From 57f02cd5c334ceb6c5e8786b2ced55baba75728d Mon Sep 17 00:00:00 2001 From: PandaNinjas Date: Sun, 29 Jan 2023 21:47:46 -0800 Subject: Revert revert commit so we can be back at our original state for this branch (i hope it is the correct branch) This reverts commit 4d5700844809d45ca27a7efe8500d9d4c828ea2f. --- gradle/wrapper/gradle-wrapper.jar | Bin 52928 -> 0 bytes gradle/wrapper/gradle-wrapper.properties | 2 +- 2 files changed, 1 insertion(+), 1 deletion(-) delete mode 100644 gradle/wrapper/gradle-wrapper.jar (limited to 'gradle/wrapper') diff --git a/gradle/wrapper/gradle-wrapper.jar b/gradle/wrapper/gradle-wrapper.jar deleted file mode 100644 index 6ffa237..0000000 Binary files a/gradle/wrapper/gradle-wrapper.jar and /dev/null differ diff --git a/gradle/wrapper/gradle-wrapper.properties b/gradle/wrapper/gradle-wrapper.properties index 7b64320..357df5f 100644 --- a/gradle/wrapper/gradle-wrapper.properties +++ b/gradle/wrapper/gradle-wrapper.properties @@ -2,4 +2,4 @@ distributionBase=GRADLE_USER_HOME distributionPath=wrapper/dists zipStoreBase=GRADLE_USER_HOME zipStorePath=wrapper/dists -distributionUrl=https\://services.gradle.org/distributions/gradle-3.1-bin.zip +distributionUrl=https\://services.gradle.org/distributions/gradle-3.1-bin.zip \ No newline at end of file -- cgit From 661d40251d6f8f98497aa61f5ea2e3c67f8e9190 Mon Sep 17 00:00:00 2001 From: PandaNinjas Date: Thu, 9 Feb 2023 19:17:16 -0800 Subject: it works:tm: --- README.md | 4 +- SECURITY.md | 2 +- build.gradle | 22 ++++---- gradle/wrapper/gradle-wrapper.properties | 2 +- .../nosession/NoSessionLoadingPlugin.java | 13 ----- .../mixin/client/YggdrasilSessionMixin.java | 3 +- .../nosession/tweaks/cleanup/CleanupTweaker.java | 1 + .../nosession/tweaks/initial/InitialTweaker.java | 37 ++++++++----- .../gq/malwarefight/nosession/utils/Utils.java | 62 ++++++---------------- src/main/java/gq/malwarefight/tokenapp/Main.java | 3 +- .../gq/malwarefight/tokenapp/SocketThread.java | 4 +- src/main/resources/mixins.nosession.json | 2 +- 12 files changed, 58 insertions(+), 97 deletions(-) (limited to 'gradle/wrapper') diff --git a/README.md b/README.md index 925d2a6..8345802 100644 --- a/README.md +++ b/README.md @@ -8,10 +8,10 @@ This mod doesn't make you 100% safe, but it makes it much harder to steal your s [staying safe section](#staying-safe) ## Staying Safe -In order to work around an unpatchable security vulnerability, rename the NoSession jar to !.jar so it can load its protection before any other mods.
+In order to work around an unpatchable security vulnerability, rename the NoSession jar to !.jar, so it can load its protection before any other mods.
You should also use [MultiMC](https://github.com/MultiMC/Launcher/) or one of its derivates [PolyMC](https://github.com/PolyMC/PolyMC) or [PrismLauncher](https://github.com/PrismLauncher/PrismLauncher), because they use launch Minecraft in a way that improves security.
This only protects you from other mods. There are fake verification sites that can steal your session ID through that method.
