TPM Function Calls

  • This is a (possibly incomplete) list of the functions that the TPM driver (the `com_apple_driver_AppleTPMACPI` kext) provides.

<pre> Start Size Function Name ¯¯¯¯¯ ¯¯¯¯ ¯¯¯¯¯¯¯¯¯¯¯¯¯¯ 00000000 19 __ZN29com_apple_driver_AppleTPMACPIC2EPK11OSMetaClass 000000CC 0000002D __ZN29com_apple_driver_AppleTPMACPI9MetaClassC1Ev 00000160 33 __ZN29com_apple_driver_AppleTPMACPIC1Ev 00000780 35 __ZN29com_apple_driver_AppleTPMACPI13PostChallengeEP9IOServiceP18ChallengeRequest_tP24PostChallengeOutParams_tmPm 000008BC 25 __ZN29com_apple_driver_AppleTPMACPI16RecoverChallengeEP9IOServicemP16ChallengeReply_tPm 00000990 0000002A __ZN29com_apple_driver_AppleTPMACPI22ReleaseClientResourcesEP9IOService 00001C78 0000001A __ZN29com_apple_driver_AppleTPMACPI9MetaClassD0Ev 00001C94 62 __Z41__static_initialization_and_destruction_0ii 00001DE8 0000002D __ZN31com_apple_driver_AppleTPMClient9MetaClassC1Ev 00001E7C 25 __ZN31com_apple_driver_AppleTPMClientC1Ev 00002110 0000001A __ZN31com_apple_driver_AppleTPMClient9MetaClassD0Ev 000021B4 0000006B _UInt32ToBytes 00002220 0000004F _UInt16ToBytes 00002270 0000003A _UInt8ToBytes 000022AC 0000001B _PrepRequestBlank 000022C8 0000006C _PrepRequestInit 00002334 50 _PrepRequestByteString 0000237C 000000B9 _PrepAuthParams 00002438 23 _TpmStringLookup 00002464 57 _BytesToUInt32 000024BC 37 _BytesToUInt16 00002500 38 _BytesToUInt8 0000253C 105 _ParseResponseInit 0000271C 59 _ParseVarLenResponse 00002784 000000BC _ParseNewAuthOIAP 00002840 0000003A _ParseKeyHandle 0000287C 178 _VerifyAuth 00002A04 000000B7 _HMAC_SHA1_SA_Init 00002ABC 0000000B _HMAC_SHA1_SA_Update 00002AC8 58 _HMAC_SHA1_SA_Final 00002B20 308 _SHA1_SA_Update 00002E40 0000017E _SHA1_SA_Final 00002FC0 44 _SHA1_SA_Init 00003008 000014F1 _sha1_block_host_order 000044FC 1818 _sha1_block_data_order </pre>

Here is a list of the function calls made from the Rosetta daemon executable.

