UlyssesWu / D2Evil

Managed waifu model parsing libs.

Open source MOC3 to CMO3 converter? #6

Status: Closed (Ronsor closed 1 year ago)

Ronsor commented 1 year ago

While you had said you were not likely to release the code, and Live2D had stirred a bit of drama a few years ago, at this point both MOC3 and CMO3 formats have been publicly documented with at least one working parser for each. I do not think there would be much trouble now.

UlyssesWu commented 1 year ago

I'm afraid I never said I'd open source this piece of code. The moc3 code was open-sourced from the beginning but the cmo3 code is not. Considering the time and effort I have spent on that (much more than moc3) it's not an easy decision for me to open-source that for now.

If you want to prove you can do some real original work (better than "a deeply flawed and potentially unfixable piece of software") other than that unsuccessful "CVE", go ahead and make an open-source one by yourself. However, it's obvious that your "100% legal, FOSS reimplementation of Cubism Core" won't be able to clone cmo3 implementation because with basic inspection of cmo3 you'd have realized it's just a simple serialization of Java objects, while your OpenL2D - if it's not a simple clone of inochi - was not written in Java but D (just like inochi).

And I think you already know you don't have to clone cmo3 if you really want to make your L2D system. You can make your own project format (if it's not .inx), as long as you can compile the project file to a moc3 file. I have no idea why you'd be interested in moc3 to cmo3. Try finding another "CVE"? You won't need this, either.

Ronsor commented 1 year ago

Fair enough. I have had a peek at the main.xml and noticed the Java objects, although they shouldn't be a significant hurdle. As an example, being serialized Python objects, there are JS parsers for Python's pickle format. Up until now I had only focused on the MOC3 loading, and not CMO3.

I'm honestly more interested in converting CMO3 (and possibly exported MOC3 files) to a more sane project format I'm in the process of defining.

Also, the OpenL2D code is completely original, not copied from Inochi. It's also very incomplete; I sort of want to start over now that I understand the formats better.

UlyssesWu commented 1 year ago

> the OpenL2D code is completely original, not copied from Inochi. It's also very incomplete; I sort of want to start over now that I understand the formats better.

That's right, since the "OpenL2D" is ONLY some model format code till now, no one would expect to see such code in Inochi. It's nice timing for you to start over, since if you continue with that code you may have to start copying from Inochi. No? Then tell me a convincing reason why you chose D - a language you never committed before. You already know that a JVM language will be much easier to handle moc3 or cmo3.


> almost certainly possible to execute arbitrary code --- 2023-03-03

> bad actors could easily take advantage of these vulnerabilities in order to deploy spyware on unsuspecting users’ computers --- 2023-03-03

> You should support free, open alternatives to Live2D’s software --- 2023-03-03

(Yeah, like something with a few lines of original parsing code?)

> As of now, I have not found a way ... however, code execution may still be possible --- 2023-03-06

(wow, isn't it easily? Have you found a way after another 5 months?)

> they shouldn't be a significant hurdle --- 2023-08-21

Trash Talk is cheap, show me the result. Even a baby can crack a toy, that doesn't mean he/she can make a better one.

LunaTheFoxgirl commented 4 months ago

Just want to chime in and say that I'd prefer if you don't use Inochi2D to try to roast or demotivate people from pursuing projects. @UlyssesWu

I don't personally have any interest in Live2D or implementing that format, but demotivating people before they even get something off the ground is imho bad form.

UlyssesWu commented 4 months ago

@LunaTheFoxgirl I checked my words, I believe I didn't say any bad words about Inochi2D. I just mentioned it, because he mentioned it in his "report".

Ronsor's "CVE" was drawing everyone's attention in the past, even the L2D officials had to release a patch to "fix" it. Just because of his words like "almost certainly possible to execute arbitrary code". But is it real? He couldn't prove it to be actually exploitable till now - even after this discussion. If he cannot prove it, he was just using a fake "CVE" trying to get famous. That's why I, and perhaps others like https://github.com/OpenL2D/moc3ingbird/issues/2 , feel unhappy. And that's why I don't believe he would actually create a "100% legal, FOSS reimplementation of Cubism Core", because he had made a gimmick before and never actually achieved it, and now he is making another one.

If you don't like my words, I'd suggest you should read his words before mine. For example this: "a deeply flawed and potentially unfixable piece of software". Keep in mind that in this article he also mentioned Inochi2D. Should I say, I'd prefer if he didn't use Inochi2D to try to roast or demotivate the L2D devs from pursuing projects? 🤣

LunaTheFoxgirl commented 4 months ago

I very much agree that the CVE was both silly in its presentation, functionality and the way Ronsor "disclosed" it was inappropriate.

OTOH, you can be nicer about that.

UlyssesWu commented 4 months ago

Why should I "be nicer" while he never admits about the fact of his "CVE" and that "report" with so many exaggerated descriptions is still there without corrections, misleading more people every day? When you ask me to "be nice" to someone who posts fake CVEs, isn't it unfair for real security researchers? I would "be nice" for honest mistakes. But never for a gimmick. Don't be sanctimonious. For justice!

v1ckxy commented 1 month ago

So after all of this noise and fuss, nobody released a decompiler. A lot of talk, one complaining about security but nothing shown, the company in a typical jway crying "please don't decompile our format mimimi it's all ours" -as any kind of law outside Japan will protect that- and, after all this time... that's all folks

In the end, nobody moved a finger.

funny and ironic in equal parts, tbh.