Projects I've worked on

Games, pentesting tools, vulnerable VMs and more. Anything released pre-2011 is quite old and no longer supported, but I keep it all here for posterity. Unfortunately, the older stuff will only run on MS Windows.

You’re standing in front of a barricade built of stone and rusted steel, a twisted plastic collection tag in your hands. The dizzy nausea you get after teleporting has yet to subside. It’s always worse when there’s a time shift involved.

Causality Couriers: tomorrow’s deliveries, yesterday.

A point-and-click text adventure about a time-travelling delivery service. Made for Ludum Dare #53: “Delivery”.

Released: 9 May 2023

In early 2021, I wrote a tool for pentesting web applications built on Firebase on behalf of iosiro, my employer. Firebase allows you to skip writing a traditional backend for your web application by just having the JavaScript interact directly with a NoSQL database, which introduces exactly the kinds of security risks you would think it does. In a Firebase app, all authorisation logic has to be implemented as database rules, and things you don’t write rules for tend to fall open. For more details, check out the release blog post.

Baserunner lets you load up the configuration of a Firebase app and log in as a regular user. It is intended to help test for areas where rules need to be changed or added. It can be thought of as a generic client for any application that uses Firebase.

Released: 5 May 2021

Most of the styling this website used from August 2015 through May 2019 is available as a Hugo theme. I’ve put it under the MIT licence, so you can do whatever you want with it but don’t hold me responsible or expect support.

Features include random taglines on every page, a shortcode for captions and yellow aside boxes. Due to breaking changes since I switched themes, it is unlikely to work in versions of Hugo newer than 0.55.

The current site theme will be made available in a similar manner when I get tired of it and redo everything again.

Released: 9 April 2020

This is a Linux VM hosting a community blogging website called Trollcave. The website contains a number of vulnerabilities which can be used in conjunction to root the VM (i.e. get access to the root user and read the file /root/flag.txt).

Recommended tools: VirtualBox, Burpsuite, Netcat

Recommended reading: VulnHub on sensible precautions for vulnerable VM deployment

Download links below (.ova file, 883MB) (version 1.2, released 2018-03-21):

Released: 27 November 2017

For numberless aeons I have slumbered in my bed of rock and fire.

Now comes Man, and he is restless and disruptive. Like the ant, he scurries atop the surface above my dwelling place, moving and reshaping sacred rock many times his own size.

I care little for this Man. I would destroy him as I have destroyed others, as an unconscious reflex, but I suspect that he is tasty.

A text game about a volcano god and the society which worships it. Made for Ludum Dare #33: “You are the Monster”.

Released: 23 August 2015
[Twine 2]

A hotseat “multiplayer snake” made as a kind of aid for a bot-programming competition. This game is open source and MIT licensed.

Developed: Q3 2011 | Released: 17 August 2014
[Game Maker 8.1]

There’s a note on your fridge. It’s a piece of white printer paper with letters cut out of a magazine glued onto it. You find that a bit odd, as you thought that kind of thing went out of fashion around the time of the handheld printing press. The note says:


So it appears you’re dealing with aliens. Foreign aliens. Foreign alien Luddites.

A silly CYOA text adventure I made with Inklewriter on a whim one evening.

Released: 26 July 2012

A weird puzzle platformer I made for a retro game competition. Featured on

Released: 24 August 2008
[Game Maker 7]

A puzzle platformer with two characters – one creates blocks, the other destroys them. I made two versions of this – one for a fire and ice themed competition, and another for co-operation themed competition.

Released: 11 November 2007 (original), 24 August 2008 (co-op edition)
[Game Maker 7]

Here are a bunch of projects that didn’t make it very far for various reasons. Some of the code or ideas may be salvageable.

Ruby Lua Table Parser is the result of when I needed to write a parser for Lua tables, because they’re just different enough from JSON objects that you can’t convert them with regex. It’s not fully robust, but I didn’t need it to be.

Open4Comment was to be this site’s public commenting system, but then I implemented webmentions instead.

Templater is a weird project to overengineer filling in textual templates, Madlibs-style. A custom parser and web interface for something that would be better done with sed. It seemed like a good idea at the time.

GameLibrarian was going to be a Steam-style slick interface for my extensive freeware game collection, but I made the mistake of starting it as a Windows Metro app, which ended up being a pretty awful platform for something that needs file access. It may be worth resurrecting one day in a different form. Until then, there’s

Ghostly Kerning is a typesetting plugin for a very early version of the Ghost blogging platform. I no longer use Ghost, and Ghost no longer seems to take plugins (or “apps”, as it once called them). Also Github says this uses a vulnerable version of lodash, so tread with care.

Corporate Synergy Simulator is a training value-add to foster growth and dynamism in your company’s organisational culture. It not only encompasses big-picture thinking by incorporating market-driven coffee-drinking mechanics into the holistic system, but also shifts these goalposts by providing a variety of miniature training add-ons. Written with a friend in GameMaker Studio 1.4 for the Global Game Jam in January 2016.