frontpage.
newsnewestaskshowjobs

Made with ♥ by @iamnishanth

Open Source @Github

fp.

Looking for 4 Autistic Co-Founders for AI Startup (Equity-Based)

1•au-ai-aisl•3m ago•0 comments

AI-native capabilities, a new API Catalog, and updated plans and pricing

https://blog.postman.com/new-capabilities-march-2026/
1•thunderbong•4m ago•0 comments

What changed in tech from 2010 to 2020?

https://www.tedsanders.com/what-changed-in-tech-from-2010-to-2020/
2•endorphine•9m ago•0 comments

From Human Ergonomics to Agent Ergonomics

https://wesmckinney.com/blog/agent-ergonomics/
1•Anon84•13m ago•0 comments

Advanced Inertial Reference Sphere

https://en.wikipedia.org/wiki/Advanced_Inertial_Reference_Sphere
1•cyanf•14m ago•0 comments

Toyota Developing a Console-Grade, Open-Source Game Engine with Flutter and Dart

https://www.phoronix.com/news/Fluorite-Toyota-Game-Engine
1•computer23•16m ago•0 comments

Typing for Love or Money: The Hidden Labor Behind Modern Literary Masterpieces

https://publicdomainreview.org/essay/typing-for-love-or-money/
1•prismatic•17m ago•0 comments

Show HN: A longitudinal health record built from fragmented medical data

https://myaether.live
1•takmak007•20m ago•0 comments

CoreWeave's $30B Bet on GPU Market Infrastructure

https://davefriedman.substack.com/p/coreweaves-30-billion-bet-on-gpu
1•gmays•31m ago•0 comments

Creating and Hosting a Static Website on Cloudflare for Free

https://benjaminsmallwood.com/blog/creating-and-hosting-a-static-website-on-cloudflare-for-free/
1•bensmallwood•37m ago•1 comments

"The Stanford scam proves America is becoming a nation of grifters"

https://www.thetimes.com/us/news-today/article/students-stanford-grifters-ivy-league-w2g5z768z
1•cwwc•41m ago•0 comments

Elon Musk on Space GPUs, AI, Optimus, and His Manufacturing Method

https://cheekypint.substack.com/p/elon-musk-on-space-gpus-ai-optimus
2•simonebrunozzi•50m ago•0 comments

X (Twitter) is back with a new X API Pay-Per-Use model

https://developer.x.com/
3•eeko_systems•57m ago•0 comments

Zlob.h 100% POSIX and glibc compatible globbing lib that is faste and better

https://github.com/dmtrKovalenko/zlob
3•neogoose•59m ago•1 comments

Show HN: Deterministic signal triangulation using a fixed .72% variance constant

https://github.com/mabrucker85-prog/Project_Lance_Core
2•mav5431•1h ago•1 comments

Scientists Discover Levitating Time Crystals You Can Hold, Defy Newton’s 3rd Law

https://phys.org/news/2026-02-scientists-levitating-crystals.html
3•sizzle•1h ago•0 comments

When Michelangelo Met Titian

https://www.wsj.com/arts-culture/books/michelangelo-titian-review-the-renaissances-odd-couple-e34...
1•keiferski•1h ago•0 comments

Solving NYT Pips with DLX

https://github.com/DonoG/NYTPips4Processing
1•impossiblecode•1h ago•1 comments

Baldur's Gate to be turned into TV series – without the game's developers

https://www.bbc.com/news/articles/c24g457y534o
2•vunderba•1h ago•0 comments

Interview with 'Just use a VPS' bro (OpenClaw version) [video]

https://www.youtube.com/watch?v=40SnEd1RWUU
2•dangtony98•1h ago•0 comments

EchoJEPA: Latent Predictive Foundation Model for Echocardiography

https://github.com/bowang-lab/EchoJEPA
1•euvin•1h ago•0 comments

Disablling Go Telemetry

https://go.dev/doc/telemetry
1•1vuio0pswjnm7•1h ago•0 comments

Effective Nihilism

https://www.effectivenihilism.org/
1•abetusk•1h ago•1 comments

The UK government didn't want you to see this report on ecosystem collapse

https://www.theguardian.com/commentisfree/2026/jan/27/uk-government-report-ecosystem-collapse-foi...
5•pabs3•1h ago•0 comments