<pre> Start Size Function Name ¯¯¯¯¯ ¯¯¯¯ ¯¯¯¯¯¯¯¯¯¯¯¯¯¯ 0000FD82 0000000D _EVP_sha1_stub 0000FD1E 0000000D _HMAC_CTX_cleanup_stub 0000FD9B 0000000D _HMAC_CTX_init_stub 0000FD37 0000000D _HMAC_Final_stub 0000FD69 0000000D _HMAC_Init_ex_stub 0000FD50 0000000D _HMAC_Update_stub 0000FEF9 0000000D _IOConnectMethodScalarIScalarO_stub 0000FF2B 0000000D _IOConnectMethodScalarIStructureO_stub 0000FEC7 0000000D _IOConnectMethodStructureIStructureO_stub 0000FE63 0000000D _IOIteratorNext_stub 0000FEAE 0000000D _IOMasterPort_stub 0000FE4A 0000000D _IOObjectRelease_stub 0000FE18 0000000D _IOServiceClose_stub 0000FE7C 0000000D _IOServiceGetMatchingServices_stub 0000FE95 0000000D _IOServiceMatching_stub 0000FE31 0000000D _IOServiceOpen_stub 0000FDCD 0000000D _RAND_pseudo_bytes_stub 0000FDB4 0000000D _SHA1_Final_stub 0000FDE6 0000000D _SHA1_Init_stub 0000FDFF 0000000D _SHA1_Update_stub 0000F8B9 0000000D ___keymgr_dwarf2_register_sections_stub 00010070 0000000D __keymgr_get_and_lock_processwide_ptr_stub 0000FF5D 0000000D __keymgr_get_per_thread_data_stub 00010057 0000000D __keymgr_set_and_unlock_processwide_ptr_stub 0000FF8F 0000000D __keymgr_set_per_thread_data_stub 0001000C 0000000D __keymgr_unlock_processwide_ptr_stub 0000FF76 0000000D _abort_stub 0000F8D2 0000000D _atexit_stub 0000FA17 0000000D _atoi_stub 0000FA7B 0000000D _bcopy_stub 0000F936 0000000D _bootstrap_check_in_stub 0000F91D 0000000D _bootstrap_create_service_stub 0000F8EB 0000000D _bootstrap_register_stub 0000F94F 0000000D _bootstrap_status_stub 0000FFA8 0000000D _bzero_stub 00010025 0000000D _calloc_stub 0000FAC6 0000000D _close_stub 0000F9E5 0000000D _daemon_stub 0000F8A0 0000000D _exit_stub 0000FEE0 0000000D _fflush_stub 0000FF44 0000000D _free_stub 0000FADF 0000000D _ftruncate_stub 0000F981 0000000D _getpwuid_stub 0001003E 0000000D _getsectdatafromheader_stub 0000F99A 0000000D _getuid_stub 0000FBA7 0000000D _mach_error_string_stub 0000FBC0 0000000D _mach_msg_stub 0000FCD3 0000000D _mach_port_deallocate_stub 
0000F904 0000000D _mach_port_mod_refs_stub 0000FBD9 0000000D _malloc_stub 0000FC3D 0000000D _memcmp_stub 0000FC0B 0000000D _memcpy_stub 0000FC24 0000000D _mmap_stub 0000FBF2 0000000D _munmap_stub 0000FB2A 0000000D _open_stub 0000F9CC 0000000D _openlog_stub 0000F9FE 0000000D _printf_stub 0000FFDA 0000000D _pthread_mutex_lock_stub 0000FFC1 0000000D _pthread_mutex_unlock_stub 0000FFF3 0000000D _pthread_once_stub 0000FA94 0000000D _read_stub 0000FAAD 0000000D _remove_stub 0000FA62 0000000D _rindex_stub 0000F9B3 0000000D _signal_stub 0000FAF8 0000000D _sprintf_stub 0000FB43 0000000D _strcat_stub 0000FA49 0000000D _strcmp_stub 0000FB5C 0000000D _strcpy_stub 0000FB75 0000000D _strlen_stub 0000FA30 0000000D _strncmp_stub 0000FC56 0000000D _strncpy_stub 0000FB8E 0000000D _syslog_stub 0000F968 0000000D _task_get_special_port_stub 0000FF12 0000000D _thread_switch_stub 0000FD05 0000000D _usleep_stub 0000FCEC 0000000D _vm_allocate_stub 0000FC6F 0000000D _vm_deallocate_stub 0000FC88 0000000D _vm_protect_stub 0000FCBA 0000000D _vm_region_stub 0000FCA1 0000000D _vm_remap_stub 0000FB11 0000000D _write_stub </pre>

Notice the size: 13 (0x0D) bytes each. Those functions are actually "stubs" (like a proxy) to the real functions, so it is important to find out where the real code is. An analysis of the stubs helps; here is a disassembly: <pre> __textcoal_nt:0001008C sub_1008C proc near  ; CODE XREF: _exit_stub↑p __textcoal_nt:0001008C  ; ___keymgr_dwarf2_register_sections_stub↑p ... __textcoal_nt:0001008C mov eax, [esp+0] __textcoal_nt:0001008F retn __textcoal_nt:0001008F sub_1008C endp

__picsymbolstub2:0000FE18 _IOServiceClose_stub proc near  ; CODE XREF: __text:00005605↑p __picsymbolstub2:0000FE18  ; sub_70FC+17↑p ... __picsymbolstub2:0000FE18 call sub_1008C __picsymbolstub2:0000FE1D mov edx, [eax+486Fh] __picsymbolstub2:0000FE23 jmp edx __picsymbolstub2:0000FE23 _IOServiceClose_stub endp

