TPM Function Calls


Revision as of 01:50, 11 October 2006

  • Here is a complete list of all functions that the TPM driver provides. From the mangled symbol names these belong to two IOKit classes, com_apple_driver_AppleTPMACPI and com_apple_driver_AppleTPMClient, plus a set of plain C helpers. Names such as _PrepAuthParams, _ParseNewAuthOIAP, _VerifyAuth and the _HMAC_SHA1_SA_* routines suggest that the TPM authorization-session handling (OIAP, HMAC-SHA1 based) lives inside the kernel driver itself; this is inferred from the names only and should be confirmed by reading the code.
Start      Size       Function Name
¯¯¯¯¯      ¯¯¯¯       ¯¯¯¯¯¯¯¯¯¯¯¯¯¯
00000000   00000023   __ZN29com_apple_driver_AppleTPMACPIC2EPK11OSMetaClass
000000CC   0000002D   __ZN29com_apple_driver_AppleTPMACPI9MetaClassC1Ev
00000160   00000031   __ZN29com_apple_driver_AppleTPMACPIC1Ev
00000780   00000032   __ZN29com_apple_driver_AppleTPMACPI13PostChallengeEP9IOServiceP18ChallengeRequest_tP24PostChallengeOutParams_tmPm
000008BC   00000032   __ZN29com_apple_driver_AppleTPMACPI16RecoverChallengeEP9IOServicemP16ChallengeReply_tPm
00000990   0000002A   __ZN29com_apple_driver_AppleTPMACPI22ReleaseClientResourcesEP9IOService
00001C78   0000001A   __ZN29com_apple_driver_AppleTPMACPI9MetaClassD0Ev
00001C94   00000058   __Z41__static_initialization_and_destruction_0ii
00001DE8   0000002D   __ZN31com_apple_driver_AppleTPMClient9MetaClassC1Ev
00001E7C   00000031   __ZN31com_apple_driver_AppleTPMClientC1Ev
00002110   0000001A   __ZN31com_apple_driver_AppleTPMClient9MetaClassD0Ev
000021B4   0000006B   _UInt32ToBytes
00002220   0000004F   _UInt16ToBytes
00002270   0000003A   _UInt8ToBytes
000022AC   0000001B   _PrepRequestBlank
000022C8   0000006C   _PrepRequestInit
00002334   00000048   _PrepRequestByteString
0000237C   000000B9   _PrepAuthParams
00002438   00000029   _TpmStringLookup
00002464   00000055   _BytesToUInt32
000024BC   00000043   _BytesToUInt16
00002500   00000039   _BytesToUInt8
0000253C   00000103   _ParseResponseInit
0000271C   00000066   _ParseVarLenResponse
00002784   000000BC   _ParseNewAuthOIAP
00002840   0000003A   _ParseKeyHandle
0000287C   00000185   _VerifyAuth
00002A04   000000B7   _HMAC_SHA1_SA_Init
00002ABC   0000000B   _HMAC_SHA1_SA_Update
00002AC8   00000057   _HMAC_SHA1_SA_Final
00002B20   00000305   _SHA1_SA_Update
00002E40   0000017E   _SHA1_SA_Final
00002FC0   00000046   _SHA1_SA_Init
00003008   000014F1   _sha1_block_host_order
000044FC   00001817   _sha1_block_data_order

Here is a list of the function calls made by the Rosetta daemon executable, as they appear in the disassembler's function list.