No 10 blocks report on impact of rainforest collapse on food prices

https://www.thetimes.com/uk/environment/article/no-10-blocks-report-on-impact-of-rainforest-colla...
3•pabs3•1h ago•0 comments

Seedance 2.0 Is Coming

https://seedance-2.app/
1•Jenny249•1h ago•0 comments

Show HN: Fitspire – a simple 5-minute workout app for busy people (iOS)

https://apps.apple.com/us/app/fitspire-5-minute-workout/id6758784938
2•devavinoth12•1h ago•0 comments

Dexterous robotic hands: 2009 – 2014 – 2025

https://old.reddit.com/r/robotics/comments/1qp7z15/dexterous_robotic_hands_2009_2014_2025/
1•gmays•1h ago•0 comments

Interop 2025: A Year of Convergence

https://webkit.org/blog/17808/interop-2025-review/
1•ksec•1h ago•1 comments

JobArena – Human Intuition vs. Artificial Intelligence

https://www.jobarena.ai/
1•84634E1A607A•1h ago•0 comments
Open in hackernews

Show HN: I'm building a browser for reverse engineers

https://nullpt.rs/reverse-engineering-browser
348•nullpt_rs•4mo ago

Comments

tducret•4mo ago
Very interesting, thanks!

For the fingerprinting part, can you explain the difference with the JShelter browser extension (https://jshelter.org/)?

I checked as you did in your demo video with https://demo.fingerprint.com/playground (using JShelter in Firefox). It produces a fingerprint detector report, like so :

{

    "fpd_evaluation_statistics": [
        {
            "title": "Navigator.prototype.plugins",
            "type": "resource",
            "resource": "get",
            "group": "BrowserProperties",
            "weight": 0,
            "accesses": 0
        },
        {
            "title": "MediaDevices.prototype.enumerateDevices",
            "type": "resource",
            "resource": "call",
            "group": "BrowserProperties",
            "weight": 1,
            "accesses": 2
        },
        [...]
}

However, it appears there is no way to display what was actually produced by the browser.

Was this the reason you had to build your own browser? Or is it possible to extend JShelter to do the same?

nullpt_rs•4mo ago
Ooh nice, I haven’t seen this project! I actually tried attempting this as an extension at first but wasn’t able to override page window functions. I’m curious to know how they accomplished this. (edit: I see that I missed the chrome.scripting API facepalm)

Thank you for sharing :)

FWIW I still think a custom browser approach has some benefits (stealth and executing in out of process iframes. could be wrong on the second part, haven’t actually tested!)

leptons•4mo ago
Most of my job is reverse engineering a major website builder company's code so we can leverage their undocumented features. It's often a difficult job but your project could make it easier. I'm sure there are others out there that will find this useful.
codingcodingboy•3mo ago
Sounds interesting, what can you achieve?
tbrockman•4mo ago
Not to comment on the rest of article or the author's goals, but it's absolutely possible to use a content script (dynamically injected into the `main` world, as opposed to the default `isolated`, for example: https://github.com/tbrockman/browser-extension-for-opentelem...) and Proxy's (https://developer.mozilla.org/en-US/docs/Web/JavaScript/Refe...) to hook (most? if not all) Javascript being executed in the webpage transparently.

Which for some functionality would have been a bit more portable and involved less effort.

nullpt_rs•4mo ago
Thanks for sharing some examples! Someone shared a similar project in the other thread. I didn’t realize this at the time of writing haha.

FWIW I still think modifying the browser has some positives wrt stealth and hooking out of process frames (could be wrong on the second part, haven’t actually tested!)

