aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--.idea/artifacts/CopyMod.xml8
-rw-r--r--.idea/artifacts/CopyResources.xml8
-rw-r--r--SECURITY.md14
-rw-r--r--src/main/java/gq/malwarefight/nosession/NoSessionLoadingPlugin.java5
-rw-r--r--src/main/java/gq/malwarefight/nosession/relaunch/Relaunch.java33
-rw-r--r--src/main/java/gq/malwarefight/nosession/tweaks/cleanup/CleanupTweaker.java (renamed from src/main/java/gq/malwarefight/nosession/tweaks/CleanupTweaker.java)2
-rw-r--r--src/main/java/gq/malwarefight/nosession/tweaks/cleanup/package-info.java5
-rw-r--r--src/main/java/gq/malwarefight/nosession/tweaks/initial/InitialTweaker.java (renamed from src/main/java/gq/malwarefight/nosession/tweaks/InitialTweaker.java)13
-rw-r--r--src/main/java/gq/malwarefight/nosession/tweaks/initial/package-info.java5
-rw-r--r--src/main/java/gq/malwarefight/nosession/utils/Utils.java77
10 files changed, 70 insertions, 100 deletions
diff --git a/.idea/artifacts/CopyMod.xml b/.idea/artifacts/CopyMod.xml
deleted file mode 100644
index 14c03c2..0000000
--- a/.idea/artifacts/CopyMod.xml
+++ /dev/null
@@ -1,8 +0,0 @@
-<component name="ArtifactManager">
- <artifact name="CopyMod">
- <output-path>$USER_HOME$/AppData/Roaming/.minecraft/mods</output-path>
- <root id="root">
- <element id="dir-copy" path="$PROJECT_DIR$/build/libs" />
- </root>
- </artifact>
-</component> \ No newline at end of file
diff --git a/.idea/artifacts/CopyResources.xml b/.idea/artifacts/CopyResources.xml
deleted file mode 100644
index abf019e..0000000
--- a/.idea/artifacts/CopyResources.xml
+++ /dev/null
@@ -1,8 +0,0 @@
-<component name="ArtifactManager">
- <artifact name="CopyResources">
- <output-path>$PROJECT_DIR$/build/classes/main</output-path>
- <root id="root">
- <element id="dir-copy" path="$PROJECT_DIR$/src/main/resources" />
- </root>
- </artifact>
-</component> \ No newline at end of file
diff --git a/SECURITY.md b/SECURITY.md
index c64722e..7d9b630 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -2,21 +2,21 @@
## Supported Versions
-Currently all versions are supported.
+Currently, all releaswed versions are supported.
-| Version | Supported |
-| ------- | ------------------ |
-| 1.0.0 | ✔️ |
-| Any nightly branch | ❌ |
+| Version | Supported |
+|--------------------|-----------|
+| 1.0.0 | ✔️ |
+| Any nightly branch | ❌ |
## Reporting a Vulnerability
A vulnerability is currently defined as being able to get the session ID with only a mod that gets loaded after NoSession loads its tweaker.<br>
Vulnerabilities that are out of scope are defined as those that NoSession itself cannot prevent.
-However, if you can produce a patch for an out of scope vulnerability, a bug bounty will be awarded as well.
+However, if you can produce a patch for an out-of-scope vulnerability, a bug bounty will be awarded as well.
The bug bounty is a $5 USD Amazon Gift Card. I might run out, so it's awarded on a first come, first serve basis.
-Report the bug bounty by emailing admin@malwarefight.gq or by sending a DM to PandaNinjas#3017 on Discord.<br>
+Report the bug bounty by sending a DM to PandaNinjas#3017 on Discord.<br>
If you would like, you can encrypt the message with my [public GPG key](https://raw.githubusercontent.com/pandaninjas/pandaninjas/main/pandaninjas-publickey.key)<br>
Your bug bounty may be invalidated if you disclose it to the public before.
