TPM Function Calls

From OSx86
Revision as of 12:46, 2 August 2005 by 128.93.7.99 (Talk)

  • Here is a complete list of all functions that the TPM driver provides.
Start      Size       Function Name
¯¯¯¯¯      ¯¯¯¯       ¯¯¯¯¯¯¯¯¯¯¯¯¯¯
00000000   00000023   __ZN29com_apple_driver_AppleTPMACPIC2EPK11OSMetaClass
000000CC   0000002D   __ZN29com_apple_driver_AppleTPMACPI9MetaClassC1Ev
00000160   00000031   __ZN29com_apple_driver_AppleTPMACPIC1Ev
00000780   00000032   __ZN29com_apple_driver_AppleTPMACPI13PostChallengeEP9IOServiceP18ChallengeRequest_tP24PostChallengeOutParams_tmPm
000008BC   00000032   __ZN29com_apple_driver_AppleTPMACPI16RecoverChallengeEP9IOServicemP16ChallengeReply_tPm
00000990   0000002A   __ZN29com_apple_driver_AppleTPMACPI22ReleaseClientResourcesEP9IOService
00001C78   0000001A   __ZN29com_apple_driver_AppleTPMACPI9MetaClassD0Ev
00001C94   00000058   __Z41__static_initialization_and_destruction_0ii
00001DE8   0000002D   __ZN31com_apple_driver_AppleTPMClient9MetaClassC1Ev
00001E7C   00000031   __ZN31com_apple_driver_AppleTPMClientC1Ev
00002110   0000001A   __ZN31com_apple_driver_AppleTPMClient9MetaClassD0Ev
000021B4   0000006B   _UInt32ToBytes
00002220   0000004F   _UInt16ToBytes
00002270   0000003A   _UInt8ToBytes
000022AC   0000001B   _PrepRequestBlank
000022C8   0000006C   _PrepRequestInit
00002334   00000048   _PrepRequestByteString
0000237C   000000B9   _PrepAuthParams
00002438   00000029   _TpmStringLookup
00002464   00000055   _BytesToUInt32
000024BC   00000043   _BytesToUInt16
00002500   00000039   _BytesToUInt8
0000253C   00000103   _ParseResponseInit
0000271C   00000066   _ParseVarLenResponse
00002784   000000BC   _ParseNewAuthOIAP
00002840   0000003A   _ParseKeyHandle
0000287C   00000185   _VerifyAuth
00002A04   000000B7   _HMAC_SHA1_SA_Init
00002ABC   0000000B   _HMAC_SHA1_SA_Update
00002AC8   00000057   _HMAC_SHA1_SA_Final
00002B20   00000305   _SHA1_SA_Update
00002E40   0000017E   _SHA1_SA_Final
00002FC0   00000046   _SHA1_SA_Init
00003008   000014F1   _sha1_block_host_order
000044FC   00001817   _sha1_block_data_order

Here is a list of functions calls from the Rosetta daemon executable.

Start      Size       Function Name
¯¯¯¯¯      ¯¯¯¯       ¯¯¯¯¯¯¯¯¯¯¯¯¯¯
0000FD82   0000000D   _EVP_sha1_stub
0000FD1E   0000000D   _HMAC_CTX_cleanup_stub
0000FD9B   0000000D   _HMAC_CTX_init_stub
0000FD37   0000000D   _HMAC_Final_stub
0000FD69   0000000D   _HMAC_Init_ex_stub
0000FD50   0000000D   _HMAC_Update_stub
0000FEF9   0000000D   _IOConnectMethodScalarIScalarO_stub
0000FF2B   0000000D   _IOConnectMethodScalarIStructureO_stub
0000FEC7   0000000D   _IOConnectMethodStructureIStructureO_stub
0000FE63   0000000D   _IOIteratorNext_stub
0000FEAE   0000000D   _IOMasterPort_stub
0000FE4A   0000000D   _IOObjectRelease_stub
0000FE18   0000000D   _IOServiceClose_stub
0000FE7C   0000000D   _IOServiceGetMatchingServices_stub
0000FE95   0000000D   _IOServiceMatching_stub
0000FE31   0000000D   _IOServiceOpen_stub
0000FDCD   0000000D   _RAND_pseudo_bytes_stub
0000FDB4   0000000D   _SHA1_Final_stub
0000FDE6   0000000D   _SHA1_Init_stub
0000FDFF   0000000D   _SHA1_Update_stub
0000F8B9   0000000D   ___keymgr_dwarf2_register_sections_stub
00010070   0000000D   __keymgr_get_and_lock_processwide_ptr_stub
0000FF5D   0000000D   __keymgr_get_per_thread_data_stub
00010057   0000000D   __keymgr_set_and_unlock_processwide_ptr_stub
0000FF8F   0000000D   __keymgr_set_per_thread_data_stub
0001000C   0000000D   __keymgr_unlock_processwide_ptr_stub
0000FF76   0000000D   _abort_stub
0000F8D2   0000000D   _atexit_stub
0000FA17   0000000D   _atoi_stub
0000FA7B   0000000D   _bcopy_stub
0000F936   0000000D   _bootstrap_check_in_stub
0000F91D   0000000D   _bootstrap_create_service_stub
0000F8EB   0000000D   _bootstrap_register_stub
0000F94F   0000000D   _bootstrap_status_stub
0000FFA8   0000000D   _bzero_stub
00010025   0000000D   _calloc_stub
0000FAC6   0000000D   _close_stub
0000F9E5   0000000D   _daemon_stub
0000F8A0   0000000D   _exit_stub
0000FEE0   0000000D   _fflush_stub
0000FF44   0000000D   _free_stub
0000FADF   0000000D   _ftruncate_stub
0000F981   0000000D   _getpwuid_stub
0001003E   0000000D   _getsectdatafromheader_stub
0000F99A   0000000D   _getuid_stub
0000FBA7   0000000D   _mach_error_string_stub
0000FBC0   0000000D   _mach_msg_stub
0000FCD3   0000000D   _mach_port_deallocate_stub
0000F904   0000000D   _mach_port_mod_refs_stub
0000FBD9   0000000D   _malloc_stub
0000FC3D   0000000D   _memcmp_stub
0000FC0B   0000000D   _memcpy_stub
0000FC24   0000000D   _mmap_stub
0000FBF2   0000000D   _munmap_stub
0000FB2A   0000000D   _open_stub
0000F9CC   0000000D   _openlog_stub
0000F9FE   0000000D   _printf_stub
0000FFDA   0000000D   _pthread_mutex_lock_stub
0000FFC1   0000000D   _pthread_mutex_unlock_stub
0000FFF3   0000000D   _pthread_once_stub
0000FA94   0000000D   _read_stub
0000FAAD   0000000D   _remove_stub
0000FA62   0000000D   _rindex_stub
0000F9B3   0000000D   _signal_stub
0000FAF8   0000000D   _sprintf_stub
0000FB43   0000000D   _strcat_stub
0000FA49   0000000D   _strcmp_stub
0000FB5C   0000000D   _strcpy_stub
0000FB75   0000000D   _strlen_stub
0000FA30   0000000D   _strncmp_stub
0000FC56   0000000D   _strncpy_stub
0000FB8E   0000000D   _syslog_stub
0000F968   0000000D   _task_get_special_port_stub
0000FF12   0000000D   _thread_switch_stub
0000FD05   0000000D   _usleep_stub
0000FCEC   0000000D   _vm_allocate_stub
0000FC6F   0000000D   _vm_deallocate_stub
0000FC88   0000000D   _vm_protect_stub
0000FCBA   0000000D   _vm_region_stub
0000FCA1   0000000D   _vm_remap_stub
0000FB11   0000000D   _write_stub

Notice the size: 13 (0x0D) bytes. Those functions are actually "stubs" (like a proxy) to the real functions, so it is important to find where the real code is. An analysis of the functions can help; here is a disassembly:

__textcoal_nt:0001008C sub_1008C       proc near               ; CODE XREF: _exit_stub↑p
__textcoal_nt:0001008C                                         ; ___keymgr_dwarf2_register_sections_stub↑p ...
__textcoal_nt:0001008C                 mov     eax, [esp+0]
__textcoal_nt:0001008F                 retn
__textcoal_nt:0001008F sub_1008C       endp

__picsymbolstub2:0000FE18 _IOServiceClose_stub proc near          ; CODE XREF: __text:00005605↑p
__picsymbolstub2:0000FE18                                         ; sub_70FC+17↑p ...
__picsymbolstub2:0000FE18                 call    sub_1008C
__picsymbolstub2:0000FE1D                 mov     edx, [eax+486Fh]
__picsymbolstub2:0000FE23                 jmp     edx
__picsymbolstub2:0000FE23 _IOServiceClose_stub endp

__picsymbolstub2:0000FE31 _IOServiceOpen_stub proc near           ; CODE XREF: __text:000055A3↑p
__picsymbolstub2:0000FE31                                         ; sub_6C78+155↑p ...
__picsymbolstub2:0000FE31                 call    sub_1008C
__picsymbolstub2:0000FE36                 mov     edx, [eax+485Ah]
__picsymbolstub2:0000FE3C                 jmp     edx
__picsymbolstub2:0000FE3C _IOServiceOpen_stub endp

The disassembly shows that the real function is located at *(eax + index), where index corresponds to the function being called. We also notice that eax is actually *(esp + 0).
The question is what esp points to. It is simple to work out, since sub_1008C() does not set up a stack frame: at mov eax, [esp+0], [esp+0] is the return address pushed by the call in the calling stub. For instance, in _IOServiceOpen_stub the return address is 0x0000FE36, which means that the real code is actually at *(0x0000FE36 + 0x0000485A) = *(0x00014690).
And what do we find at 0x00014690?

__la_sym_ptr2:00014690 _IOServiceOpen_ptr dd 252EAh

So the real code must be at 0x000252EA. This is the typical output of compiled C code that uses a dynamic library. The odd thing is that the daemon doesn't show any imported functions!
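The resolution described above (return address of the call into sub_1008C, plus the displacement in the mov, gives the __la_sym_ptr2 slot; the slot holds the real code address) is mechanical enough to script. The following is an added example, not code from the page or from the OSx86 project: it parses the two stub listings quoted above (trimmed of their cross-reference comments) and reads the slots from a constructed 8-byte image of __la_sym_ptr2 that starts at 0x1468C. The value 0x252EA for _IOServiceOpen_ptr is the one the page shows; the value 0x25100 for the _IOServiceClose slot is a made-up placeholder. A slot that falls outside the section is reported as an error, since for an analyst reconstructing the hidden import table that is the case worth looking at by hand.

```python
import re
import struct

# Constructed sample input: the two stubs quoted on the page, without the
# IDA cross-reference comments, so the parser sees one instruction per line.
STUB_LISTING = """
__picsymbolstub2:0000FE18 _IOServiceClose_stub proc near
__picsymbolstub2:0000FE18                 call    sub_1008C
__picsymbolstub2:0000FE1D                 mov     edx, [eax+486Fh]
__picsymbolstub2:0000FE23                 jmp     edx
__picsymbolstub2:0000FE23 _IOServiceClose_stub endp

__picsymbolstub2:0000FE31 _IOServiceOpen_stub proc near
__picsymbolstub2:0000FE31                 call    sub_1008C
__picsymbolstub2:0000FE36                 mov     edx, [eax+485Ah]
__picsymbolstub2:0000FE3C                 jmp     edx
__picsymbolstub2:0000FE3C _IOServiceOpen_stub endp
"""

# Constructed __la_sym_ptr2 image: two 4-byte little-endian lazy pointers.
# The section is assumed to start at 0x1468C (the slot _IOServiceClose_stub
# resolves to). 0x252EA is the _IOServiceOpen_ptr value shown on the page;
# 0x25100 is a placeholder for the _IOServiceClose slot.
LA_SYM_PTR2_BASE = 0x1468C
LA_SYM_PTR2_BYTES = struct.pack("<II", 0x25100, 0x252EA)

# "<section>:<addr> <name> proc near" and "<section>:<addr> mov edx, [eax+<disp>h]"
PROC_RE = re.compile(r"^[^:\s]+:([0-9A-Fa-f]+)\s+(\S+)\s+proc\s+near")
MOV_RE = re.compile(r"^[^:\s]+:([0-9A-Fa-f]+)\s+mov\s+edx,\s*\[eax\+([0-9A-Fa-f]+)h\]")


def parse_stubs(listing):
    """Return {stub_name: (return_address, displacement)} from an IDA-style listing.

    return_address is the address of the 'mov edx, [eax+disp]' instruction: it is
    what 'call sub_1008C' pushes on the stack and what sub_1008C hands back in eax
    via 'mov eax, [esp+0]'.
    """
    stubs = {}
    current = None
    for line in listing.splitlines():
        line = line.strip()
        m = PROC_RE.match(line)
        if m:
            current = m.group(2)
            continue
        m = MOV_RE.match(line)
        if m and current is not None:
            stubs[current] = (int(m.group(1), 16), int(m.group(2), 16))
            current = None
    return stubs


def lazy_pointer_address(return_address, displacement):
    """Address the stub dereferences: eax (= return address) plus the displacement."""
    return (return_address + displacement) & 0xFFFFFFFF


def read_lazy_pointer(section_bytes, section_base, slot_address):
    """Read the 32-bit little-endian pointer stored at slot_address in the section image."""
    offset = slot_address - section_base
    if offset < 0 or offset + 4 > len(section_bytes):
        raise ValueError("slot 0x%08X lies outside __la_sym_ptr2 (base 0x%08X, %d bytes)"
                         % (slot_address, section_base, len(section_bytes)))
    return struct.unpack_from("<I", section_bytes, offset)[0]


def resolve_stubs(listing, section_bytes, section_base):
    """Map every stub in the listing to its __la_sym_ptr2 slot and the code address stored there."""
    resolved = {}
    for name, (ret_addr, disp) in parse_stubs(listing).items():
        slot = lazy_pointer_address(ret_addr, disp)
        resolved[name] = {"slot": slot,
                          "target": read_lazy_pointer(section_bytes, section_base, slot)}
    return resolved


if __name__ == "__main__":
    for name, info in sorted(resolve_stubs(STUB_LISTING, LA_SYM_PTR2_BYTES,
                                           LA_SYM_PTR2_BASE).items()):
        print("%-24s slot=0x%08X target=0x%08X" % (name, info["slot"], info["target"]))
```

On a real binary the section base and bytes would come from the Mach-O section headers rather than being constructed inline; the arithmetic in lazy_pointer_address is the same, and checking that each resolved target lands inside a mapped shared library (rather than inside the daemon's own __text) is the quickest way to tell a normal PIC stub from one that has been redirected.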
