
add offsets for 13.3.1 (x86/arm64) + 13.5 (x86) #7

Merged
merged 1 commit into from
Dec 23, 2023

Conversation

@0xdevalias 0xdevalias commented Dec 22, 2023

This PR adds the offsets extracted from the binaries on 13.3.1 (x86/arm64) + 13.5 (x86)

⇒ file macos*
macos-13.3.1-22E261-ventura-arm64-identityservicesd: Mach-O universal binary with 2 architectures: [x86_64:Mach-O 64-bit executable x86_64] [arm64e]
macos-13.3.1-22E261-ventura-arm64-identityservicesd (for architecture x86_64):	Mach-O 64-bit executable x86_64
macos-13.3.1-22E261-ventura-arm64-identityservicesd (for architecture arm64e):	Mach-O 64-bit executable arm64e

macos-13.5-22G74-ventura-x86-identityservicesd:      Mach-O universal binary with 2 architectures: [x86_64:Mach-O 64-bit executable x86_64] [arm64e]
macos-13.5-22G74-ventura-x86-identityservicesd (for architecture x86_64):	Mach-O 64-bit executable x86_64
macos-13.5-22G74-ventura-x86-identityservicesd (for architecture arm64e):	Mach-O 64-bit executable arm64e
⇒ sha256sum  macos*
3c8357aaa1df1eb3a21d88182a1a0fca1c612a4d63592e022ca65bbf47deee35  macos-13.3.1-22E261-ventura-arm64-identityservicesd
fff8db27fef2a2b874f7bc6fb303a98e3e3b8aceb8dd4c5bfa2bad7b76ea438a  macos-13.5-22G74-ventura-x86-identityservicesd

I verified my process by first confirming I could find the same offsets that were already identified for the 14.2 binary (on both x86/arm64)

Sanity checked my found offsets by calculating the difference from NACInitAddress -> NACKeyEstablishmentAddress and NACKeyEstablishmentAddress -> NACSignAddress in the 14.2 binary (x86/arm64), and they match the differences between the offsets I calculated for the 13.3.1/13.5 binaries (x86/arm64).

@0xdevalias

I've also been working on a PoC script that is able to find the offsets automagically (at least across the 13.3.1, 13.5, 14.2 x86 binaries I have tested it against so far). I'll probably continue working on it tomorrow, and then hopefully push the code on a PoC repo; will open an issue mentioning it if I do; but so far, it seems to work well (if not a touch slower than I'd like):

13.3.1:

⇒ ./find_fat_binary_offsets.py macos-13.3.1-22E261-ventura-arm64-identityservicesd
-= Universal Binary Sections =-
Architecture 0 (x86_64):
  CPU Type: 16777223 (0x1000007)
  CPU Subtype: 3 (0x3)
  CPU Subtype Capability: 0 (0x0)
  Offset: 0x4000 (Valid Mach-O Header: Yes)
  Size: 7922416
  Align: 14
Architecture 1 (arm64e):
  CPU Type: 16777228 (0x100000c)
  CPU Subtype: 2 (0x2)
  CPU Subtype Capability: 128 (0x80)
  Offset: 0x794000 (Valid Mach-O Header: Yes)
  Size: 8783712
  Align: 14

-= Found Symbol Offsets =-
Offset of _IDSProtoKeyTransparencyTrustedServiceReadFrom in architecture x86_64: 0x0ccfdf
Offset of _IDSProtoKeyTransparencyTrustedServiceReadFrom in architecture arm64e: 0x0b7570

-= Found Hex Offsets =-
Architecture 0 (x86_64):
  IDSProtoKeyTransparencyTrustedServiceReadFrom (x86_64): 0xccfdf
  NACInitAddress (x86_64): 0x4ac060
  NACKeyEstablishmentAddress (x86_64): 0x48c0a0
  NACSignAddress (x86_64): 0x49f390
Architecture 1 (arm64e):

13.5:

⇒ ./find_fat_binary_offsets.py macos-13.5-22G74-ventura-x86-identityservicesd
-= Universal Binary Sections =-
Architecture 0 (x86_64):
  CPU Type: 16777223 (0x1000007)
  CPU Subtype: 3 (0x3)
  CPU Subtype Capability: 0 (0x0)
  Offset: 0x4000 (Valid Mach-O Header: Yes)
  Size: 7989040
  Align: 14
Architecture 1 (arm64e):
  CPU Type: 16777228 (0x100000c)
  CPU Subtype: 2 (0x2)
  CPU Subtype Capability: 128 (0x80)
  Offset: 0x7a4000 (Valid Mach-O Header: Yes)
  Size: 8833808
  Align: 14

-= Found Symbol Offsets =-
Offset of _IDSProtoKeyTransparencyTrustedServiceReadFrom in architecture x86_64: 0x0cc743
Offset of _IDSProtoKeyTransparencyTrustedServiceReadFrom in architecture arm64e: 0x0b524c

-= Found Hex Offsets =-
Architecture 0 (x86_64):
  IDSProtoKeyTransparencyTrustedServiceReadFrom (x86_64): 0xcc743
  NACInitAddress (x86_64): 0x4b91e0
  NACKeyEstablishmentAddress (x86_64): 0x499220
  NACSignAddress (x86_64): 0x4ac510
Architecture 1 (arm64e):

14.2:

./find_fat_binary_offsets.py macos-14.2-sonoma-arm64-identityservicesd
-= Universal Binary Sections =-
Architecture 0 (x86_64):
  CPU Type: 16777223 (0x1000007)
  CPU Subtype: 3 (0x3)
  CPU Subtype Capability: 0 (0x0)
  Offset: 0x4000 (Valid Mach-O Header: Yes)
  Size: 8820512
  Align: 14
Architecture 1 (arm64e):
  CPU Type: 16777228 (0x100000c)
  CPU Subtype: 2 (0x2)
  CPU Subtype Capability: 128 (0x80)
  Offset: 0x870000 (Valid Mach-O Header: Yes)
  Size: 9796976
  Align: 14

-= Found Symbol Offsets =-
Offset of _IDSProtoKeyTransparencyTrustedServiceReadFrom in architecture x86_64: 0x0d4899
Offset of _IDSProtoKeyTransparencyTrustedServiceReadFrom in architecture arm64e: 0x0bd9f0

-= Found Hex Offsets =-
Architecture 0 (x86_64):
  IDSProtoKeyTransparencyTrustedServiceReadFrom (x86_64): 0xd4899
  NACInitAddress (x86_64): 0x54c730
  NACKeyEstablishmentAddress (x86_64): 0x52c770
  NACSignAddress (x86_64): 0x53fa60
Architecture 1 (arm64e):

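As an added example (not code from this PR or from the repo), here is the universal-binary header parsing that the "Universal Binary Sections" output above reflects, together with the Init->KeyEstablishment / KeyEstablishment->Sign delta check used as the sanity check in the PR description. The fat_arch layout and CPU type constants are from the Mach-O fat header format; the two-slice sample file is constructed inline so the script runs offline, and the NAC offsets in the test are the ones reported above.

```python
import struct
import sys

FAT_MAGIC = 0xCAFEBABE         # fat header and fat_arch entries are always big-endian
MH_MAGIC_64 = 0xFEEDFACF       # 64-bit Mach-O magic, little-endian on x86_64 and arm64
CPU_SUBTYPE_MASK = 0xFF000000  # high byte of cpusubtype carries the capability bits (0x80 on arm64e)
ARCH_NAMES = {(0x1000007, 3): "x86_64", (0x100000C, 0): "arm64", (0x100000C, 2): "arm64e"}

def parse_fat(data: bytes) -> list:
    """One dict per fat_arch entry, with bounds/alignment checks and a Mach-O magic probe per slice."""
    magic, nfat = struct.unpack_from(">II", data, 0)
    if magic != FAT_MAGIC:
        raise ValueError("not a fat (universal) binary")
    slices = []
    for i in range(nfat):
        cputype, cpusubtype, offset, size, align = struct.unpack_from(">IIIII", data, 8 + 20 * i)
        if offset + size > len(data):
            raise ValueError(f"slice {i} runs past end of file")
        if offset % (1 << align):
            raise ValueError(f"slice {i} offset {offset:#x} violates 2^{align} alignment")
        subtype = cpusubtype & ~CPU_SUBTYPE_MASK
        slices.append({
            "index": i, "arch": ARCH_NAMES.get((cputype, subtype), f"{cputype:#x}/{subtype:#x}"),
            "cputype": cputype, "cpusubtype": subtype, "capability": cpusubtype >> 24,
            "offset": offset, "size": size, "align": align,
            "valid_macho": struct.unpack_from("<I", data, offset)[0] == MH_MAGIC_64,
        })
    return slices

def nac_deltas(addrs: dict) -> tuple:
    """Init->KeyEstablishment and KeyEstablishment->Sign distances; the PR expects them to be stable across versions."""
    ke = addrs["NACKeyEstablishmentAddress"]
    return (addrs["NACInitAddress"] - ke, addrs["NACSignAddress"] - ke)

def build_sample_fat() -> bytes:
    """Constructed two-slice fat file (not a real identityservicesd) so the parser runs offline."""
    hdr = struct.pack(">II", FAT_MAGIC, 2)
    hdr += struct.pack(">IIIII", 0x1000007, 3, 0x4000, 0x100, 14)           # x86_64 slice
    hdr += struct.pack(">IIIII", 0x100000C, 0x80000002, 0x8000, 0x100, 14)  # arm64e slice, capability 0x80
    buf = bytearray(0x8100)
    buf[:len(hdr)] = hdr
    buf[0x4000:0x4004] = buf[0x8000:0x8004] = struct.pack("<I", MH_MAGIC_64)
    return bytes(buf)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_fat()
    for s in parse_fat(data):
        print(f"Architecture {s['index']} ({s['arch']}): CPU Type {s['cputype']:#x}, Subtype {s['cpusubtype']}, "
              f"Capability {s['capability']:#x}, Offset {s['offset']:#x}, Valid Mach-O: {s['valid_macho']}")
```

Run it against a real universal binary as `parse_fat.py <path>` to reproduce the slice table above; the symbol offsets the PR reports are relative to each slice's start, so add the slice `offset` to get a position in the fat file.
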
@ericmigi

@bradtgmurray @tulir

@tulir tulir left a comment

Nice, I tested your script and it finds the correct offsets for 14.0-14.3

@tulir tulir merged commit 7975b5b into beeper:main Dec 23, 2023
@0xdevalias 0xdevalias deleted the 0xdevalias/add-offsets-13.3.1-13.5 branch December 23, 2023 10:42
0xdevalias commented Dec 23, 2023

I tested your script and it finds the correct offsets for 14.0-14.3

@tulir Nice, good to know!

I just finished making a little "dump hex at offset in fat binary" helper script too, so should be able to use that to make patterns to match arm automagically as well:


I've also been working on a PoC script that is able to find the offsets automagically (at least across the 13.3.1, 13.5, 14.2 x86 binaries I have tested it against so far). I'll probably continue working on it tomorrow, and then hopefully push the code on a PoC repo

This is the repo:

The 'find offsets automagically' script is:

Some helper scripts for figuring out what to use as the patterns there include:

You might find some useful or interesting notes here:

There might be more stuff that is/will end up in that repo that could also be useful; but for now, I think that is the bulk of it.

Edit: See this issue for more details:
