TPM Function Calls

*Here is a complete list of all functions that the TPM driver provides.

<pre>
Start      Size      Function Name
¯¯¯¯¯      ¯¯¯¯      ¯¯¯¯¯¯¯¯¯¯¯¯¯¯
...
00003008  000014F1  _sha1_block_host_order
000044FC  00001817  _sha1_block_data_order
</pre>

----

Here is a list of function calls from the Rosetta daemon executable.

<pre>
Start      Size      Function Name
¯¯¯¯¯      ¯¯¯¯      ¯¯¯¯¯¯¯¯¯¯¯¯¯¯
...
0000FCA1  0000000D  _vm_remap_stub
0000FB11  0000000D  _write_stub
</pre>

Notice the size: 13 (0x0D) bytes. Those functions are actually "stubs" (like a proxy) to the real functions.
So it is important to find out where the real code is.
An analysis of the stub functions can help; here is a disassembly:
<pre>
__textcoal_nt:0001008C sub_1008C      proc near              ; CODE XREF: _exit_stub↑p
__textcoal_nt:0001008C                                        ; ___keymgr_dwarf2_register_sections_stub↑p ...
...
__picsymbolstub2:0000FE3C                jmp    edx
__picsymbolstub2:0000FE3C _IOServiceOpen_stub endp
</pre>
The disassembly shows that the real function is located at <code>*(eax + index)</code>, where <code>index</code> corresponds to the function to be called. We also notice that <code>eax</code> is actually <code>*(esp + 0)</code>.<br>
The next thing is to find out what <code>esp</code> holds. That is simple, since <code>sub_1008C()</code> doesn't set up a stack frame, which means that at <code>mov    eax, [esp+0]</code> the value at <code>esp</code> is the return address into the calling stub. For instance, in <code>_IOServiceOpen_stub</code> the return address is <code>0x0000FE36</code>, which means that the real code is actually at <code>0x0000FE36 + 0x000485A = 0x00014690</code>, that is, <code>*(0x00014690)</code>.<br>
And what do we find at <code>0x00014690</code>?
<pre>
__la_sym_ptr2:00014690 _IOServiceOpen_ptr dd 252EAh
</pre>
So the real code must be at <code>0x000252EA</code>.<br>
This is typical output for compiled C code that uses a dynamic library. The thing is, the daemon doesn't show any imported function!<br>
But if we look at the <code>__la_sym_ptr2</code> segment, we find all the "imported" functions and their real addresses! Here they are:
<pre>
__la_sym_ptr2:000145AC ; Segment type: Pure data
__la_sym_ptr2:000145AC __la_sym_ptr2  segment byte public 'DATA' use32
...
__la_sym_ptr2:000146EC __keymgr_get_and_lock_processwide_ptr_ptr dd 25551h
__la_sym_ptr2:000146EC __la_sym_ptr2  ends
</pre>

Now we need to find out which binary is loaded at the addresses these pointers point to; that is where the real code is.

--[[User:69.172.58.19|69.172.58.19]] 20:50, 10 October 2006 (CDT)
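As an added example (not part of the original page and not code from the Rosetta daemon), here is a small Python script that automates the two steps described above: it parses a function table in the "Start Size Function Name" format and flags the 13-byte entries as stubs, then reproduces what <code>sub_1008C()</code> does for one stub, i.e. adds the displacement to the stub's return address and looks the resulting slot up in <code>__la_sym_ptr2</code>. The table excerpt and the two lazy-pointer entries are constructed from the values shown on this page; the displacement <code>0x485A</code> is the one implied by the <code>_IOServiceOpen_stub</code> arithmetic above, and the size check is an analyst's heuristic, not something the binary exposes.

```python
import re

# Constructed excerpt of the "Start  Size  Function Name" table, using only the
# rows that appear on this page (the full table is much longer).
FUNCTION_TABLE = """\
Start      Size      Function Name
00003008  000014F1  _sha1_block_host_order
000044FC  00001817  _sha1_block_data_order
0000FCA1  0000000D  _vm_remap_stub
0000FB11  0000000D  _write_stub
"""

STUB_SIZE = 0x0D  # the stubs on this page are all 13 bytes long (heuristic)

# One table row: 8 hex digits, whitespace, 8 hex digits, whitespace, a symbol name.
ROW_RE = re.compile(r"^([0-9A-Fa-f]{8})\s+([0-9A-Fa-f]{8})\s+(\S+)$")


def parse_function_table(text):
    """Return (start, size, name) tuples; the header and underline rows are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append((int(m.group(1), 16), int(m.group(2), 16), m.group(3)))
    return rows


def find_stubs(rows, stub_size=STUB_SIZE):
    """Names of all entries whose size matches the stub size."""
    return [name for _, size, name in rows if size == stub_size]


# Constructed __la_sym_ptr2 table: slot address -> (symbol, real code address).
# Both entries are the ones shown on this page; a real binary holds many more.
LA_SYM_PTR2 = {
    0x00014690: ("_IOServiceOpen_ptr", 0x000252EA),
    0x000146EC: ("__keymgr_get_and_lock_processwide_ptr_ptr", 0x00025551),
}


def resolve_stub(return_address, displacement, la_sym_ptr2=LA_SYM_PTR2):
    """Reproduce sub_1008C(): eax = [esp] is the stub's return address,
    the lazy-pointer slot is eax + displacement, and the jump target is *(slot)."""
    slot = return_address + displacement
    if slot not in la_sym_ptr2:
        raise KeyError(f"no lazy symbol pointer at {slot:#010x}")
    symbol, real_address = la_sym_ptr2[slot]
    return slot, symbol, real_address


if __name__ == "__main__":
    rows = parse_function_table(FUNCTION_TABLE)
    print("stubs:", find_stubs(rows))
    # _IOServiceOpen_stub: return address 0xFE36, displacement 0x485A (both from the page)
    slot, symbol, real = resolve_stub(0x0000FE36, 0x0000485A)
    print(f"slot {slot:#010x} ({symbol}) -> real code at {real:#010x}")
```

Running the script lists <code>_vm_remap_stub</code> and <code>_write_stub</code> as stubs and resolves <code>_IOServiceOpen_stub</code> to slot <code>0x00014690</code> and real code at <code>0x000252EA</code>, matching the hand calculation above. The lazy-pointer table is keyed by slot address on purpose: a return address plus displacement that lands outside the known slots raises an error instead of silently producing a bogus target.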