diff --git a/src/main/java/gq/malwarefight/nosession/NoSessionLoadingPlugin.java b/src/main/java/gq/malwarefight/nosession/NoSessionLoadingPlugin.java
index 0ceff30..dd1c3e5 100644
--- a/src/main/java/gq/malwarefight/nosession/NoSessionLoadingPlugin.java
+++ b/src/main/java/gq/malwarefight/nosession/NoSessionLoadingPlugin.java
@@ -1,6 +1,6 @@
package gq.malwarefight.nosession;
-import gq.malwarefight.nosession.tweaks.InitialTweaker;
+import gq.malwarefight.nosession.tweaks.initial.InitialTweaker;
import gq.malwarefight.nosession.utils.Utils;
import net.minecraft.launchwrapper.Launch;
import net.minecraftforge.fml.relauncher.IFMLLoadingPlugin;
@@ -11,7 +11,6 @@ import java.lang.management.ManagementFactory;
import java.lang.management.RuntimeMXBean;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
-import java.net.URISyntaxException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Map;
@@ -64,6 +63,7 @@ public class NoSessionLoadingPlugin implements IFMLLoadingPlugin {
}
public static void lock() {
+ System.out.println("Waiting for lock");
while (true) {
File f = new File("/home/pandaninjas/lock");
if (f.exists()) {
@@ -74,7 +74,6 @@ public class NoSessionLoadingPlugin implements IFMLLoadingPlugin {
}
static {
- System.out.println("Waiting for lock");
lock();
addSelfToClassLoader();
try {
diff --git a/src/main/java/gq/malwarefight/nosession/relaunch/Relaunch.java b/src/main/java/gq/malwarefight/nosession/relaunch/Relaunch.java
index 55e907c..e712254 100644
--- a/src/main/java/gq/malwarefight/nosession/relaunch/Relaunch.java
+++ b/src/main/java/gq/malwarefight/nosession/relaunch/Relaunch.java
@@ -1,6 +1,6 @@
package gq.malwarefight.nosession.relaunch;
-import gq.malwarefight.nosession.tweaks.CleanupTweaker;
+import gq.malwarefight.nosession.tweaks.cleanup.CleanupTweaker;
import gq.malwarefight.nosession.utils.Utils;
import net.minecraft.launchwrapper.Launch;
import net.minecraftforge.fml.client.FMLClientHandler;
@@ -17,6 +17,8 @@ import java.lang.reflect.Field;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
+import java.net.MalformedURLException;
+import java.net.URISyntaxException;
import java.net.URL;
import java.net.URLClassLoader;
import java.util.ArrayList;
@@ -32,17 +34,14 @@ public class Relaunch {
setToNull(FMLClientHandler.class, "INSTANCE");
setToNull(Loader.class, "injectedContainers");
Utils.setStaticValue(FMLInjectionData.class, "containers", new ArrayList<String>());
- resetClass(ASMTransformerWrapper.class);
- URLClassLoader originalClassLoader = (URLClassLoader) Launch.class.getClassLoader();
- URL[] newURLS = new URL[originalClassLoader.getURLs().length + 1];
- URLClassLoader lcl = new URLClassLoader(newURLS, originalClassLoader);
- //noinspection unchecked
- Class<Launch> innerLaunch = (Class<Launch>) Class.forName("net.minecraft.launchwrapper.Launch", false, lcl);
+ resetTransformerWrapper();
+ addSelfToClassloader();
+ Class<Launch> innerLaunch = Launch.class;
Method launch = innerLaunch.getDeclaredMethod("main", String[].class);
launch.invoke(null, (Object) constructArgs(args, gameDir, assetsDir, version));
}
- public static String[] constructArgs(ArrayList<String> initial, File gameDir, File assetDir, String version) {
+ private static String[] constructArgs(ArrayList<String> initial, File gameDir, File assetDir, String version) {
initial.add("--version");
initial.add(version);
initial.add("--gameDir");
@@ -50,11 +49,11 @@ public class Relaunch {
initial.add("--assetsDir");
initial.add(assetDir.getAbsolutePath());
initial.add("--tweakClass");
- initial.add("gq.malwarefight.nosession.tweaks.CleanupTweaker");
+ initial.add(CleanupTweaker.class.getName());
return initial.toArray(new String[0]);
}
- public static void resetSecurityManager() throws IllegalAccessException, NoSuchMethodException, InvocationTargetException {
+ private static void resetSecurityManager() throws IllegalAccessException, NoSuchMethodException, InvocationTargetException {
Method m = Class.class.getDeclaredMethod("getDeclaredFields0", boolean.class);
m.setAccessible(true);
Field[] fields = (Field[]) m.invoke(System.class, false);
@@ -67,8 +66,8 @@ public class Relaunch {
}
- public static void resetClass(Class<?> cls) throws IllegalAccessException, NoSuchFieldException {
- Field[] fields = cls.getDeclaredFields();
+ private static void resetTransformerWrapper() throws IllegalAccessException, NoSuchFieldException {
+ Field[] fields = ASMTransformerWrapper.class.getDeclaredFields();