Start      Size       Function Name
¯¯¯¯¯      ¯¯¯¯       ¯¯¯¯¯¯¯¯¯¯¯¯¯¯
0000FD82   0000000D   _EVP_sha1_stub
0000FD1E   0000000D   _HMAC_CTX_cleanup_stub
0000FD9B   0000000D   _HMAC_CTX_init_stub
0000FD37   0000000D   _HMAC_Final_stub
0000FD69   0000000D   _HMAC_Init_ex_stub
0000FD50   0000000D   _HMAC_Update_stub
0000FEF9   0000000D   _IOConnectMethodScalarIScalarO_stub
0000FF2B   0000000D   _IOConnectMethodScalarIStructureO_stub
0000FEC7   0000000D   _IOConnectMethodStructureIStructureO_stub
0000FE63   0000000D   _IOIteratorNext_stub
0000FEAE   0000000D   _IOMasterPort_stub
0000FE4A   0000000D   _IOObjectRelease_stub
0000FE18   0000000D   _IOServiceClose_stub
0000FE7C   0000000D   _IOServiceGetMatchingServices_stub
0000FE95   0000000D   _IOServiceMatching_stub
0000FE31   0000000D   _IOServiceOpen_stub
0000FDCD   0000000D   _RAND_pseudo_bytes_stub
0000FDB4   0000000D   _SHA1_Final_stub
0000FDE6   0000000D   _SHA1_Init_stub
0000FDFF   0000000D   _SHA1_Update_stub
0000F8B9   0000000D   ___keymgr_dwarf2_register_sections_stub
00010070   0000000D   __keymgr_get_and_lock_processwide_ptr_stub
0000FF5D   0000000D   __keymgr_get_per_thread_data_stub
00010057   0000000D   __keymgr_set_and_unlock_processwide_ptr_stub
0000FF8F   0000000D   __keymgr_set_per_thread_data_stub
0001000C   0000000D   __keymgr_unlock_processwide_ptr_stub
0000FF76   0000000D   _abort_stub
0000F8D2   0000000D   _atexit_stub
0000FA17   0000000D   _atoi_stub
0000FA7B   0000000D   _bcopy_stub
0000F936   0000000D   _bootstrap_check_in_stub
0000F91D   0000000D   _bootstrap_create_service_stub
0000F8EB   0000000D   _bootstrap_register_stub
0000F94F   0000000D   _bootstrap_status_stub
0000FFA8   0000000D   _bzero_stub
00010025   0000000D   _calloc_stub
0000FAC6   0000000D   _close_stub
0000F9E5   0000000D   _daemon_stub
0000F8A0   0000000D   _exit_stub
0000FEE0   0000000D   _fflush_stub
0000FF44   0000000D   _free_stub
0000FADF   0000000D   _ftruncate_stub
0000F981   0000000D   _getpwuid_stub
0001003E   0000000D   _getsectdatafromheader_stub
0000F99A   0000000D   _getuid_stub
0000FBA7   0000000D   _mach_error_string_stub
0000FBC0   0000000D   _mach_msg_stub
0000FCD3   0000000D   _mach_port_deallocate_stub
0000F904   0000000D   _mach_port_mod_refs_stub
0000FBD9   0000000D   _malloc_stub
0000FC3D   0000000D   _memcmp_stub
0000FC0B   0000000D   _memcpy_stub
0000FC24   0000000D   _mmap_stub
0000FBF2   0000000D   _munmap_stub
0000FB2A   0000000D   _open_stub
0000F9CC   0000000D   _openlog_stub
0000F9FE   0000000D   _printf_stub
0000FFDA   0000000D   _pthread_mutex_lock_stub
0000FFC1   0000000D   _pthread_mutex_unlock_stub
0000FFF3   0000000D   _pthread_once_stub
0000FA94   0000000D   _read_stub
0000FAAD   0000000D   _remove_stub
0000FA62   0000000D   _rindex_stub
0000F9B3   0000000D   _signal_stub
0000FAF8   0000000D   _sprintf_stub
0000FB43   0000000D   _strcat_stub
0000FA49   0000000D   _strcmp_stub
0000FB5C   0000000D   _strcpy_stub
0000FB75   0000000D   _strlen_stub
0000FA30   0000000D   _strncmp_stub
0000FC56   0000000D   _strncpy_stub
0000FB8E   0000000D   _syslog_stub
0000F968   0000000D   _task_get_special_port_stub
0000FF12   0000000D   _thread_switch_stub
0000FD05   0000000D   _usleep_stub
0000FCEC   0000000D   _vm_allocate_stub
0000FC6F   0000000D   _vm_deallocate_stub
0000FC88   0000000D   _vm_protect_stub
0000FCBA   0000000D   _vm_region_stub
0000FCA1   0000000D   _vm_remap_stub
0000FB11   0000000D   _write_stub

