TPM Function Calls

From OSx86
  • Here is a complete list of all functions that the TPM driver provides.
Start      Size       Function Name
¯¯¯¯¯      ¯¯¯¯       ¯¯¯¯¯¯¯¯¯¯¯¯¯¯
00000000   00000023   __ZN29com_apple_driver_AppleTPMACPIC2EPK11OSMetaClass
000000CC   0000002D   __ZN29com_apple_driver_AppleTPMACPI9MetaClassC1Ev
00000160   00000031   __ZN29com_apple_driver_AppleTPMACPIC1Ev
00000780   00000032   __ZN29com_apple_driver_AppleTPMACPI13PostChallengeEP9IOServiceP18ChallengeRequest_tP24PostChallengeOutParams_tmPm
000008BC   00000032   __ZN29com_apple_driver_AppleTPMACPI16RecoverChallengeEP9IOServicemP16ChallengeReply_tPm
00000990   0000002A   __ZN29com_apple_driver_AppleTPMACPI22ReleaseClientResourcesEP9IOService
00001C78   0000001A   __ZN29com_apple_driver_AppleTPMACPI9MetaClassD0Ev
00001C94   00000058   __Z41__static_initialization_and_destruction_0ii
00001DE8   0000002D   __ZN31com_apple_driver_AppleTPMClient9MetaClassC1Ev
00001E7C   00000031   __ZN31com_apple_driver_AppleTPMClientC1Ev
00002110   0000001A   __ZN31com_apple_driver_AppleTPMClient9MetaClassD0Ev
000021B4   0000006B   _UInt32ToBytes
00002220   0000004F   _UInt16ToBytes
00002270   0000003A   _UInt8ToBytes
000022AC   0000001B   _PrepRequestBlank
000022C8   0000006C   _PrepRequestInit
00002334   00000048   _PrepRequestByteString
0000237C   000000B9   _PrepAuthParams
00002438   00000029   _TpmStringLookup
00002464   00000055   _BytesToUInt32
000024BC   00000043   _BytesToUInt16
00002500   00000039   _BytesToUInt8
0000253C   00000103   _ParseResponseInit
0000271C   00000066   _ParseVarLenResponse
00002784   000000BC   _ParseNewAuthOIAP
00002840   0000003A   _ParseKeyHandle
0000287C   00000185   _VerifyAuth
00002A04   000000B7   _HMAC_SHA1_SA_Init
00002ABC   0000000B   _HMAC_SHA1_SA_Update
00002AC8   00000057   _HMAC_SHA1_SA_Final
00002B20   00000305   _SHA1_SA_Update
00002E40   0000017E   _SHA1_SA_Final
00002FC0   00000046   _SHA1_SA_Init
00003008   000014F1   _sha1_block_host_order
000044FC   00001817   _sha1_block_data_order

Here is a list of function calls from the Rosetta daemon executable.

Start      Size       Function Name
¯¯¯¯¯      ¯¯¯¯       ¯¯¯¯¯¯¯¯¯¯¯¯¯¯
0000FD82   0000000D   _EVP_sha1_stub
0000FD1E   0000000D   _HMAC_CTX_cleanup_stub
0000FD9B   0000000D   _HMAC_CTX_init_stub
0000FD37   0000000D   _HMAC_Final_stub
0000FD69   0000000D   _HMAC_Init_ex_stub
0000FD50   0000000D   _HMAC_Update_stub
0000FEF9   0000000D   _IOConnectMethodScalarIScalarO_stub
0000FF2B   0000000D   _IOConnectMethodScalarIStructureO_stub
0000FEC7   0000000D   _IOConnectMethodStructureIStructureO_stub
0000FE63   0000000D   _IOIteratorNext_stub
0000FEAE   0000000D   _IOMasterPort_stub
0000FE4A   0000000D   _IOObjectRelease_stub
0000FE18   0000000D   _IOServiceClose_stub
0000FE7C   0000000D   _IOServiceGetMatchingServices_stub
0000FE95   0000000D   _IOServiceMatching_stub
0000FE31   0000000D   _IOServiceOpen_stub
0000FDCD   0000000D   _RAND_pseudo_bytes_stub
0000FDB4   0000000D   _SHA1_Final_stub
0000FDE6   0000000D   _SHA1_Init_stub
0000FDFF   0000000D   _SHA1_Update_stub
0000F8B9   0000000D   ___keymgr_dwarf2_register_sections_stub
00010070   0000000D   __keymgr_get_and_lock_processwide_ptr_stub
0000FF5D   0000000D   __keymgr_get_per_thread_data_stub
00010057   0000000D   __keymgr_set_and_unlock_processwide_ptr_stub
0000FF8F   0000000D   __keymgr_set_per_thread_data_stub
0001000C   0000000D   __keymgr_unlock_processwide_ptr_stub
0000FF76   0000000D   _abort_stub
0000F8D2   0000000D   _atexit_stub
0000FA17   0000000D   _atoi_stub
0000FA7B   0000000D   _bcopy_stub
0000F936   0000000D   _bootstrap_check_in_stub
0000F91D   0000000D   _bootstrap_create_service_stub
0000F8EB   0000000D   _bootstrap_register_stub
0000F94F   0000000D   _bootstrap_status_stub
0000FFA8   0000000D   _bzero_stub
00010025   0000000D   _calloc_stub
0000FAC6   0000000D   _close_stub
0000F9E5   0000000D   _daemon_stub
0000F8A0   0000000D   _exit_stub
0000FEE0   0000000D   _fflush_stub
0000FF44   0000000D   _free_stub
0000FADF   0000000D   _ftruncate_stub
0000F981   0000000D   _getpwuid_stub
0001003E   0000000D   _getsectdatafromheader_stub
0000F99A   0000000D   _getuid_stub
0000FBA7   0000000D   _mach_error_string_stub
0000FBC0   0000000D   _mach_msg_stub
0000FCD3   0000000D   _mach_port_deallocate_stub
0000F904   0000000D   _mach_port_mod_refs_stub
0000FBD9   0000000D   _malloc_stub
0000FC3D   0000000D   _memcmp_stub
0000FC0B   0000000D   _memcpy_stub
0000FC24   0000000D   _mmap_stub
0000FBF2   0000000D   _munmap_stub
0000FB2A   0000000D   _open_stub
0000F9CC   0000000D   _openlog_stub
0000F9FE   0000000D   _printf_stub
0000FFDA   0000000D   _pthread_mutex_lock_stub
0000FFC1   0000000D   _pthread_mutex_unlock_stub
0000FFF3   0000000D   _pthread_once_stub
0000FA94   0000000D   _read_stub
0000FAAD   0000000D   _remove_stub
0000FA62   0000000D   _rindex_stub
0000F9B3   0000000D   _signal_stub
0000FAF8   0000000D   _sprintf_stub
0000FB43   0000000D   _strcat_stub
0000FA49   0000000D   _strcmp_stub
0000FB5C   0000000D   _strcpy_stub
0000FB75   0000000D   _strlen_stub
0000FA30   0000000D   _strncmp_stub
0000FC56   0000000D   _strncpy_stub
0000FB8E   0000000D   _syslog_stub
0000F968   0000000D   _task_get_special_port_stub
0000FF12   0000000D   _thread_switch_stub
0000FD05   0000000D   _usleep_stub
0000FCEC   0000000D   _vm_allocate_stub
0000FC6F   0000000D   _vm_deallocate_stub
0000FC88   0000000D   _vm_protect_stub
0000FCBA   0000000D   _vm_region_stub
0000FCA1   0000000D   _vm_remap_stub
0000FB11   0000000D   _write_stub

Notice the size: 13 (0x0D) bytes. Those functions are actually "stubs" (like a proxy) to the real functions, so it is important to find out where the real code is. An analysis of the functions can help; here is a disassembly:

__textcoal_nt:0001008C sub_1008C       proc near               ; CODE XREF: _exit_stub↑p
__textcoal_nt:0001008C                                         ; ___keymgr_dwarf2_register_sections_stub↑p ...
__textcoal_nt:0001008C                 mov     eax, [esp+0]
__textcoal_nt:0001008F                 retn
__textcoal_nt:0001008F sub_1008C       endp

__picsymbolstub2:0000FE18 _IOServiceClose_stub proc near          ; CODE XREF: __text:00005605↑p
__picsymbolstub2:0000FE18                                         ; sub_70FC+17↑p ...
__picsymbolstub2:0000FE18                 call    sub_1008C
__picsymbolstub2:0000FE1D                 mov     edx, [eax+486Fh]
__picsymbolstub2:0000FE23                 jmp     edx
__picsymbolstub2:0000FE23 _IOServiceClose_stub endp

__picsymbolstub2:0000FE31 _IOServiceOpen_stub proc near           ; CODE XREF: __text:000055A3↑p
__picsymbolstub2:0000FE31                                         ; sub_6C78+155↑p ...
__picsymbolstub2:0000FE31                 call    sub_1008C
__picsymbolstub2:0000FE36                 mov     edx, [eax+485Ah]
__picsymbolstub2:0000FE3C                 jmp     edx
__picsymbolstub2:0000FE3C _IOServiceOpen_stub endp

The disassembly shows that the real function is located at *(eax + index), where index corresponds to the function being called. We also notice that eax is actually *(esp + 0).
The question is what esp holds. It is simple to find out, since sub_1008C() doesn't set up a stack frame, which means that at mov eax, [esp+0], [esp] holds the return address into the calling stub. For instance, in _IOServiceOpen_stub the return address is 0x0000FE36, which means that the real code is actually at 0x0000FE36 + 0x0000485A = 0x00014690, i.e. *(0x00014690).
And what do we find at 0x00014690?

__la_sym_ptr2:00014690 _IOServiceOpen_ptr dd 252EAh

So the real code must be at 0x000252EA.
This is the typical output of compiled C code that uses a dynamic library. The thing is, the daemon doesn't show any imported functions!
But if we look at the __la_sym_ptr2 segment, we find all the "imported" functions and their real addresses! Here they are:

__la_sym_ptr2:000145AC ; Segment type: Pure data
__la_sym_ptr2:000145AC __la_sym_ptr2   segment byte public 'DATA' use32
__la_sym_ptr2:000145AC                 assume cs:__la_sym_ptr2
__la_sym_ptr2:000145AC                 ;org 145ACh
__la_sym_ptr2:000145AC _exit_ptr       dd 24DC9h
__la_sym_ptr2:000145B0 ___keymgr_dwarf2_register_sections_ptr dd 24D8Ah
__la_sym_ptr2:000145B4 _atexit_ptr     dd 24DCBh
__la_sym_ptr2:000145B8 _bootstrap_register_ptr dd 24DF8h
__la_sym_ptr2:000145BC _mach_port_mod_refs_ptr dd 24E59h
__la_sym_ptr2:000145C0 _bootstrap_create_service_ptr dd 24E26h
__la_sym_ptr2:000145C4 _bootstrap_check_in_ptr dd 24E3Bh
__la_sym_ptr2:000145C8 _bootstrap_status_ptr dd 24E60h
__la_sym_ptr2:000145CC _task_get_special_port_ptr dd 24F21h
__la_sym_ptr2:000145D0 _getpwuid_ptr   dd 24EBAh
__la_sym_ptr2:000145D4 _getuid_ptr     dd 24EDBh
__la_sym_ptr2:000145D8 _signal_ptr     dd 24F48h
__la_sym_ptr2:000145DC _openlog_ptr    dd 24F41h
__la_sym_ptr2:000145E0 _daemon_ptr     dd 24F06h
__la_sym_ptr2:000145E4 _printf_ptr     dd 24F77h
__la_sym_ptr2:000145E8 _atoi_ptr       dd 24F14h
__la_sym_ptr2:000145EC _strncmp_ptr    dd 24FDDh
__la_sym_ptr2:000145F0 _strcmp_ptr     dd 24FEAh
__la_sym_ptr2:000145F4 _rindex_ptr     dd 24FF3h
__la_sym_ptr2:000145F8 _bcopy_ptr      dd 24F7Ch
__la_sym_ptr2:000145FC _read_ptr       dd 2501Dh
__la_sym_ptr2:00014600 _remove_ptr     dd 2503Ah
__la_sym_ptr2:00014604 _close_ptr      dd 24FE3h
__la_sym_ptr2:00014608 _ftruncate_ptr  dd 25014h
__la_sym_ptr2:0001460C _sprintf_ptr    dd 25091h
__la_sym_ptr2:00014610 _write_ptr      dd 250EAh
__la_sym_ptr2:00014614 _open_ptr       dd 2509Bh
__la_sym_ptr2:00014618 _strcat_ptr     dd 250E0h
__la_sym_ptr2:0001461C _strcpy_ptr     dd 25101h
__la_sym_ptr2:00014620 _strlen_ptr     dd 2511Eh
__la_sym_ptr2:00014624 _syslog_ptr     dd 25143h
__la_sym_ptr2:00014628 _mach_error_string_ptr dd 250ECh
__la_sym_ptr2:0001462C _mach_msg_ptr   dd 2510Dh
__la_sym_ptr2:00014630 _malloc_ptr     dd 25136h
__la_sym_ptr2:00014634 _munmap_ptr     dd 2515Fh
__la_sym_ptr2:00014638 _memcpy_ptr     dd 25170h
__la_sym_ptr2:0001463C _mmap_ptr       dd 2518Dh
__la_sym_ptr2:00014640 _memcmp_ptr     dd 2519Eh
__la_sym_ptr2:00014644 _strncpy_ptr    dd 25207h
__la_sym_ptr2:00014648 _vm_deallocate_ptr dd 25238h
__la_sym_ptr2:0001464C _vm_protect_ptr dd 25255h
__la_sym_ptr2:00014650 _vm_remap_ptr   dd 25276h
__la_sym_ptr2:00014654 _vm_region_ptr  dd 2528Bh
__la_sym_ptr2:00014658 _mach_port_deallocate_ptr dd 25224h
__la_sym_ptr2:0001465C _vm_allocate_ptr dd 252B1h
__la_sym_ptr2:00014660 _usleep_ptr     dd 252C6h
__la_sym_ptr2:00014664 _HMAC_CTX_cleanup_ptr dd 2519Fh
__la_sym_ptr2:00014668 _HMAC_Final_ptr dd 251C0h
__la_sym_ptr2:0001466C _HMAC_Update_ptr dd 251E1h
__la_sym_ptr2:00014670 _HMAC_Init_ex_ptr dd 251F6h
__la_sym_ptr2:00014674 _EVP_sha1_ptr   dd 251FFh
__la_sym_ptr2:00014678 _HMAC_CTX_init_ptr dd 25220h
__la_sym_ptr2:0001467C _SHA1_Final_ptr dd 25279h
__la_sym_ptr2:00014680 _RAND_pseudo_bytes_ptr dd 2528Eh
__la_sym_ptr2:00014684 _SHA1_Init_ptr  dd 252AFh
__la_sym_ptr2:00014688 _SHA1_Update_ptr dd 252CCh
__la_sym_ptr2:0001468C _IOServiceClose_ptr dd 252C5h
__la_sym_ptr2:00014690 _IOServiceOpen_ptr dd 252EAh
__la_sym_ptr2:00014694 _IOObjectRelease_ptr dd 252F3h
__la_sym_ptr2:00014698 _IOIteratorNext_ptr dd 25304h
__la_sym_ptr2:0001469C _IOServiceGetMatchingServices_ptr dd 2532Dh
__la_sym_ptr2:000146A0 _IOServiceMatching_ptr dd 2534Ah
__la_sym_ptr2:000146A4 _IOMasterPort_ptr dd 25353h
__la_sym_ptr2:000146A8 _IOConnectMethodStructureIStructureO_ptr dd 25364h
__la_sym_ptr2:000146AC _fflush_ptr     dd 2540Dh
__la_sym_ptr2:000146B0 _IOConnectMethodScalarIScalarO_ptr dd 2538Eh
__la_sym_ptr2:000146B4 _thread_switch_ptr dd 254CFh
__la_sym_ptr2:000146B8 _IOConnectMethodScalarIStructureO_ptr dd 253C4h
__la_sym_ptr2:000146BC _free_ptr       dd 25475h
__la_sym_ptr2:000146C0 __keymgr_get_per_thread_data_ptr dd 25442h
__la_sym_ptr2:000146C4 _abort_ptr      dd 2546Bh
__la_sym_ptr2:000146C8 __keymgr_set_per_thread_data_ptr dd 2547Ch
__la_sym_ptr2:000146CC _bzero_ptr      dd 254BDh
__la_sym_ptr2:000146D0 _pthread_mutex_unlock_ptr dd 25542h
__la_sym_ptr2:000146D4 _pthread_mutex_lock_ptr dd 25557h
__la_sym_ptr2:000146D8 _pthread_once_ptr dd 25578h
__la_sym_ptr2:000146DC __keymgr_unlock_processwide_ptr_ptr dd 254FDh
__la_sym_ptr2:000146E0 _calloc_ptr     dd 2553Eh
__la_sym_ptr2:000146E4 _getsectdatafromheader_ptr dd 2557Bh
__la_sym_ptr2:000146E8 __keymgr_set_and_unlock_processwide_ptr_ptr dd 25540h
__la_sym_ptr2:000146EC __keymgr_get_and_lock_processwide_ptr_ptr dd 25551h
__la_sym_ptr2:000146EC __la_sym_ptr2   ends
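The stub-to-pointer resolution described above, automated over the IDA listing format shown on this page. This is an added example, not code from the original page: it parses a constructed excerpt of the listing (the two stubs and their __la_sym_ptr2 slots quoted above), recomputes return address + displacement for each stub, and looks the slot up in the pointer table.

```python
import re

# Constructed excerpt of the stub disassembly reproduced on the page.
STUB_LISTING = """
__picsymbolstub2:0000FE18 _IOServiceClose_stub proc near
__picsymbolstub2:0000FE18                 call    sub_1008C
__picsymbolstub2:0000FE1D                 mov     edx, [eax+486Fh]
__picsymbolstub2:0000FE23                 jmp     edx
__picsymbolstub2:0000FE31 _IOServiceOpen_stub proc near
__picsymbolstub2:0000FE31                 call    sub_1008C
__picsymbolstub2:0000FE36                 mov     edx, [eax+485Ah]
__picsymbolstub2:0000FE3C                 jmp     edx
"""

# Constructed excerpt of the __la_sym_ptr2 segment listing from the page.
LA_SYM_PTR2_LISTING = """
__la_sym_ptr2:0001468C _IOServiceClose_ptr dd 252C5h
__la_sym_ptr2:00014690 _IOServiceOpen_ptr dd 252EAh
__la_sym_ptr2:00014694 _IOObjectRelease_ptr dd 252F3h
"""

PTR_RE = re.compile(r"^__la_sym_ptr2:([0-9A-F]{8})\s+(\S+)\s+dd\s+([0-9A-F]+)h$")
PROC_RE = re.compile(r"^__picsymbolstub2:([0-9A-F]{8})\s+(\S+)\s+proc near")
MOV_RE = re.compile(r"^__picsymbolstub2:([0-9A-F]{8})\s+mov\s+edx,\s+\[eax\+([0-9A-F]+)h\]")


def parse_la_sym_ptr2(listing):
    """Map slot address -> (pointer symbol name, stored target address)."""
    slots = {}
    for line in listing.strip().splitlines():
        m = PTR_RE.match(line.strip())
        if m:
            slots[int(m.group(1), 16)] = (m.group(2), int(m.group(3), 16))
    return slots


def resolve_stubs(stub_listing, slots):
    """Map stub name -> (slot address, pointer name, stored target).

    sub_1008C has no stack frame, so 'mov eax, [esp+0]' loads the return
    address of the 'call sub_1008C', which is the address of the stub's own
    'mov edx, [eax+disp]' instruction. The slot is that address plus disp."""
    resolved, current = {}, None
    for line in stub_listing.strip().splitlines():
        line = line.strip()
        p = PROC_RE.match(line)
        if p:
            current = p.group(2)
            continue
        m = MOV_RE.match(line)
        if m and current:
            eax = int(m.group(1), 16)       # return address left in eax
            slot = eax + int(m.group(2), 16)
            name, target = slots.get(slot, (None, None))
            resolved[current] = (slot, name, target)
    return resolved
```

The targets stored in the binary are the initial lazy-binding values that dyld overwrites with the library's real address on first call, so a static listing shows the pre-binding value rather than the final target.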

Now we need to find out which binary is loaded at the addresses these pointers point to. That is where we find the real code.

--69.172.58.19 20:50, 10 October 2006 (CDT)


This page was last modified on 24 November 2010, at 03:21.