Comment by Wowfunhappy 2 days ago

> Which underlying proxy is Aqua Proxy built on?

Aqua Proxy's source code is here: https://github.com/Wowfunhappy/AquaProxy/tree/master. It mostly leverages the Go standard library.

One thing I really like is that it won't MITM any requests that use TLS 1.3 or HTTP/2. Since Mavericks doesn't support these protocols natively, the proxy knows this traffic must be coming from a relatively modern app that ships its own TLS implementation and doesn't need any help.

> Can you touch on how some of these patches were made/backported from and to closed-source binaries?

The Mail plugin just disables a feature via Objective-C swizzling. Swizzling is fun: you can replace any method in any app with your own version. I usually use class-dump to get a list of methods in the original app, read the method names to guess at what each one does, and try the ones that look promising. More recently I've begun using Hopper (a proper decompiler/disassembler) more heavily, particularly because Claude is very good at reading both assembly and decompiler babble and can direct me.

The font patch is just a hex edit. To quote the readme:

>> The patch removes the `fnt_adjust` TrueType instruction from Apple's font rendering code. This instruction has not been used by legitimate fonts since the 90s. After CVE-2023-41990 was published, Apple responded by removing this instruction from modern macOS. This patch merely does the same on Mavericks.

The patched library replaces the vulnerable instruction with a no-op.
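The "don't MITM TLS 1.3 or HTTP/2 clients" rule described in the comment, as an added example that is not AquaProxy's own code (Python rather than Go, for brevity): it parses the ClientHello's supported_versions and ALPN extensions, and uses the ssl module's MemoryBIO pair to produce real ClientHellos offline for testing. The function names and the `example.test` hostname are assumptions of this example.

```python
import ssl

# Pop a big-endian length-prefixed vector (width-byte length) at pos.
def _vec(buf, pos, width):
    if pos + width > len(buf):
        raise ValueError("truncated ClientHello")
    n = int.from_bytes(buf[pos:pos + width], "big")
    pos += width
    if pos + n > len(buf):
        raise ValueError("truncated ClientHello")
    return buf[pos:pos + n], pos + n

def client_hello_facts(rec):
    """Parse a raw TLS record carrying a ClientHello; see comments for the two signals."""
    if len(rec) < 43 or rec[0] != 0x16 or rec[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    pos = 43  # record hdr (5) + handshake hdr (4) + legacy version (2) + random (32)
    for width in (1, 2, 1):  # session_id, cipher_suites, compression_methods
        _, pos = _vec(rec, pos, width)
    exts, _ = _vec(rec, pos, 2)
    facts, pos = {"tls13": False, "h2": False}, 0
    while pos + 4 <= len(exts):
        ext_type = int.from_bytes(exts[pos:pos + 2], "big")
        data, pos = _vec(exts, pos + 2, 2)
        if ext_type == 43:  # supported_versions (RFC 8446 4.2.1): 1-byte len, 2-byte versions
            versions, _ = _vec(data, 0, 1)
            facts["tls13"] |= any(versions[i:i + 2] == b"\x03\x04" for i in range(0, len(versions), 2))
        elif ext_type == 16:  # ALPN (RFC 7301): 2-byte list len, then 1-byte-prefixed names
            names, p = _vec(data, 0, 2)[0], 0
            while p < len(names):
                name, p = _vec(names, p, 1)
                facts["h2"] |= name == b"h2"
    # The comment's rule: a client already offering TLS 1.3 or HTTP/2 cannot be
    # native Mavericks, so leave its TLS alone instead of intercepting it.
    facts["passthrough"] = facts["tls13"] or facts["h2"]
    return facts

def capture_client_hello(max_version=ssl.TLSVersion.MAXIMUM_SUPPORTED, alpn=None):
    """Run the ssl module against MemoryBIOs to obtain a real ClientHello, offline."""
    ctx = ssl.create_default_context()
    ctx.maximum_version = max_version
    if alpn:
        ctx.set_alpn_protocols(alpn)
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname="example.test")
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # ClientHello is now in `outgoing`; the client is waiting for a ServerHello
    return outgoing.read()
```

A TLS 1.2-only hello with no ALPN (what a native Mavericks client would send) yields `passthrough: False`, while the default modern hello yields `True`; a truncated record raises rather than being silently classified.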