Hacker News new | past | comments | ask | show | jobs | submit login
Breakout implemented in JavaScript in a PDF (rawgit.com)
174 points by luu 7 months ago | hide | past | web | favorite | 56 comments

"... custom Adobe JavaScript API has an absolutely gigantic surface area. Scripts can supposedly do things like make arbitrary database connections, detect attached monitors, import external resources, and manipulate 3D objects."

This is horrifying. Why would you ever want to cover this functionality in a read-only document format specification...

This is exactly the reason why in the standardized versions of PDF, PDF/A and the like, Javascript is banned.

Did Adobe not learn from Flash?

From the repository -

"Granted, most PDF readers (besides Adobe Reader) don't implement most of this stuff. But Chrome does implement JavaScript! If you open a PDF file like this one in Chrome, it will run the scripts."


Doesn't work in Firefox for me. Try in Chrome if this is all you see on the first page.

  Move your mouse down here!
  also, README below...

Given that the Firefox PDF reader is implemented in js already, does this not create at least one order of recursion?

Ooh, so can it do this:

Read in browser: "Party agrees to pay twenty dollars for blues lessons."

Printed version: "Party agrees to pay HIS ETERNAL SOUL to learn to play the blues HAHAHA"

Yes. Absolutely. In fact, you can probably do that without Javascript since PDF supports CSS.

WHY though?

Why what?

Why would PDF support CSS? It's a printing format; your PDF is defined over fixed-size pages. There isn't supposed to be any dynamic layout. You make it the way you want it to look, and then that's what it looks like.

> Why would PDF support CSS? It's a printing format

No, it's not. I mean, print fidelity is where it excels, but that's not all it does. PDF Reflow, for instance, is a designed-in feature.

I could do this in PostScript. In the document, or in a PostScript font.

I am thinking about the difference when rendered ("distilled") into PDF. Hmm. I should test this...

This is why Robert Johnson should have stayed away from Adobe formats in his contract negotiations.

The repository for this seems to indicate this only works in Chrome and a few other PDF readers[0]. Perhaps the title should be updated to reflect this.

0. https://github.com/osnr/horrifying-pdf-experiments

Is there any decent alternative standard to PDF that can express the small subset of PDF that normal people care about and expect, and isn’t capable of all this insecure dynamic junk?

PDF/A, the PDF-based ISO standard for document archival.

Hopefully the new DARPA program would have something to say about that https://www.darpa.mil/news-events/2018-08-09


I've just been in this place before

In PoC||GTFO [1], there are a lot of playful file tricks where a PDF is a ZIP file, or an ecrypted volume is a PDF file, etc... I bought the Bible-looking softcovers (Vol. 1 and 2) from No Starch press at B&N, but the PDFs are available online if you want to check them out. Lots of fun! It reminds me of the late 80s reading 2600 magazine in some ways.

  [1]  https://www.alchemistowl.org/pocorgtfo/

In PoC||GTFO you have about 10 of those >D

I wish I could remember where I read this line, but it's lost on me. "We want to hire someone who rewrote Quake to render it's graphics in ASCII, just for the fun of it." (I'm sure I mangled the quote, too.)

I love this, it's hacking for hacking's sake.

aaquake, with aalib. It existed, but it squinted your eyes. Aatv on higher terminal resolutions was almost usable, but once fbtv worked no one cared about that. Ditto with mplayer with fbdev output.

It works in chrome because they bought the source for the foxit pdf toolkit which does support it.

but out of all of the weird stuff in the pdf spec (which is terrible) javascript has got to be the worst.

What, you don't want arbitrary javascript payloads executing on that important legal contract with all your personal details on it? Look, I'm sure whatever underpaid secretary found that contract on the internet definitely audited any and all JS on it.

hours of fun for sure.

even the attempts at restricting stuff to make a saner version (PDF/a) eventually devolve into allowing all the crud back in.