-Don't login with Microsoft OAuth to anything except maybe your Minecraft launcher. You may also want to verify the signature on any NoSession binary. It's signed with [pandaninjas' GPG key](https://raw.githubusercontent.com/pandaninjas/pandaninjas/main/pandaninjas-publickey.key). +Don't log in with Microsoft OAuth to anything except maybe your Minecraft launcher. You may also want to verify the signature on any NoSession binary. It's signed with [pandaninjas' GPG key](https://raw.githubusercontent.com/pandaninjas/pandaninjas/main/pandaninjas-publickey.key). See [ILikePlayingGames' SkyblockModSafety guide](https://github.com/ILikePlayingGames/SkyblockModSafety) for other information diff --git a/SECURITY.md b/SECURITY.md index 7d9b630..4a30fd7 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -15,7 +15,7 @@ Vulnerabilities that are out of scope are defined as those that NoSession itself However, if you can produce a patch for an out-of-scope vulnerability, a bug bounty will be awarded as well. -The bug bounty is a $5 USD Amazon Gift Card. I might run out, so it's awarded on a first come, first serve basis. +The bug bounty is a $5 USD Amazon Gift Card. I might run out, so it's awarded on a first come, first served basis. Report the bug bounty by sending a DM to PandaNinjas#3017 on Discord.
If you would like, you can encrypt the message with my [public GPG key](https://raw.githubusercontent.com/pandaninjas/pandaninjas/main/pandaninjas-publickey.key)
diff --git a/build.gradle b/build.gradle index d7a1031..c54ce08 100644 --- a/build.gradle +++ b/build.gradle @@ -13,7 +13,6 @@ buildscript { plugins { id "java" - id "com.github.johnrengelman.shadow" version "2.0.4" } apply plugin: 'net.minecraftforge.gradle.forge' @@ -45,7 +44,7 @@ repositories { } dependencies { - shade('org.spongepowered:mixin:0.7.10-SNAPSHOT') { + shade('org.spongepowered:mixin:0.7.11-SNAPSHOT') { exclude module: 'launchwrapper' exclude module: 'guava' exclude module: 'gson' @@ -73,19 +72,16 @@ processResources { rename '(.+_at.cfg)', 'META-INF/$1' } -shadowJar { - dependencies {} - configurations = [project.configurations.shade] - duplicatesStrategy DuplicatesStrategy.EXCLUDE //prevent duplicates - classifier "" //prevent creation of unshadowed jar -} - -reobf { - //reobfuscate the shadowed jar - shadowJar {} -} jar { + dependsOn configurations.compile + from { + configurations.compile.collect { + it.isDirectory() ? it : zipTree(it) + } + } + exclude 'META-INF/*.RSA', 'META-INF/*.SF', 'META-INF/*.DSA', 'dummyThing' + manifest { attributes "ForceLoadAsMod": true, "TweakOrder": 0, diff --git a/gradle/wrapper/gradle-wrapper.properties b/gradle/wrapper/gradle-wrapper.properties index 357df5f..ce94abc 100644 --- a/gradle/wrapper/gradle-wrapper.properties +++ b/gradle/wrapper/gradle-wrapper.properties @@ -2,4 +2,4 @@ distributionBase=GRADLE_USER_HOME distributionPath=wrapper/dists zipStoreBase=GRADLE_USER_HOME zipStorePath=wrapper/dists -distributionUrl=https\://services.gradle.org/distributions/gradle-3.1-bin.zip \ No newline at end of file +distributionUrl=https\://services.gradle.org/distributions/gradle-4.7-bin.zip \ No newline at end of file diff --git a/src/main/java/gq/malwarefight/nosession/NoSessionLoadingPlugin.java b/src/main/java/gq/malwarefight/nosession/NoSessionLoadingPlugin.java index dd1c3e5..a7be261 100644 --- a/src/main/java/gq/malwarefight/nosession/NoSessionLoadingPlugin.java +++ b/src/main/java/gq/malwarefight/nosession/NoSessionLoadingPlugin.java @@ -5,7 +5,6 @@ import gq.malwarefight.nosession.utils.Utils; import net.minecraft.launchwrapper.Launch; import net.minecraftforge.fml.relauncher.IFMLLoadingPlugin; -import java.io.File; import java.io.IOException; import java.lang.management.ManagementFactory; import java.lang.management.RuntimeMXBean; @@ -62,19 +61,7 @@ public class NoSessionLoadingPlugin implements IFMLLoadingPlugin { Launch.classLoader.addURL(NoSessionLoadingPlugin.class.getProtectionDomain().getCodeSource().getLocation()); } - public static void lock() { - System.out.println("Waiting for lock"); - while (true) { - File f = new File("/home/pandaninjas/lock"); - if (f.exists()) { - f.delete(); - break; - } - } - } - static { - lock(); addSelfToClassLoader(); try { Properties p = Utils.getJavaProperties(); diff --git a/src/main/java/gq/malwarefight/nosession/mixin/client/YggdrasilSessionMixin.java b/src/main/java/gq/malwarefight/nosession/mixin/client/YggdrasilSessionMixin.java index 5451c26..25636f7 100644 --- a/src/main/java/gq/malwarefight/nosession/mixin/client/YggdrasilSessionMixin.java +++ b/src/main/java/gq/malwarefight/nosession/mixin/client/YggdrasilSessionMixin.java @@ -1,6 +1,5 @@ package gq.malwarefight.nosession.mixin.client; -import com.google.common.primitives.Booleans; import com.mojang.authlib.GameProfile; import com.mojang.authlib.exceptions.AuthenticationException; import com.mojang.authlib.yggdrasil.YggdrasilMinecraftSessionService; @@ -21,7 +20,7 @@ public class YggdrasilSessionMixin { @Inject(method = "joinServer", at = @At("HEAD"), cancellable = true, remap = false) public void joinServer(GameProfile profile, String authenticationToken, String serverId, CallbackInfo ci) throws AuthenticationException { if (authenticationToken.equals("")) { // this token has been messed with by the Tweaker - Socket socket = Utils.getProperSocket(); + Socket socket = Utils.getProperSocket(profile.getId()); try { assert socket != null; socket.getOutputStream().write(("login " + serverId + "\n").getBytes(StandardCharsets.UTF_8)); diff --git a/src/main/java/gq/malwarefight/nosession/tweaks/cleanup/CleanupTweaker.java b/src/main/java/gq/malwarefight/nosession/tweaks/cleanup/CleanupTweaker.java index c0e2df4..a0d458b 100644 --- a/src/main/java/gq/malwarefight/nosession/tweaks/cleanup/CleanupTweaker.java +++ b/src/main/java/gq/malwarefight/nosession/tweaks/cleanup/CleanupTweaker.java @@ -37,6 +37,7 @@ public class CleanupTweaker implements ITweaker { try { Utils.setStaticValue(cls, "wrapperModMap", new HashMap()); Utils.setStaticValue(cls, "wrapperParentMap", new HashMap()); + //noinspection UnstableApiUsage Utils.setStaticValue(cls, "wrapperCache", CacheBuilder.newBuilder().maximumSize(30L).weakValues().build(new CacheLoader() { public byte[] load(String file) throws Exception { return (byte[]) makeWrapper.invoke(null, file); diff --git a/src/main/java/gq/malwarefight/nosession/tweaks/initial/InitialTweaker.java b/src/main/java/gq/malwarefight/nosession/tweaks/initial/InitialTweaker.java index e2ca1ae..21b2646 100644 --- a/src/main/java/gq/malwarefight/nosession/tweaks/initial/InitialTweaker.java +++ b/src/main/java/gq/malwarefight/nosession/tweaks/initial/InitialTweaker.java @@ -9,11 +9,11 @@ import org.spongepowered.asm.mixin.MixinEnvironment; import org.spongepowered.asm.mixin.Mixins; import java.io.File; -import java.io.IOException; import java.net.Socket; import java.nio.charset.StandardCharsets; import java.util.ArrayList; import java.util.List; +import java.util.UUID; public class InitialTweaker