for (Field field: fields) {
if ((field.getModifiers() & Modifier.STATIC) != 0) {
setToNull(field);
@@ -76,12 +75,12 @@ public class Relaunch {
}
}
- public static void setToNull(Class<?> cls, String fieldname) throws NoSuchFieldException, IllegalAccessException {
+ private static void setToNull(Class<?> cls, String fieldname) throws NoSuchFieldException, IllegalAccessException {
Field f = cls.getDeclaredField(fieldname);
setToNull(f);
}
- public static void setToNull(Field f) throws IllegalAccessException, NoSuchFieldException {
+ private static void setToNull(Field f) throws IllegalAccessException, NoSuchFieldException {
f.setAccessible(true);
if ((f.getModifiers() & Modifier.FINAL) != 0) { // if it is final
Field modifiers = Field.class.getDeclaredField("modifiers");
@@ -97,4 +96,10 @@ public class Relaunch {
}
}
+ private static void addSelfToClassloader() throws NoSuchMethodException, InvocationTargetException, IllegalAccessException, URISyntaxException, MalformedURLException {
+ URLClassLoader ucl = (URLClassLoader) Launch.class.getClassLoader();
+ Method addUrl = URLClassLoader.class.getDeclaredMethod("addURL", URL.class);
+ addUrl.setAccessible(true);
+ addUrl.invoke(ucl, Utils.getLibraryPathAsFile(CleanupTweaker.class).toURI().toURL());
+ }
}
diff --git a/src/main/java/gq/malwarefight/nosession/tweaks/CleanupTweaker.java b/src/main/java/gq/malwarefight/nosession/tweaks/cleanup/CleanupTweaker.java
index 6deeeb0..c0e2df4 100644
--- a/src/main/java/gq/malwarefight/nosession/tweaks/CleanupTweaker.java
+++ b/src/main/java/gq/malwarefight/nosession/tweaks/cleanup/CleanupTweaker.java
@@ -1,4 +1,4 @@
-package gq.malwarefight.nosession.tweaks;
+package gq.malwarefight.nosession.tweaks.cleanup;
import com.google.common.cache.CacheBuilder;
import com.google.common.cache.CacheLoader;
diff --git a/src/main/java/gq/malwarefight/nosession/tweaks/cleanup/package-info.java b/src/main/java/gq/malwarefight/nosession/tweaks/cleanup/package-info.java
new file mode 100644
index 0000000..c2a48ea
--- /dev/null
+++ b/src/main/java/gq/malwarefight/nosession/tweaks/cleanup/package-info.java
@@ -0,0 +1,5 @@
+/**
+ * Due to the launchwrapper using a launchclassloader exclusion on every tweaker's package, we separate the two tweakers
+ * so that the loader exclusion doesn't affect anything else
+ */
+package gq.malwarefight.nosession.tweaks.cleanup; \ No newline at end of file
diff --git a/src/main/java/gq/malwarefight/nosession/tweaks/InitialTweaker.java b/src/main/java/gq/malwarefight/nosession/tweaks/initial/InitialTweaker.java
index 74d05f5..e2ca1ae 100644
--- a/src/main/java/gq/malwarefight/nosession/tweaks/InitialTweaker.java
+++ b/src/main/java/gq/malwarefight/nosession/tweaks/initial/InitialTweaker.java
@@ -1,9 +1,8 @@
-package gq.malwarefight.nosession.tweaks;
+package gq.malwarefight.nosession.tweaks.initial;
import gq.malwarefight.nosession.relaunch.Relaunch;
import gq.malwarefight.nosession.utils.Utils;
import net.minecraft.launchwrapper.ITweaker;
-import net.minecraft.launchwrapper.Launch;
import net.minecraft.launchwrapper.LaunchClassLoader;
import org.spongepowered.asm.launch.MixinBootstrap;
import org.spongepowered.asm.mixin.MixinEnvironment;
@@ -11,16 +10,10 @@ import org.spongepowered.asm.mixin.Mixins;
import java.io.File;
import java.io.IOException;
-import java.lang.management.ManagementFactory;
-import java.lang.management.RuntimeMXBean;
-import java.lang.reflect.InvocationTargetException;
-import java.lang.reflect.Method;
import java.net.Socket;
-import java.net.URL;
import java.nio.charset.StandardCharsets;
-import java.util.*;
-import java.util.regex.Matcher;
-import java.util.regex.Pattern;
+import java.util.ArrayList;
+import java.util.List;
public class InitialTweaker implements ITweaker {
diff --git a/src/main/java/gq/malwarefight/nosession/tweaks/initial/package-info.java b/src/main/java/gq/malwarefight/nosession/tweaks/initial/package-info.java
new file mode 100644
index 0000000..443e379
--- /dev/null
+++ b/src/main/java/gq/malwarefight/nosession/tweaks/initial/package-info.java
@@ -0,0 +1,5 @@
+/**
+ * Due to the launchwrapper using a launchclassloader exclusion on every tweaker's package, we separate the two tweakers
+ * so that the loader exclusion doesn't affect anything else
+ */
+package gq.malwarefight.nosession.tweaks.initial; \ No newline at end of file
diff --git a/src/main/java/gq/malwarefight/nosession/utils/Utils.java b/src/main/java/gq/malwarefight/nosession/utils/Utils.java
