Caravaggio, San GerolamoBoth the Java Evil Popups and the more recent SQL Injection Toy posts have been followed by kind requests to see the code.

Furthermore, I routinely receive inquiries about the source code of my most known Firefox extensions (NoScript and FlashGot), sometimes from people graciously accusing me of infringing the GPL which covers both.

I believe the time has come to make them all happy, but...


True hackers won't read further, because the info above is more than enough to obtain all the mentioned source code in a few seconds ;)

Java Evil Popups

As you may recall, there were two demos, one based on LiveConnect, working with Gecko and Opera, and another using a cross-browser
The former doesn't require me to publish any source code, because it's all inside a


It can be easily examined using the View|Source command built-in in every web browser.
The latter may require a little more effort, i.e. using a Java decompiler. A popular choice is JAD, but most of them should work just fine because the


Applet has been compiled targeting the rather old JVM 1.3 and omitting any optimization/obfuscation.
At any rate, for the laziest here's the deal:

  1. import java.awt.*;
  2. import java.awt.event.*;
  3. public class FullScreen extends java.applet.Applet {
  4. private Label l;
  5. private Window w;
  6. private boolean running;
  7. private int clicks;
  8. private String[] messages = new String[] {
  9. "Scary, uh?",
  10. "So you want me to go away...",
  11. "You know I don't have to, but...",
  12. "I'll be nice, just click me one more time :)"
  13. };
  16. public synchronized void start() {
  17. w = new Window(new Frame());
  18. l = new Label("PWND");
  19. l.setFont(new Font("Serif", Font.BOLD, 120));
  20. l.setAlignment(l.CENTER);
  21. l.setForeground(Color.white);
  23. l.addMouseListener(new MouseAdapter() {
  24. public void mouseClicked(MouseEvent me) {
  25. clicked();
  26. }
  27. });
  28. l.setCursor(Cursor.getPredefinedCursor(Cursor.HAND_CURSOR));
  30. w.setBackground(;
  31. w.setLayout(new BorderLayout());
  32. w.add(l, BorderLayout.CENTER);
  34. Dimension ss = Toolkit.getDefaultToolkit().getScreenSize();
  35. w.setBounds(0, -128, ss.width, ss.height + 256);
  37. w.setVisible(true);
  39. running = true;
  40. new Thread() {
  41. public void run() {
  42. while(isRunning()) {
  43. try {
  44. EventQueue.invokeAndWait(toFront);
  45. sleep(10);
  46. } catch(Exception ex) {
  47. ex.printStackTrace();
  48. return;
  49. }
  50. }
  51. }
  52. }.start();
  54. try {
  55. w.setAlwaysOnTop(true);
  56. } catch(Throwable t) {
  57. // it was just an attempt, we know this should be forbidden to Applets
  58. }
  59. }
  61. private Runnable toFront = new Runnable() {
  62. public void run() {
  63. w.toFront();
  64. }
  65. };
  67. private synchronized boolean isRunning() {
  68. return running;
  69. }
  71. private synchronized void clicked() {
  72. if(clicks >= messages.length) {
  73. running = false;
  74. w.dispose();
  75. return;
  76. }
  77. if(clicks == 1) {
  78. l.setFont(new Font("Serif", Font.BOLD, 40));
  79. }
  80. l.setText(messages[clicks++]);
  81. }
  82. }

Quite ordinary and rather boring, isn't it? As Hanna Arendt wrote about a much more serious tragedy, the banality of evil...


If you actually opened the SQL Injection Toy page once, you already have all the source code in the cache of your web browser.
As one of the prominent features may hint ("no data sent to servers"), there's no server-side trickery going on.
Actually, all the logic is pure and simple JavaScript. So, again, just use your browser (View|Source) -- if you're the extra-lazy type, also something like this -- and you're set.
It's worth noticing that the most interesting and general-purpose (in the hacking realm) features -- such as fragment-based bookmark persistence, referrer-less navigation or GET-to-POST transcoding -- have been captured in a reusable library: hackademix.js.

NoScript and FlashGot

Ever bothered to install any Firefox add-on?
You may have noticed that most of them come packaged in nice tiny files whose name ends with "


Those are nothing more than ZIP archives. They may (and usually do, like in our case) contain all the source code.
Just download the packages (NoScript here and Flashgot here), rename them changing their extension into "


", then use any compatible utility (such as GNU unzip or the Windows XP built-in compressed folder support) to unpack them and analyze their content.
Readers who are not into Mozilla development may find amusing how NoScript, the merciless JavaScript killer, is almost entirely written in... uh... JavaScript?!

3 Responses to “Hey Dude, Where's Your Code?”

  1. #1 » Pure Java™, Pure Evil™ Popups says:

    [...] Applet based, works in any browser — (source code here) [...]

  2. #2 Java Hunter says:

    Hey Dude,

    It's a really wonderful applet example.
    Need some more examples.

    Good Luck

  3. #3 Adam says:

    FireFox...'the safest browser' ... just got RAPED by this

    good job (Y)

Bad Behavior has blocked 926 access attempts in the last 7 days.