Still good to know though will leave a note in the article :-)

tbrockman•4mo ago
Yeah, there's a pretty overwhelming amount of browser APIs and functionality which isn't always (well-)documented to learn about. If I recall correctly Proxies wouldn't be detectable (seems to be supported by https://exploringjs.com/es6/ch_proxies.html#sec_detect-proxi...) so long as your injected content script runs first (otherwise other code could presumably override the Proxy constructor). You should also be able to hook any embedded frames by setting `target: { ..., allFrames: true }`.
2bird3•4mo ago
To note, there are undocumented detections to even Proxys, for example using `in` operator in v8 (such as `proxiedFunc in 1` for some proxied function). Really cool to see a project like this.
webstrand•4mo ago
How do you use `in` in v8 to detect proxies? I assume its a difference in the exception, but the message and the cause were the same in both direct and proxied `x in 1`.
2bird3•4mo ago
Ah wow, good catch- yeah, you're right, this technique seems to be patched
Retr0id•4mo ago
I have a project (in my rather long project backlog) that involves hooking JS APIs to download youtube videos. I'm worried that if my extension (or a similar extension) gained enough popularity, youtube would start inspecting the relevant JS objects to see if they'd been replaced with proxy instances.

Aside from playing a hooking/patching game of cat and mouse, I don't think this is fully solvable without modifying the browser engine itself - then you can hook things in a way that's completely transparent to the JS in webpages.

nenxk•4mo ago
Was just about to comment this I’ve played that exact cat and mouse game before there’s also another fun way to hook I used to like by doing something like Object.defineProperty on Object.prototype to globally hook onto something and you can do lots of stuff with that it’s pretty useful in user scripts
coolelectronics•4mo ago
could be very useful for my work, nice to see
Matheus28•4mo ago
You can just use Proxy to get around toString shenanigans and prevent any detection whatsoever.
nullpt_rs•4mo ago
Someone mentioned this as well in another comment. Turns out most of this could’ve been done as an extension after all :-)

edit: actually, wouldn’t you still need to override the global you’d like to instrument? At that point, the toString of the modified function would leak your hook.

see: https://gist.github.com/voidstar0/179990efe918d1028b72f292cf...

Regardless, I do have some interesting ideas that should hopefully make my pain of compiling Chromium for 3 hours worth it though :p

Cheat Engine for site scripts? Who knows. Mostly just using this as an opportunity to learn some browser internals so id say it still paid off :)

coolelectronics•4mo ago
Your example proxies the console object, the intended way in this case is to make a proxy from the log function itself and use the apply hook

toString will be called on the Proxy and not your hook so it won't reveal anything

nullpt_rs•4mo ago
D'oh! You are correct :-) Good catch and thanks for teaching me something!
kachapopopow•4mo ago
no you cannot since you can throw an exception and your proxy will be leaked leading to a detection.
Matheus28•4mo ago
How are you gonna throw an error inside Array.prototype.push?
kachapopopow•4mo ago
https://abrahamjuliot.github.io/creepjs/tests/proxy.js
tylerlh•4mo ago
Very cool, thanks for sharing. I would love to see this show up as an OSS project. I know a few people who would likely enjoy being able to contribute if that's something you'd be looking for.
horseradish7k•4mo ago
feature request: allow setting breakpoints without having obfuscator debugger statement loops get in the way
nullpt_rs•4mo ago
I actually wrote a separate blog post about this! Changing the debugger keyword :) see: https://nullpt.rs/evading-anti-debugging-techniques
kundi•4mo ago
Interesting tool. Would love to contribute
codeulike•4mo ago
resworb nwo ym detnaw syawla ev'i dna reenigne esrever a m'I
dotancohen•4mo ago
This isn't rot13.