Notice the size: 13 (0x0D) bytes, identical for every entry. These functions are actually "stubs" (like a proxy) for the real functions: each one is the same three-instruction sequence (a 5-byte call, a 6-byte mov and a 2-byte jmp, see below), which is why they all have the same size. So it is important to find out where the real code is. An analysis of the stubs helps; here is a disassembly:

; Tiny helper shared by every stub in __picsymbolstub2. It sets up no stack
; frame, so on entry [esp] is still the return address pushed by the CALL;
; it hands that address back in EAX so the calling stub can compute an
; address relative to its own location (position-independent code idiom).
__textcoal_nt:0001008C sub_1008C       proc near               ; CODE XREF: _exit_stub↑p
__textcoal_nt:0001008C                                         ; ___keymgr_dwarf2_register_sections_stub↑p ...
__textcoal_nt:0001008C                 mov     eax, [esp+0]    ; EAX = return address of the calling stub
__textcoal_nt:0001008F                 retn
__textcoal_nt:0001008F sub_1008C       endp

; 13-byte stub (5-byte CALL + 6-byte MOV + 2-byte JMP). After the CALL,
; EAX = 0xFE1D (this stub's own return address); 0xFE1D + 0x486F = 0x1468C,
; which is the _IOServiceClose_ptr slot in __la_sym_ptr2. Control is then
; transferred to whatever address that slot holds.
__picsymbolstub2:0000FE18 _IOServiceClose_stub proc near          ; CODE XREF: __text:00005605↑p
__picsymbolstub2:0000FE18                                         ; sub_70FC+17↑p ...
__picsymbolstub2:0000FE18                 call    sub_1008C       ; EAX = 0xFE1D
__picsymbolstub2:0000FE1D                 mov     edx, [eax+486Fh] ; EDX = *(0x1468C) = contents of _IOServiceClose_ptr
__picsymbolstub2:0000FE23                 jmp     edx             ; tail-jump to the pointer's target
__picsymbolstub2:0000FE23 _IOServiceClose_stub endp

; Same 13-byte stub shape as _IOServiceClose_stub, with a different
; displacement. After the CALL, EAX = 0xFE36; 0xFE36 + 0x485A = 0x14690,
; which is the _IOServiceOpen_ptr slot in __la_sym_ptr2.
__picsymbolstub2:0000FE31 _IOServiceOpen_stub proc near           ; CODE XREF: __text:000055A3↑p
__picsymbolstub2:0000FE31                                         ; sub_6C78+155↑p ...
__picsymbolstub2:0000FE31                 call    sub_1008C       ; EAX = 0xFE36
__picsymbolstub2:0000FE36                 mov     edx, [eax+485Ah] ; EDX = *(0x14690) = contents of _IOServiceOpen_ptr
__picsymbolstub2:0000FE3C                 jmp     edx             ; tail-jump to the pointer's target
__picsymbolstub2:0000FE3C _IOServiceOpen_stub endp

The disassembly shows that the real function is reached through an indirect jump: the target is loaded from *(eax + index), where index is a displacement specific to the function being called (0x486F for IOServiceClose, 0x485A for IOServiceOpen). We also notice that eax is actually *(esp + 0).
We still need to find out what esp points to. That is simple, because sub_1008C() does not set up a stack frame: at mov eax, [esp+0], [esp] is the return address pushed by the call, so eax receives the address of the instruction following the call in the stub. For instance, in _IOServiceOpen_stub the return address is 0x0000FE36, so the pointer is read from 0x0000FE36 + 0x0000485A = 0x00014690, and the jump target is *(0x00014690).
And what do we find at 0x00014690?

