Alleycat BBS

Welcome to the Alleycat BBS

Here you will find links to my programming projects and other stuff that I find interesting.
(This website is 100% hand-coded HTML.)

The latest version of the Kraker Local Proxy Server is finally here!

Installation Walkthrough 👀

News Archive (October 3, 2024)

Send your questions and feedback to my email: 8chananon@mail.com

My Software Projects at 8kun (anonymous forum)

Update - January 4, 2025

It's been a while since the last update. This website has been seeing very little traffic since the flurry of activity generated by the posting of my first web scraping article on Hacker News. That one damn article is still getting more views than the website itself or any of the follow-up articles. Where are all the smart developers and engineers? They can't see the value in what I am offering? Is there some sort of systemic resistance to anything new? Maybe. There is a lot of sunk cost in the traditional infrastructure and tools, such as Puppeteer and proxy servers like Fiddler (commercial product) and mitmproxy (open source). As long as such tools continue to serve their particular purpose (even if only partially), there is little interest in trying something new. Time will tell.

The cracks in the seams will only become more evident as websites get more aggressive about protecting their intellectual property. YouTube is the one to watch right now. They are trying to lock down the site so that there is no alternative to watching videos on YouTube's own platform. The Invidious platform has already been destroyed due to the banning of data center IP addresses. My own remote proxy server, hosted by Vercel and Amazon, is locked out. I patched it to route the requests through secondary proxies which are not banned. That no longer works because the video link is now tied to the IP address used to retrieve the metadata. The only way around that is to stream the video through the proxy but that is not possible with a free account (surely you don't think that I'm spending money on this).

This means that my YouTube player demos (yt-player.htm and yt-extract.htm) must now be considered "abandonware" since they rely on my remote proxy. YouTube is completely unusable without my local proxy server. A long time ago, when I first started working on Alleycat Player (which I originally called YouTube Player), I used Invidious for the video links. I eventually crafted my own code to access YouTube directly using the local proxy. That method still works despite YouTube's multiple attempts to lock everyone out. It will, mark my words, get harder and harder. Hopefully, I will be able to stay on top of it.

Some of you might be wondering what the heck is this Alleycat Player that I keep mentioning. It has been on vacation for over two years. It's time to bring it back. The new version will be modular as opposed to everything packed into a single file. This is necessary because things change, sometimes frequently. The modular format will make it much easier to patch the player whenever sites change their format. With support for over 50 video sites, as well as Internet TV, it is really the only tool like it. Stay tuned.

Alleycat Player also supports a number of pirate websites for those who want the latest movies and TV shows. Ironically, it is the pirates who are the most aggressive about locking down their (stolen) intellectual property. I stay away from the worst ones but it is getting tough. I'm seeing WASM (web assembly) being used by a few sources to encrypt the video links. Though these sources appear to be under the control of a single party, it is just a matter of time till we see more of this. As of now, cracking WASM is impractical but the tools will eventually become available. This is an arms race, after all. Strictly speaking, cracking WASM is not really necessary since there are ways to run the code in a controlled environment in order to extract the video link or, possibly, the decryption key.

I am also seeing more sites hiding behind Cloudflare's bot challenge. This can be bypassed though it adds an annoying extra step to the process. Fortunately, this is not widespread because Cloudflare has been under a lot of pressure from the copyright warriors (I'm still talking about the pirate sites here). Any site hiding behind Cloudflare runs the risk of exposure. Obfuscated Javascript is still a pain in the ass to reverse engineer (I don't have a magic solution) but I've been able to cut the time scale from a few days down to a matter of hours in most cases. The hardest cases (like the case with WASM) can be worked around using a controlled environment.

What is this "controlled environment"? It means modifying the Javascript and running the code in an iframe under a fake domain in order to trap the specific information of interest and transmitting that info via postMessage. I discussed this process in my second web scraping article. This works with Cloudflare and those sites with the nasty WASM. Ideally, this process would be transparent but that's not always possible, depending on what browser restrictions need to be bypassed. As I mentioned somewhere else, I'm fighting the web browser as much as I am fighting the website.