Why is the PDF spec so massive?! It would not surprise me if 99.99% of PDF use cases could be covered by 10% of that document or maybe even less...

It's no different from Microsoft Word. 90% of Word's use could be fulfilled by WordPad. I would expect that fewer than 10% of users use 90% of Word's functionality.

Same with the web, some of the rare usecases are important.

The history of Breakout is worth knowing, Steve Wozniak built the game. It was not his concept but by doing the actual hard work of implementing the game in a reduced chipset he 'made' the game and thrashed out some of the finer points of gameplay.

Atari sought him out for this as Steve Wozniak had made a viable version of Pong by reducing the chip count. Although he did a splendid job of getting the chip count minimised for Breakout this design was not good for production so Atari did their own board design but the game played the same, as per Steve Wozniak's version:


I wonder if the Steve Wozniak version has better gameplay than this JS in PDF hack?

Either way it is in the same spirit, the point of Breakout is more about optimising the game to available resources - 'hacking' - than playing the game.

The story I've heard is that it was Steve Jobs that was working for Atari, and he "subcontracted" the work of reducing the chip count to something affordable to his pal Woz, and pocketed 90% of the bonus for accomplishing it.

This is witchcraft... I feel like it is security hole too.... :(

Witchcraft would be if it played after you print the PDF. This is just software. :)

(Though probably it probably is a security hole)

Maybe doable with the right kind of 3D printer?

You need to print it on epaper, hurr~

Funny I just got tasked with updated a PDF form and using JavaScript to validate it.

I have the acrobat/JavaScript API Ref open right now. [0]

[0]https://www.adobe.com/content/dam/acom/en/devnet/acrobat/pdf... for those interested.

My condolences. Having read through part of the PDF spec, I genuinely pity anyone that has to deal with that clusterfuck.

It is really not bad, attitude is important, though.

apart from all the bits where the spec isn't detailed enough and the only way to work out what to do is to look at how acrobat handles it.

Regarding the game itself: since the reflection angle is strictly determined, instead of varying with the place of reflection, the ball path seems to be is fully determined by the initial position and angle of the ball launch (aside from a paddle miss, of course). Specifically, a situation is possible where you bounce the ball in a cyclic path that doesn't strike the last block(s).

Since we're on the topic of PDFs, what tools or libraries do people use for inspecting and modifying em? I have a large collection of PDFs from which I want to extract all the data in order to put it up online and make their information more accessible, but maneuvering the ecosystem has been just a huge headache.

I've used doc2txt to OCR some old book scans, works really well in my experience.


I have some experience in this field. Typically I try to convert it to as many formats as possible and let the search engines take their pick. What is your PDF data about? Feel free to PM.

Even more fun: As I recall (I could be wrong here), there are two different versions of SpiderMonkey in Adobe Reader: the one used here and a version for XFA [1].

[1]: https://en.wikipedia.org/wiki/XFA

I can consistently get the page to crash by quickly scrolling halfway down the first page so that the playing area is just offscreen. Interesting and hard to debug (no console errors). Anyone else able to reproduce? I'm on latest Chrome on OSX 10.13

Nice feat. It broke my browser's (vivaldi) pdf viewer though, I had to restart it to view any other pdf again. Not sure how this happened...

I have made some pretty decent JS PDF apps with Acrobat 7 and a SOAP backend.

Can you share an example? I have never found a way to get a PDF to call back to a server (in a non-exploit PDF)

This article is decent.


Basically, the backend is a SOAP server and the PDF is the client.

So, xml and wsdl, no json.


Great write up though. Appreciated.

Excellent write-up. And when I was done I had -67 lives :-)

Better than NaN or Undefined :)

It seems that 40 is the highest possible score...

First let me point out that i am amazed by the PDF/JS thing.

What grinds my gears is that the game is broken. Lives go negative, boundary check only checks for zero.. such stuff.

Horrifying! Nice job...

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact