Hidden message into .WASM file

[luc4smoreira]

Godot version

3.5

System information

Mac Mini Apple M1, GLES2

Issue description

I exported a simple project to HTML5(Runnable) and I was analysing the results. The webassembly file with extension .wasm has about 14MB. Just for curiosity I decided to open the file with my text editor, I know it is a compiled file and I can´t read it this way. But at the end of the file I found a strange code with a kind of conspiracy text. Look at this part of the code:

> 
> Math.random()contemporary United Statescircumstances.appendChild(organizations<span class=""><img src="/distinguishedthousands of communicationclear"></div>investigationfavicon.ico" margin-right:based on the Massachusettstable border=internationalalso known aspronunciationbackground:#fpadding-left:For example, miscellaneous&lt;/math&gt;psychologicalin particularearch" type="form method="as opposed toSupreme Courtoccasionally Additionally,North Americapx;backgroundopportunitiesEntertainment.toLowerCase(manufacturingprofessional combined withFor instance,consisting of" maxlength="return false;consciousnessMediterraneanextraordinaryassassinationsubsequently button type="the number ofthe original comprehensiverefers to the</ul>
> </div>
> philosophicallocation.hrefwas publishedSan Francisco(function(){
> <div id="mainsophisticatedmathematical /head>
> <bodysuggests thatdocumentationconcentrationrelationshipsmay have been(for example,This article in some casesparts of the definition ofGreat Britain cellpadding=equivalent toplaceholder="; font-size: justificationbelieved thatsuffered fromattempted to leader of thecript" src="/(function() {are available
>   <link rel=" src='http://interested inconventional " alt="" /></are generallyhas also beenmost popular correspondingcredited withtyle="border:</a></span></.gif" width="<iframe src="table class="inline-block;according to together withapproximatelyparliamentarymore and moredisplay:none;traditionallypredominantly&nbsp;|&nbsp;&nbsp;</span> cellspacing=<input name="or" content="controversialproperty="og:/x-shockwave-demon

There is a big text with this strange content inside my .WASM file, not related to my "Hello World" project. So, I decided to look for some .WASM file on the internet. I went to itch.io and searched for Godot games. I donwloaded the WASM file from a random project made with godot and i found the same piece of code using my text editor.

I think there is a hidden feature with a very sensitive content. Is this a kind of joke or an easter egg?

Steps to reproduce

1. Start a simple project with Godot 3.5

2. Export it to HTML5(Runnable)

3. Open the folder with the exported files

4. select the file with extension .wasm (about 14MB) and open it with a text editor

5. Go to the file at the position about 90% check the text inside it.

Minimal reproduction project

N/A

[Calinou]

This text (or parts of it) is not present anywhere in the codebase, so it must be added by something else (perhaps Emscripten or Closure Compiler).

Can you see the message in https://gdscript-online.github.io/index.wasm? I've looked around in both Firefox and ImHex but can't find it. This is a project using a custom HTML5 export template for Godot 3.4.2 (as of writing).

You could try compiling an HTML5 export template from source and see if it's still present, even when building with target=debug and not using Closure Compiler.

Lastly, it's worth checking if you can still spot the text when using another PC on another Internet connection. A MITM attack could modify the content of the response, although this is harder to do when using HTTPS (but not impossible with certain antivirus programs effectively acting as a MITM on any connection).

[luc4smoreira]

Can you see the message in https://gdscript-online.github.io/index.wasm? I've looked around in both Firefox and ImHex but can't find it. This is a project using a custom HTML5 export template for Godot 3.4.2 (as of writing).

I tried to find some hidden message here " https://gdscript-online.github.io/index.wasm" but didn´t find anything

I also downloaded the WASM file from a random project, like this project here:

https://jontopielski.itch.io/feather-park

The URL for the file is here: https://v6p9d9t4.ssl.hwcdn.net/html/6581665/FeatherParkWeb/index.wasm

So, there is the same strange text.

We can check more projects here, https://itch.io/games/made-with-godot

I am wondering how to enable this message to popup inside the project, because it looks it is connect to some kind of HTML code.

[gotnospirit]

The text is in the export template zip, file godot.wasm

[Zireael07]

I did a GitHub search and it seems that brotli is at fault: https://github.com/search?l=JavaScript&q=mainsophisticatedmathematical&type=Code

All search results I scrolled through seem to be from 2021 and 2022.

[lyuma]

Looks like a compression dictionary to me. It's just seeding the compressor with common text, which probably includes conspiracy theories as well as random HTML elements :-p

Godot could build its own dictionary perhaps based on real world usage but then it wouldn't be compatible with standard implementations probably.

[Zireael07]

GitHub search would agree with you, as 99% of non-JS results ARE in file called dictionary.bin (again, from brotli)

[Calinou]

This appears to be from Brotli indeed, as the Brotli library was added for decoding WOFF2 fonts in Godot 3.5. Godot 3.4 only supported WOFF1, which is why it doesn't appear in the GDScript Online WASM.

Thanks @Zireael07 and @lyuma for resolving the mystery :slightly_smiling_face:

[luc4smoreira]

Now everything makes sense.

Here's a full dump of the contents of the Brotli dictionary:

Contents of the Brotli dictionary (JSON encoded)

Here is a discussion about this: https://news.ycombinator.com/item?id=27159506