LeagueToolkit / cslol-manager

GNU General Public License v3.0

QoL change: workaround for elevation issues on macOS #72

Closed kernel-dev closed 1 year ago

kernel-dev commented 1 year ago

Before, users would have to manually run the binary contained inside of the app bundle with sudo.

This PR proposes a workaround method for this, where the user is explicitly asked for permission where they enter their root password in order to relaunch the application with root privileges.

Alongside that, it also refuses to initialize the application if it detects that it's running under a Rosetta 1/2 translation layer (in other words, if it's on Apple ARM64 Mac machines).
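A startup check along the lines this PR describes, as an added example that is not code from the PR or from cslol-manager: it reads the `sysctl.proc_translated` key that macOS exposes for Rosetta translation and checks the effective UID. The names `process_is_translated`, `decide_start`, `start_action` and `start_reason` are hypothetical, the refuse-before-elevate ordering is an assumption of this example, and the relaunch step is left out because the page does not show how the PR performs it.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
#ifdef __APPLE__
#include <sys/sysctl.h>
#endif

/* Hypothetical names throughout; none of this is cslol-manager code. */
typedef enum { START_OK, START_NEEDS_ROOT,
               START_REFUSE_TRANSLATED, START_PROBE_FAILED } start_action;

/* Returns 1 under Rosetta translation, 0 when native, -1 if the probe failed. */
static int process_is_translated(void) {
#ifdef __APPLE__
    int translated = 0;
    size_t size = sizeof(translated);
    if (sysctlbyname("sysctl.proc_translated", &translated, &size, NULL, 0) == -1)
        return errno == ENOENT ? 0 : -1; /* key absent: no translation layer */
    return translated;
#else
    return 0; /* the key only exists on macOS */
#endif
}

/* Assumed ordering: refuse a translated run before asking for root, so the
 * user never enters a password for a launch that would be rejected anyway. */
static start_action decide_start(int translated, uid_t euid) {
    if (translated < 0) return START_PROBE_FAILED;
    if (translated > 0) return START_REFUSE_TRANSLATED;
    return euid == 0 ? START_OK : START_NEEDS_ROOT;
}

/* Messages indexed by start_action, in the enum's declaration order. */
static const char *const start_reason[] = {
    "native and root: continue startup",
    "not root: ask the user, then relaunch elevated",
    "running under Rosetta translation: refuse to start",
    "could not query sysctl.proc_translated: refuse to start",
};

int main(void) {
    start_action action = decide_start(process_is_translated(), geteuid());
    fprintf(stderr, "%s\n", start_reason[action]);
    return action == START_OK ? 0 : 1;
}
```

The key reports translation only for the calling process, so a native arm64 build of the same program gets 0 from it.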

kernel-dev commented 1 year ago

> Might be a good idea to split the PR into 2 parts: one for Rosetta detection and one for elevation.

If you prefer that, then I can create two separate branches, yes. 👍

kernel-dev commented 1 year ago

Closing this PR in favor of modularizing the specifics of the two main features implemented into their respective PRs: Apple ARM64 detection and elevation fix.

moonshadow565 commented 1 year ago

Testcase for running patcher in rosetta

Given target.c:

#include <stdio.h>
#include <unistd.h>

extern int answer(void);

int main(int argc, char* argv[]) {
    printf("Hook me: %u %lld\n", (unsigned)getpid(), (long long)(void*)&answer);
    while (answer() != 42) {
        sleep(1);
    }
    puts("Won!");
}

int answer(void) {
    return 69;
}

First compile for intel macos without optimizations to prevent inline optimizations:

cc -target x86_64-apple-macos -O0 target.c -o target.bin

And injector.c:

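#include <stdlib.h>
#include <libproc.h>
#include <mach/mach.h>
#include <mach/mach_traps.h>
#include <mach/mach_vm.h>
#include <unistd.h>

// mov eax,0x2a ; ret (six bytes, so the array has to hold all six)
unsigned char shellcode[6] = { 0xb8, 0x2a, 0x00, 0x00, 0x00, 0xc3 };

int main(int argc, char** argv) {
    // Expects the pid and the address printed by target.bin.
    if (argc < 3) {
        return 1;
    }
    int pid = atoi(argv[1]);
    mach_vm_address_t address = atoll(argv[2]);

    // Get the task port of the target process; stop if that is denied.
    mach_port_t task = MACH_PORT_NULL;
    if (task_for_pid(mach_task_self(), pid, &task) != KERN_SUCCESS) {
        return 1;
    }

    // Make the code page writable (VM_PROT_COPY asks for a private copy),
    // overwrite the start of answer(), then put it back to read + execute.
    mach_vm_protect(task, address, sizeof(shellcode), 0, VM_PROT_READ | VM_PROT_WRITE | VM_PROT_EXECUTE | VM_PROT_COPY);
    mach_vm_write(task, address, (vm_offset_t)shellcode, sizeof(shellcode));
    mach_vm_protect(task, address, sizeof(shellcode), 0, VM_PROT_READ | VM_PROT_EXECUTE);
}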

Injector can be compiled for either intel or arm. Running injector (as sudo) on target should successfully patch answer func such that it returns 42. Now make it work on rosetta.