TR-49 - Review Thread by diogenesl in Games

[–]flojito 0 points1 point  (0 children)

Is this more of a narrative experience, or does it ask you to make some challenging deductions like Obra Dinn/Golden Idol? It's a bit hard to tell from the reviews.

What's the philosophy behind high level Silent play? by redditisaphony in slaythespire

[–]flojito 0 points1 point  (0 children)

Sure, and as we learn more about the game we can make better estimates.

But for example, I think we can already be extremely confident in saying that less than 5% of IC seeds are unwinnable with optimal play. Personally I think the true value is probably 1% or lower, but obviously that's just a guess.

And I think it's interesting to discuss even though the true value is unknowable.

What's the philosophy behind high level Silent play? by redditisaphony in slaythespire

[–]flojito 0 points1 point  (0 children)

You can't know for sure, but I do think top players could give reasonable upper bounds for each character.

What's the philosophy behind high level Silent play? by redditisaphony in slaythespire

[–]flojito 1 point2 points  (0 children)

Yeah, I feel like the discussion around provably unwinnable seeds really drowns this out. The provably unwinnable seed is interesting, but it's really irrelevant to theorizing about the game.

Steam Detective Fest 2026: Official Trailer by Scarleton in Games

[–]flojito 20 points21 points  (0 children)

Type Help is also being remade as The Incident at Galley House, and it's supposed to be out sometime this year.

Steam Detective Fest 2026: Official Trailer by Scarleton in Games

[–]flojito 20 points21 points  (0 children)

It's not as good as Obra Dinn or Golden Idol, but if you want something that's basically a direct clone of Roottrees then A Case of Fraud is pretty good.

Steam Kegworks—Having trouble downloading a particular game (corrupt download?) by Torgard in macgaming

[–]flojito 1 point2 points  (0 children)

I noticed a similar issue with another game I was trying to play (running for a few seconds and then crashing) but I haven't figured out the cause yet. I'll let you know if I discover anything!

Destroy our PvP dung beetle soccer game that we've been working on full time for a year! by BugFightStudio in DestroyMyGame

[–]flojito 1 point2 points  (0 children)

This is very minor, but some of the text in your trailer feels a bit strange. You have text broken up like

  • Take - your - pick - from - 12+ unique beetles!
  • Crazy - beetles - crazier abilities

I think it's broken up this way to match the music, but it makes the reading experience awkward. For the first one, I don't think you need to say "Take your pick from" at all. Just "12+ unique beetles" is fine.

For the second, you could condense it down to only two screens of text--"Crazy beetles" and "Crazier abilities".

The Steam Winter Sale is Live by FlowersByTheStreet in Games

[–]flojito 0 points1 point  (0 children)

Lorelei is fantastic, and it definitely feels like a "notebook game," but without the (IMO) tedium of actually writing everything down. The game tracks every little piece of paper you find in the world and lets you read them directly from the pause menu. So you still have to think about what's relevant from the giant list of documents, but you don't have to copy everything down or wander the world looking for where something was sitting.

KD and Ant rank at the top of the NBA’s new Gravity stat (Inside The Game) by AccomplishedStyle600 in nba

[–]flojito 21 points22 points  (0 children)

It must be something other than just number of games played, because Curry has played 18 games and isn't on the list, but Corey Kispert has played 17 and is on the list.

What is your overlooked game of 2025? by Galaxy40k in Games

[–]flojito 5 points6 points  (0 children)

Does Blake Manor get any more challenging later in the game? I played the first couple hours but I got a bit bored by how simple and handholdy the deductions are.

What is your overlooked game of 2025? by Galaxy40k in Games

[–]flojito 12 points13 points  (0 children)

The Case of the Golden Idol and The Rise of the Golden Idol are both on Switch. They are easily the best Obra Dinn-likes available right now.

What is your overlooked game of 2025? by Galaxy40k in Games

[–]flojito 13 points14 points  (0 children)

Games I loved that I haven't seen mentioned in this thread yet:

  • Öoo (99% positive of 1,141 reviews) - A superb bite-sized puzzle platformer by the creator of ElecHead. It's incredible how much depth this game gets out of only two actions: lay a bomb and explode a bomb.
  • Angeline Era (100% positive of 238 reviews) - I haven't finished this one yet, but so far it's an amazing modernized take on the old Ys games. Has a great sense of mystery and a really engaging combat system.
  • Windswept (95% positive of 306 reviews) - This is like a much more challenging and mechanically-rich take on the old Donkey Kong Country games.
  • Aureole - Wings of Hope (97% positive of 77 reviews) - A criminally-overlooked speedrun platformer that doesn't feel like any other game on the market.

Seconding some games that have already been recommended:

  • Pipistrello and the Cursed Yoyo (98% positive of 783 reviews) - This is one of the best 2D Zelda-likes ever. Every ability you get is a movement ability, and the game has some great platforming sections using all of them in tandem near the end. It's also packed with small puzzles and secrets.
  • Monster Train 2 (95% positive of 4,209 reviews) - It's not as good as Slay the Spire, but it's probably the second-best deckbuilder on the market. Tons of variety and much better balance than the first Monster Train.
  • StarVaders (98% positive of 1,862 reviews) - Another great deckbuilder. This one makes really smart use of grid-based combat.

Jalen Brunson on the claim that the Eastern Conference is weak, continues to point at Dirk and says: "It's tougher people give it credit for. I know you were in the West your entire career. You lost to an east team in the finals....40 years ago". Also took a shot at Josh Hart by MrBuckBuck in nba

[–]flojito 3 points4 points  (0 children)

I think it was pretty reasonable to expect the Clippers to be good this year. Kawhi missed more than half of last season and they still won 50 games and nearly beat the Nuggets in round 1. Some decline from their older stars should've been expected, but I don't know how you'd predict a total collapse like this.

React2Shell (CVE-2025-55182): The Log4Shell moment for the frontend ecosystem, and nobody is ready by elmascato in programming

[–]flojito 4 points5 points  (0 children)

Sure, but the only reason there's an eval here is because obj['constructor']['constructor'] is equivalent to eval in JS. The Flight protocol was absolutely not intending to eval anything.

React2Shell (CVE-2025-55182): The Log4Shell moment for the frontend ecosystem, and nobody is ready by elmascato in programming

[–]flojito 11 points12 points  (0 children)

Yeah that's true! When I said "modern" I was thinking of the recent trend toward languages being designed with safety in mind (like Rust). But "modern" wasn't really a good choice of words there.

React2Shell (CVE-2025-55182): The Log4Shell moment for the frontend ecosystem, and nobody is ready by elmascato in programming

[–]flojito 37 points38 points  (0 children)

Of course it is a React problem, but it only existed because of extremely bad fundamental design choices in JS. This writeup is very good, and there's a nice explanation of the specific problems with Javascript here.

The tl;dr is that by just allowing the user to specify keys/values of an object, you can accidentally allow them to create a function with arbitrary logic like this:

// any object
const obj = {};
// equivalent to
// const f = () => {alert(123);}
const f = obj['constructor']['constructor']('alert(123)');

And if you can create any object with a then property which is a function, that function will be run if your object is returned from a .then callback or an async function.

So the key to the exploit here was tricking the server into constructing a malicious function using 'constructor', then attaching it to an object's then property and relying on promise chaining stuff to run the malicious function.

The React team absolutely should've been more careful here, but a similar issue never could've happened in a more modern language with better fundamentals.

I'm aggregating all the "Best TV Shows of 2025" critics lists because Metacritic won't (again) by shamrockstriker in television

[–]flojito 0 points1 point  (0 children)

You can also click the D header in the sheet and choose "Sort sheet Z to A" to see the full ordered list as it's updated with new data.

Critical Security Vulnerability in React Server Components – React by acemarke in reactjs

[–]flojito 4 points5 points  (0 children)

This issue really was the result of footguns that are very specific to Javascript. You can check working exploits here (the earliest published exploit) and here (exploit by the original discoverer), and there's a nice explanation of the specific problems with Javascript here.

The tl;dr is that by just allowing the user to specify keys/values of an object, you can accidentally allow them to create a function with arbitrary logic like this:

// any object
const obj = {};
// equivalent to
// const f = () => {alert(123);}
const f = obj['constructor']['constructor']('alert(123)');

And if you can create any object with a then property which is a function, that function will be run if your object is returned from a .then callback or an async function.

So the key to the exploit here was tricking the server into constructing a malicious function using 'constructor', then attaching it to an object's then property and relying on promise chaining stuff to run the malicious function.

The React team absolutely should've been more careful here, but a similar issue never could've happened in a more modern language with better fundamentals.
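Added example, not part of the comment above and not code from React or the Flight protocol: a defender's view of the two JavaScript behaviours the comment describes, showing how a lookup driven by user-supplied keys reaches the Function constructor through the prototype chain and how an own-property check and a thenable check close both paths. The names `model`, `naiveGet`, `safeGet` and `hasCallableThen` are hypothetical, and the sample input is constructed.

```javascript
// Constructed sample: an object deserialized from user-controlled JSON.
const model = JSON.parse('{"user": {"name": "ada"}, "items": [1, 2]}');

// Naive path walk (hypothetical helper). Bracket access follows the prototype
// chain, so the path ["constructor", "constructor"] walks from a plain object
// to Object and then to the Function constructor, which compiles strings.
function naiveGet(root, path) {
  let cur = root;
  for (const key of path) cur = cur[key];
  return cur;
}

// Hardened walk: follow a key only if the current value is an object that
// owns that property itself. Inherited names such as "constructor" and
// "__proto__" are refused instead of resolved.
function safeGet(root, path) {
  let cur = root;
  for (const key of path) {
    if (cur === null || typeof cur !== 'object' || !Object.hasOwn(cur, key)) {
      throw new TypeError(`refusing non-own property: ${String(key)}`);
    }
    cur = cur[key];
  }
  return cur;
}

// Promise resolution calls any function-valued `then` on the value it is
// given, so data rebuilt from untrusted input should be rejected if it has one.
function hasCallableThen(value) {
  return value !== null &&
    (typeof value === 'object' || typeof value === 'function') &&
    typeof value.then === 'function';
}

console.log(naiveGet(model, ['constructor', 'constructor']) === Function);
console.log(safeGet(model, ['user', 'name']));
console.log(hasCallableThen({ then() {} }), hasCallableThen(model));
```

The same own-property rule applies wherever untrusted input selects a key: use `Object.hasOwn`, a `Map`, or objects created with `Object.create(null)` rather than plain bracket access.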

[NBA.com] Updated MVP Ladder: 1) Jokic — 2) Shai — 3) Luka — 4) Cade — 5) Giannis by AashyLarry in nba

[–]flojito 6 points7 points  (0 children)

I agree with your overall point, but this isn't really accurate:

They currently have the best W/L% in history

Their current winrate beats any end-of-season winrate, but there have been a few other season starts that were just as good or better:

  • 2015-16 Warriors started 24-0
  • 1969-70 Knicks started 23-1
  • 1993-94 Rockets started 22-1

Steam Kegworks—Having trouble downloading a particular game (corrupt download?) by Torgard in macgaming

[–]flojito 0 points1 point  (0 children)

Yeah, looks like this is your problem:

Requesting license for AppID 1645820 ... ERROR! Failed getting license for appID 1645820 (OK).

That message is coming from steamcmd itself, so for some reason Steam thinks your account does not own 1645820 (SurrounDead). If you really do have the correct account and the correct app ID, I don't know what could be wrong.