And, puhleeze try out my Kraker Local Proxy Server. It will be worth the time and effort. You need it though you may not realize it yet.

My (awesome) tool for reverse engineering websites: Kraker Mockery installation and instruction manual

Update - October 21, 2024

Part 4 of my series of articles on web scraping is now available. It discusses the problem with fetch and how to fix it.

Web Scraping with your Web Browser: Bad Dog

Part 1: Web Scraping with your Web Browser: Why Not?
Part 2: Web Scraping with your Web Browser: Bot Challenges
Part 3: Web Scraping with your Web Browser: Evil Code

The U.S. TV channels are back on the menu, boys! I had to drop them because the source started putting up a Cloudflare bot challenge. That's possible to bypass with the local proxy but not the remote proxy. The source has dropped Cloudflare or Cloudflare dropped them. I see from the IP address that they are in Ukraine. In Kyiv. Not exactly in the middle of a war zone but close. I suppose they are pretty safe from the copyright warriors there.

You can download the Free TV & Movies Playlist app from here and the playlist from here. You will also need the HLS player to play the videos. If you have Kraker installed then put the files in your Kraker folder. If you run the app from there then it will use the local proxy instead of the remote proxy. For those that don't have or don't want Kraker then click the link below to run it from this website.

Free TV & Movies Playlist -- go here for playlists organized by country

The app has a zoom feature and a brightness control (to compensate for HDR which looks dark and over-saturated when you don't have HDR support). You can select 360p, 480p or 720p. You can load a playlist or save a playlist. The app should be able to load any playlist that you find on the Internet. The playlist is saved with just the channel name and the URL. That is, it cleans up the list, removing the other garbage that makes the playlist very hard to manage in a text editor.

On startup, the app loads a default playlist. As protection from the psychotic copyright warriors, the playlist is encoded. The radio stations in the default playlist are mostly HTTP. If you run the app from this site (which is HTTPS), your browser will likely reject HTTP audio or video.

What can I do to get people to install the local proxy server? There's been a lot of turmoil lately because YouTube changed its code to frustrate tools like youtube-dl and their tactics seem to have had the desired impact. It's hard to tell because nobody's coming out and saying "Hey! We got this!". There's still much bellyaching about the 403 error and some complicated solutions have been devised but I don't know what the success rate is. Anyway, I have not been having any issues with YouTube since they last fiddled around with stuff on August 13.

So I've decided to combine the features of the Free TV & Movies Playlist with the YouTube Player to come up with a new and improved app which not only plays YouTube videos at the higher resolutions but also provides an interface for downloading via FFMPEG. None of this could possibly work without the local proxy server so it's kind of a killer app. The trick with the video playback is running a DASH player module to merge the separate audio and video tracks. For downloading, we need to get FFMPEG to download the files through the proxy server and merge them into a single file that is directly playable in the web browser or an external video player.

Once you have the Kraker proxy server installed, download the following files to your Kraker folder:

this file	yt-download.htm	the YouTube Downloader app
this file	_blank_dash_mpd.txt	template for DASH mpd file
this file	_blank_live_mpd.txt	same as above but for livestreams
this file	dash_player.js	the DASH player module

Run the app and give it a YouTube video ID or full URL to play. Press the "Download" button to get a list of the formats available for download. Click on one of the options and the app will construct a command line that looks like this:

ffmpeg -i http://localhost:8080/!720p.mp4 -i http://localhost:8080/!audio.mp4 -c:a copy -c:v copy vid-720(sGdWkl9M_TY).mp4

All you have to do is open a console where you have FFMPEG installed and paste the command line. The operation will go as fast as YouTube allows since the download speed can sometimes be throttled. I've noticed that YouTube occassionally gives bad metadata which will prevent the video from playing or downloading. Just try again. For downloading, you must re-select your option to refresh the video links in the proxy server.

