From 0d181ad1f3600f4007a843ddbac409f51e444a1a Mon Sep 17 00:00:00 2001
From: Samuel Keeley
Date: Wed, 2 Aug 2017 16:43:09 -0700
Subject: [PATCH 1/2] update macdestroyer to work with high sierra and recovery key

---
 macdestroyer/postinstall | 24 +++++++++++++++++++++++-
 1 file changed, 23 insertions(+), 1 deletion(-)
 mode change 100644 => 100755 macdestroyer/postinstall

diff --git a/macdestroyer/postinstall b/macdestroyer/postinstall
old mode 100644
new mode 100755
index 66947ba..8c6a39e
--- a/macdestroyer/postinstall
+++ b/macdestroyer/postinstall
@@ -32,6 +32,9 @@ LOCK_USER_SHELL=/usr/bin/false
 LOCK_USER_GROUP=20
 LOCK_USER_IMAGE="/Library/User Pictures/jolly-roger.jpg"
 
+RECOVERY_KEY_FILE='/var/root/crypt_output.plist'
+RECOVERY_KEY_KEY='RecoveryKey'
+
 function check_for_root() {
   if [[ $(id -u) -ne 0 ]]; then
     echo "Not invoked as root, exiting."
@@ -53,8 +56,27 @@ function create_temp_user() {
   dscl . create /Users/${LOCK_USER_UNAME} Hint "${LOCK_USER_HINT}"
 }
 
+function get_recovery_key() {
+  local recovery_key=`/usr/bin/defaults read ${RECOVERY_KEY_FILE} ${RECOVERY_KEY_KEY}`
+  echo $recovery_key
+}
+
 function add_user_to_filevault() {
-  fdeadduser ${LOCK_USER_UNAME} ${LOCK_USER_PASSW}
+  if [[ ${OSTYPE:6} -ge 17 ]]; then
+    # At least 10.13, fdeadduser doesn't work anymore, so we need a recovery key.
+    local RECOVERY_KEY=get_recovery_key
+    /usr/bin/expect -c "
+    log_user 0
+    spawn fdesetup add -usertoadd ${LOCK_USER_UNAME}
+    expect \"or the recovery key:\"
+    send ${RECOVERY_KEY}\r
+    expect \"Enter the password for the added user '${LOCK_USER_UNAME}':\"
+    send ${LOCK_USER_PASSW}\r
+    log_user 1
+    expect eof"
+  else
+    fdeadduser ${LOCK_USER_UNAME} ${LOCK_USER_PASSW}
+  fi
 }
 
 function remove_old_filevault_users() {

From 9f756eebb1fdaf6c06d7ea11a7141687d3f1b283 Mon Sep 17 00:00:00 2001
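Review bot: The `/usr/bin/expect -c "…"` call added to add_user_to_filevault puts the FileVault recovery key and LOCK_USER_PASSW into expect's argument list, where `ps` shows them to every local user for as long as fdesetup runs; feed the script to expect on stdin and let it read the secrets from its environment with `$env(...)` instead. Quoting `send "$env(RECOVERY_KEY)\r"` also keeps a value containing whitespace or Tcl metacharacters as one word, which the unquoted `send ${RECOVERY_KEY}\r` does not. Separately, `local RECOVERY_KEY=get_recovery_key` stores the function name rather than its output, so the key sent is the literal word get_recovery_key; it needs a command substitution. The `fdeadduser` fallback branch and the surrounding `else`/`fi` are unchanged.
```shell
    local RECOVERY_KEY
    RECOVERY_KEY=$(get_recovery_key)
    # Secrets go through the environment, not argv: a key or password interpolated
    # into 'expect -c "..."' is visible in the process list while fdesetup runs.
    RECOVERY_KEY="${RECOVERY_KEY}" LOCK_USER_PASSW="${LOCK_USER_PASSW}" \
      LOCK_USER_UNAME="${LOCK_USER_UNAME}" /usr/bin/expect <<'EOF'
log_user 0
spawn fdesetup add -usertoadd $env(LOCK_USER_UNAME)
expect "or the recovery key:"
send "$env(RECOVERY_KEY)\r"
expect "Enter the password for the added user '$env(LOCK_USER_UNAME)':"
send "$env(LOCK_USER_PASSW)\r"
log_user 1
expect eof
EOF
    # … unchanged: else branch with fdeadduser, fi …
```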
From: Samuel Keeley
Date: Tue, 8 Aug 2017 09:41:38 -0500
Subject: [PATCH 2/2] check for recovery key, apfs, sip, etc.

---
 macdestroyer/postinstall | 83 ++++++++++++++++++++++++++++++----------
 1 file changed, 62 insertions(+), 21 deletions(-)

diff --git a/macdestroyer/postinstall b/macdestroyer/postinstall
index 8c6a39e..652dcd3 100755
--- a/macdestroyer/postinstall
+++ b/macdestroyer/postinstall
@@ -20,14 +20,12 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-PATH="/usr/bin:/bin:/sbin:/usr/local/bin"
-
-CURRENT_FV_USERS=$(fdesetup list 2>&1 | cut -d ',' -f 1)
+PATH='/usr/bin:/bin:/sbin:/usr/local/bin'
 
 LOCK_USER_UNAME=fde_locked_user
 LOCK_USER_PASSW=$(openssl rand -base64 32)
-LOCK_USER_NAME="Machine Disabled"
-LOCK_USER_HINT="Machine Disabled"
+LOCK_USER_NAME='Machine Disabled'
+LOCK_USER_HINT='Machine Disabled'
 LOCK_USER_SHELL=/usr/bin/false
 LOCK_USER_GROUP=20
 LOCK_USER_IMAGE="/Library/User Pictures/jolly-roger.jpg"
@@ -35,6 +33,12 @@ LOCK_USER_IMAGE="/Library/User Pictures/jolly-roger.jpg"
 RECOVERY_KEY_FILE='/var/root/crypt_output.plist'
 RECOVERY_KEY_KEY='RecoveryKey'
 
+
+function current_fv_users() {
+  local USERS=`fdesetup list 2>&1 | cut -d ',' -f 1`
+  echo $USERS
+}
+
 function check_for_root() {
   if [[ $(id -u) -ne 0 ]]; then
     echo "Not invoked as root, exiting."
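Review bot: In the new current_fv_users, `fdesetup list 2>&1` folds any diagnostic fdesetup prints on stderr into the returned list, and remove_old_filevault_users later hands each of those words to `fdesetup remove -user`; discarding stderr instead leaves the list empty on error, which the caller handles harmlessly. `echo $USERS` is also unquoted, so the list is word-split and glob-expanded once here and again in the caller's `for USER in`. A safer body is `local USERS`, `USERS=$(fdesetup list 2>/dev/null | cut -d ',' -f 1)`, `printf '%s\n' "$USERS"`. Moving the old top-level CURRENT_FV_USERS into a function is the right call, since the list must be re-read after the lock user has been added.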
@@ -58,30 +62,56 @@ function create_temp_user() {
 
 function get_recovery_key() {
   local recovery_key=`/usr/bin/defaults read ${RECOVERY_KEY_FILE} ${RECOVERY_KEY_KEY}`
-  echo $recovery_key
+  if [[ $? == 0 ]]; then
+    echo $recovery_key
+  else
+    echo 'unknown'
+  fi
+}
+
+function apfs_check() {
+  diskutil info / | grep 'Type (Bundle):' | grep -q 'apfs'
+  echo $?
 }
 
 function add_user_to_filevault() {
-  if [[ ${OSTYPE:6} -ge 17 ]]; then
+  if [[ afps_check -eq 0 ]]; then
     # At least 10.13, fdeadduser doesn't work anymore, so we need a recovery key.
-    local RECOVERY_KEY=get_recovery_key
-    /usr/bin/expect -c "
-    log_user 0
-    spawn fdesetup add -usertoadd ${LOCK_USER_UNAME}
-    expect \"or the recovery key:\"
-    send ${RECOVERY_KEY}\r
-    expect \"Enter the password for the added user '${LOCK_USER_UNAME}':\"
-    send ${LOCK_USER_PASSW}\r
-    log_user 1
-    expect eof"
+    local RECOVERY_KEY=`get_recovery_key`
+    echo $RECOVERY_KEY
+    if [ "${RECOVERY_KEY}" = 'unknown' ]; then
+      /usr/bin/expect -c "
+      log_user 0
+      spawn fdesetup add -usertoadd ${LOCK_USER_UNAME}
+      expect \"or the recovery key:\"
+      send ${RECOVERY_KEY}\r
+      expect \"Enter the password for the added user '${LOCK_USER_UNAME}':\"
+      send ${LOCK_USER_PASSW}\r
+      log_user 1
+      expect eof"
+    fi
   else
     fdeadduser ${LOCK_USER_UNAME} ${LOCK_USER_PASSW}
   fi
+
+  # check if that actually worked
+  for USER in `current_fv_users`; do
+    echo $USER
+    if [[ ${USER} == ${LOCK_USER_UNAME} ]]; then
+      USER_ADDED=1
+    fi
+  done
+  if [[ $USER_ADDED -ne 1 ]]; then
+    USER_ADD_FAILURE=1
+  fi
 }
 
 function remove_old_filevault_users() {
-  for USER in ${CURRENT_FV_USERS}; do
-    fdesetup remove -user ${USER}
+  for USER in `current_fv_users`; do
+    # on APFS volumes this returns '(null)' for a PRK
+    if [[ ${USER} != '(null)' && ${USER} != ${LOCK_USER_UNAME}} ]]; then
+      fdesetup remove -user ${USER}
+    fi
   done
 }
 
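Review bot: `if [[ afps_check -eq 0 ]]` in add_user_to_filevault never calls the function (and misspells apfs_check): inside `[[ ]]` the `-eq` operand is evaluated arithmetically, an unset name is 0, so the APFS branch is always taken; it should read `if [[ $(apfs_check) -eq 0 ]]; then`, and the same pattern recurs in the main() hunk at the end of this patch as `[[ check_for_sip == 1 ]]`, a string comparison that is always false. The recovery-key test is also inverted — expect runs only when get_recovery_key printed the literal `unknown` and then sends that word as the key — and the `unknown` fallback can never fire anyway, because `local recovery_key=\`…\`` makes `$?` the status of `local`, not of `defaults read`. `echo $RECOVERY_KEY` writes the FileVault recovery key to the postinstall's stdout and therefore into the installer log; drop it. In remove_old_filevault_users the stray brace in `${LOCK_USER_UNAME}}` compares against `fde_locked_user}`, so the freshly added lock user is removed along with everyone else. The rewritten pieces are below; apfs_check, the expect script and the verification loop are unchanged.
```shell
function get_recovery_key() {
  local recovery_key
  # Declaration split from assignment: 'local x=$(cmd)' reports the status of
  # 'local', so the fallback below would otherwise be unreachable.
  if recovery_key=$(/usr/bin/defaults read "${RECOVERY_KEY_FILE}" "${RECOVERY_KEY_KEY}"); then
    printf '%s\n' "${recovery_key}"
  else
    printf '%s\n' 'unknown'
  fi
}

# … unchanged: apfs_check …

function add_user_to_filevault() {
  if [[ $(apfs_check) -eq 0 ]]; then
    # At least 10.13, fdeadduser doesn't work anymore, so we need a recovery key.
    local RECOVERY_KEY
    RECOVERY_KEY=$(get_recovery_key)
    # Never echo the key: this script's stdout ends up in the installer log.
    if [[ "${RECOVERY_KEY}" != 'unknown' ]]; then
      # … unchanged: expect script …
    else
      printf 'no recovery key in %s; cannot add %s\n' "${RECOVERY_KEY_FILE}" "${LOCK_USER_UNAME}" >&2
    fi
  else
    # … unchanged: fdeadduser fallback …
  fi
  # … unchanged: verification loop setting USER_ADDED / USER_ADD_FAILURE …
}

function remove_old_filevault_users() {
  for USER in $(current_fv_users); do
    # on APFS volumes this returns '(null)' for a PRK
    if [[ "${USER}" != '(null)' && "${USER}" != "${LOCK_USER_UNAME}" ]]; then
      fdesetup remove -user "${USER}"
    fi
  done
}
```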
@@ -89,15 +119,26 @@ function break_machine() {
   mv -f /sbin/launchd /sbin/launchd_disabled
 }
 
+function check_for_sip() {
+  csrutil status | grep -q 'enabled'
+  echo $?
+}
+
 function main() {
   check_for_root
   if check_for_filevault; then
     create_temp_user
     add_user_to_filevault
-    remove_old_filevault_users
+    if [[ ${USER_ADD_FAILURE} -ne 1 ]]; then
+      remove_old_filevault_users
+    else
+      if [[ check_for_sip == 1 ]]; then
+        break_machine
+      fi
+    fi
   else
-  break_machine
+    break_machine
   fi
   halt -q