diff options
-rw-r--r-- | .idea/artifacts/CopyMod.xml | 8 | ||||
-rw-r--r-- | .idea/artifacts/CopyResources.xml | 8 | ||||
-rw-r--r-- | SECURITY.md | 14 | ||||
-rw-r--r-- | src/main/java/gq/malwarefight/nosession/NoSessionLoadingPlugin.java | 5 | ||||
-rw-r--r-- | src/main/java/gq/malwarefight/nosession/relaunch/Relaunch.java | 33 | ||||
-rw-r--r-- | src/main/java/gq/malwarefight/nosession/tweaks/cleanup/CleanupTweaker.java (renamed from src/main/java/gq/malwarefight/nosession/tweaks/CleanupTweaker.java) | 2 | ||||
-rw-r--r-- | src/main/java/gq/malwarefight/nosession/tweaks/cleanup/package-info.java | 5 | ||||
-rw-r--r-- | src/main/java/gq/malwarefight/nosession/tweaks/initial/InitialTweaker.java (renamed from src/main/java/gq/malwarefight/nosession/tweaks/InitialTweaker.java) | 13 | ||||
-rw-r--r-- | src/main/java/gq/malwarefight/nosession/tweaks/initial/package-info.java | 5 | ||||
-rw-r--r-- | src/main/java/gq/malwarefight/nosession/utils/Utils.java | 77 |
10 files changed, 70 insertions, 100 deletions
diff --git a/.idea/artifacts/CopyMod.xml b/.idea/artifacts/CopyMod.xml deleted file mode 100644 index 14c03c2..0000000 --- a/.idea/artifacts/CopyMod.xml +++ /dev/null @@ -1,8 +0,0 @@ -<component name="ArtifactManager"> - <artifact name="CopyMod"> - <output-path>$USER_HOME$/AppData/Roaming/.minecraft/mods</output-path> - <root id="root"> - <element id="dir-copy" path="$PROJECT_DIR$/build/libs" /> - </root> - </artifact> -</component>
\ No newline at end of file diff --git a/.idea/artifacts/CopyResources.xml b/.idea/artifacts/CopyResources.xml deleted file mode 100644 index abf019e..0000000 --- a/.idea/artifacts/CopyResources.xml +++ /dev/null @@ -1,8 +0,0 @@ -<component name="ArtifactManager"> - <artifact name="CopyResources"> - <output-path>$PROJECT_DIR$/build/classes/main</output-path> - <root id="root"> - <element id="dir-copy" path="$PROJECT_DIR$/src/main/resources" /> - </root> - </artifact> -</component>
\ No newline at end of file diff --git a/SECURITY.md b/SECURITY.md index c64722e..7d9b630 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -2,21 +2,21 @@ ## Supported Versions -Currently all versions are supported. +Currently, all releaswed versions are supported. -| Version | Supported | -| ------- | ------------------ | -| 1.0.0 | ✔️ | -| Any nightly branch | ❌ | +| Version | Supported | +|--------------------|-----------| +| 1.0.0 | ✔️ | +| Any nightly branch | ❌ | ## Reporting a Vulnerability A vulnerability is currently defined as being able to get the session ID with only a mod that gets loaded after NoSession loads its tweaker.<br> Vulnerabilities that are out of scope are defined as those that NoSession itself cannot prevent. -However, if you can produce a patch for an out of scope vulnerability, a bug bounty will be awarded as well. +However, if you can produce a patch for an out-of-scope vulnerability, a bug bounty will be awarded as well. The bug bounty is a $5 USD Amazon Gift Card. I might run out, so it's awarded on a first come, first serve basis. -Report the bug bounty by emailing admin@malwarefight.gq or by sending a DM to PandaNinjas#3017 on Discord.<br> +Report the bug bounty by sending a DM to PandaNinjas#3017 on Discord.<br> If you would like, you can encrypt the message with my [public GPG key](https://raw.githubusercontent.com/pandaninjas/pandaninjas/main/pandaninjas-publickey.key)<br> Your bug bounty may be invalidated if you disclose it to the public before. diff --git a/src/main/java/gq/malwarefight/nosession/NoSessionLoadingPlugin.java b/src/main/java/gq/malwarefight/nosession/NoSessionLoadingPlugin.java index 0ceff30..dd1c3e5 100644 --- a/src/main/java/gq/malwarefight/nosession/NoSessionLoadingPlugin.java +++ b/src/main/java/gq/malwarefight/nosession/NoSessionLoadingPlugin.java @@ -1,6 +1,6 @@ package gq.malwarefight.nosession; -import gq.malwarefight.nosession.tweaks.InitialTweaker; +import gq.malwarefight.nosession.tweaks.initial.InitialTweaker; import gq.malwarefight.nosession.utils.Utils; import net.minecraft.launchwrapper.Launch; import net.minecraftforge.fml.relauncher.IFMLLoadingPlugin; @@ -11,7 +11,6 @@ import java.lang.management.ManagementFactory; import java.lang.management.RuntimeMXBean; import java.lang.reflect.InvocationTargetException; import