Most active commenters
  • kuberwastaken(12)
  • iainmerrick(3)
  • myfonj(3)
  • Blikkentrekker(3)

←back to thread

Show HN: I made a Doom-like game fit inside a QR code

(github.com)
531 points kuberwastaken | 34 comments | 18 Apr 25 16:40 UTC | HN request time: 0.206s | source | bottom

I sometimes pick up random projects just because I can, this was one of those times. I made it as a week long project a while back this year but never shared here, so thought to go for it haha.

I created a game inspired by Doom and the backrooms called The Backdooms under 2.4kb in minified html. (for reference, this entire post would be around 1.8kB haha) I had to use a not popular way of using GZip with Zlib headers (had to write my own script for compressing it, also in the repo) to eventually convert it a size 40 QR code that works right in your browser using Decompressionstream API.

This is of course a very oversimplified description of it, using a lot of the same technologies that DOOM had but combining it with infinite seed based map generation in 2.4kb (QR codes can only store 3kb, which includes changing formats) was pretty hard.

Here are some links about it if you want to nerd out and read more:

Repository Link (MIT License): https://github.com/Kuberwastaken/backdooms

A Hosted (slightly improved) version of The Backdooms: https://kuberwastaken.github.io/backdooms/

Game Trailer: https://www.youtube.com/shorts/QWPr10cAuGc

My Linkedin post about it: https://www.linkedin.com/feed/update/urn:li:activity:7295667...

(PS: You'd need something like https://qrscanner.org/ or something that can scan bigger QR codes and put the text data onto your browser to play it)

My Blogs documenting the process and development in detail:

https://kuberwastaken.github.io/blog/Projects/How-I-Managed-... https://kuberwastaken.github.io/blog/Projects/How-I-Managed-...

1. giarc ◴[18 Apr 25 17:19 UTC] No.43730024[source]
I scanned on an iPhone using native QR code scanner and it says "no usable data found".
replies(3): >>43730090 #>>43730091 #>>43730638 #
2. kuberwastaken ◴[18 Apr 25 17:26 UTC] No.43730090[source]
Hey thanks for checking it out! You'd need something like https://qrscanner.org/ because most phones suck at scanning larger QR codes.

Also, it won't work on your phone, can't put in that compatibility with size restraints, sadly.

replies(2): >>43730228 #>>43731224 #
3. pudquick ◴[18 Apr 25 17:26 UTC] No.43730091[source]
data: URI URLs aren't supported in it, it has nothing to do with the size / length of the QR code

For example, this self-contained webpage: <html><body>Hi!</body></html>

encoded is: data:text/html;base64,PGh0bWw+PGJvZHk+SGkhPC9ib2R5PjwvaHRtbD4=

If you paste that into a browser, it will render "Hi!". Very short and easy.

But if you encode is as a QR code, it won't work in this situation.

replies(2): >>43730160 #>>43731124 #
4. kuberwastaken ◴[18 Apr 25 17:34 UTC] No.43730160[source]
I think it's broken for safari but works on chromium based browsers on mobile too. The QR code basically holds the URI URL itself.
replies(1): >>43730217 #
5. pudquick ◴[18 Apr 25 17:40 UTC] No.43730217{3}[source]
I'm saying the primary gateway most iOS users are using for loading a QR code - the camera app - will not present a transition to load your URL in this situation

Whether the resulting HTML game is playable in Safari is a different discussion.

The QR code, as generated, is effectively "not clickable" for most iOS users, unless they are using something other than the most common way to read QR codes on their phone like a 3rd party QR code reading app or similar.

replies(1): >>43730379 #
6. iainmerrick ◴[18 Apr 25 17:41 UTC] No.43730228[source]
You mean the game doesn't work on mobile at all?

What kind of device do you use to scan the QR code, then?

replies(3): >>43730407 #>>43730484 #>>43731327 #
7. kuberwastaken ◴[18 Apr 25 17:56 UTC] No.43730379{4}[source]
That I agree, yes haha
8. lelandbatey ◴[18 Apr 25 17:58 UTC] No.43730407{3}[source]
You do not need to scan a QR code via a physical camera in your hand directly; any general purpose computer can run a QR code parsing program which accepts arbitrary images as input. It's so easy to do that there exist web pages which implement said QR code scanning in JS. Thus, the parent poster has recommended that you save the QR code .png file to your disk and then use such a piece of software, such as the website they linked, to extract the data encoded in that QR code.