__la_sym_ptr2:00014690 _IOServiceOpen_ptr dd 252EAh

So the real code must be at 0x000252EA.
This is the typical output of compiled C code calling into a dynamic library: position-independent stubs that jump through a table of lazy symbol pointers. The odd thing is that the daemon does not show any imported functions (at least not in the disassembler's import view).
But if we look at the __la_sym_ptr2 segment, we find all the "imported" functions and the addresses their pointers hold. One caveat before trusting those values: a lazy symbol pointer on disk typically holds only an initial value (a trampoline into the dynamic linker's binding helper inside the image itself), which the dynamic linker overwrites with the library function's real address at load time or on first call. All the values listed below fall within a narrow 2 KB range (0x24D8A–0x2557B) even though they stand for functions from several different libraries (IOKit, libSystem, libcrypto), which is consistent with such a trampoline table rather than with real library entry points, so they should be verified in a running process. Here they are:

__la_sym_ptr2:000145AC ; Segment type: Pure data
__la_sym_ptr2:000145AC __la_sym_ptr2   segment byte public 'DATA' use32
__la_sym_ptr2:000145AC                 assume cs:__la_sym_ptr2
__la_sym_ptr2:000145AC                 ;org 145ACh
__la_sym_ptr2:000145AC _exit_ptr       dd 24DC9h
__la_sym_ptr2:000145B0 ___keymgr_dwarf2_register_sections_ptr dd 24D8Ah
__la_sym_ptr2:000145B4 _atexit_ptr     dd 24DCBh
__la_sym_ptr2:000145B8 _bootstrap_register_ptr dd 24DF8h
__la_sym_ptr2:000145BC _mach_port_mod_refs_ptr dd 24E59h
__la_sym_ptr2:000145C0 _bootstrap_create_service_ptr dd 24E26h
__la_sym_ptr2:000145C4 _bootstrap_check_in_ptr dd 24E3Bh
__la_sym_ptr2:000145C8 _bootstrap_status_ptr dd 24E60h
__la_sym_ptr2:000145CC _task_get_special_port_ptr dd 24F21h
__la_sym_ptr2:000145D0 _getpwuid_ptr   dd 24EBAh
__la_sym_ptr2:000145D4 _getuid_ptr     dd 24EDBh
__la_sym_ptr2:000145D8 _signal_ptr     dd 24F48h
__la_sym_ptr2:000145DC _openlog_ptr    dd 24F41h
__la_sym_ptr2:000145E0 _daemon_ptr     dd 24F06h
__la_sym_ptr2:000145E4 _printf_ptr     dd 24F77h
__la_sym_ptr2:000145E8 _atoi_ptr       dd 24F14h
__la_sym_ptr2:000145EC _strncmp_ptr    dd 24FDDh
__la_sym_ptr2:000145F0 _strcmp_ptr     dd 24FEAh
__la_sym_ptr2:000145F4 _rindex_ptr     dd 24FF3h
__la_sym_ptr2:000145F8 _bcopy_ptr      dd 24F7Ch
__la_sym_ptr2:000145FC _read_ptr       dd 2501Dh
__la_sym_ptr2:00014600 _remove_ptr     dd 2503Ah
__la_sym_ptr2:00014604 _close_ptr      dd 24FE3h
__la_sym_ptr2:00014608 _ftruncate_ptr  dd 25014h
__la_sym_ptr2:0001460C _sprintf_ptr    dd 25091h
__la_sym_ptr2:00014610 _write_ptr      dd 250EAh
__la_sym_ptr2:00014614 _open_ptr       dd 2509Bh
__la_sym_ptr2:00014618 _strcat_ptr     dd 250E0h
__la_sym_ptr2:0001461C _strcpy_ptr     dd 25101h
__la_sym_ptr2:00014620 _strlen_ptr     dd 2511Eh
__la_sym_ptr2:00014624 _syslog_ptr     dd 25143h
__la_sym_ptr2:00014628 _mach_error_string_ptr