java.lang.reflect.Method; -import java.net.URISyntaxException; import java.util.ArrayList; import java.util.Arrays; import java.util.Map; @@ -64,6 +63,7 @@ public class NoSessionLoadingPlugin implements IFMLLoadingPlugin { } public static void lock() { + System.out.println("Waiting for lock"); while (true) { File f = new File("/home/pandaninjas/lock"); if (f.exists()) { @@ -74,7 +74,6 @@ public class NoSessionLoadingPlugin implements IFMLLoadingPlugin { } static { - System.out.println("Waiting for lock"); lock(); addSelfToClassLoader(); try { diff --git a/src/main/java/gq/malwarefight/nosession/relaunch/Relaunch.java b/src/main/java/gq/malwarefight/nosession/relaunch/Relaunch.java index 55e907c..e712254 100644 --- a/src/main/java/gq/malwarefight/nosession/relaunch/Relaunch.java +++ b/src/main/java/gq/malwarefight/nosession/relaunch/Relaunch.java @@ -1,6 +1,6 @@ package gq.malwarefight.nosession.relaunch; -import gq.malwarefight.nosession.tweaks.CleanupTweaker; +import gq.malwarefight.nosession.tweaks.cleanup.CleanupTweaker; import gq.malwarefight.nosession.utils.Utils; import net.minecraft.launchwrapper.Launch; import net.minecraftforge.fml.client.FMLClientHandler; @@ -17,6 +17,8 @@ import java.lang.reflect.Field; import java.lang.reflect.InvocationTargetException; import java.lang.reflect.Method; import java.lang.reflect.Modifier; +import java.net.MalformedURLException; +import java.net.URISyntaxException; import java.net.URL; import java.net.URLClassLoader; import java.util.ArrayList; @@ -32,17 +34,14 @@ public class Relaunch { setToNull(FMLClientHandler.class, "INSTANCE"); setToNull(Loader.class, "injectedContainers"); Utils.setStaticValue(FMLInjectionData.class, "containers", new ArrayList<String>()); - resetClass(ASMTransformerWrapper.class); - URLClassLoader originalClassLoader = (URLClassLoader) Launch.class.getClassLoader(); - URL[] newURLS = new URL[originalClassLoader.getURLs().length + 1]; - URLClassLoader lcl = new URLClassLoader(newURLS, originalClassLoader); - //noinspection unchecked - Class<Launch> innerLaunch = (Class<Launch>) Class.forName("net.minecraft.launchwrapper.Launch", false, lcl); + resetTransformerWrapper(); + addSelfToClassloader(); + Class<Launch> innerLaunch = Launch.class; Method launch = innerLaunch.getDeclaredMethod("main", String[].class); launch.invoke(null, (Object) constructArgs(args, gameDir, assetsDir, version)); } - public static String[] constructArgs(ArrayList<String> initial, File gameDir, File assetDir, String version) { + private static String[] constructArgs(ArrayList<String> initial, File gameDir, File assetDir, String version) { initial.add("--version"); initial.add(version); initial.add("--gameDir"); @@ -50,11 +49,11 @@ public class Relaunch { initial.add("--assetsDir"); initial.add(assetDir.getAbsolutePath()); initial.add("--tweakClass"); - initial.add("gq.malwarefight.nosession.tweaks.CleanupTweaker"); + initial.add(CleanupTweaker.class.getName()); return initial.toArray(new String[0]); } - public static void resetSecurityManager() throws IllegalAccessException, NoSuchMethodException, InvocationTargetException { + private static void resetSecurityManager() throws IllegalAccessException, NoSuchMethodException, InvocationTargetException { Method m = Class.class.getDeclaredMethod("getDeclaredFields0", boolean.class); m.setAccessible(true); Field[] fields = (Field[]) m.invoke(System.class, false); @@ -67,8 +66,8 @@ public class Relaunch { } - public static void resetClass(Class<?> cls) throws IllegalAccessException, NoSuchFieldException { - Field[] fields = cls.getDeclaredFields(); + private static void resetTransformerWrapper() throws IllegalAccessException, NoSuchFieldException { + Field[] fields = ASMTransformerWrapper.class.getDeclaredFields(); for (Field field: fields) { if ((field.getModifiers() & Modifier.STATIC) != 0) { setToNull(field); @@ -76,12 +75,12 @@ public class Relaunch { } } - public static void setToNull(Class<?> cls, String fieldname) throws NoSuchFieldException, IllegalAccessException { + private static void setToNull(Class<?