Update - September 2, 2024 - This is a killer app if ever there was one. Kraker Mockery is now available. This is a tool for website analysis. It uses the Kraker proxy server and a small secondary server along with a browser app to monitor the activity on a website and optionally save the content. It is fast and responsive, unlike some other tools that I've seen (which will go unnamed). This is a superior replacement for the browser's developer tools, especially since some websites block the devtools using the "debugger" command and other more devious tricks. You don't have to keep the web page open in order to inspect it. Run the page, gather the data, close the page and study the results (even the DOM can be preserved). This is excellent for sites which would otherwise consume a lot of your CPU and memory for nothing.

The biggest advantage is that, unlike other tools, Mockery allows you to open tabs in the browser to see the results. No squinting to try to grok what's there. You can also keep multiple tabs open for reference. Maximum visibility and accessibility is key to getting work done.

This tool is what I use to hack pirate websites, some of which have some pretty evil Javascript obfuscation. What's the trick for working through the obfuscation? Get this tool and find out. The manual has everything to get you going.

Kraker Mockery installation and instruction manual

Kraker Local Proxy Server basic features:😺

configurable DNS manager with support for DNS-over-HTTPS
ability to route specific domains over a Socks5 or HTTP proxy
use Tor, I2P and normal Internet with the same web browser
ability to pin the SSL certificate for sensitive domains
observe and modify HTTP requests and responses

You might get the idea that the purpose of the proxy server is to support your web browser. That's true. It is also for developers. The last feature listed above supports the analysis and reverse engineering of complex websites in order to scrape data from them. I use a special tool that I call Kraker Mockery which works with the proxy server and the web browser to help me figure out how to scrape a site to get video links. Alleycat Player can then use the proxy server to bypass browser restrictions to find and play the videos.

Some additional features:

access to the local file system
websocket for global messaging
cryptographic support for RSA and AES
ability to mimic websites to fool the browser

That last item can be especially useful to bypass security measures meant to block bots (like the Cloudflare bot fight mode). You can steal cookies. You can hijack code from a website and run it in your own app. The sky is the limit.

If you have used man-in-the-middle (MITM) proxies like Fiddler, Charles or HTTP Toolkit then I have to tell you that Kraker is not the same. Kraker is meant to be always online and it only intercepts HTTP requests on demand. It is not a tool that you only run as needed. You need it all of the time.

Kraker has a very small memory footprint. It is 15 to 25 megabytes, depending on usage patterns. It runs under Node.js and, as far as I can tell, it is bulletproof (crossing fingers, kek).

The Internet is getting tougher and more user-unfriendly😾

As we've seen with YouTube's crackdown on ad blockers (the reason for the existence of my YouTube demo player), website operators are getting more desperate for revenue and they are also looking for ways to lock you in. The unfortunate thing is that the "security features" written into our web browsers are being used against us. Maybe that was always the intent though I'm sure that the developers who work hard to maintain the code bases we all depend on are innocent of this. Historically, developers have always been liberty-minded and they would be offended by the idea that they are the unwitting pawns of "The Man" whom they have always fought against. Yeah, I'm giving them the benefit of the doubt but, at the same time, I'm sure that many of them behave exactly like tyrants when the shoe is on their foot. For example, the push for every site to be HTTPS has these same "liberty-minded" developers acting like gate-keepers who look down on anyone who prefers to just use HTTP. What kind of neanderthal uses HTTP? Are you not concerned for the safety of your users? Ah, the old "safety" excuse. It's for the kids, right? The truth is that HTTPS is unnecessary for most websites and it is another tool in the toolbox of those who would limit free speech.

The primitive state of copyright laws in an age of unlimited access to information is another sore point. The gate-keepers would love for you to pay for every word you read but it is difficult to contain information which wants to be free. Nevertheless, they keep trying and they will do anything to make you dependent on them. Paywalls are just one small part of that. Now, I don't begrudge people for wanting to get paid for their work. I respect paywalls and I would never consider hacking into a server to steal someone's property. However, I do begrudge attempts to leverage my own machinery against me.

