| 6 May 2025 |
 Corngood | #define EMBED_HASH_HI_PART_UTF8 "c3ab8ff13720e8ad9047dd39466b3c89" // SHA-256 of "foobar" in UTF-8
#define EMBED_HASH_LO_PART_UTF8 "74e592c2fa383d4a3960714caef0c4f2"
#define EMBED_HASH_FULL_UTF8 (EMBED_HASH_HI_PART_UTF8 EMBED_HASH_LO_PART_UTF8) // NUL terminated
bool is_exe_enabled_for_execution(pal::string_t* app_dll)
{
constexpr int EMBED_SZ = sizeof(EMBED_HASH_FULL_UTF8) / sizeof(EMBED_HASH_FULL_UTF8[0]);
constexpr int EMBED_MAX = (EMBED_SZ > 1025 ? EMBED_SZ : 1025); // 1024 DLL name length, 1 NUL
// Contains the EMBED_HASH_FULL_UTF8 value at compile time or the managed DLL name replaced by "dotnet build".
// Must not be 'const' because std::string(&embed[0]) below would bind to a const string ctor plus length
// where length is determined at compile time (=64) instead of the actual length of the string at runtime.
static char embed[EMBED_MAX] = EMBED_HASH_FULL_UTF8; // series of NULs followed by embed hash string
static const char hi_part[] = EMBED_HASH_HI_PART_UTF8;
static const char lo_part[] = EMBED_HASH_LO_PART_UTF8;
| 13:46:56 |
 GGG | isn't that replaced though | 13:48:11 |
| Corngood | binwalk doesn't work for me for a trivial apphost build dotnet new console, because the only thing changed in the apphost is the dll name (above). it might work for singlefilehost, where the managed stuff is appended | 13:48:41 |
| GGG | hm | 13:49:21 |
| Corngood | it is, but the hi_part and low_part are kept so it can verify that the replacement has happened | 13:49:23 |
| GGG | I wonder what's the likelyhood of c3ab8ff13720e8ad9047dd39466b3c8974e592c2fa383d4a3960714caef0c4f2 appearing in a normal binary | 13:49:39 |
| GGG | maybe as a set of bytes it could happen, but as a sequence of ASCII characters I'm not sure | 13:49:51 |
| Corngood | I think that would depend on where it came from. Maybe I can track that down. | 13:50:32 |
| Corngood | If it's guid-ish then ~0 | 13:50:46 |
| GGG | I'm doing a simple preliminary test by doing grep -sRl 'c3ab8ff13720e8ad9047dd39466b3c89' /nix/store | 13:50:55 |
| GGG | it seems like they just SHA-256'd "foobar" | 13:51:13 |
| GGG | according to the comment on the code you posted | 13:51:19 |
| Corngood | oh, lol. that was stupid of them | 13:51:29 |
| Corngood | it's probably fine, but they could have easily avoided the possibility of someone else doing the same thing | 13:51:59 |
| Corngood | still, they were only concerned about their codebase and dependencies | 13:52:28 |
| Corngood | we don't need to differentiate already-patched or source-built binaries, do we? | 13:53:39 |
| GGG | no, this was only so I could make a hook to do the patching we do for pre-built .NET apps | 13:54:13 |
| GGG | that adds the whole ICU, Kerberos, OpenSSL and etc. deps | 13:54:25 |
| Corngood | But I mean we're not mixing other stuff in the same outputs that are being patched? | 13:56:10 |
| GGG | even if we do, there shouldn't be any harm I think | 13:56:36 |
| Corngood | I'm just thinking about if we make a general hook for doing this. We might want to warn against using it on already patched things.
Like you said it probably wouldn't break anything. Patched runtime would still explicitly load libs from /nix/store. | 13:57:17 |
| GGG | yeah, looking at the actual effects of it, it'd only add a few unnecessary RPATH and needed entries | 13:57:53 |
| GGG | but it wouldn't result in anything more in the nix store nor unnecessary packages being pulled in | 13:58:07 |
| GGG | if it's a framework-dependent apphost, then the runtime in the nix store should already work, so perhaps we only need to identify self-contained apphosts? | 13:58:58 |
| Corngood | Other than apphost and singlefilehost, is there anything else we need to worry about? Do they ship AOT things? | 13:59:13 |
| Corngood |
self-contained apphosts
This would be singlefilehost I believe. Let me see what one of those looks like after build.
| 14:00:07 |
| GGG | AOT would indeed be an issue we need to worry about as well, I don't know how the AOT binaries are built, I'd need to check to see if they have ICU among the needed libraries | 14:00:06 |
| Corngood | I sort of doubt they would have that magic foobar hash in them. | 14:00:35 |
| GGG | let me check with patchcil | 14:01:01 |
| GGG | it's the only AOT program we have in nixpkgs afaik | 14:01:09 |