> cls, String fieldname) throws NoSuchFieldException, IllegalAccessException { Field f = cls.getDeclaredField(fieldname); setToNull(f); } - public static void setToNull(Field f) throws IllegalAccessException, NoSuchFieldException { + private static void setToNull(Field f) throws IllegalAccessException, NoSuchFieldException { f.setAccessible(true); if ((f.getModifiers() & Modifier.FINAL) != 0) { // if it is final Field modifiers = Field.class.getDeclaredField("modifiers"); @@ -97,4 +96,10 @@ public class Relaunch { } } + private static void addSelfToClassloader() throws NoSuchMethodException, InvocationTargetException, IllegalAccessException, URISyntaxException, MalformedURLException { + URLClassLoader ucl = (URLClassLoader) Launch.class.getClassLoader(); + Method addUrl = URLClassLoader.class.getDeclaredMethod("addURL", URL.class); + addUrl.setAccessible(true); + addUrl.invoke(ucl, Utils.getLibraryPathAsFile(CleanupTweaker.class).toURI().toURL()); + } } diff --git a/src/main/java/gq/malwarefight/nosession/tweaks/CleanupTweaker.java b/src/main/java/gq/malwarefight/nosession/tweaks/cleanup/CleanupTweaker.java index 6deeeb0..c0e2df4 100644 --- a/src/main/java/gq/malwarefight/nosession/tweaks/CleanupTweaker.java +++ b/src/main/java/gq/malwarefight/nosession/tweaks/cleanup/CleanupTweaker.java @@ -1,4 +1,4 @@ -package gq.malwarefight.nosession.tweaks; +package gq.malwarefight.nosession.tweaks.cleanup; import com.google.common.cache.CacheBuilder; import com.google.common.cache.CacheLoader; diff --git a/src/main/java/gq/malwarefight/nosession/tweaks/cleanup/package-info.java b/src/main/java/gq/malwarefight/nosession/tweaks/cleanup/package-info.java new file mode 100644 index 0000000..c2a48ea --- /dev/null +++ b/src/main/java/gq/malwarefight/nosession/tweaks/cleanup/package-info.java @@ -0,0 +1,5 @@ +/** + * Due to the launchwrapper using a launchclassloader exclusion on every tweaker's package, we separate the two tweakers + * so that the loader exclusion doesn't affect anything else + */ +package gq.malwarefight.nosession.tweaks.cleanup;
\ No newline at end of file diff --git a/src/main/java/gq/malwarefight/nosession/tweaks/InitialTweaker.java b/src/main/java/gq/malwarefight/nosession/tweaks/initial/InitialTweaker.java index 74d05f5..e2ca1ae 100644 --- a/src/main/java/gq/malwarefight/nosession/tweaks/InitialTweaker.java +++ b/src/main/java/gq/malwarefight/nosession/tweaks/initial/InitialTweaker.java @@ -1,9 +1,8 @@ -package gq.malwarefight.nosession.tweaks; +package gq.malwarefight.nosession.tweaks.initial; import gq.malwarefight.nosession.relaunch.Relaunch; import gq.malwarefight.nosession.utils.Utils; import net.minecraft.launchwrapper.ITweaker; -import net.minecraft.launchwrapper.Launch; import net.minecraft.launchwrapper.LaunchClassLoader; import org.spongepowered.asm.launch.MixinBootstrap; import org.spongepowered.asm.mixin.MixinEnvironment; @@ -11,16 +10,10 @@ import org.spongepowered.asm.mixin.Mixins; import java.io.File; import java.io.IOException; -import java.lang.management.ManagementFactory; -import java.lang.management.RuntimeMXBean; -import java.lang.reflect.InvocationTargetException; -import java.lang.reflect.Method; import java.net.Socket; -import java.net.URL; import java.nio.charset.StandardCharsets; -import java.util.*; -import java.util.regex.Matcher; -import java.util.regex.Pattern; +import java.util.ArrayList; +import java.util.List; public class InitialTweaker implements ITweaker { diff --git a/src/main/java/gq/malwarefight/nosession/tweaks/initial/package-info.java b/src/main/java/gq/malwarefight/nosession/tweaks/initial/package-info.java new file mode 100644 index 0000000..443e379 --- /dev/null +++ b/src/main/java/gq/malwarefight/nosession/tweaks/initial/package-info.java @@ -0,0 +1,5 @@ +/** + * Due to the launchwrapper using a launchclassloader exclusion on every tweaker's package, we separate the two tweakers + * so that the loader exclusion doesn't affect anything else + */ +package gq.malwarefight.nosession.tweaks.initial;
