Closed matusfaro closed 5 months ago
@matusfaro Thanks for the heads up.
The tool actually has 2 methods for trying to get the offsets for IDSProtoKeyTransparencyTrustedServiceReadFrom, the 'hex offsets' (which unfortunately often doesn't get a unique match), and the 'symbol offsets' (which is pretty much always guaranteed to be correct due to the nature of how it works).
I would suspect if you use the offset value from the 'symbol offsets' it should work for you (arm64e: 0x0c0b84), but given that seems to match the first offset listed in the 'hex offsets' section, and you said that didn't work, then I'm not too sure what the issue is without digging deeper into it unfortunately.
Originally posted by @0xdevalias in https://github.com/0xdevalias/poc-re-binsearch/issues/1#issuecomment-2002788236
⇒ sha256sum samples/macos-14.4-final-sonoma-identityservicesd
b82c5c6c9010a42cb64397e3760dd31144cbd471126111de9bb27fa3d2d2639a samples/macos-14.4-final-sonoma-identityservicesd
Originally posted by @0xdevalias in https://github.com/0xdevalias/poc-re-binsearch/issues/1#issuecomment-2002811609
Tested locally on 14.4 and I still get the same no offsets found:
./mac-registration-provider
2024/03/23 13:27:35 Starting mac-registration-provider unknown
2024/03/23 13:27:35 Loading identityservicesd
2024/03/23 13:27:35 No offsets found for 14.4/23E214/arm64
@michaelstephens Can you post the output of:
$ sha256sum /System/Library/PrivateFrameworks/IDS.framework/identityservicesd.app/Contents/MacOS/identityservicesd
I am on the same version as you 23E214 so your identityservicesd must be different. Can you also post that file if it is different?
Edit: My sha is b82c5c6c9010a42cb64397e3760dd31144cbd471126111de9bb27fa3d2d2639a
> sha256sum /System/Library/PrivateFrameworks/IDS.framework/identityservicesd.app/Contents/MacOS/identityservicesd
b82c5c6c9010a42cb64397e3760dd31144cbd471126111de9bb27fa3d2d2639a /System/Library/PrivateFrameworks/IDS.framework/identityservicesd.app/Contents/MacOS/identityservicesd
hmm it appears to be the same
Tested locally on 14.4 and I still get the same no offsets found
@michaelstephens Dumb question, but are you building the version of the code from this PR and running it when you get the 'no offsets found'?
Fair question haha, I've tried both this fork and your fork as well, assuming just a go build builds what is locally available
Closing as 14.4.1 is already out.
@matusfaro That wouldn't make the offsets for 14.4 irrelevant though.. in the same way that there are offsets for many older versions..?
WARNING; Untested, requires someone to test these out as I wasn't able to.
My iMessage integration hasn't been working correctly for some time and these new offsets didn't help.
Also note that the neat little tool find_fat_binary_offsets.py does print out multiple offsets for arm
IDSProtoKeyTransparencyTrustedServiceReadFrom: 0xc0b84; 0x2f5d0c; 0x322dac; 0x33a660
so I am guessing maybe the script needs updating. I already posted on that repo: https://github.com/0xdevalias/poc-re-binsearch/issues/1 it also contains the binary identity service daemon as well.
14.4 Final: