add offsets for 12.7.1 (x86/arm64) #18

Merged

@0xdevalias 0xdevalias commented Jan 6, 2024

This PR adds the offsets extracted from the binary on 12.7.1 (x86/arm64).

⇒ file samples/macos-12.7.1-monterey-identityservicesd
samples/macos-12.7.1-monterey-identityservicesd: Mach-O universal binary with 2 architectures: [x86_64:Mach-O 64-bit executable x86_64] [arm64e]
samples/macos-12.7.1-monterey-identityservicesd (for architecture x86_64):	Mach-O 64-bit executable x86_64
samples/macos-12.7.1-monterey-identityservicesd (for architecture arm64e):	Mach-O 64-bit executable arm64e
⇒ sha256sum samples/macos-12.7.1-monterey-identityservicesd
5833338da6350266eda33f5501c5dfc793e0632b52883aa2389c438c02d03718  samples/macos-12.7.1-monterey-identityservicesd

Originally shared in this comment:

If you do end up finding them manually or something, could you please update the provider or post them here (because might as well if you already did the work and also I kind of want to be able to use that mac.....)

Yeah, absolutely. See below for the offsets I reversed this morning, and I will double check them a bit later + open a PR to have them added to this tool. They should be correct, but I want to be triple sure before I submit a PR with them.


It looks like my current 'automatically find the offsets' code doesn't fully work on that version of identityservicesd from macOS Monterey 12.7.1:

Manually reversing the offsets (assuming I didn't make a mistake):

samples/macos-12.7.1-monterey-identityservicesd

sha256: 5833338da6350266eda33f5501c5dfc793e0632b52883aa2389c438c02d03718

x86

IDSProtoKeyTransparencyTrustedServiceReadFrom: 0xb2278 (0x1000b2278)
nac_init: 0x4132e0 (0x1004132e0)
nac_key_establishment: 0x465e00 (0x100465e00)
nac_sign: 0x405c10 (0x100405c10)

arm64

IDSProtoKeyTransparencyTrustedServiceReadFrom: 0x0b562c (0x1000b562c)
nac_init: 0x43d408 (0x10043d408) (??? auto tool found this, but don't think it's correct.. 0x5897bc (0x1005897bc) ???)
nac_key_establishment: 0x3fdafc (0x1003fdafc)
nac_sign: 0x3f2844 (0x1003f2844)


I'll see if I can use this to refine the patterns used in find_fat_binary_offsets.py

Originally posted by @0xdevalias in #9 (comment)

For verification, this method may allow acquiring the relevant binary versions:

Curious, how do you have access to the older binaries? Extracting them from Time Machine backups/similar, or?

Originally posted by @0xdevalias in #12 (comment)

Downloading macOS and extracting the binary for each version.

https://github.com/corpnewt/gibMacOS
https://support.apple.com/kb/DL2052
etc

Originally posted by @jetfir3 in #12 (comment)

@tulir tulir merged commit 54a2821 into beeper:main Jan 9, 2024
1 check passed
@0xdevalias 0xdevalias deleted the 0xdevalias/identityservicesd-12.7.1-offsets branch January 9, 2024 10:56
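
Added example (not code from this PR or from the project): every offset/address pair listed above differs by 0x100000000, the default __TEXT base of a 64-bit Mach-O executable. The sketch below reads the universal-binary header, finds __TEXT in the chosen slice and performs that translation, so a listed pair can be cross-checked. It assumes the offsets are relative to the start of the architecture slice; all function names are hypothetical and the sample bytes are constructed.

```python
import struct

FAT_MAGIC = 0xCAFEBABE      # fat header and fat_arch entries are big-endian
MH_MAGIC_64 = 0xFEEDFACF    # 64-bit slice header, little-endian
LC_SEGMENT_64 = 0x19
CPU_NAMES = {0x01000007: "x86_64", 0x0100000C: "arm64"}  # arm64e shares the arm64 cputype

def fat_slices(data):
    """Return {arch: (file_offset, size)} for each slice of a universal binary."""
    magic, count = struct.unpack_from(">II", data, 0)
    if magic != FAT_MAGIC:
        raise ValueError("not a 32-bit fat Mach-O header")
    entries = (struct.unpack_from(">5I", data, 8 + 20 * i) for i in range(count))
    return {CPU_NAMES.get(cpu, hex(cpu)): (off, size) for cpu, _s, off, size, _a in entries}

def text_segment(macho):
    """Walk the load commands of one slice; return (vmaddr, fileoff) of __TEXT."""
    magic, _cpu, _sub, _type, ncmds = struct.unpack_from("<5I", macho, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a 64-bit Mach-O slice")
    pos = 32                                    # sizeof(struct mach_header_64)
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", macho, pos)
        if cmdsize < 8:
            raise ValueError("corrupt load command")
        if cmd == LC_SEGMENT_64 and macho[pos + 8:pos + 24].rstrip(b"\0") == b"__TEXT":
            vmaddr, _vmsize, fileoff = struct.unpack_from("<3Q", macho, pos + 24)
            return vmaddr, fileoff
        pos += cmdsize
    raise ValueError("no __TEXT segment")

def offset_to_vmaddr(data, arch, offset):
    """Translate a slice-relative file offset into the slice's virtual address."""
    start, size = fat_slices(data)[arch]
    vmaddr, fileoff = text_segment(data[start:start + size])
    return vmaddr + (offset - fileoff)

def constructed_fat():
    """Constructed sample: two header-only slices with __TEXT at 0x100000000."""
    def seg(name, vmaddr, vmsize):
        return struct.pack("<II16s4Q4I", LC_SEGMENT_64, 72, name, vmaddr, vmsize, 0, 0, 0, 0, 0, 0)
    cmds = seg(b"__PAGEZERO", 0, 1 << 32) + seg(b"__TEXT", 1 << 32, 0x1000)
    parts = [struct.pack("<8I", MH_MAGIC_64, c, 0, 2, 2, len(cmds), 0, 0) + cmds for c in CPU_NAMES]
    out, off = struct.pack(">II", FAT_MAGIC, len(parts)), 8 + 20 * len(parts)
    for cpu, part in zip(CPU_NAMES, parts):
        out += struct.pack(">5I", cpu, 0, off, len(part), 0)
        off += len(part)
    return out + b"".join(parts)
```

The constructed slices contain headers only, so the offsets are translated but never dereferenced; against a real sample, pass the file's bytes after confirming its sha256 matches the one recorded in the PR.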