TPM Function Calls

From OSx86
Latest revision as of 03:21, 24 November 2010

  • Here is a complete list of all functions that the TPM driver (com_apple_driver_AppleTPMACPI) provides; start offsets and sizes are in hexadecimal:
Start      Size       Function Name
¯¯¯¯¯      ¯¯¯¯       ¯¯¯¯¯¯¯¯¯¯¯¯¯¯
00000000   00000023   __ZN29com_apple_driver_AppleTPMACPIC2EPK11OSMetaClass
000000CC   0000002D   __ZN29com_apple_driver_AppleTPMACPI9MetaClassC1Ev
00000160   00000031   __ZN29com_apple_driver_AppleTPMACPIC1Ev
00000780   00000032   __ZN29com_apple_driver_AppleTPMACPI13PostChallengeEP9IOServiceP18ChallengeRequest_tP24PostChallengeOutParams_tmPm
000008BC   00000032   __ZN29com_apple_driver_AppleTPMACPI16RecoverChallengeEP9IOServicemP16ChallengeReply_tPm
00000990   0000002A   __ZN29com_apple_driver_AppleTPMACPI22ReleaseClientResourcesEP9IOService
00001C78   0000001A   __ZN29com_apple_driver_AppleTPMACPI9MetaClassD0Ev
00001C94   00000058   __Z41__static_initialization_and_destruction_0ii
00001DE8   0000002D   __ZN31com_apple_driver_AppleTPMClient9MetaClassC1Ev
00001E7C   00000031   __ZN31com_apple_driver_AppleTPMClientC1Ev
00002110   0000001A   __ZN31com_apple_driver_AppleTPMClient9MetaClassD0Ev
000021B4   0000006B   _UInt32ToBytes
00002220   0000004F   _UInt16ToBytes
00002270   0000003A   _UInt8ToBytes
000022AC   0000001B   _PrepRequestBlank
000022C8   0000006C   _PrepRequestInit
00002334   00000048   _PrepRequestByteString
0000237C   000000B9   _PrepAuthParams
00002438   00000029   _TpmStringLookup
00002464   00000055   _BytesToUInt32
000024BC   00000043   _BytesToUInt16
00002500   00000039   _BytesToUInt8
0000253C   00000103   _ParseResponseInit
0000271C   00000066   _ParseVarLenResponse
00002784   000000BC   _ParseNewAuthOIAP
00002840   0000003A   _ParseKeyHandle
0000287C   00000185   _VerifyAuth
00002A04   000000B7   _HMAC_SHA1_SA_Init
00002ABC   0000000B   _HMAC_SHA1_SA_Update
00002AC8   00000057   _HMAC_SHA1_SA_Final
00002B20   00000305   _SHA1_SA_Update
00002E40   0000017E   _SHA1_SA_Final
00002FC0   00000046   _SHA1_SA_Init
00003008   000014F1   _sha1_block_host_order
000044FC   00001817   _sha1_block_data_order

Here is a list of the function call stubs in the Rosetta daemon executable:

Start      Size       Function Name
¯¯¯¯¯      ¯¯¯¯       ¯¯¯¯¯¯¯¯¯¯¯¯¯¯
0000FD82   0000000D   _EVP_sha1_stub
0000FD1E   0000000D   _HMAC_CTX_cleanup_stub
0000FD9B   0000000D   _HMAC_CTX_init_stub
0000FD37   0000000D   _HMAC_Final_stub
0000FD69   0000000D   _HMAC_Init_ex_stub
0000FD50   0000000D   _HMAC_Update_stub
0000FEF9   0000000D   _IOConnectMethodScalarIScalarO_stub
0000FF2B   0000000D   _IOConnectMethodScalarIStructureO_stub
0000FEC7   0000000D   _IOConnectMethodStructureIStructureO_stub
0000FE63   0000000D   _IOIteratorNext_stub
0000FEAE   0000000D   _IOMasterPort_stub
0000FE4A   0000000D   _IOObjectRelease_stub
0000FE18   0000000D   _IOServiceClose_stub
0000FE7C   0000000D   _IOServiceGetMatchingServices_stub
0000FE95   0000000D   _IOServiceMatching_stub
0000FE31   0000000D   _IOServiceOpen_stub
0000FDCD   0000000D   _RAND_pseudo_bytes_stub
0000FDB4   0000000D   _SHA1_Final_stub
0000FDE6   0000000D   _SHA1_Init_stub
0000FDFF   0000000D   _SHA1_Update_stub
0000F8B9   0000000D   ___keymgr_dwarf2_register_sections_stub
00010070   0000000D   __keymgr_get_and_lock_processwide_ptr_stub
0000FF5D   0000000D   __keymgr_get_per_thread_data_stub
00010057   0000000D   __keymgr_set_and_unlock_processwide_ptr_stub
0000FF8F   0000000D   __keymgr_set_per_thread_data_stub
0001000C   0000000D   __keymgr_unlock_processwide_ptr_stub
0000FF76   0000000D   _abort_stub
0000F8D2   0000000D   _atexit_stub
0000FA17   0000000D   _atoi_stub
0000FA7B   0000000D   _bcopy_stub
0000F936   0000000D   _bootstrap_check_in_stub
0000F91D   0000000D   _bootstrap_create_service_stub
0000F8EB   0000000D   _bootstrap_register_stub
0000F94F   0000000D   _bootstrap_status_stub
0000FFA8   0000000D   _bzero_stub
00010025   0000000D   _calloc_stub
0000FAC6   0000000D   _close_stub
0000F9E5   0000000D   _daemon_stub
0000F8A0   0000000D   _exit_stub
0000FEE0   0000000D   _fflush_stub
0000FF44   0000000D   _free_stub
0000FADF   0000000D   _ftruncate_stub
0000F981   0000000D   _getpwuid_stub
0001003E   0000000D   _getsectdatafromheader_stub
0000F99A   0000000D   _getuid_stub
0000FBA7   0000000D   _mach_error_string_stub
0000FBC0   0000000D   _mach_msg_stub
0000FCD3   0000000D   _mach_port_deallocate_stub
0000F904   0000000D   _mach_port_mod_refs_stub
0000FBD9   0000000D   _malloc_stub
0000FC3D   0000000D   _memcmp_stub
0000FC0B   0000000D   _memcpy_stub
0000FC24   0000000D   _mmap_stub
0000FBF2   0000000D   _munmap_stub
0000FB2A   0000000D   _open_stub
0000F9CC   0000000D   _openlog_stub
0000F9FE   0000000D   _printf_stub
0000FFDA   0000000D   _pthread_mutex_lock_stub
0000FFC1   0000000D   _pthread_mutex_unlock_stub
0000FFF3   0000000D   _pthread_once_stub
0000FA94   0000000D   _read_stub
0000FAAD   0000000D   _remove_stub
0000FA62   0000000D   _rindex_stub
0000F9B3   0000000D   _signal_stub
0000FAF8   0000000D   _sprintf_stub
0000FB43   0000000D   _strcat_stub
0000FA49   0000000D   _strcmp_stub
0000FB5C   0000000D   _strcpy_stub
0000FB75   0000000D   _strlen_stub
0000FA30   0000000D   _strncmp_stub
0000FC56   0000000D   _strncpy_stub
0000FB8E   0000000D   _syslog_stub
0000F968   0000000D   _task_get_special_port_stub
0000FF12   0000000D   _thread_switch_stub
0000FD05   0000000D   _usleep_stub
0000FCEC   0000000D   _vm_allocate_stub
0000FC6F   0000000D   _vm_deallocate_stub
0000FC88   0000000D   _vm_protect_stub
0000FCBA   0000000D   _vm_region_stub
0000FCA1   0000000D   _vm_remap_stub
0000FB11   0000000D   _write_stub

Notice the size: 13 (0x0D) bytes each. These functions are actually "stubs" (like a proxy) to the real functions, so it is important to find out where the real code is. An analysis of the stubs helps; here is a disassembly of the shared thunk and two of the stubs:

__textcoal_nt:0001008C sub_1008C       proc near               ; CODE XREF: _exit_stub↑p
__textcoal_nt:0001008C                                         ; ___keymgr_dwarf2_register_sections_stub↑p ...
__textcoal_nt:0001008C                 mov     eax, [esp+0]
__textcoal_nt:0001008F                 retn
__textcoal_nt:0001008F sub_1008C       endp

__picsymbolstub2:0000FE18 _IOServiceClose_stub proc near          ; CODE XREF: __text:00005605↑p
__picsymbolstub2:0000FE18                                         ; sub_70FC+17↑p ...
__picsymbolstub2:0000FE18                 call    sub_1008C
__picsymbolstub2:0000FE1D                 mov     edx, [eax+486Fh]
__picsymbolstub2:0000FE23                 jmp     edx
__picsymbolstub2:0000FE23 _IOServiceClose_stub endp

__picsymbolstub2:0000FE31 _IOServiceOpen_stub proc near           ; CODE XREF: __text:000055A3↑p
__picsymbolstub2:0000FE31                                         ; sub_6C78+155↑p ...
__picsymbolstub2:0000FE31                 call    sub_1008C
__picsymbolstub2:0000FE36                 mov     edx, [eax+485Ah]
__picsymbolstub2:0000FE3C                 jmp     edx
__picsymbolstub2:0000FE3C _IOServiceOpen_stub endp

The disassembly shows that each stub jumps to *(eax + index), where index is a per-function displacement, and that eax is loaded from *(esp + 0) inside sub_1008C.
So what does esp point to there? That is simple to find out, because sub_1008C has no stack frame: at mov eax, [esp+0] the top of the stack is the return address pushed by the stub's call, so eax receives the address of the instruction right after that call (the usual i386 get-PC thunk for position-independent code). In _IOServiceOpen_stub that return address is 0x0000FE36, so the stub reads the pointer at 0x0000FE36 + 0x0000485A = 0x00014690 and jumps to *(0x00014690).
And what do we find at 0x00014690?

__la_sym_ptr2:00014690 _IOServiceOpen_ptr dd 252EAh

So the stub jumps to the value stored there, 0x000252EA.
This is the typical shape of compiled, position-independent C code calling into a dynamic library. The odd thing is that the daemon does not appear to show any imported functions at all.
But if we look at the __la_sym_ptr2 section (the lazy symbol pointers), we find all the "imported" functions, together with the address each slot holds on disk. Here they are:

__la_sym_ptr2:000145AC ; Segment type: Pure data
__la_sym_ptr2:000145AC __la_sym_ptr2   segment byte public 'DATA' use32
__la_sym_ptr2:000145AC                 assume cs:__la_sym_ptr2
__la_sym_ptr2:000145AC                 ;org 145ACh
__la_sym_ptr2:000145AC _exit_ptr       dd 24DC9h
__la_sym_ptr2:000145B0 ___keymgr_dwarf2_register_sections_ptr dd 24D8Ah
__la_sym_ptr2:000145B4 _atexit_ptr     dd 24DCBh
__la_sym_ptr2:000145B8 _bootstrap_register_ptr dd 24DF8h
__la_sym_ptr2:000145BC _mach_port_mod_refs_ptr dd 24E59h
__la_sym_ptr2:000145C0 _bootstrap_create_service_ptr dd 24E26h
__la_sym_ptr2:000145C4 _bootstrap_check_in_ptr dd 24E3Bh
__la_sym_ptr2:000145C8 _bootstrap_status_ptr dd 24E60h
__la_sym_ptr2:000145CC _task_get_special_port_ptr dd 24F21h
__la_sym_ptr2:000145D0 _getpwuid_ptr   dd 24EBAh
__la_sym_ptr2:000145D4 _getuid_ptr     dd 24EDBh
__la_sym_ptr2:000145D8 _signal_ptr     dd 24F48h
__la_sym_ptr2:000145DC _openlog_ptr    dd 24F41h
__la_sym_ptr2:000145E0 _daemon_ptr     dd 24F06h
__la_sym_ptr2:000145E4 _printf_ptr     dd 24F77h
__la_sym_ptr2:000145E8 _atoi_ptr       dd 24F14h
__la_sym_ptr2:000145EC _strncmp_ptr    dd 24FDDh
__la_sym_ptr2:000145F0 _strcmp_ptr     dd 24FEAh
__la_sym_ptr2:000145F4 _rindex_ptr     dd 24FF3h
__la_sym_ptr2:000145F8 _bcopy_ptr      dd 24F7Ch
__la_sym_ptr2:000145FC _read_ptr       dd 2501Dh
__la_sym_ptr2:00014600 _remove_ptr     dd 2503Ah
__la_sym_ptr2:00014604 _close_ptr      dd 24FE3h
__la_sym_ptr2:00014608 _ftruncate_ptr  dd 25014h
__la_sym_ptr2:0001460C _sprintf_ptr    dd 25091h
__la_sym_ptr2:00014610 _write_ptr      dd 250EAh
__la_sym_ptr2:00014614 _open_ptr       dd 2509Bh
__la_sym_ptr2:00014618 _strcat_ptr     dd 250E0h
__la_sym_ptr2:0001461C _strcpy_ptr     dd 25101h
__la_sym_ptr2:00014620 _strlen_ptr     dd 2511Eh
__la_sym_ptr2:00014624 _syslog_ptr     dd 25143h
__la_sym_ptr2:00014628 _mach_error_string_ptr dd 250ECh
__la_sym_ptr2:0001462C _mach_msg_ptr   dd 2510Dh
__la_sym_ptr2:00014630 _malloc_ptr     dd 25136h
__la_sym_ptr2:00014634 _munmap_ptr     dd 2515Fh
__la_sym_ptr2:00014638 _memcpy_ptr     dd 25170h
__la_sym_ptr2:0001463C _mmap_ptr       dd 2518Dh
__la_sym_ptr2:00014640 _memcmp_ptr     dd 2519Eh
__la_sym_ptr2:00014644 _strncpy_ptr    dd 25207h
__la_sym_ptr2:00014648 _vm_deallocate_ptr dd 25238h
__la_sym_ptr2:0001464C _vm_protect_ptr dd 25255h
__la_sym_ptr2:00014650 _vm_remap_ptr   dd 25276h
__la_sym_ptr2:00014654 _vm_region_ptr  dd 2528Bh
__la_sym_ptr2:00014658 _mach_port_deallocate_ptr dd 25224h
__la_sym_ptr2:0001465C _vm_allocate_ptr dd 252B1h
__la_sym_ptr2:00014660 _usleep_ptr     dd 252C6h
__la_sym_ptr2:00014664 _HMAC_CTX_cleanup_ptr dd 2519Fh
__la_sym_ptr2:00014668 _HMAC_Final_ptr dd 251C0h
__la_sym_ptr2:0001466C _HMAC_Update_ptr dd 251E1h
__la_sym_ptr2:00014670 _HMAC_Init_ex_ptr dd 251F6h
__la_sym_ptr2:00014674 _EVP_sha1_ptr   dd 251FFh
__la_sym_ptr2:00014678 _HMAC_CTX_init_ptr dd 25220h
__la_sym_ptr2:0001467C _SHA1_Final_ptr dd 25279h
__la_sym_ptr2:00014680 _RAND_pseudo_bytes_ptr dd 2528Eh
__la_sym_ptr2:00014684 _SHA1_Init_ptr  dd 252AFh
__la_sym_ptr2:00014688 _SHA1_Update_ptr dd 252CCh
__la_sym_ptr2:0001468C _IOServiceClose_ptr dd 252C5h
__la_sym_ptr2:00014690 _IOServiceOpen_ptr dd 252EAh
__la_sym_ptr2:00014694 _IOObjectRelease_ptr dd 252F3h
__la_sym_ptr2:00014698 _IOIteratorNext_ptr dd 25304h
__la_sym_ptr2:0001469C _IOServiceGetMatchingServices_ptr dd 2532Dh
__la_sym_ptr2:000146A0 _IOServiceMatching_ptr dd 2534Ah
__la_sym_ptr2:000146A4 _IOMasterPort_ptr dd 25353h
__la_sym_ptr2:000146A8 _IOConnectMethodStructureIStructureO_ptr dd 25364h
__la_sym_ptr2:000146AC _fflush_ptr     dd 2540Dh
__la_sym_ptr2:000146B0 _IOConnectMethodScalarIScalarO_ptr dd 2538Eh
__la_sym_ptr2:000146B4 _thread_switch_ptr dd 254CFh
__la_sym_ptr2:000146B8 _IOConnectMethodScalarIStructureO_ptr dd 253C4h
__la_sym_ptr2:000146BC _free_ptr       dd 25475h
__la_sym_ptr2:000146C0 __keymgr_get_per_thread_data_ptr dd 25442h
__la_sym_ptr2:000146C4 _abort_ptr      dd 2546Bh
__la_sym_ptr2:000146C8 __keymgr_set_per_thread_data_ptr dd 2547Ch
__la_sym_ptr2:000146CC _bzero_ptr      dd 254BDh
__la_sym_ptr2:000146D0 _pthread_mutex_unlock_ptr dd 25542h
__la_sym_ptr2:000146D4 _pthread_mutex_lock_ptr dd 25557h
__la_sym_ptr2:000146D8 _pthread_once_ptr dd 25578h
__la_sym_ptr2:000146DC __keymgr_unlock_processwide_ptr_ptr dd 254FDh
__la_sym_ptr2:000146E0 _calloc_ptr     dd 2553Eh
__la_sym_ptr2:000146E4 _getsectdatafromheader_ptr dd 2557Bh
__la_sym_ptr2:000146E8 __keymgr_set_and_unlock_processwide_ptr_ptr dd 25540h
__la_sym_ptr2:000146EC __keymgr_get_and_lock_processwide_ptr_ptr dd 25551h
__la_sym_ptr2:000146EC __la_sym_ptr2   ends

Now we need to find out what code is loaded at the addresses these pointers hold, so that we reach the real functions. One caveat: __la_sym_ptr2 is a lazy symbol pointer section, so the values shown above are only the initial contents of each slot as stored in the file; dyld overwrites a slot with the address of the library function when that symbol is bound at run time, so the on-disk value is not where the library code lives. The slot-to-symbol mapping is recorded in the binary's indirect symbol table (otool -I -v prints it), and otool -L lists the libraries the daemon links against.

--69.172.58.19 20:50, 10 October 2006 (CDT)
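As an added example (not code from the original page or from the Rosetta daemon), here is a small Python script that automates the resolution worked through above: it decodes a 13-byte __picsymbolstub2 stub, checks that its call really targets the get-PC thunk sub_1008C at 0x1008C, computes the lazy pointer slot as return address plus displacement, and looks that slot up in a pointer table. The stub bytes are re-encoded from the disassembly and the three-entry __la_sym_ptr2 table is a constructed subset of the listing; the table values are the on-disk slot contents, which dyld replaces once the symbol is bound.

```python
"""Resolve i386 PIC call stubs (call thunk; mov edx,[eax+disp32]; jmp edx)
to their lazy-symbol-pointer slots.

Constructed example: stub bytes are re-encoded from the listing and the
pointer table is a hypothetical three-entry subset of __la_sym_ptr2.
"""
import struct

THUNK_ADDR = 0x1008C  # sub_1008C: mov eax,[esp]; retn  (returns its own return address)

# Constructed subset of __la_sym_ptr2: slot address -> value stored in the file.
LAZY_PTRS = {
    0x1468C: 0x252C5,  # _IOServiceClose_ptr
    0x14690: 0x252EA,  # _IOServiceOpen_ptr
    0x14694: 0x252F3,  # _IOObjectRelease_ptr
}

# Constructed: stub name -> (stub start address, disp32 used in mov edx,[eax+disp32]).
STUBS = {
    "_IOServiceClose_stub": (0xFE18, 0x486F),
    "_IOServiceOpen_stub": (0xFE31, 0x485A),
}


def encode_stub(stub_addr, disp32, thunk=THUNK_ADDR):
    """Re-encode the 13-byte stub as it appears in __picsymbolstub2."""
    ret_addr = stub_addr + 5                      # address following the 5-byte call
    rel32 = (thunk - ret_addr) & 0xFFFFFFFF       # call is EIP-relative
    return (b"\xE8" + struct.pack("<I", rel32)    # call thunk
            + b"\x8B\x90" + struct.pack("<I", disp32 & 0xFFFFFFFF)  # mov edx,[eax+disp32]
            + b"\xFF\xE2")                        # jmp edx


def resolve_stub(stub_addr, code, thunk=THUNK_ADDR, lazy_ptrs=LAZY_PTRS):
    """Return (slot address, on-disk slot value) for one stub.

    Raises ValueError if the bytes are not the expected stub shape or the call
    does not go to the get-PC thunk, and KeyError if the slot is unknown.
    """
    if (len(code) != 13 or code[0] != 0xE8
            or code[5:7] != b"\x8B\x90" or code[11:] != b"\xFF\xE2"):
        raise ValueError("not a call/mov edx,[eax+disp32]/jmp edx stub at %#x" % stub_addr)
    ret_addr = stub_addr + 5
    rel32 = struct.unpack("<i", code[1:5])[0]
    if (ret_addr + rel32) & 0xFFFFFFFF != thunk:
        raise ValueError("call at %#x does not target the get-PC thunk" % stub_addr)
    disp32 = struct.unpack("<i", code[7:11])[0]
    # After the thunk, eax holds ret_addr, so the stub reads *(ret_addr + disp32).
    slot = (ret_addr + disp32) & 0xFFFFFFFF
    if slot not in lazy_ptrs:
        raise KeyError("slot %#x is not in __la_sym_ptr2" % slot)
    return slot, lazy_ptrs[slot]


def resolve_all(stubs=STUBS):
    """Map every stub name to (slot, on-disk value) using the constructed bytes."""
    return {name: resolve_stub(addr, encode_stub(addr, disp))
            for name, (addr, disp) in stubs.items()}


if __name__ == "__main__":
    for name, (slot, value) in resolve_all().items():
        print("%-22s slot %#07x holds %#07x" % (name, slot, value))
```

To use it on real data, read the section bytes out of the file (or from IDA) instead of re-encoding them, and build the pointer table from the whole __la_sym_ptr2 section; the shape checks in resolve_stub are what keep a mis-sized or hand-patched stub from producing a bogus slot address.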

