How'd you arrive at these?

[tejasmanohar]

Out of curiosity, how did you get these files? Decompiled something?

[avaidyam]

I'm not @CodaFi but the answer is somewhat simple: dump the SkyLight.framework and examine the symbols. Then you can look them up in AppKit.framework disassembly and figure out what parameters are passed. Then maybe mess with them a little bit to confirm your finding. Another way is to look at the assertion strings (i.e. "parameter not satisfying ") which will tell you what the parameter is in most cases.

[tejasmanohar]

Yep! Figured out some of it through playing around more

[noah-nuebling]

Hey guys, I'm interested in the CGSEventTapCreate and CGSPostMouseEvent functions which I saw in the list of missing functions which @avaidyam kindly provided in #3.

I've looked at all the binaries in the /System/Library/PrivateFrameworks/SkyLight.framework folder, using the nm and class-dump command-line tools, but I couldn't find anything interesting. I feel like I'm not looking at the right binaries.

Do you guys have any idea what I might be doing wrong?

Thanks!

[avaidyam]

Class-dumping likely won't help as these are C functions. They have also been renamed internally from CGS* to SLS* so that may help you find them.

[noah-nuebling]

Hey @avaidyam, thanks for getting back, and for the tips!

Class-dumping likely won't help as these are C functions

That makes sense, thanks for the heads up.

I ran nm again on all binaries in the Skylight framework using
nm -ao /System/Library/PrivateFrameworks/SkyLight.framework/Versions/A/Resources/**.
It yields absolutely nothing interesting. Using the -m argument you can see that all the functions it does find are externally defined.

So my conclusion here is that either:

1. The binaries which contain the interesting Skylight functions are not located in /System/Library/PrivateFrameworks/SkyLight.framework/Versions/A/Resources/. So I'm looking in the wrong place.
   • I feel like this is quite likely. The binaries in this location have names CursorAsset, CursorAsset_base, WindowServer, WSInfo and AquaAppearanceHelper. None of them sound like they should contain the main source code for the Skylight framework.
2. The function names have been stripped from the binaries by Apple.

So my questions are:

• If you still remember - Where in the system did you find the binaries which contained the names of the CGS... or SLS...functions, and what were the binaries called?
• Out of curiosity: Do we have an idea why the old CGS... function names still work now that they've been renamed to use SL as prefix?
• If you have any other tips or ideas, or if I'm misunderstanding something, please let me know, I'm still learning.

Again, thanks!

---

Not sure how relevant this is, but I also tested the IDA Pro disassembler and compared the results against the nm command-line tool.

I tested on the binary at /System/Library/PrivateFrameworks/SkyLight.framework/Versions/A/Resources/WindowServer.

Taking a look at the Functions window in IDA Pro, it did find some extra functions which nm didn't. But they all had names that just consist of sub_ followed by random letters and numbers. Other than that the functions found by nm and IDA were identical. According to Google, these sub_ function names are generated by IDA when no function name is available in the binary.
So my conclusion was that nm should catch all function names in a binary.

[noah-nuebling]

I just found something very interesting.

There's a file which seems to contain all the Skylight function names at /Library/Developer/CommandLineTools/SDKs/MacOSX.sdk/System/Library/PrivateFrameworks/SkyLight.framework/SkyLight.tbd

Lots of new stuff in there.

[noah-nuebling]

Okay I found somewhat of a solution.

Binaries of system libraries can't be found in the file system anymore in Big Sur.
Instead you have to extract them from a cache.

• More on this plus a tutorial on extracting the library binaries in Big Sur: https://lapcatsoftware.com/articles/bigsur.html
• Where the system library cache is located: https://stackoverflow.com/q/64512628/10601702

[noah-nuebling]

Also, I just found out, in order to link some (most? / all?) of the functions prefixed with SLS (which you can find in the SkyLight.tbd file I mentioned above) you have to set the -undefined and dynamic_lookup linker flags on your project. (In that order)

It should look like this: