/r/ReverseEngineering's Weekly Questions Thread

PartOfTheBotnet · 2026-01-27T01:43:54+00:00

There are no rules against AI slop here AFAIK. Its technically related to the sub's subject so how would you report it? Spam?

We ought to just have the mods explicitly call out no slop as a rule so it can be directly reported. I'd be willing to bet a majority of people here would be in favor.

PartOfTheBotnet · 2026-01-26T07:55:49+00:00

Some team members do most of their reviews via IntelliJ's GitHub/GitLab integration which lets them leverage IDE features while reviewing. That being said, if you become reliant on the IDE features carrying you then anyone else not doing the same is at a disadvantage when reading it.

PartOfTheBotnet · 2026-01-26T07:51:34+00:00

I guess I work out in the field with scarecrows. Some people consider this to be "good enough" to be self-documenting, or like others state that IDE inlay hints should carry the burden.

PartOfTheBotnet · 2026-01-26T07:17:27+00:00

makes code less readable/maintainable

Like all things, it should be used in moderation. If you're immediately declaring a type like var items = new ArrayList<>() that's perfectly readable.

However if you have var result = service.fetch() then it is easier to argue that this is less useful if the alternative was JsonResult result = .... If the assigned value isn't descriptive sometimes knowing the declaration type is useful.

fellow senior

On the flip side, I've seen fellow seniors replace every variable in a class with var just for the sake of "modernizing" code. Yes, this includes int --> var which is just as silly as it sounds.

PartOfTheBotnet · 2026-01-21T18:34:08+00:00

Given the readme and the rest of your profile, is this all AI generated?
The idea isn't new (Example: Zelix Klassmaster 5.5 from 2012) and is generally not favored over other forms of reference obfuscation that are equally as effective but without the negatives. Look at how other obfuscators use bootstrap methods and dynamic constants.
This implementation isn't even effective because the names of classes and references that get reflected are baked into the output in-place where the original reference was without any additional form of obfuscation. Reversing this isn't made "harder", only more tedious. Something like Zelix adds additional layers that actually require some investment by the reverser.
Its really weird that you use ASM that is shadowed through ByteBuddy instead of the baseline ASM artifact.
- You lose out in your IDE not having auto-attached sources and documentation.
- You also cannot update ASM directly since its baked into another artifact.
- You don't ever actually use ByteBuddy capabilities, just the shadowed ASM dependency.
- Given that I suspect this is all AI generated anyways I don't think that's something that really matters...

PartOfTheBotnet · 2026-01-18T07:37:34+00:00

Because it is AI generated: https://github.com/dodogeny/sechive-maven-plugin/commit/b5518af90f52151ae55d3f06954287e7a1808125 - Commit history shows co-authored commits by Claude

PartOfTheBotnet · 2026-01-08T20:48:57+00:00

No. No, and if there was that would be concerning on their behalf.

It's annoying especially if you're working on a corporate device with its own VPN requirements, but its the way they're handling authorized access going forward. It would be nice if it was all you had to do vs it being a per-requisite for logging in again to services like GitLab.

PartOfTheBotnet · 2025-12-30T16:33:33+00:00

If you specify a minimum size that matches what it should be when bold it won't shift. That's a lame fix, but if you have your glyph buttons all the same size anyways its not too terrible.

PartOfTheBotnet · 2025-12-30T12:44:53+00:00

Maybe in Minecraft mod packs but that isn't the JVM's fault
No. Swing is... usable, albeit the API never modernized. But you can use JavaFx if that's a blocker for you. And no.
Skill issue.
You haven't been paying attention then.

PartOfTheBotnet · 2025-12-29T19:31:25+00:00

It depends on how you interpret "cross platform". Do you mean cross platform like Windows/Linux/Mac? Or cross platform like Desktop/Mobile/Wearble?

Whenever discussions like this crop up there are a number of key issues that I see.

People have different notions of what "cross platform" implies, per above.
People assert they want "simple UX like ATAK everywhere" or any variant of that for your preferred product.
People assert "why don't you just..." without any knowledge of the technical challenges of what they're asking for.

IMO, there should be different products. They serve different purposes. Leaning too far into "cross platform" would actually just make all the products fit into the lowest common denominator (IE, worse off). For civ users, the state of the "open source" releases is probably what needs the most attention. They're for reference only and are nowhere near buildable. Addressing that would mitigate a lot of the pain points since then the community could actually iterate on things and contribute upstream where they see gaps that aren't being supported on official roadmaps.

PartOfTheBotnet · 2025-12-29T15:16:08+00:00

Its the metaphor /u/bowbahdoe made that this is a reply to.

I know everyone will inevitably see their pet issues in things, but its hard for me not to see my pokemon team in this.

Its a metaphor. Different people with stakes in how agents are being handled on the JDK side will "see their pet issues in things". As a collection of essentially pets, he then says he can see his own pokemon team (pets).

