OSX-KVM - March 2021 - Batch Update 1

Changes:

- Upgrade to OpenCore 0.6.7-RELEASE

- Big Sur image building script updates (Nick)
  - See https://github.com/kholia/OSX-KVM/pull/169 for details.

- Removed history to reduce repository size

resources/.synergy.conf

@@ -0,0 +1,12 @@
+# Run "synergys" on Linux host
+
+section: screens
+        uber:
+        mac:
+end
+section: links
+        uber:
+                right = mac
+        mac:
+                left = uber
+end

resources/README.md

@@ -0,0 +1,8 @@
+Use `idadif.py` to apply the `kernel.dif` patch to the macOS `kernel` binary.
+
+
+```
+$ sha256sum kernel*
+be90edb9653be25e1747cefc1ec9fd452b90dd917ba9eb391a76f260f84cd9f0  kernel <-- patched 10.15.4 kernel
+ac2fc51e53519a3147359e2b25dd8aa6b1fa79d41f92091cc058b2aab7e901d6  kernel.bak <-- original 10.15.4 kernel
+```

resources/idadif.py

@@ -0,0 +1,47 @@
+#!/usr/bin/env python
+
+# Small IDA .dif patcher - https://stalkr.net/files/ida/idadif.py
+
+import re
+from sys import argv,exit
+
+def patch(file, dif, revert=False):
+	code = open(file,'rb').read()
+	dif = open(dif,'r').read()
+	m = re.findall('([0-9a-fA-F]+): ([0-9a-fA-F]+) ([0-9a-fA-F]+)', dif)
+	for offset,orig,new in m:
+		o, orig, new = int(offset,16), orig.decode('hex'), new.decode('hex')
+		if revert:
+			if code[o]==new:
+				code = code[:o]+orig+code[o+1:]
+			else:
+				raise Exception("patched byte at %s is not %02X" % (offset, ord(new)))
+		else:
+			if code[o]==orig:
+				code = code[:o]+new+code[o+1:]
+			else:
+				raise Exception("original byte at %s is not %02X" % (offset, ord(orig)))
+	open(file,'wb').write(code)
+
+def main():
+	if len(argv)<3:
+		print("Usage: %s <binary> <IDA.dif file> [revert]" % (argv[0]))
+		print("Applies given IDA .dif file to patch binary; use revert to revert patch.")
+		exit(0)
+
+	file, dif, revert = argv[1], argv[2], False
+	if len(argv)>3:
+		revert = True
+		print("Reverting patch %r on file %r" % (dif, file))
+	else:
+		print("Patching file %r with %r" % (file, dif))
+
+	try:
+		patch(file, dif, revert)
+		print("Done")
+	except Exception as e:
+		print("Error: %s" % str(e))
+		exit(1)
+
+if __name__ == "__main__":
+	main()

resources/kernel.dif

@@ -0,0 +1,8 @@
+This difference file was created by IDA
+
+kernel
+0000000000787C73: E8 90
+0000000000787C74: 78 90
+0000000000787C75: E8 90
+0000000000787C76: AA 90
+0000000000787C77: FF 90

resources/kernel_autopatcher.py

@@ -0,0 +1,95 @@
+#!/usr/bin/env python
+#
+# NOTE -> https://github.com/kholia/OSX-KVM/blob/master/reversing-notes.md
+#
+# https://github.com/radareorg/radare2-r2pipe/blob/master/python/examples/libgraph.py
+# https://github.com/radareorg/radare2-r2pipe/tree/master/python
+#
+# https://www.hex-rays.com/wp-content/uploads/2019/12/xnu_debugger_primer.pdf
+# https://geosn0w.github.io/Debugging-macOS-Kernel-For-Fun/
+#
+# sudo apt-get install radare2  # Ubuntu 20.04 LTS
+# pip install r2pipe
+#
+# This software is Copyright (c) 2020, Dhiru Kholia. This program is provided
+# for educational, research, and non-commercial personal use only.
+# !!! ATTENTION !!! Any commercial usage against the Apple EULA is at your own
+# risk!
+#
+# Note: Commercial usage and redistribution is forbidden (not allowed).
+#
+# THIS SOFTWARE IS PROVIDED BY <COPYRIGHT HOLDER> 'AS IS' AND ANY EXPRESS OR
+# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
+# EVENT SHALL <COPYRIGHT HOLDER> BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA,
+# OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+# LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+# NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
+# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+# $ ./kernel_autopatcher.py kernel
+# [+] Processing <kernel> file...
+# [+] Patching done!
+#
+# (Re)Tested against the default "kernel" from macOS Catalina 10.15.7 in
+# October, 2020.
+#
+# Note: Disable SIP on the macOS VM (We do it via OpenCore's config.plist)
+# `00000000` - SIP completely enabled
+# `30000000` - Allow unsigned kexts and writing to protected fs locations
+# `67000000` - SIP completely disabled
+#
+# Note: sudo mount -uw /
+#
+# Kernel location (Catalina): /System/Library/Kernels/kernel
+#
+# $ md5sum kernel*
+# 3966d407c344708d599500c60c1194c0  kernel
+# 8530d3422795652ed320293ecc127770  kernel.patched
+#
+# Test command -> sudo /usr/bin/AssetCacheManagerUtil activate
+
+import r2pipe
+
+import sys
+import os
+
+
+def patcher(fname):
+    target_symbol = "sym._cpuid_get_feature_names"
+
+    # analysis code
+    # r2 = r2pipe.open(fname, ["-2"])  # -2 -> disable stderr messages
+    r2 = r2pipe.open(fname, ["-2", "-w"])  # -2 -> disable stderr messages
+    print("[+] Processing <%s> file..." % fname)
+    r2.cmd('aa')
+    # print(r2.cmd("pdf @ sym._cpuid_get_feature_names"))
+    result = r2.cmdj("axtj %s" % target_symbol)
+    if not result:
+        print("[!] Can't find xrefs to <%s>. Aborting!" % target_symbol)
+        sys.exit(2)
+    # print(result)
+    r2.cmd("s `axt sym._cpuid_get_feature_names~[1]`")  # jump to the function call site
+    result = r2.cmdj("pdj 1")
+    if not result:
+        print("[!] Can't disassemble instruction at function call site. Aborting!")
+        sys.exit(3)
+    opcode_size = result[0]["size"]
+    assert (opcode_size == 5)  # sanity check, call sym._cpuid_get_feature_name -> 5 bytes
+
+    # patching code
+    # > pa nop
+    r2.cmd("\"wa nop;nop;nop;nop;nop\"")
+    r2.quit()
+    print("[+] Patching done!")
+
+
+if __name__ == "__main__":
+    if len(sys.argv) > 1:
+        path = sys.argv[1]
+        patcher(path)
+    else:
+        print("Usage: %s [path-to-kernel-file]" % (sys.argv[0]))
+        sys.exit(1)