I use a web browser to gain access to information and I despise those who would use its built-in software features as a bludgeon to keep me away from information that wants to be free. Put up a paywall if you like. However, if your business model requires you to shove ads in my face or to steal processing cycles from my CPU, then you are an enemy. It is difficult for most people to comprehend the many ways that web browsers actually work against them because somebody running a website wants to make sure that they stay inside the curated garden and not wander afield. A very simple example is copying an image or some text which can be blocked by the browser in response to a server setting or some CSS or whatever. I'm sure you've seen this sort of trick from time to time. Using the developer toolbox can sometimes work but there are nastier tricks that can prevent even that.

My position is this: if I can see it or hear it in my web browser then I should be able to copy it or download it. I allow some slack for the likes of Netflix because they're not pretending to offer "free access" to anything. They demand my money up front and I respect that. YouTube does not get the same respect. If it plays in my browser without money changing hands then I'm the one in control, not YouTube. They can scream about "copyright theft" all they like. If they don't want me to share then they shouldn't be allowed to share either. Keep your crap in a vault somewhere but don't expect me to be nice when you offer "free access" and then bitch about me taking that literally.

Some readers might note a smidgeon of hypocrisy when I say that I respect paywalls but, at the same time, I help myself to movies and TV shows from websites which are clearly guilty of copyright theft since the material is not normally available without paying. I won't argue the point. I'm a hypocrite but I like free stuff. The irony is that some of these pirate websites are even more stingy with their "free access" than YouTube. It's a battle and a half sometimes to liberate material which was stolen in the first place. There's plenty of room for hypocrites on the copyright bandwagon.

My mission is simple. It is to liberate that which is supposedly "free" but is being kept not free by virtue of the features that are present in the web browser. If I want to watch a video on my own equipment under my own terms and conditions then I ought to be able to do that. If it means "breaking" the web browser to liberate the material then I will create the tools to do that. I'm not in any position to modify and compile the browser code. That would be too large of a task. I have to somehow work both outside of and within the browser. This is the point of building a proxy server which I can run on my own system and which will conform to my own needs. The proxy server acts as an intermediary between the website which wants to block my access and the browser which needs to be told to shut up and let me go about my business.

Then all I have to do is write some HTML and some Javascript to tell the browser to go get what I want from where I want without any bullshit. That's it in a nutshell. I invite you to follow me on my journey. Liberate your browser from the tyranny of the Internet.

A brief history of the Alleycat BBS🐈

The name comes from an old project I started in 1981 called "Alleycat BBS". This is of nostalgic value to me.

The Alleycat BBS (Bulletin Board System) has disappeared into the fog of history. Nothing can be found about it in any archive. It was small with just 200 to 300 users. The computer which hosted it was also small. It was an Ohio Scientific Superboard with 8K of memory (later upgraded), a one-Mhz 6502 CPU and a 300-baud modem with a home-made phone pickup device. The code was written with a home-brew OS and a very basic machine code assembler. The service ran for three years and enjoyed a solid reputation. The name "Alleycat" was fondly regarded and, no doubt, persists in the minds of its former users. It seems only fitting to bring the name back to life.

The term "Bulletin Board System" has fallen out of favour over the years. While the boards of today are certainly more sophisticated than the boards from the 1980's, there is little difference in terms of the intended function. Posting messages and replying to messages is a tradition that goes back to the stone age of computers.

Links to my other Internet sites:

My board on 8kun (also called "Alleycat BBS"). My repositories: Internet Archive - GitHub

Due to some sort of mishap at Internet Archive, my username has changed from 8chanAnon to 8chanAnon2. My account was deleted and I had to recreate it. I asked whether my original username could be restored and I got a terse negative response. Awesome customer service. Not a finger lifted to resolve their own screw-up. Also, some time ago, my Europa item got hit with a login requirement when the view count reached 5000. Not a good look.

View counter is provided by HITS.