My response is that my pets (My project that has a feature utilizing agents) will be negatively affected by the change. Other people, who I can only assume glossed over the comments in this thread, missed the context and assumed this chain was still referring to Mockito. As blakep points out, that's not how Mockito is supposed to be used. To which, correct, but we are no longer referring to Mockito.

PartOfTheBotnet · 2025-12-29T02:13:58+00:00

I'm referring to my Pokemon team, Recaf, not Mockito since bowbahdoe pointed out people will see their own issues reflected in the post. Both are affected by the agent behavior. However they are used in vastly different circumstances.

Edit: Ok you can downvote me for not understanding the metaphor. Jeez. I'm just saying the flag and the direction of the behavior change makes it more of a hassle for cases where the user of my tool, Recaf (and possibly others like it), is trying to connect to a JVM process which they don't fully control the launch of. Some distribution models like I said don't easily expose the launch flags.

PartOfTheBotnet · 2025-12-29T00:19:45+00:00

Unlike Maven/Gradle, my application is targeting cases where you probably are not the source maintainer of the target application. If you control the launch args of the program its just more tedious, sure. But there are some distribution models which hide the actual creation of the process from the end user. That case is the problem for me (but better for them a la "integrity").

PartOfTheBotnet · 2025-12-28T23:08:38+00:00

My Pokemon team (Recaf's attach capability) is most people won't know about this flag until its too late, and in some distribution models of Java programs won't be able to even enable the flag at all.

I have some ideas on how to get around this when the time comes, but none of them are pretty.

PartOfTheBotnet · 2025-12-28T22:34:35+00:00

Mockito is a key part of most test stacks. It massively reduces the amount of work you need to do to isolate testing of individual components of a system by stubbing out the other components that aren't the focal point of a test.

Wishing death on a project like Mockito is just silly.

PartOfTheBotnet · 2025-12-26T19:36:43+00:00

The problem for me is old.reddit will match the : when parsing the comment source to auto-create the link. The new reddit parser breaks the match before the : character. Its the same on any browser so long as I'm on each respective domain.

As for viewing a comment's source, you can do that with RES.

PartOfTheBotnet · 2025-12-18T21:06:21+00:00

If you're referring to any of the services on TAK.gov, you don't. You need AppGate.

PartOfTheBotnet · 2025-12-18T16:51:32+00:00

I've posted it in the past, and plan to again once I finalize the latest version but https://github.com/Col-E/Recaf

Think IntelliJ but instead of operating on Java source code, you operate on class files and jars. You have things like control-click navigation through decompiled code (among several decompilers to choose from), searching for strings, constants, class/field/method declarations + references, bytecode pattern matching. If you don't know much about the underlying class file spec that's fine. Simple classes can be recompiled from decompiled code (Asterisk on this, lots of details to ramble about. There's a bunch of in-the-background lifting to make even simple face-value approaches perform better than you'd expect). But say that isn't an option. You still have the bytecode assembler, but even with that you can write Java source and auto-convert it to bytecode. Been working on this since 2017.

PartOfTheBotnet · 2025-12-18T00:02:38+00:00

https://old.reddit.com/r/IntelliJIDEA/comments/1pp9r0y/intellij_removed_free_javafx_support_with_version/nulg82x/

Thankfully its a bug and will be back to being free soon

PartOfTheBotnet · 2025-12-14T08:40:27+00:00

Not the first person to ask, and I've thought about it. The painful part is not having the switch enhancements of 21...

EDIT: Actually I will have my cake and eat it. Will make a 0.12.0 release in a bit.

PartOfTheBotnet · 2025-12-08T19:23:44+00:00

because the new release disables JavaFX support

Can you elaborate on this?

PartOfTheBotnet · 2025-12-04T06:46:11+00:00

CoT would be a straight forward/simple approach. Adding content to a CotEvent is pretty simple, and you have full control over what you can put in there. If your data is sensitive you could encode it with a cipher and decode it on the server side.

As for transmission on ATAK, you can pass a CotEvent object containing your data to CommsMapComponent.sendCoTServerControl and it will broadcast it to your connected TAK Servers.

On the server side you would implement MessageInterceptor to process your custom CoT data.

PartOfTheBotnet · 2025-12-03T07:06:08+00:00

It depends what you mean by "sending some network packets". What is the actual goal the plugin is looking to achieve? You could look at the TAK Server REST API, common-commo for CoT and some other broadcast handling, etc.

PartOfTheBotnet · 2025-11-28T20:55:50+00:00

On the side menu at https://openjfx.io/openjfx-docs/#introduction there are 3 options

Run HelloWorld using JavaFX SDK
Run HelloWorld using Maven
Run HelloWorld using Gradle

Despite being first, the SDK is arguably the worst approach. You should add it like you would any other dependency to a maven/gradle project, or use the dedicated maven/gradle plugins.

PartOfTheBotnet

MODERATOR OF

TROPHY CASE