That is how you can use nearly any general-purpose computer to scan a QR code.

replies(2): >>43730493 #>>43732524 #
9. kuberwastaken ◴[18 Apr 25 18:09 UTC] No.43730484{3}[source]
Nope it doesn't, you can use any QR code scanner that takes image input! I would've loved to include smartphone controls but that would take a LOT of extra bandwidth.
10. kuberwastaken ◴[18 Apr 25 18:10 UTC] No.43730493{4}[source]
Indeed! Thank you for explaining this in a way better way :)
11. Jerry2 ◴[18 Apr 25 18:27 UTC] No.43730638[source]
I'm kinda relieved that it doesn't work on an iPhone. I often scan codes posted around to save the time typing URLs and running arbitrary code by just scanning a QR code freaks me out.
replies(4): >>43731023 #>>43731499 #>>43731599 #>>43734840 #
12. kuberwastaken ◴[18 Apr 25 19:09 UTC] No.43731023[source]
Ironically, I actually wrote a blog about how casually we do this and how dangerous it's become lol https://kuberwastaken.github.io/blog/Technology/QR-Codes-and...
replies(2): >>43731130 #>>43734646 #
13. myfonj ◴[18 Apr 25 19:23 UTC] No.43731124[source]
You don't even need the base64 encoding for dataURIs: just throw the text payload after mime-type and a comma:

    data:text/html,<!doctype html><title>Hi!</title><p>Hello.
This is also a valid self-contained HTML document. You have to add `;charset=utf-8`, if you need to go beyond ASCII, and for some browsers watch for URI-encoding of some syntactically significant characters (like `#` and `%`, `?`).

Base64 is indeed good to be "safe" and/or somewhat 'conceal' the payload, but it also makes it larger by 1/3 (every three bytes of input become four characters of the base64 output). So taking the risk some devices would not like raw "ASCII dataURI", the QR of the backrooms QR could shave off 738 bytes.

BTW, this is my "HTML sandbox" for testing stuff in a browsers that I summon daily through keyword bookmark to test simple stuff:

    data:text/html;charset=utf-8;verbatim,<!doctype html><html style="color-scheme:dark light"><title>HTML sandbox 2.0.6</title><meta name=viewport content=width=device-width,initial-scale=1><body style=margin:0;display:flex;height:100vh onload="OT=(DC=document).title,H=(L=location).hash.slice(1)||'',RX=/(^data:.+?(;verbatim)?,)?([^]*)/,A.value=H.match(RX)[2]?H:decodeURIComponent(H)||A.value;T=W=0;E=RegExp('^'+(D='data:text/html;charset=utf-8,'));F=()=>{if(W!=(V=A.value))W=V,M=V.match(RX),I.src=M[2]?V:(M[1]||D)+encodeURIComponent(M[3]),DC.title=NT=((TM=V.match(/<title\b[^]*?\x3E([^]*?)<\/title\b/m))&&(NT=TM[1])&&(NT=NT.trim())&&(DC.title=NT+' @ '+OT))||OT};F()"><textarea autocapitalize=off style=resize:horizontal;width:50vw autofocus id=A onkeyup=clearTimeout(T);T=setTimeout(F,400) onblur=try{history.pushState({},NT,'\u0023'+(S=I.src.replace(E,'')))}catch(e){L.hash=S}><!doctype html><html lang="en" style="color-scheme: dark light;">%0A<meta name="viewport" content="width=device-width, initial-scale=1">%0A<title>%0A%0A</title>%0A<style>%0A%0A</style>%0A<body>%0A%s%0A<script>%0A%0A</script>%0A</textarea><iframe style=border:0;flex-grow:1;width:0 id=I>
replies(2): >>43733002 #>>43737222 #
14. ◴[18 Apr 25 19:23 UTC] No.43731130{3}[source]
15. ascorbic ◴[18 Apr 25 19:36 UTC] No.43731224[source]
fwiw, it works fine with the Pixel's built-in QR code scanner. It recognises it as text, not a URL, but it can copy to clipboard and then pasting in the browser works. Obviously I then die immediately because none of the controls work, but you can't have everything.
replies(1): >>43731360 #
16. kuberwastaken ◴[18 Apr 25 19:52 UTC] No.43731327{3}[source]
Hey just wanted to update, I Managed to add kind of some mobile touch support here, so if you get an alternate chromium based browser, you can put in the URI to play on mobile too!
replies(1): >>43732494 #
17. kuberwastaken ◴[18 Apr 25 19:56 UTC] No.43731360{3}[source]
Hey just wanted to update, crazy timing but I Managed to add kind of some mobile touch support here because of a recent PR to FURTHER optimize it (crazy), so you can actually play it now if you figure out the controls lol
18. Blikkentrekker ◴[18 Apr 25 20:15 UTC] No.43731499[source]
It runs inside a web browser though. This is no different from visiting an arbitrary link and running whatever arbitrary code in the Javascript sandbox of that link and one already knows a q.r. code an take one to an arbitrary link.
replies(2): >>43731886 #>>43734818 #
19. recursive ◴[18 Apr 25 20:28 UTC] No.43731599[source]
Wait until you hear about javascript on web sites.
20. dylan604 ◴[18 Apr 25 21:08 UTC] No.43731886{3}[source]
This QR code does. But what about a QR using similar designed by someone less honorable? With QR codes, you have no idea what will happen until you scan it. At that point, it could be too late
replies(1): >>43734810 #
21. iainmerrick ◴[18 Apr 25 22:41 UTC] No.43732494{4}[source]
Nice one!
22. iainmerrick ◴[18 Apr 25 22:45 UTC] No.43732524{4}[source]
Or... use a URL.

