0xdevalias / poc-re-binsearch

Proof of Concept (PoC) code/notes exploring reverse engineering techniques for macOS fat binaries, focusing on binary searching and automatic offset identification
MIT License

14.4 final: multiple addresses found #1

Open matusfaro opened 8 months ago

matusfaro commented 8 months ago

Just wanted to let you know I tried this on 14.4 Final but arm64e IDSProtoKeyTransparencyTrustedServiceReadFrom appears to have found multiple addresses, see below. I tried using the first one, but messages were not coming through.

$ uname -a
Darwin Mackey.local 23.4.0 Darwin Kernel Version 23.4.0: Wed Feb 21 21:45:49 PST 2024; root:xnu-10063.101.15~2/RELEASE_ARM64_T6020 arm64

$ ./find_fat_binary_offsets.py /System/Library/PrivateFrameworks/IDS.framework/identityservicesd.app/Contents/MacOS/identityservicesd
-= Universal Binary Sections =-
Architecture 0 (x86_64):
  CPU Type: 16777223 (0x1000007)
  CPU Subtype: 3 (0x3)
  CPU Subtype Capability: 0 (0x0)
  Offset: 0x4000 (Valid Mach-O Header: Yes)
  Size: 8880384
  Align: 14
Architecture 1 (arm64e):
  CPU Type: 16777228 (0x100000c)
  CPU Subtype: 2 (0x2)
  CPU Subtype Capability: 128 (0x80)
  Offset: 0x880000 (Valid Mach-O Header: Yes)
  Size: 9865136
  Align: 14

-= Found Symbol Offsets =-
Offset of _IDSProtoKeyTransparencyTrustedServiceReadFrom in architecture x86_64: 0x0d6715
Offset of _IDSProtoKeyTransparencyTrustedServiceReadFrom in architecture arm64e: 0x0c0b84

-= Found Hex Offsets (with pure python fixed sequence search + regex) =-
Architecture 0 (x86_64):
  IDSProtoKeyTransparencyTrustedServiceReadFrom: 0xd6715
  NACInitAddress: 0x557cd0
  NACKeyEstablishmentAddress: 0x537d10
  NACSignAddress: 0x54b000
Architecture 1 (arm64e):
  IDSProtoKeyTransparencyTrustedServiceReadFrom: 0xc0b84; 0x2f5d0c; 0x322dac; 0x33a660
  NACInitAddress: 0x4c2468
  NACKeyEstablishmentAddress: 0x4afccc
  NACSignAddress: 0x489ed8

By the way, thanks for making this utility!!

matusfaro commented 8 months ago

identityservicesd-14.4-final.zip

0xdevalias commented 7 months ago

@matusfaro Thanks for the heads up.

The tool actually has 2 methods for trying to get the offsets for IDSProtoKeyTransparencyTrustedServiceReadFrom, the 'hex offsets' (which unfortunately often doesn't get a unique match), and the 'symbol offsets' (which is pretty much always guaranteed to be correct due to the nature of how it works).

I would suspect if you use the offset value from the 'symbol offsets' it should work for you (arm64e: 0x0c0b84), but given that seems to match the first offset listed in the 'hex offsets' section, and you said that didn't work, then I'm not too sure what the issue is without digging deeper into it unfortunately.


By the way, thanks for making this utility!!

No worries :) It was a fun little refresher on reverse engineering, and exploration into automating aspects of it.
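Added example (not code from poc-re-binsearch, and not the script whose output is pasted above) showing the mechanics behind the "symbol offsets" method the reply describes: parse the big-endian fat header to locate each architecture slice, then walk that slice's LC_SEGMENT_64 and LC_SYMTAB load commands so the symbol's n_value (a virtual address) can be mapped back to a file offset inside the slice. Because the lookup is keyed on the exact symbol name in the string table rather than on a byte pattern, it normally yields exactly one hit per slice, which is the property the "hex offsets" search lacks. The symbol name is the one from the issue; the universal binary is constructed in memory with synthetic offsets (0x2715 for x86_64, 0xb84 for arm64e), so those numbers are illustrative and are not the real identityservicesd offsets. The hex-pattern search is not implemented here.

```python
import struct

# Constants from <mach-o/fat.h>, <mach-o/loader.h> and <mach-o/nlist.h>.
FAT_MAGIC = 0xCAFEBABE
MH_MAGIC_64 = 0xFEEDFACF
LC_SEGMENT_64 = 0x19
LC_SYMTAB = 0x02
N_TYPE, N_SECT = 0x0E, 0x0E           # n_type mask and "defined in a section"
CPU_TYPE_X86_64 = 0x01000007
CPU_TYPE_ARM64 = 0x0100000C
CPU_SUBTYPE_MASK = 0x00FFFFFF         # top byte of cpusubtype carries capability bits
ARCH_NAMES = {(CPU_TYPE_X86_64, 3): "x86_64", (CPU_TYPE_ARM64, 0): "arm64", (CPU_TYPE_ARM64, 2): "arm64e"}

SYMBOL = b"_IDSProtoKeyTransparencyTrustedServiceReadFrom"   # name from the issue


def parse_fat(data):
    """Parse the big-endian fat header; return one dict per fat_arch entry."""
    magic, nfat = struct.unpack_from(">II", data, 0)
    if magic != FAT_MAGIC:
        raise ValueError("not a fat/universal binary")
    archs = []
    for i in range(nfat):
        cputype, cpusubtype, offset, size, align = struct.unpack_from(">IIIII", data, 8 + 20 * i)
        subtype = cpusubtype & CPU_SUBTYPE_MASK
        archs.append({
            "name": ARCH_NAMES.get((cputype, subtype), f"{cputype:#x}/{subtype}"),
            "cputype": cputype, "cpusubtype": subtype, "caps": cpusubtype >> 24,
            "offset": offset, "size": size, "align": align,
            "valid_macho": struct.unpack_from("<I", data, offset)[0] == MH_MAGIC_64,
        })
    return archs


def find_symbol_offset(macho, name):
    """Return the file offset (relative to this slice) of a defined symbol, or None.

    Segments give the vmaddr -> fileoff mapping; LC_SYMTAB gives the nlist_64 table
    and string table. n_value is a virtual address, so it must be translated through
    the segment that contains it before it can be used as a file offset.
    """
    magic, _, _, _, ncmds, _, _, _ = struct.unpack_from("<IIIIIIII", macho, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O")
    segments, symtab, off = [], None, 32
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", macho, off)
        if cmd == LC_SEGMENT_64:
            vmaddr, vmsize, fileoff, _ = struct.unpack_from("<QQQQ", macho, off + 24)
            segments.append((vmaddr, vmsize, fileoff))
        elif cmd == LC_SYMTAB:
            symtab = struct.unpack_from("<IIII", macho, off + 8)   # symoff, nsyms, stroff, strsize
        off += cmdsize
    if symtab is None:
        return None                      # stripped binary: no symbol table to consult
    symoff, nsyms, stroff, _ = symtab
    for i in range(nsyms):
        n_strx, n_type, _, _, n_value = struct.unpack_from("<IBBHQ", macho, symoff + 16 * i)
        end = macho.index(b"\0", stroff + n_strx)
        if macho[stroff + n_strx:end] != name or (n_type & N_TYPE) != N_SECT:
            continue                     # wrong name, or an undefined/import stub with no address
        for vmaddr, vmsize, fileoff in segments:
            if vmaddr <= n_value < vmaddr + vmsize:
                return n_value - vmaddr + fileoff
    return None


def find_fat_symbol_offsets(data, name):
    """{arch name: (offset within slice, offset within the whole fat file)} for every slice defining `name`."""
    results = {}
    for arch in parse_fat(data):
        blob = data[arch["offset"]:arch["offset"] + arch["size"]]
        off = find_symbol_offset(blob, name)
        if off is not None:
            results[arch["name"]] = (off, arch["offset"] + off)
    return results


# --- Constructed sample input: a minimal (non-runnable) two-slice universal binary. ---
def build_slice(cputype, cpusubtype, sym_name, sym_fileoff, total=0x4000):
    """One __TEXT segment mapping vmaddr 0x100000000 -> file offset 0, one LC_SYMTAB with one symbol."""
    seg_vmaddr, symoff = 0x100000000, 0x1000
    nlist = struct.pack("<IBBHQ", 1, N_SECT | 0x01, 1, 0, seg_vmaddr + sym_fileoff)   # N_SECT|N_EXT
    strtab = b"\0" + sym_name + b"\0"
    stroff = symoff + len(nlist)
    segment = struct.pack("<II16sQQQQIIII", LC_SEGMENT_64, 72, b"__TEXT", seg_vmaddr, total, 0, total, 7, 5, 0, 0)
    symtab = struct.pack("<IIIIII", LC_SYMTAB, 24, symoff, 1, stroff, len(strtab))
    header = struct.pack("<IIIIIIII", MH_MAGIC_64, cputype, cpusubtype, 2, 2, len(segment) + len(symtab), 0, 0)
    body = bytearray(total)
    body[0:32], body[32:104], body[104:128] = header, segment, symtab
    body[symoff:symoff + 16], body[stroff:stroff + len(strtab)] = nlist, strtab
    return bytes(body)


def build_fat(slices, align=14):
    """Big-endian fat header followed by slices aligned to 2**align, like the real binary."""
    out = bytearray(struct.pack(">II", FAT_MAGIC, len(slices)))
    offset = 1 << align
    for cputype, subtype, blob in slices:
        out += struct.pack(">IIIII", cputype, subtype, offset, len(blob), align)
        offset += -(-len(blob) // (1 << align)) * (1 << align)
    for _, _, blob in slices:
        out += bytes(-len(out) % (1 << align))   # pad to the next aligned slice boundary
        out += blob
    return bytes(out)


SAMPLE = build_fat([
    (CPU_TYPE_X86_64, 3, build_slice(CPU_TYPE_X86_64, 3, SYMBOL, 0x2715)),
    (CPU_TYPE_ARM64, 0x80000002, build_slice(CPU_TYPE_ARM64, 0x80000002, SYMBOL, 0xB84)),
])

if __name__ == "__main__":
    for a in parse_fat(SAMPLE):
        print(f"{a['name']}: cputype={a['cputype']:#x} subtype={a['cpusubtype']} caps={a['caps']:#x} "
              f"offset={a['offset']:#x} size={a['size']} valid_macho={a['valid_macho']}")
    for arch, (slice_off, file_off) in find_fat_symbol_offsets(SAMPLE, SYMBOL).items():
        print(f"{SYMBOL.decode()} in {arch}: slice offset {slice_off:#x}, fat-file offset {file_off:#x}")
```

Two offsets are reported per slice on purpose: the slice-relative one is what you patch if you first extract the architecture (for example with `lipo -thin`), while the fat-file one is needed if you patch the universal binary in place. The lookup returns None for a slice whose LC_SYMTAB is missing or whose entry for the name is an undefined import, which is exactly the situation in which a tool would have to fall back to a byte-pattern search.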

0xdevalias commented 7 months ago

identityservicesd-14.4-final.zip

⇒ sha256sum samples/macos-14.4-final-sonoma-identityservicesd
b82c5c6c9010a42cb64397e3760dd31144cbd471126111de9bb27fa3d2d2639a  samples/macos-14.4-final-sonoma-identityservicesd