
Offsets for 14.4 Final #40

Closed
wants to merge 1 commit into from

Conversation


@matusfaro matusfaro commented Mar 16, 2024

WARNING: Untested, requires someone to test these out as I wasn't able to.

My iMessage integration hasn't been working correctly for some time and these new offsets didn't help.

Also note that the neat little tool find_fat_binary_offsets.py does print out multiple offsets for arm IDSProtoKeyTransparencyTrustedServiceReadFrom (0xc0b84; 0x2f5d0c; 0x322dac; 0x33a660), so I am guessing maybe the script needs updating. I already posted on that repo (0xdevalias/poc-re-binsearch#1); it also contains the identity service daemon binary.

14.4 Final:

$ ./find_fat_binary_offsets.py /System/Library/PrivateFrameworks/IDS.framework/identityservicesd.app/Contents/MacOS/identityservicesd 
-= Universal Binary Sections =-
Architecture 0 (x86_64):
  CPU Type: 16777223 (0x1000007)
  CPU Subtype: 3 (0x3)
  CPU Subtype Capability: 0 (0x0)
  Offset: 0x4000 (Valid Mach-O Header: Yes)
  Size: 8880384
  Align: 14
Architecture 1 (arm64e):
  CPU Type: 16777228 (0x100000c)
  CPU Subtype: 2 (0x2)
  CPU Subtype Capability: 128 (0x80)
  Offset: 0x880000 (Valid Mach-O Header: Yes)
  Size: 9865136
  Align: 14

-= Found Symbol Offsets =-
Offset of _IDSProtoKeyTransparencyTrustedServiceReadFrom in architecture x86_64: 0x0d6715
Offset of _IDSProtoKeyTransparencyTrustedServiceReadFrom in architecture arm64e: 0x0c0b84

-= Found Hex Offsets (with pure python fixed sequence search + regex) =-
Architecture 0 (x86_64):
  IDSProtoKeyTransparencyTrustedServiceReadFrom: 0xd6715
  NACInitAddress: 0x557cd0
  NACKeyEstablishmentAddress: 0x537d10
  NACSignAddress: 0x54b000
Architecture 1 (arm64e):
  IDSProtoKeyTransparencyTrustedServiceReadFrom: 0xc0b84; 0x2f5d0c; 0x322dac; 0x33a660
  NACInitAddress: 0x4c2468
  NACKeyEstablishmentAddress: 0x4afccc
  NACSignAddress: 0x489ed8

@0xdevalias (Contributor) commented Mar 18, 2024

@matusfaro Thanks for the heads up.

The tool actually has 2 methods for trying to get the offsets for IDSProtoKeyTransparencyTrustedServiceReadFrom, the 'hex offsets' (which unfortunately often doesn't get a unique match), and the 'symbol offsets' (which is pretty much always guaranteed to be correct due to the nature of how it works).

I would suspect if you use the offset value from the 'symbol offsets' it should work for you (arm64e: 0x0c0b84), but given that seems to match the first offset listed in the 'hex offsets' section, and you said that didn't work, then I'm not too sure what the issue is without digging deeper into it unfortunately.

Originally posted by @0xdevalias in 0xdevalias/poc-re-binsearch#1 (comment)


identityservicesd-14.4-final.zip

⇒ sha256sum samples/macos-14.4-final-sonoma-identityservicesd
b82c5c6c9010a42cb64397e3760dd31144cbd471126111de9bb27fa3d2d2639a  samples/macos-14.4-final-sonoma-identityservicesd

Originally posted by @0xdevalias in 0xdevalias/poc-re-binsearch#1 (comment)
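As an added example (not the PR's code and not the find_fat_binary_offsets.py tool itself), here is a minimal Python parser for the universal-binary header that reproduces the per-architecture fields shown in the output above (CPU type, subtype, capability byte, offset, size, align, header validity), plus a fixed-byte-sequence search that returns every hit in a slice, which is exactly the ambiguity the 'hex offsets' method runs into. The fat binary and marker bytes are constructed in build_sample and are not the real identityservicesd.

```python
import struct

FAT_MAGIC = 0xCAFEBABE    # fat/universal header magic (big-endian on disk)
MH_MAGIC_64 = 0xFEEDFACF  # 64-bit thin Mach-O header magic (little-endian on disk)
CPU_NAMES = {0x1000007: "x86_64", 0x100000C: "arm64"}

def parse_fat(data: bytes) -> list:
    """Walk the fat header and describe each architecture slice."""
    magic, nfat = struct.unpack_from(">II", data, 0)
    if magic != FAT_MAGIC:
        raise ValueError("not a fat (universal) Mach-O")
    slices = []
    for i in range(nfat):
        cputype, cpusubtype, offset, size, align = struct.unpack_from(">IIIII", data, 8 + 20 * i)
        subtype, cap = cpusubtype & 0x00FFFFFF, cpusubtype >> 24  # low 24 bits / capability byte
        name = CPU_NAMES.get(cputype, hex(cputype))
        if name == "arm64" and cap & 0x80:  # PTRAUTH_ABI capability bit marks arm64e
            name = "arm64e"
        # "Valid Mach-O Header": the slice must start with the thin 64-bit header magic.
        valid = offset + 4 <= len(data) and struct.unpack_from("<I", data, offset)[0] == MH_MAGIC_64
        slices.append(dict(name=name, cputype=cputype, subtype=subtype, cap=cap,
                           offset=offset, size=size, align=align, valid=valid))
    return slices

def find_pattern(data: bytes, sl: dict, pattern: bytes) -> list:
    """Slice-relative offsets of a fixed byte sequence; >1 hit means the hex-search method is ambiguous."""
    blob = data[sl["offset"]:sl["offset"] + sl["size"]]
    hits, pos = [], blob.find(pattern)
    while pos != -1:
        hits.append(pos)
        pos = blob.find(pattern, pos + 1)
    return hits

def build_sample() -> tuple:
    """Constructed two-slice fat binary (not a real identityservicesd): header magic + zero filler
    per slice, with a marker sequence planted once in slice 0 and twice in slice 1."""
    data = bytearray(0x3000)
    header = struct.pack(">II", FAT_MAGIC, 2)
    header += struct.pack(">IIIII", 0x1000007, 0x3, 0x1000, 0x1000, 12)         # x86_64
    header += struct.pack(">IIIII", 0x100000C, 0x80000002, 0x2000, 0x1000, 12)  # arm64e
    data[:len(header)] = header
    marker = b"\xde\xad\xbe\xef\x01\x02"
    for base, spots in ((0x1000, (0x400,)), (0x2000, (0x400, 0x900))):
        struct.pack_into("<I", data, base, MH_MAGIC_64)
        for m in spots:
            data[base + m:base + m + len(marker)] = marker
    return bytes(data), marker
```

Run parse_fat on a real universal binary read from disk and the slice list matches the "Universal Binary Sections" block; a find_pattern result with more than one entry is the case where only the symbol-table method can disambiguate.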

@michaelstephens

Tested locally on 14.4 and I still get the same "no offsets found":

./mac-registration-provider
2024/03/23 13:27:35 Starting mac-registration-provider unknown
2024/03/23 13:27:35 Loading identityservicesd
2024/03/23 13:27:35 No offsets found for 14.4/23E214/arm64

@matusfaro (Author) commented Mar 23, 2024

@michaelstephens Can you post the output of:

$ sha256sum  /System/Library/PrivateFrameworks/IDS.framework/identityservicesd.app/Contents/MacOS/identityservicesd

I am on the same version as you 23E214 so your identityservicesd must be different. Can you also post that file if it is different?

Edit:
My sha is b82c5c6c9010a42cb64397e3760dd31144cbd471126111de9bb27fa3d2d2639a

@michaelstephens

> @michaelstephens Can you post the output of:
>
> $ sha256sum  /System/Library/PrivateFrameworks/IDS.framework/identityservicesd.app/Contents/MacOS/identityservicesd
>
> I am on the same version as you 23E214 so your identityservicesd must be different. Can you also post that file if it is different?
>
> Edit: My sha is b82c5c6c9010a42cb64397e3760dd31144cbd471126111de9bb27fa3d2d2639a

> sha256sum  /System/Library/PrivateFrameworks/IDS.framework/identityservicesd.app/Contents/MacOS/identityservicesd
b82c5c6c9010a42cb64397e3760dd31144cbd471126111de9bb27fa3d2d2639a  /System/Library/PrivateFrameworks/IDS.framework/identityservicesd.app/Contents/MacOS/identityservicesd

Hmm, it appears to be the same.

@0xdevalias (Contributor)

> Tested locally on 14.4 and I still get the same no offsets found

@michaelstephens Dumb question, but are you building the version of the code from this PR and running it when you get the 'no offsets found'?

@michaelstephens

> > Tested locally on 14.4 and I still get the same no offsets found
>
> @michaelstephens Dumb question, but are you building the version of the code from this PR and running it when you get the 'no offsets found'?

Fair question haha, I've tried both this fork and your fork as well, assuming just a `go build` builds what is locally available.

@matusfaro (Author)

Closing as 14.4.1 is already out.

@matusfaro matusfaro closed this Apr 4, 2024
@0xdevalias (Contributor)

> Closing as 14.4.1 is already out.

@matusfaro That wouldn't make the offsets for 14.4 irrelevant though... in the same way that there are offsets for many older versions...?