I'm sure the number of people who've ever scanned a QR code on a desktop computer is more than zero, but not much more.

replies(1): >>43732566 #
23. kuberwastaken ◴[18 Apr 25 22:50 UTC] No.43732566{5}[source]
I think I myself brought that number into early triple digits, but I do also have a hosted version if you're interested!

The reason for doing this project isn't practicality, it's because I can

24. reaperducer ◴[19 Apr 25 00:07 UTC] No.43733002{3}[source]
I think I'm going to find this useful.

Duck browser doesn't allow it to be saved as a bookmark, but Safari is fine with it.

replies(1): >>43733440 #
25. myfonj ◴[19 Apr 25 01:29 UTC] No.43733440{4}[source]
Yeah, sadly, top-level dataURIs are increasingly neglected and banished from browsers, mainly because they were misused for scams in the past; for example no modern browser allows navigating to top-level dataURI by clicking a link. Only bookmarks, manual entry, and external invocation (share) work (sometimes).

Anyway, I have put some remarks and docs for that thing into https://gist.github.com/myfonj/c8ce74bf549e19600026ce9022388... , if you are interested.

By the way, this "Backrooms" can also work from non-base64 URI and as such is significantly smaller (https://github.com/Kuberwastaken/backdooms/pull/3#issuecomme...)

replies(1): >>43734497 #
26. kuberwastaken ◴[19 Apr 25 05:50 UTC] No.43734497{5}[source]
Awesome stuff! I'll play around with it in a bit!

Thanks for sharing :)

replies(1): >>43738337 #
27. Valodim ◴[19 Apr 25 06:29 UTC] No.43734646{3}[source]
The content is good, but fyi the last third or so had a distinct ai padding vibe
replies(1): >>43734761 #
28. kuberwastaken ◴[19 Apr 25 07:05 UTC] No.43734761{4}[source]
AI padding vibe?
replies(1): >>43734921 #
29. Blikkentrekker ◴[19 Apr 25 07:21 UTC] No.43734810{4}[source]
As far as I know the only form of code execution they support is by the URL datatype which carries the same risks as wel already mentioned anyway.
30. Blikkentrekker ◴[19 Apr 25 07:23 UTC] No.43734818{3}[source]
That said, I wouldn't mind an upgrade to the standard of say say if the link be printed above the code in human readable form in some way, the reader would refuse to open it, or at least be configurable to refuse to open it if they not match.
31. berkes ◴[19 Apr 25 07:30 UTC] No.43734840[source]
How is this different from opening any website through a QR code, that will then run "arbitrary code"?
32. poilcn ◴[19 Apr 25 07:52 UTC] No.43734921{5}[source]
I kinda see that too. Basically, the way some authors use to increase content size with redundant words is the default behavior for Ai chats plus all the disclaimers to avoid possible litigations or negative public image.
33. ◴[19 Apr 25 15:52 UTC] No.43737222{3}[source]
34. myfonj ◴[19 Apr 25 18:26 UTC] No.43738337{6}[source]
My pleasure :] N.b., if you'd like to try fiddling with Backdooms in that Sandbox, either use the "original" HTML payload (with or without `data:text/html,` prefix in the content), or use "verbatim" (`data:text/html;verbatim,` prefix) when trying that last dataURI payload from the comment, otherwise all `%23` would be double encoded, so you'd get wrong colours. ";verbatim" turns off implicit URI Encoding. (It is not part of the tech, just my hacky hatch to be able to test both "true" dataURIs that can be used "verbatim" in URLs, or have convenience of auto-encoding, but have to extract sandbox iframe resulting payload afterwards, for "ejecting" the "project".