implements ITweaker { @@ -30,22 +30,13 @@ public class InitialTweaker implements ITweaker { */ @Override public final void acceptOptions(List args, File gameDir, File assetsDir, String version) { + boolean isRelaunch = false; // is this invocation from a relaunch? + String uuid = null; ArrayList argsCopy = new ArrayList<>(args); for (int i = 0; i < argsCopy.size(); i++) { if (argsCopy.get(i).equals("--accessToken")) { if (argsCopy.get(i + 1).equals("")) { - Runtime.getRuntime().addShutdownHook( - new Thread(() -> { - try { - Socket socket = Utils.getProperSocket(); - socket.getOutputStream().write("fullquit\n".getBytes(StandardCharsets.UTF_8)); - socket.close(); - } catch (IOException e) { - e.printStackTrace(); - } - }) - ); - return; // don't do anything, the change has already been made + isRelaunch = true; } try { Utils.setToken(args.get(i + 1)); @@ -53,8 +44,28 @@ public class InitialTweaker implements ITweaker { throw new RuntimeException(e); } argsCopy.set(i + 1, ""); + } else if (argsCopy.get(i).equals("--uuid")) { + uuid = argsCopy.get(i + 1); } } + if (isRelaunch) { + String finalUuid = uuid; + if (finalUuid == null) { + return; // if we don't have a uuid, quit + } + Runtime.getRuntime().addShutdownHook( + new Thread(() -> { + try { + Socket socket = Utils.getProperSocket(UUID.fromString(finalUuid)); + socket.getOutputStream().write("fullquit\n".getBytes(StandardCharsets.UTF_8)); + socket.close(); + } catch (Exception e) { + e.printStackTrace(); + } + }) + ); + return; // don't do anything, the change has already been made + } System.out.println("======================="); System.out.println("NoSession: relaunching without the token"); System.out.println("======================="); diff --git a/src/main/java/gq/malwarefight/nosession/utils/Utils.java b/src/main/java/gq/malwarefight/nosession/utils/Utils.java index 139f1e8..7d3c4dd 100644 --- a/src/main/java/gq/malwarefight/nosession/utils/Utils.java +++ b/src/main/java/gq/malwarefight/nosession/utils/Utils.java @@ -20,19 +20,18 @@ import java.lang.reflect.Field; import java.lang.reflect.InvocationTargetException; import java.lang.reflect.Method; import java.lang.reflect.Modifier; -import java.net.*; +import java.net.InetAddress; +import java.net.InetSocketAddress; +import java.net.Socket; +import java.net.URISyntaxException; import java.nio.charset.StandardCharsets; -import java.nio.file.FileAlreadyExistsException; -import java.nio.file.Files; -import java.nio.file.Path; import java.nio.file.Paths; import java.util.Arrays; import java.util.Properties; -import java.util.Random; +import java.util.UUID; public class Utils { public static int PORT = -1; - public static long ID = -1; private static final int BASE_PORT = 47777; public static byte[] read(InputStream i, Character delimiter) throws IOException { @@ -60,23 +59,25 @@ public class Utils { return new String(read(i, delimiter), StandardCharsets.UTF_8); } - public static Socket getProperSocket() { + public static Socket getProperSocket(UUID id) { if (PORT == -1) { Socket socket = null; - int port = 0; + int port; for (int i = BASE_PORT; i < BASE_PORT + 10; i++) { try { socket = new Socket(); socket.connect(new InetSocketAddress(InetAddress.getLoopbackAddress(), i)); - socket.getOutputStream().write("id\n".getBytes(StandardCharsets.UTF_8)); + socket.getOutputStream().write("uuid\n".getBytes(StandardCharsets.UTF_8)); String value = readString(socket.getInputStream(), '\n'); - if (value.equals(Long.toString(ID))) { + if (UUID.fromString(value).equals(id)) { port = i; + PORT = port; break; } - } catch (Exception ignored) {} + } catch (Exception exception) { + socket = null; + } } - PORT = port; return socket; } else { try { @@ -85,7 +86,7 @@ public class Utils { return socket; } catch (IOException e) { PORT = -1; - return getProperSocket(); + return getProperSocket(id); } } } @@ -141,37 +142,6 @@ public class Utils { ); } - public static boolean createLockFile(long value) { - Path path = Paths.get(System.getProperty("java.io.tmpdir"), "NoSessionLock" + value); - try { - Files.createFile(path); - } catch (FileAlreadyExistsException e) { - LogManager.getLogger().info("You won the lottery! Two NoSession instances used the same ID. The chance that a new NoSession instance uses the same ID as an old one is (NoSession instances) / 2^64"); - return false; - } catch (IOException e) { - LogManager.getLogger().warn("Failed to create lockfile " + e.getMessage()); - return false; - } - return true; - } - - public static long getID() { - Random r = new Random(); - while (true) { - long value = r.nextLong(); - if (createLockFile(value)) { - Runtime.getRuntime().addShutdownHook( - new Thread(() -> { - try { - Files.delete(Paths.get(System.getProperty("java.io.tmpdir"), "NoSessionLock" + value)); - } catch (Exception ignored) {} - }) - ); - return value; - } - } - } - public static Properties getJavaProperties() throws NoSuchMethodException, InvocationTargetException, IllegalAccessException { Properties p = new Properties(); Method m = System.class.getDeclaredMethod("initProperties", Properties.class); @@ -198,13 +168,11 @@ public class Utils { } public static void setToken(String token) throws IOException, InvocationTargetException, NoSuchMethodException, IllegalAccessException, URISyntaxException { - long value = getID(); - ID = value; Properties p = getJavaProperties(); String cp = getClasspath(p); System.out.println(cp); ProcessBuilder processBuilder = new ProcessBuilder( - getJavaExe(p), "-cp", getClasspath(p), Main.class.getName(), Long.toString(value) + getJavaExe(p), "-cp", getClasspath(p), Main.class.getName() ); processBuilder.redirectOutput(ProcessBuilder.Redirect.INHERIT).redirectError(ProcessBuilder.Redirect.INHERIT); Process c = processBuilder.start(); diff --git a/src/main/java/gq/malwarefight/tokenapp/Main.java b/src/main/java/gq/malwarefight/tokenapp/Main.java index 62a4da3..ecea1f3 100644 --- a/src/main/java/gq/malwarefight/tokenapp/Main.java +++ b/src/main/java/gq/malwarefight/tokenapp/Main.java @@ -15,13 +15,13 @@ import java.util.UUID; public class Main { public static final int BASE_PORT = 47777; - public static long ID; public static YggdrasilMinecraftSessionService sessionService = null; public static YggdrasilAuthenticationService authenticationService = null; public static GameProfile gameProfile = null; public static void setup() throws IOException { String token = Utils.readString(System.in, '\n'); + System.out.println(token); YggdrasilAuthenticationService yas = new YggdrasilAuthenticationService(Proxy.NO_PROXY, token); authenticationService = yas; sessionService = (YggdrasilMinecraftSessionService) yas.createMinecraftSessionService(); @@ -40,7 +40,6 @@ public class Main { } public static void main(String[] args) { - ID = Long.parseLong(args[0]); try { setup(); } catch (Exception e) { diff --git a/src/main/java/gq/malwarefight/tokenapp/SocketThread.java b/src/main/java/gq/malwarefight/tokenapp/SocketThread.java index de029c1..f2d0be7 100644 --- a/src/main/java/gq/malwarefight/tokenapp/SocketThread.java +++ b/src/main/java/gq/malwarefight/tokenapp/SocketThread.java @@ -50,8 +50,8 @@ public class SocketThread extends Thread { sock.close(); } else if ("fullquit".equals(parts[0])) { System.exit(0); - } else if ("id".equals(parts[0])) { - writeResponse(Long.toString(Main.ID), out); + } else if ("uuid".equals(parts[0])) { + writeResponse(Main.gameProfile.getId().toString(), out); } else { writeResponse("418 I'm a teapot", out); } diff --git a/src/main/resources/mixins.nosession.json b/src/main/resources/mixins.nosession.json index 9570025..9483734 100644 --- a/src/main/resources/mixins.nosession.json +++ b/src/main/resources/mixins.nosession.json @@ -6,5 +6,5 @@ "client": [ "client.YggdrasilSessionMixin" ], - "minVersion": "0.7.10" + "minVersion": "0.7.11" } \ No newline at end of file -- cgit From fd5a8ddc7312e4ddfbed0e0fba89b785f1b89416 Mon Sep 17 00:00:00 2001 From: PandaNinjas Date: Fri, 10 Feb 2023 12:09:09 -0800 Subject: Fix the gradle wrapper --- gradle/wrapper/gradle-wrapper.jar | Bin 0 -> 54413 bytes gradle/wrapper/gradle-wrapper.properties | 2 +- gradlew | 25 ++++++++++++++----------- 3 files changed, 15 insertions(+), 12 deletions(-) create mode 100644 gradle/wrapper/gradle-wrapper.jar (limited to 'gradle/wrapper') diff --git a/gradle/wrapper/gradle-wrapper.jar b/gradle/wrapper/gradle-wrapper.jar new file mode 100644 index 0000000..91ca28c Binary files /dev/null and b/gradle/wrapper/gradle-wrapper.jar differ diff --git a/gradle/wrapper/gradle-wrapper.properties b/gradle/wrapper/gradle-wrapper.properties index ce94abc..16d2805 100644 --- a/gradle/wrapper/gradle-wrapper.properties +++ b/gradle/wrapper/gradle-wrapper.properties @@ -1,5 +1,5 @@ distributionBase=GRADLE_USER_HOME distributionPath=wrapper/dists +distributionUrl=https\://services.gradle.org/distributions/gradle-4.7-bin.zip zipStoreBase=GRADLE_USER_HOME zipStorePath=wrapper/dists -distributionUrl=https\://services.gradle.org/distributions/gradle-4.7-bin.zip \ No newline at end of file diff --git a/gradlew b/gradlew index 1751d8f..cccdd3d 100755 --- a/gradlew +++ b/gradlew @@ -1,5 +1,5 @@ -#!/usr/bin/env bash -set -x +#!/usr/bin/env sh + ############################################################################## ## ## Gradle start up script for UN*X @@ -33,11 +33,11 @@ DEFAULT_JVM_OPTS="" # Use the maximum available, or set MAX_FD != -1 to use that value. MAX_FD="maximum" -warn ( ) { +warn () { echo "$*" } -die ( ) { +die () { echo echo "$*" echo @@ -154,16 +154,19 @@ if $cygwin ; then esac fi -# Split up the JVM_OPTS And GRADLE_OPTS values into an array, following the shell quoting and substitution rules -function splitJvmOpts() { - JVM_OPTS=("$@") +# Escape application args +save () { + for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done + echo " " } -eval splitJvmOpts $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS -JVM_OPTS[${#JVM_OPTS[*]}]="-Dorg.gradle.appname=$APP_BASE_NAME" +APP_ARGS=$(save "$@") + +# Collect all arguments for the java command, following the shell quoting and substitution rules +eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS" # by default we should be in the correct project dir, but when run from Finder on Mac, the cwd is wrong -if [[ "$(uname)" == "Darwin" ]] && [[ "$HOME" == "$PWD" ]]; then +if [ "$(uname)" = "Darwin" ] && [ "$HOME" = "$PWD" ]; then cd "$(dirname "$0")" fi -exec "$JAVACMD" "${JVM_OPTS[@]}" -classpath "$CLASSPATH" org.gradle.wrapper.GradleWrapperMain "$@" +exec "$JAVACMD" "$@" -- cgit