just inject some new JS that interacts with the DOM.

I'm not talking about reading minified JS. I'm saying: un-minifying JS gets you a way more readable result than decompiling native binaries does. I've done both more than often enough to know this difference well.

I've written mods and patches for dozens of minified sites, and it's never been too hard. I've written mods and patches for native applications, and it's waaaay harder - even just finding free space in the binary where you can inject your code and jump to/from is annoying, let alone actually writing your changes in ASM. All of this is immediately solved even with minified JS.

[–] [email protected] 2 points 1 year ago (2 children)

The problem with sandboxes is that there isn't a perfect prison. Eventually, ways will be found to break out of it, and there will be bad actors that will take advantage of such.

[–] [email protected] 2 points 1 year ago

I completely agree.

However, I still would rather have all the websites I visit pass through my browser's API than be making straight syscalls.

I think it's not perfect security but a good line of defense.

[–] [email protected] 2 points 1 year ago

I'll grant that COM, ActiveX, and Adobe/Shockwave Flash turned out to be security nightmares.

But maybe it'll be fine this time... /s

It's technically possible that widespread use of hallucination-prone AI code-assist is the quality control tool that was missing in the several previous attempts...

[–] [email protected] 10 points 1 year ago (1 children)
[–] [email protected] 8 points 1 year ago

33% down, 100% to go you mean?

[–] [email protected] 8 points 1 year ago

TL;DR, from what I can tell: Dropbox was using a JS bundler that didn't support code-splitting or tree-shaking (y'know, the staples of modern JS bundling) and swapped to one that does. Not that there aren't plenty of sub-optimal components in code I work on, at home and at work, but there's nothing revolutionary going on here.

[–] [email protected] 1 points 1 year ago

I did this in like 2017 on my first React app. Thought this would be standard practice by now...