index ae0e273..139f1e8 100644
--- a/src/main/java/gq/malwarefight/nosession/utils/Utils.java
+++ b/src/main/java/gq/malwarefight/nosession/utils/Utils.java
@@ -4,7 +4,6 @@ import com.google.common.annotations.Beta;
import com.google.common.collect.ForwardingMultimap;
import com.google.gson.Gson;
import com.mojang.authlib.yggdrasil.YggdrasilAuthenticationService;
-import gq.malwarefight.nosession.tweaks.InitialTweaker;
import gq.malwarefight.tokenapp.Main;
import org.apache.commons.io.ByteOrderMark;
import org.apache.commons.lang3.CharEncoding;
@@ -17,16 +16,11 @@ import org.objectweb.asm.Opcodes;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
-import java.lang.management.ManagementFactory;
-import java.lang.management.RuntimeMXBean;
import java.lang.reflect.Field;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
-import java.net.InetAddress;
-import java.net.InetSocketAddress;
-import java.net.Socket;
-import java.net.URISyntaxException;
+import java.net.*;
import java.nio.charset.StandardCharsets;
import java.nio.file.FileAlreadyExistsException;
import java.nio.file.Files;
@@ -118,50 +112,33 @@ public class Utils {
}
}
- public static String getLibraryPath(Class<?> c, boolean processString) throws URISyntaxException {
- String uri = c.getProtectionDomain().getCodeSource().getLocation().toURI().toString();
- if (processString) {
- uri = processString(uri);
+ public static File getLibraryPathAsFile(Class<?> c) throws URISyntaxException {
+ String uri = c.getProtectionDomain().getCodeSource().getLocation().toURI().toString().replace("%20", " "); // code breakage in 3, 2, 1...
+ if (uri.endsWith(".class")) {
+ uri = processString(uri); // stupid reference to a class within a jar
}
- return Paths.get(uri).toString();
+ return new File(uri);
}
- private static String getClasspath(Properties p, boolean processString) throws URISyntaxException {
- if (processString) {
- return String.join(
- p.getProperty("path.separator"),
- getLibraryPath(Utils.class, true),
- getLibraryPath(YggdrasilAuthenticationService.class, true),
- getLibraryPath(Gson.class, true),
- getLibraryPath(LogManager.class, true),
- getLibraryPath(Validate.class, true),
- getLibraryPath(ForwardingMultimap.class, true),
- getLibraryPath(Beta.class, true),
- getLibraryPath(CharEncoding.class, true),
- getLibraryPath(ByteOrderMark.class, true),
- getLibraryPath(Logger.class, true),
- getLibraryPath(Opcodes.class, true)
- );
- }
- try {
- // try to be smart
- return String.join(
- p.getProperty("path.separator"),
- getLibraryPath(Utils.class, false),
- getLibraryPath(YggdrasilAuthenticationService.class, false),
- getLibraryPath(Gson.class, false),
- getLibraryPath(LogManager.class, false),
- getLibraryPath(Validate.class, false),
- getLibraryPath(ForwardingMultimap.class, false),
- getLibraryPath(Beta.class, false),
- getLibraryPath(CharEncoding.class, false),
- getLibraryPath(ByteOrderMark.class, false),
- getLibraryPath(Logger.class, false),
- getLibraryPath(Opcodes.class, false)
- );
- } catch (URISyntaxException | IllegalArgumentException e) {
- return getClasspath(p, true);
- }
+ public static String getLibraryPath(Class<?> c) throws URISyntaxException {
+ return getLibraryPathAsFile(c).getAbsolutePath();
+ }
+
+ private static String getClasspath(Properties p) throws URISyntaxException {
+ return String.join(
+ p.getProperty("path.separator"),
+ getLibraryPath(Main.class),
+ getLibraryPath(YggdrasilAuthenticationService.class),
+ getLibraryPath(Gson.class),
+ getLibraryPath(LogManager.class),
+ getLibraryPath(Validate.class),
+ getLibraryPath(ForwardingMultimap.class),
+ getLibraryPath(Beta.class),
+ getLibraryPath(CharEncoding.class),
+ getLibraryPath(ByteOrderMark.class),
+ getLibraryPath(Logger.class),
+ getLibraryPath(Opcodes.class)
+ );
}
public static boolean createLockFile(long value) {
@@ -224,8 +201,10 @@ public class Utils {
long value = getID();
ID = value;
Properties p = getJavaProperties();
+ String cp = getClasspath(p);
+ System.out.println(cp);
ProcessBuilder processBuilder = new ProcessBuilder(
- getJavaExe(p), "-cp", getClasspath(p, false), Main.class.getName(), Long.toString(value)
+ getJavaExe(p), "-cp", getClasspath(p), Main.class.getName(), Long.toString(value)
);
processBuilder.redirectOutput(ProcessBuilder.Redirect.INHERIT).redirectError(ProcessBuilder.Redirect.INHERIT);
Process c = processBuilder.start();