\ No newline at end of file diff --git a/src/main/java/gq/malwarefight/nosession/utils/Utils.java b/src/main/java/gq/malwarefight/nosession/utils/Utils.java index ae0e273..139f1e8 100644 --- a/src/main/java/gq/malwarefight/nosession/utils/Utils.java +++ b/src/main/java/gq/malwarefight/nosession/utils/Utils.java @@ -4,7 +4,6 @@ import com.google.common.annotations.Beta; import com.google.common.collect.ForwardingMultimap; import com.google.gson.Gson; import com.mojang.authlib.yggdrasil.YggdrasilAuthenticationService; -import gq.malwarefight.nosession.tweaks.InitialTweaker; import gq.malwarefight.tokenapp.Main; import org.apache.commons.io.ByteOrderMark; import org.apache.commons.lang3.CharEncoding; @@ -17,16 +16,11 @@ import org.objectweb.asm.Opcodes; import java.io.File; import java.io.IOException; import java.io.InputStream; -import java.lang.management.ManagementFactory; -import java.lang.management.RuntimeMXBean; import java.lang.reflect.Field; import java.lang.reflect.InvocationTargetException; import java.lang.reflect.Method; import java.lang.reflect.Modifier; -import java.net.InetAddress; -import java.net.InetSocketAddress; -import java.net.Socket; -import java.net.URISyntaxException; +import java.net.*; import java.nio.charset.StandardCharsets; import java.nio.file.FileAlreadyExistsException; import java.nio.file.Files; @@ -118,50 +112,33 @@ public class Utils { } } - public static String getLibraryPath(Class<?> c, boolean processString) throws URISyntaxException { - String uri = c.getProtectionDomain().getCodeSource().getLocation().toURI().toString(); - if (processString) { - uri = processString(uri); + public static File getLibraryPathAsFile(Class<?> c) throws URISyntaxException { + String uri = c.getProtectionDomain().getCodeSource().getLocation().toURI().toString().replace("%20", " "); // code breakage in 3, 2, 1... + if (uri.endsWith(".class")) { + uri = processString(uri); // stupid reference to a class within a jar } - return Paths.get(uri).toString(); + return new File(uri); } - private static String getClasspath(Properties p, boolean processString) throws URISyntaxException { - if (processString) { - return String.join( - p.getProperty("path.separator"), - getLibraryPath(Utils.class, true), - getLibraryPath(YggdrasilAuthenticationService.class, true), - getLibraryPath(Gson.class, true), - getLibraryPath(LogManager.class, true), - getLibraryPath(Validate.class, true), - getLibraryPath(ForwardingMultimap.class, true), - getLibraryPath(Beta.class, true), - getLibraryPath(CharEncoding.class, true), - getLibraryPath(ByteOrderMark.class, true), - getLibraryPath(Logger.class, true), - getLibraryPath(Opcodes.class, true) - ); - } - try { - // try to be smart - return String.join( - p.getProperty("path.separator"), - getLibraryPath(Utils.class, false), - getLibraryPath(YggdrasilAuthenticationService.class, false), - getLibraryPath(Gson.class, false), - getLibraryPath(LogManager.class, false), - getLibraryPath(Validate.class, false), - getLibraryPath(ForwardingMultimap.class, false), - getLibraryPath(Beta.class, false), - getLibraryPath(CharEncoding.class, false), - getLibraryPath(ByteOrderMark.class, false), - getLibraryPath(Logger.class, false), - getLibraryPath(Opcodes.class, false) - ); - } catch (URISyntaxException | IllegalArgumentException e) { - return getClasspath(p, true); - } + public static String getLibraryPath(Class<?> c) throws URISyntaxException { + return getLibraryPathAsFile(c).getAbsolutePath(); + } + + private static String getClasspath(Properties p) throws URISyntaxException { + return String.join( + p.getProperty("path.separator"), + getLibraryPath(Main.class), + getLibraryPath(YggdrasilAuthenticationService.class), + getLibraryPath(Gson.class), + getLibraryPath(LogManager.class), + getLibraryPath(Validate.class), + getLibraryPath(ForwardingMultimap.class), + getLibraryPath(Beta.class), + getLibraryPath(CharEncoding.class), + getLibraryPath(ByteOrderMark.class), + getLibraryPath(Logger.class), + getLibraryPath(Opcodes.class) + ); } public static boolean createLockFile(long value) { @@ -224,8 +201,10 @@ public class Utils { long value = getID(); ID = value; Properties p = getJavaProperties(); + String cp = getClasspath(p); + System.out.println(cp); ProcessBuilder processBuilder = new ProcessBuilder( - getJavaExe(p), "-cp", getClasspath(p, false), Main.class.getName(), Long.toString(value) + getJavaExe(p), "-cp", getClasspath(p), Main.class.getName(), Long.toString(value) ); processBuilder.redirectOutput(ProcessBuilder.Redirect.INHERIT).redirectError(ProcessBuilder.Redirect.INHERIT); Process c = processBuilder.start(); |