@xkef
Last active November 5, 2023 03:22
catalina spctl

codesign

Sign an unsigned package yourself (carefully debug it first with Ghidra, VirusTotal, etc. ;)

sudo codesign --force --deep --sign - /Applications/Foobar.app

Example: Studio One crack

This is the postinstall script from the .pkg package:

#!/bin/sh
sudo chmod -R 777 /Applications/Studio\ One\ 4.app 
sudo codesign -fs - /Applications/Studio\ One\ 4.app

# homecalling
sudo -- sh -c -e "echo '127.0.0.1 updates.presonus.com' >> /etc/hosts";
sudo -- sh -c -e "echo '127.0.0.1 registration.presonus.com' >> /etc/hosts";
sudo -- sh -c -e "echo '127.0.0.1 api.presonus.com' >> /etc/hosts";
sleep 3
sudo spctl --master-disable
exit 0

Example: Russian group TNT

#!/bin/bash
printf '\e[1;40;92m'
clear
printf "All TNT releases are provided\n\tfree of charge for educational and uncommercial reasons.\n"
printf "Все релизы TNT предоставляются\n\tбезвозмездно для образовательных и некоммерческих целей.\n"
echo ""
echo "Press ENTER if you agree or close this window!"
echo "Нажмите ENTER, если вы согласны, или закройте окно!"
read ok
echo "Please wait..."
echo "Пожалуйста, подождите..."
echo ""
DMG=$(dirname "$0")
DIR=/tmp/tnt$RANDOM
rm -rf $DIR
mkdir -p $DIR
cp "$DMG/Manual install"/*.dmg $DIR
xattr -r -d com.apple.quarantine $DIR/*.dmg  &>/dev/null
#if [ $? -ne 0 ]; then
# echo "Failed to add a Gatekeep exception, please try manual installation!"
# echo "Ошибка добавления исключения Gatekeep, установите программу вручную!"
# printf '\e[39m'
# exit 1
#fi
mkdir -p $DIR/mount
hdiutil attach -owners on -quiet -noverify -mountpoint $DIR/mount $DIR/*.dmg -shadow $DIR/shadow
find $DIR/mount -maxdepth 1 \! -type l \! -path $DIR/mount -exec xattr -r -d com.apple.quarantine {} \; &>/dev/null
echo ""
echo "If the application fails to open wait a bit and try again!"
echo "Если программа не открывается, подождите немного и попробуйте снова!"
echo ""
echo "Have a nice day/night!"
echo "Приятного дня/вечера!"
(sleep 5 && hdiutil detach -force "$DMG") &
printf '\e[39m'
exit 0
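
A static triage check for the behaviours both scripts above rely on (Gatekeeper disabled, quarantine attribute stripped, ad-hoc re-signing, world-writable bundle, hosts-file edits, unverified disk-image mounts), as an added example that is not part of the gist. The rule names and the sample script are constructed for illustration, and a hit is an indicator for review rather than proof of malice.

```python
import re

# (rule id, why a reviewer should care, pattern matched against one script line)
RULES = [
    ("gatekeeper-disabled", "turns Gatekeeper assessment off system-wide",
     re.compile(r"\bspctl\b.*--(?:master|global)-disable\b")),
    ("quarantine-stripped", "removes the attribute that triggers Gatekeeper checks",
     re.compile(r"\bxattr\b.*-\w*d\w*\s+com\.apple\.quarantine")),
    ("adhoc-resign", "replaces the vendor signature with an ad-hoc one",
     re.compile(r"\bcodesign\b.*(?:\s-\w*s|\s--sign)\s+-(?:\s|$)")),
    ("world-writable-bundle", "makes an installed bundle writable by any user",
     re.compile(r"\bchmod\b.*\s-R\s+0?777\b")),
    ("hosts-redirect", "rewrites name resolution for the whole machine",
     re.compile(r"(?:>>?\s*|\btee\b.*\s)/etc/hosts\b")),
    ("dmg-unverified", "mounts a disk image without checksum verification",
     re.compile(r"\bhdiutil\b.*\battach\b.*\s-noverify\b")),
]


def scan(script_text):
    """Return [(line_number, rule_id)] for every non-comment line that matches."""
    hits = []
    for number, line in enumerate(script_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):  # skip the shebang and comment lines
            continue
        hits += [(number, rule_id) for rule_id, _, rx in RULES if rx.search(line)]
    return hits


# Constructed sample installer script; app name and hostname are placeholders.
SAMPLE = """#!/bin/sh
chmod -R 777 "/Applications/Example App.app"
codesign -fs - "/Applications/Example App.app"
sh -c "echo '127.0.0.1 updates.vendor.example' >> /etc/hosts"
xattr -r -d com.apple.quarantine /tmp/stage/*.dmg
# spctl --master-disable   (commented out, so not reported)
spctl --master-disable
codesign --verify --deep --strict "/Applications/Example App.app"
"""

if __name__ == "__main__":
    why = {rule_id: reason for rule_id, reason, _ in RULES}
    for number, rule_id in scan(SAMPLE):
        print(f"line {number}: {rule_id}: {why[rule_id]}")
```

Run it against the scripts extracted from a package before installing; the signature verification on the last sample line is deliberately not flagged.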

xkef commented Mar 22, 2020

vcuijyhr@sharklasers.com
March 22, 2020
Your comment is awaiting moderation.

keygen probably trojan:

https://www.virustotal.com/gui/file/6773a1d28cc64ef2e4563fdfc4438de32cb6f5b229faaa71498a39dd8261f2c1/community

https://imgur.com/H8morWs.png

xkef commented Mar 24, 2020

iZotope Neutron Patch using regex; works for all plugins

sudo perl -pi \
    -e 's|\x00\x55\x48\x89\xE5\x48\x8B\xBF\x18\x05\x00\x00\x48\x8B\x35|\x00\x31\xC0\xFF\xC0\xC3\x8B\xBF\x18\x05\x00\x00\x48\x8B\x35|g' \
    /Library/Audio/Plug-Ins/Components/iZNeutron3AUHook.component/Contents/Resources/iZNeutron3.bundle/Contents/MacOS/iZNeutron3

sudo perl -pi \
    -e 's|\xC3\x55\x48\x89\xE5\x48\x8B\xBF\x18\x05\x00\x00\x48\x8B\x35|\xC3\xB8\x05\x00\x00\x00\xC3\xBF\x18\x05\x00\x00\x48\x8B\x35|g' \
    /Library/Audio/Plug-Ins/Components/iZNeutron3AUHook.component/Contents/Resources/iZNeutron3.bundle/Contents/MacOS/iZNeutron3

sudo codesign -fs - \
    /Library/Audio/Plug-Ins/Components/iZNeutron3AUHook.component/Contents/Resources/iZNeutron3.bundle/Contents/MacOS/iZNeutron3
