Closed KiaN2020 closed 2 years ago
most likely not, because Google issues different keys with Linux and it didn't work on Linux
Indeed, same as Win32. Different platform, different key. I think in the previous issue there was mention of a Python script that fakes requests, or works offline? That will still work on Mac, presumably (by signing the request with the Win64 key). May need recompilation, though. Wasm is platform-independent, but Python extensions are not, IIRC.
is it possible to get this to work on macOS?
It probably is possible to make this work on macOS. For macOS v4.10.2198 the public key =
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEArYPFwDFydUNnctoCnrh+Zqg8y/6crO1ASrBKHEan6nK8AyXjwNq5kBf5kesODnvvZQvBPZjX0TKe8RbECulhvbVhupfVavOM5o0b9tL1Tz9UhitLvdFckSivix+Mj2tUjWPanqNC3ppAnPhPZLDN8X3AqmwMXekZUJShvZFmypSrH0Qkb6dRTSc0O2guRNuIP4fMwQ8KvgA2NnOf/waR8Nxwwr1wWPjYXC+B22kF/5zmzuc7zzXeunHUYTAZqhv7OUs/poHIXDJ0cZUryJ30w8Q5Ab1gCABgm2k4dEtXQc2BvnCIwTb/wJvVHfUtE0NMa8cMYisTGNW0umvmcvE5yQIDAQAB
-----END RSA PUBLIC KEY-----
and the modulus =
But you are still missing the exponent & other values from wasm_src/codelift.cpp + offsets that will need to match / be updated for macOS. Maybe @Satsuoni wants to look into this, as it's not yet clear to me myself how to get those values.
@knobse thank you for the above, very much appreciated. Hopefully @Satsuoni will take a look and can help further.
I wrote how I got the constants, etc. in the Readme. Ghidra works on dylibs, as far as I can tell, so the same procedure should work (system calls will need to be patched separately). All one needs is basic googling skills, and (a lot of) time. And since I don't have convenient access to macOS, I could not work on it even if I wanted to. And I don't :P Sorry. Once was quite enough.
Hey @Satsuoni, maybe I understood it wrong, but you kind of emulated the logic in C++. Why isn't it possible to do the same for macOS? You don't need access to a macOS device for that, right? Or do I not understand it correctly? Also on the HOW there is a lot unclear, like how PFUN_180119595 was found + how you got the rt value in prfnd.py + what to give it as input + how do you see what's the right output & what isn't + same with kn in prfold.py ...etc... If I understood what you did I might be able to do it too, but the Readme isn't complete.
It is possible, it is just tiresome, so I don't want to do that. Please refer to the Readme, section "Lazy git", for the reason why.
Now, as to what is necessary to do that:
While extracting the second half of the key is nice (makes the C++ code much smaller), it is not strictly necessary.
I admit, I was in a hurry to finish the readme... PFUN_180119595 was found by Ghidra, I just added "P" in front of the name. It was called pretty much every second line in the exponentiation function, so it is really hard to miss.
The "rt" value in prfnd is not used. I forgot to delete it. It was/is the first input. You can easily get it by calculating (output^65537)%n, where output is the last big number in the log file that is located in the same folder. You can also see that it is properly padded for a PSS signature.
Prfnd consumes a log file; an example is given in the folder, exponentiation.log. The log file is produced by an appropriately adjusted emulator running the exponentiation function.
Prfold is used on the file produced by Prfnd. kn there is not used... since it is after the sys.exit() line. I experimented a lot...
If you find the exponentiation function using buffers, the (intermediate) input is the very first number.
In general, all described can be done with basic googling skills and reading the code (also done by googling) and Tomer's and my guides. Heck, I was not even aware of Ghidra's existence three months ago >_> So I googled pretty much every line of the Python scripts. :)
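The (output^65537)%n step and the PSS padding check from the comment above, as an added example that is not code from this repository or from any of the posters. The keypair is constructed for the demo from two well-known Mersenne primes and is deliberately not a real or secure key; no key from the thread is used, and the message is made up.

```python
import hashlib
import secrets

# Added demo (not the project's code): apply the RSA public operation to a
# signature to get the PSS-encoded block back, then check and verify its shape.
# Demo key only: two Mersenne primes, trivially factorable, never use for real.
E = 65537
P, Q = 2**521 - 1, 2**607 - 1          # both are known Mersenne primes
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
HLEN = 32                               # SHA-256 output length

def mgf1(seed, length):
    blocks = (length + HLEN - 1) // HLEN
    return b"".join(hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
                    for i in range(blocks))[:length]

def pss_encode(msg, em_bits, salt_len=32):
    """EMSA-PSS-ENCODE (RFC 8017 9.1.1) with SHA-256 and a random salt."""
    em_len = (em_bits + 7) // 8
    salt = secrets.token_bytes(salt_len)
    h = hashlib.sha256(b"\x00" * 8 + hashlib.sha256(msg).digest() + salt).digest()
    db = b"\x00" * (em_len - salt_len - HLEN - 2) + b"\x01" + salt
    masked = bytes(a ^ b for a, b in zip(db, mgf1(h, em_len - HLEN - 1)))
    top = masked[0] & (0xFF >> (8 * em_len - em_bits))   # clear leading bits
    return bytes([top]) + masked[1:] + h + b"\xbc"

def sign(msg, n=N, d=D):
    em = pss_encode(msg, n.bit_length() - 1)
    return pow(int.from_bytes(em, "big"), d, n)

def recover_em(sig, n=N, e=E):
    """Public-key operation only: this is the (output^65537) % n step."""
    return pow(sig, e, n).to_bytes((n.bit_length() - 1 + 7) // 8, "big")

def looks_like_pss(em, n=N):
    # Shape check on the recovered block: 0xbc trailer and cleared top bits.
    zero_bits = 8 * len(em) - (n.bit_length() - 1)
    return em[-1] == 0xBC and (em[0] >> (8 - zero_bits)) == 0

def pss_verify(msg, em, n=N, salt_len=32):
    """Full EMSA-PSS-VERIFY: unmask DB, pull the salt, recompute H."""
    if not looks_like_pss(em, n):
        return False
    masked, h = em[:-HLEN - 1], em[-HLEN - 1:-1]
    db = bytes(a ^ b for a, b in zip(masked, mgf1(h, len(masked))))
    db = bytes([db[0] & (0xFF >> (8 * len(em) - (n.bit_length() - 1)))]) + db[1:]
    pad_len = len(em) - salt_len - HLEN - 2
    if db[:pad_len] != b"\x00" * pad_len or db[pad_len] != 0x01:
        return False
    salt = db[pad_len + 1:]
    return h == hashlib.sha256(b"\x00" * 8 + hashlib.sha256(msg).digest() + salt).digest()
```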
Very cool. Thanks for the extra info! If I have some time I will see how far I can get with this. I think I will have some issues, but with this I should be able to get started.
@Satsuoni thanks for the extra info, I will have another read through your Readme and Tomer8007's writeup and see how I get on.