beeper / mac-registration-provider

A small service that generates iMessage registration data on a Mac
GNU Affero General Public License v3.0

identityservicesd 14.3 (23D56) #27

Closed cameronaaron closed 9 months ago

cameronaaron commented 9 months ago

We need to add compatibility with 14.3 (23D56)

identityservicesd 14.3 (23D56) identityservicesd.zip

0xdevalias commented 9 months ago

Is this one of the various beta versions (alongside the ones already supported); or is this a 'final release' version now?

cameronaaron commented 9 months ago

Final, I think.

jetfir3 commented 9 months ago

Most likely the Release Candidate which was released ~4 days ago. This binary may or may not match what actually makes it to the final/stable 14.3 release.

0xdevalias commented 9 months ago

identityservicesd 14.3 (23D56)

⇒ sha256sum macos-14.3-23D56-sonoma-identityservicesd
d3c6986fefcbd2efea2a8a7c88104bf22d60d1f4f2bbf3615a1e3ce098aba765  macos-14.3-23D56-sonoma-identityservicesd

Using my automated script (see https://github.com/beeper/mac-registration-provider/issues/9), this is the output it gave:

⇒ ./find_fat_binary_offsets.py samples/macos-14.3-23D56-sonoma-identityservicesd
-= Universal Binary Sections =-
Architecture 0 (x86_64):
  CPU Type: 16777223 (0x1000007)
  CPU Subtype: 3 (0x3)
  CPU Subtype Capability: 0 (0x0)
  Offset: 0x4000 (Valid Mach-O Header: Yes)
  Size: 8820512
  Align: 14
Architecture 1 (arm64e):
  CPU Type: 16777228 (0x100000c)
  CPU Subtype: 2 (0x2)
  CPU Subtype Capability: 128 (0x80)
  Offset: 0x870000 (Valid Mach-O Header: Yes)
  Size: 9796976
  Align: 14

-= Found Symbol Offsets =-
Offset of _IDSProtoKeyTransparencyTrustedServiceReadFrom in architecture x86_64: 0x0d47c9
Offset of _IDSProtoKeyTransparencyTrustedServiceReadFrom in architecture arm64e: 0x0bd81c

-= Found Hex Offsets (with pure python fixed sequence search + regex) =-
Architecture 0 (x86_64):
  IDSProtoKeyTransparencyTrustedServiceReadFrom: 0xd47c9
  NACInitAddress: 0x54c6d0
  NACKeyEstablishmentAddress: 0x52c710
  NACSignAddress: 0x53fa00
Architecture 1 (arm64e):
  IDSProtoKeyTransparencyTrustedServiceReadFrom: 0xbd81c; 0x2ef2d0; 0x31c2d4; 0x333754
  NACInitAddress: 0x4b5580
  NACKeyEstablishmentAddress: 0x4a2de4
  NACSignAddress: 0x47cff0

Given the only part with multiple offsets is the IDSProtoKeyTransparencyTrustedServiceReadFrom symbol (that we have the proper offset for by directly looking it up), I assume these should be fine; though I haven't manually verified them at all.

Edit: Actually, these offsets seem to match with offsets_14_3_b3, though the hash is different:

https://github.com/beeper/mac-registration-provider/blob/673616637da32adea83e316cc98980b6caebc178/nac/offsets.go#L219-L234
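
The comment above describes what the automated script is doing: read the universal (fat) header of identityservicesd, check that each architecture slice really begins with a Mach-O header, then search each slice for fixed byte sequences and treat any pattern with more than one hit as unreliable. The block below is an added example that reimplements that workflow; it is not the find_fat_binary_offsets.py script from the thread and not code from beeper/mac-registration-provider. The sample binary it parses is constructed inline (two slices containing only a Mach-O 64 magic and a placeholder marker, not a real NAC signature), the `NACInit\x00` pattern is a stand-in for whatever byte sequences the real script uses, and the direct symbol-table lookup the script also performs is not implemented here. Constants follow Apple's mach/machine.h and mach-o/fat.h.

```python
"""Parse a universal (fat) Mach-O header, validate each slice, and search
each slice for a fixed byte sequence, flagging ambiguous (non-unique) hits.

Added example; not the script or project code discussed in the issue.
"""
import hashlib
import struct

FAT_MAGIC = 0xCAFEBABE            # fat header is big-endian
MH_MAGIC_64 = 0xFEEDFACF          # 64-bit Mach-O magic, little-endian in the slice
CPU_ARCH_ABI64 = 0x01000000
CPU_TYPE_X86_64 = CPU_ARCH_ABI64 | 7     # 0x1000007, as in the script output
CPU_TYPE_ARM64 = CPU_ARCH_ABI64 | 12     # 0x100000c
CPU_SUBTYPE_MASK = 0xFF000000            # capability bits live in the top byte
CPU_SUBTYPE_ARM64E = 2
FAT_ARCH_FMT = ">IIIII"                  # cputype, cpusubtype, offset, size, align

ARCH_NAMES = {CPU_TYPE_X86_64: "x86_64", CPU_TYPE_ARM64: "arm64"}


def arch_name(cputype: int, cpusubtype: int) -> str:
    name = ARCH_NAMES.get(cputype, f"cputype_{cputype:#x}")
    if cputype == CPU_TYPE_ARM64 and cpusubtype == CPU_SUBTYPE_ARM64E:
        name = "arm64e"
    return name


def parse_fat_header(data: bytes) -> list[dict]:
    """Return one dict per fat_arch entry; raises if the file is not a fat binary."""
    magic, nfat_arch = struct.unpack_from(">II", data, 0)
    if magic != FAT_MAGIC:
        raise ValueError(f"not a universal binary (magic {magic:#x})")
    arches = []
    pos = 8
    for index in range(nfat_arch):
        cputype, cpusubtype, offset, size, align = struct.unpack_from(FAT_ARCH_FMT, data, pos)
        pos += struct.calcsize(FAT_ARCH_FMT)
        subtype = cpusubtype & ~CPU_SUBTYPE_MASK & 0xFFFFFFFF
        # A slice that does not start with a Mach-O header means the fat entry is bogus.
        slice_magic = struct.unpack_from("<I", data, offset)[0]
        arches.append({
            "index": index,
            "name": arch_name(cputype, subtype),
            "cputype": cputype,
            "cpusubtype": subtype,
            "capability": (cpusubtype & CPU_SUBTYPE_MASK) >> 24,
            "offset": offset,
            "size": size,
            "align": align,
            "valid_macho": slice_magic == MH_MAGIC_64,
        })
    return arches


def find_sequence(blob: bytes, pattern: bytes) -> list[int]:
    """All slice-relative offsets at which `pattern` occurs (overlaps included)."""
    hits, start = [], 0
    while (idx := blob.find(pattern, start)) >= 0:
        hits.append(idx)
        start = idx + 1
    return hits


def analyze(data: bytes, pattern: bytes) -> dict:
    """Hash the whole file and search every slice; a hit is only trusted if unique."""
    report = {"sha256": hashlib.sha256(data).hexdigest(), "arches": []}
    for arch in parse_fat_header(data):
        blob = data[arch["offset"]:arch["offset"] + arch["size"]]
        hits = find_sequence(blob, pattern)
        arch["hits"] = hits
        arch["unique"] = len(hits) == 1   # zero or several hits both need manual review
        report["arches"].append(arch)
    return report


def build_sample() -> bytes:
    """Constructed two-slice fat binary: x86_64 (one marker) and arm64e (two markers)."""
    marker = b"NACInit\x00"  # placeholder, not a real signature
    def make_slice(marker_positions: list[int]) -> bytes:
        s = bytearray(0x100)
        struct.pack_into("<I", s, 0, MH_MAGIC_64)
        for p in marker_positions:
            s[p:p + len(marker)] = marker
        return bytes(s)
    slices = [make_slice([0x40]), make_slice([0x40, 0x80])]
    ids = [(CPU_TYPE_X86_64, 3), (CPU_TYPE_ARM64, 0x80000000 | CPU_SUBTYPE_ARM64E)]
    header, offset = struct.pack(">II", FAT_MAGIC, len(slices)), 0x100
    for (cputype, subtype), s in zip(ids, slices):
        header += struct.pack(FAT_ARCH_FMT, cputype, subtype, offset, len(s), 8)
        offset += len(s)
    return header.ljust(0x100, b"\x00") + b"".join(slices)


if __name__ == "__main__":
    rep = analyze(build_sample(), b"NACInit\x00")
    print("sha256:", rep["sha256"])
    for a in rep["arches"]:
        hits = "; ".join(f"{h:#x}" for h in a["hits"]) or "none"
        flag = "" if a["unique"] else "  <-- ambiguous, verify manually"
        print(f"{a['name']}: offset={a['offset']:#x} valid={a['valid_macho']} hits={hits}{flag}")
```

On the real binary the "ambiguous" flag is what the comment above is reasoning about: a pattern that matches at several offsets within one slice (as IDSProtoKeyTransparencyTrustedServiceReadFrom did in the arm64e slice) cannot be trusted on its own and needs a second source, such as the symbol table, before the offset is committed to offsets.go.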

skiman6010 commented 9 months ago

I wasn't sure if this binary was going to be what was in the final release, so I didn't push another update for this RC build. I can confirm though that the b3 offsets work and that new hash is all you need since I'm running the same build with those changes locally applied.