EDIT: Oh, it took me a minute!

egberts1•4mo ago
Abj vg vf.
dlcarrier•4mo ago
.ƨbɿɒwʞɔɒd ɘɿɒ ƨɿɘɟɟɘl ɿuoY
codeulike•4mo ago
noitcelfer diova ot yrt I edoc ym nI
NetOpWibby•4mo ago
This is neat but it also makes me uncomfortable to see just how much fingerprinting is done these days. TikTok is creepy but I'm sure they aren't the worst.
3abiton•4mo ago
This is such an eye opening, and really interesting. It reminded me of projects like XprivacyLua that "expose" the different calls and request from android apps. Great work!
paulhodge•4mo ago
Neat investigation but I didn’t totally follow how the project would be useful for reverse engineering, it seems like a project that would mostly be useful for evading bot checks like web scraping or AI automation.
userbinator•4mo ago
...and power users. This is a browser that acts in the interests of the user, something that the mainstream authoritarian technocracy is actively trying to destroy and has been ever since they removed "View Source" from its customary place.
MaxLeiter•4mo ago
"toString theory" is an incredible title for that section
kachapopopow•4mo ago
For anyone that doesn't want to maintain a fork of chromium, just download the PDB and hook it at runtime for spoofing and/or dumping call logs. For hook itself just add your dll as a dependency in the PE structure.
gpvos•4mo ago
That sounds like a Windows-only approach though.
kachapopopow•4mo ago
pdb's exist for all builds of google chrome.
gpvos•4mo ago
Interesting! No PE structures though, I suppose.
kachapopopow•4mo ago
PE is only used for loading the dll, same works on linux.
gpvos•3mo ago
I thought Linux uses ELF to load dlls.
kachapopopow•3mo ago
ELF and PE are functionally the same, instead of DLL's you load SharedObject as your injeciton method, but you don't need that at all since you can inject libraries in linux since it's a built-in feature.
Alifatisk•4mo ago
Love this blog, still waiting on part 2 of Reverse Engineering Tiktoks VM
sagistrauss•4mo ago
Nice work! Check out visible v8: https://github.com/wspr-ncsu/visiblev8 for inspiration on using the V8 debug logs.
whazor•4mo ago
I would love to be able to see IFrame and BroadcastChannel communication
bobajeff•4mo ago
I am amazed what you've accomplished here: adding your own custom CDP domain. Years ago I gave up on trying to hack Chromium (I wanted to learn how to add back Manifest Version 2 support before it got removed.).

Build times were way longer on my potato hardware. Since then I haven't touched much C++.

juros•4mo ago
It would be dangerous if this tool fell into the wrong hands.

Where's the wait list?

evertedsphere•4mo ago
In the past I've considered forking Chromium so every asset that it downloads (images, scripts, etc) is saved somewhere to produce a sort of "passive scraper".

This article made me consider creating a new CDP domain as a possible option, but tbf I haven't thought about this problem in ages so maybe there's something less stupid that I could do.

dunham•4mo ago
It's not quite the same, but in the past I've written (in python) scrapers that run off of the cache. E.g. it would extract recipes from web pages that I had visited. The script would run through the cache and run an appropriate scraper based on the url. I think I also looked for json-ld and microdata.

The down sides were that it only works with cached data, and I had to tweak it a couple of times because they changed the format of the cache keys.

debazel•4mo ago
Ha, I've had the exact same thought before as well, but due to lack of experience and time constraints I ended up using mitmproxy with a small Python script instead. It was slow and buggy, but it served it purpose...

While searching for a tool I found several others asking for something similar, so I'm sure there are quite a few who would be interested in the project if you ever do decide to pick it up.

fjfjf•3mo ago
skibbiddi bum bum
fjfjf•3mo ago
bum bum bum bum bum
fjfjf•3mo ago
skibbiddi
fjfjf•3mo ago
cunt
fjfjf•3mo ago
yo shut up
izzqz•3mo ago
For patching js methods its more reliable to use Proxy object https://developer.mozilla.org/en-US/docs/Web/JavaScript/Refe...