dd 250ECh
__la_sym_ptr2:0001462C _mach_msg_ptr   dd 2510Dh
__la_sym_ptr2:00014630 _malloc_ptr     dd 25136h
__la_sym_ptr2:00014634 _munmap_ptr     dd 2515Fh
__la_sym_ptr2:00014638 _memcpy_ptr     dd 25170h
__la_sym_ptr2:0001463C _mmap_ptr       dd 2518Dh
__la_sym_ptr2:00014640 _memcmp_ptr     dd 2519Eh
__la_sym_ptr2:00014644 _strncpy_ptr    dd 25207h
__la_sym_ptr2:00014648 _vm_deallocate_ptr dd 25238h
__la_sym_ptr2:0001464C _vm_protect_ptr dd 25255h
__la_sym_ptr2:00014650 _vm_remap_ptr   dd 25276h
__la_sym_ptr2:00014654 _vm_region_ptr  dd 2528Bh
__la_sym_ptr2:00014658 _mach_port_deallocate_ptr dd 25224h
__la_sym_ptr2:0001465C _vm_allocate_ptr dd 252B1h
__la_sym_ptr2:00014660 _usleep_ptr     dd 252C6h
__la_sym_ptr2:00014664 _HMAC_CTX_cleanup_ptr dd 2519Fh
__la_sym_ptr2:00014668 _HMAC_Final_ptr dd 251C0h
__la_sym_ptr2:0001466C _HMAC_Update_ptr dd 251E1h
__la_sym_ptr2:00014670 _HMAC_Init_ex_ptr dd 251F6h
__la_sym_ptr2:00014674 _EVP_sha1_ptr   dd 251FFh
__la_sym_ptr2:00014678 _HMAC_CTX_init_ptr dd 25220h
__la_sym_ptr2:0001467C _SHA1_Final_ptr dd 25279h
__la_sym_ptr2:00014680 _RAND_pseudo_bytes_ptr dd 2528Eh
__la_sym_ptr2:00014684 _SHA1_Init_ptr  dd 252AFh
__la_sym_ptr2:00014688 _SHA1_Update_ptr dd 252CCh
__la_sym_ptr2:0001468C _IOServiceClose_ptr dd 252C5h
__la_sym_ptr2:00014690 _IOServiceOpen_ptr dd 252EAh
__la_sym_ptr2:00014694 _IOObjectRelease_ptr dd 252F3h
__la_sym_ptr2:00014698 _IOIteratorNext_ptr dd 25304h
__la_sym_ptr2:0001469C _IOServiceGetMatchingServices_ptr dd 2532Dh
__la_sym_ptr2:000146A0 _IOServiceMatching_ptr dd 2534Ah
__la_sym_ptr2:000146A4 _IOMasterPort_ptr dd 25353h
__la_sym_ptr2:000146A8 _IOConnectMethodStructureIStructureO_ptr dd 25364h
__la_sym_ptr2:000146AC _fflush_ptr     dd 2540Dh
__la_sym_ptr2:000146B0 _IOConnectMethodScalarIScalarO_ptr dd 2538Eh
__la_sym_ptr2:000146B4 _thread_switch_ptr dd 254CFh
__la_sym_ptr2:000146B8 _IOConnectMethodScalarIStructureO_ptr dd 253C4h
__la_sym_ptr2:000146BC _free_ptr       dd 25475h
__la_sym_ptr2:000146C0 __keymgr_get_per_thread_data_ptr dd 25442h
__la_sym_ptr2:000146C4 _abort_ptr      dd 2546Bh
__la_sym_ptr2:000146C8 __keymgr_set_per_thread_data_ptr dd 2547Ch
__la_sym_ptr2:000146CC _bzero_ptr      dd 254BDh
__la_sym_ptr2:000146D0 _pthread_mutex_unlock_ptr dd 25542h
__la_sym_ptr2:000146D4 _pthread_mutex_lock_ptr dd 25557h
__la_sym_ptr2:000146D8 _pthread_once_ptr dd 25578h
__la_sym_ptr2:000146DC __keymgr_unlock_processwide_ptr_ptr dd 254FDh
__la_sym_ptr2:000146E0 _calloc_ptr     dd 2553Eh
__la_sym_ptr2:000146E4 _getsectdatafromheader_ptr dd 2557Bh
__la_sym_ptr2:000146E8 __keymgr_set_and_unlock_processwide_ptr_ptr dd 25540h
__la_sym_ptr2:000146EC __keymgr_get_and_lock_processwide_ptr_ptr dd 25551h
__la_sym_ptr2:000146EC __la_sym_ptr2   ends

Now we need to find out which binary is mapped at the addresses these pointers hold — or, if they are still unresolved lazy-binding entries, which library each symbol is bound to at run time — so that we can find the real code.

-- 20:50, 10 October 2006 (CDT)
