Closed tejasmanohar closed 7 years ago
avaidyam
commented
7 years ago I'm not @CodaFi but the answer is somewhat simple: dump the SkyLight.framework and examine the symbols. Then you can look them up in AppKit.framework disassembly and figure out what parameters are passed. Then maybe mess with them a little bit to confirm your finding. Another way is to look at the assertion strings (i.e. "parameter
tejasmanohar
commented
7 years ago Yep! Figured out some of it through playing around more
noah-nuebling
commented
3 years ago Hey guys, I'm interested in the CGSEventTapCreate and CGSPostMouseEvent functions which I saw in the list of missing functions which @avaidyam kindly provided in #3.
I've looked at all the binaries in the /System/Library/PrivateFrameworks/SkyLight.framework folder, using the nm and class-dump command-line tools, but I couldn't find anything interesting. I feel like I'm not looking at the right binaries.
Do you guys have any idea what I might be doing wrong?
Thanks!
avaidyam
commented
3 years ago Class-dumping likely won't help as these are C functions. They have also been renamed internally from CGS to SLS so that may help you find them.
noah-nuebling
commented
3 years ago Hey @avaidyam, thanks for getting back, and for the tips!
Class-dumping likely won't help as these are C functions
That makes sense, thanks for the heads up.
I ran nm again on all binaries in the Skylight framework using
nm -ao /System/Library/PrivateFrameworks/SkyLight.framework/Versions/A/Resources/**.
It yields absolutely nothing interesting. Using the -m argument you can see that all the functions it does find are externally defined.
So my conclusion here is that either:
/System/Library/PrivateFrameworks/SkyLight.framework/Versions/A/Resources/. So I'm looking in the wrong place.
CursorAsset, CursorAsset_base, WindowServer, WSInfo and AquaAppearanceHelper. None of them sound like they should contain the main source code for the Skylight framework.So my questions are:
CGS... or SLS...functions, and what were the binaries called?CGS... function names still work now that they've been renamed to use SL as prefix?Again, thanks!
Not sure how relevant this is, but I also tested the IDA Pro disassembler and compared the results against the nm command-line tool.
I tested on the binary at /System/Library/PrivateFrameworks/SkyLight.framework/Versions/A/Resources/WindowServer.
Taking a look at the Functions window in IDA Pro, it did find some extra functions which nm didn't. But they all had names that just consist of sub_ followed by random letters and numbers. Other than that the functions found by nm and IDA were identical. According to Google, these sub_ function names are generated by IDA when no function name is available in the binary.
So my conclusion was that nm should catch all function names in a binary.
noah-nuebling
commented
3 years ago I just found something very interesting.
There's a file which seems to contain all the Skylight function names at /Library/Developer/CommandLineTools/SDKs/MacOSX.sdk/System/Library/PrivateFrameworks/SkyLight.framework/SkyLight.tbd
Lots of new stuff in there.
noah-nuebling
commented
3 years ago Okay I found somewhat of a solution.
Binaries of system libraries can't be found in the file system anymore in Big Sur. Instead you have to extract them from a cache.
noah-nuebling
commented
1 year ago Also, I just found out, in order to link some (most? / all?) of the functions prefixed with SLS (which you can find in the SkyLight.tbd file I mentioned above) you have to set the -undefined and dynamic_lookup linker flags on your project. (In that order)
It should look like this:
Out of curiosity, how did you get these files? Decompiled something?