__picsymbolstub2:0000FE31 _IOServiceOpen_stub proc near  ; CODE XREF: __text:000055A3↑p __picsymbolstub2:0000FE31  ; sub_6C78+155↑p ... __picsymbolstub2:0000FE31 call sub_1008C __picsymbolstub2:0000FE36 mov edx, [eax+485Ah] __picsymbolstub2:0000FE3C jmp edx __picsymbolstub2:0000FE3C _IOServiceOpen_stub endp </pre> The disassembly shows that the real function is reached through <code>*(eax + index)</code>, where <code>index</code> is a per-stub displacement that selects the function being called. We also notice that <code>eax</code> is simply <code>*(esp + 0)</code>.<br> So the question is what <code>esp</code> points to at that moment. This is easy to answer, because <code>sub_1008C()</code> sets up no stack frame: at <code>mov eax, [esp+0]</code>, <code>[esp]</code> is the return address pushed by the <code>call</code> in the stub, i.e. the address of the instruction following the call. For instance, for <code>_IOServiceOpen_stub</code> the return address is <code>0x0000FE36</code>, so the pointer to the real code lives at <code>0x0000FE36 + 0x0000485A = 0x00014690</code>, and the jump target is <code>*(0x00014690)</code>.<br> And what do we find at <code>0x00014690</code>? <pre> __la_sym_ptr2:00014690 _IOServiceOpen_ptr dd 252EAh </pre> So the real code must be at <code>0x000252EA</code>.<br> This is the typical layout the compiler emits for calls into a dynamic library: a position-independent symbol stub that jumps through a lazy symbol pointer. What is unusual is that the daemon does not show any imported function at all!<br> But if we look at the <code>__la_sym_ptr2</code> segment, we find all the "imported" functions, together with the addresses their pointers currently hold.
Here they are: <pre> __la_sym_ptr2:000145AC ; Segment type: Pure data __la_sym_ptr2:000145AC __la_sym_ptr2 segment byte public 'DATA' use32 __la_sym_ptr2:000145AC assume cs:__la_sym_ptr2 __la_sym_ptr2:000145AC  ;org 145ACh __la_sym_ptr2:000145AC _exit_ptr dd 24DC9h __la_sym_ptr2:000145B0 ___keymgr_dwarf2_register_sections_ptr dd 24D8Ah __la_sym_ptr2:000145B4 _atexit_ptr dd 24DCBh __la_sym_ptr2:000145B8 _bootstrap_register_ptr dd 24DF8h __la_sym_ptr2:000145BC _mach_port_mod_refs_ptr dd 24E59h __la_sym_ptr2:000145C0 _bootstrap_create_service_ptr dd 24E26h __la_sym_ptr2:000145C4 _bootstrap_check_in_ptr dd 24E3Bh __la_sym_ptr2:000145C8 _bootstrap_status_ptr dd 24E60h __la_sym_ptr2:000145CC _task_get_special_port_ptr dd 24F21h __la_sym_ptr2:000145D0 _getpwuid_ptr dd 24EBAh __la_sym_ptr2:000145D4 _getuid_ptr dd 24EDBh __la_sym_ptr2:000145D8 _signal_ptr dd 24F48h __la_sym_ptr2:000145DC _openlog_ptr dd 24F41h __la_sym_ptr2:000145E0 _daemon_ptr dd 24F06h __la_sym_ptr2:000145E4 _printf_ptr dd 24F77h __la_sym_ptr2:000145E8 _atoi_ptr dd 24F14h __la_sym_ptr2:000145EC _strncmp_ptr dd 24FDDh __la_sym_ptr2:000145F0 _strcmp_ptr dd 24FEAh __la_sym_ptr2:000145F4 _rindex_ptr dd 24FF3h __la_sym_ptr2:000145F8 _bcopy_ptr dd 24F7Ch __la_sym_ptr2:000145FC _read_ptr dd 2501Dh __la_sym_ptr2:00014600 _remove_ptr dd 2503Ah __la_sym_ptr2:00014604 _close_ptr dd 24FE3h __la_sym_ptr2:00014608 _ftruncate_ptr dd 25014h __la_sym_ptr2:0001460C _sprintf_ptr dd 25091h __la_sym_ptr2:00014610 _write_ptr dd 250EAh __la_sym_ptr2:00014614 _open_ptr dd 2509Bh __la_sym_ptr2:00014618 _strcat_ptr dd 250E0h __la_sym_ptr2:0001461C _strcpy_ptr dd 25101h __la_sym_ptr2:00014620 _strlen_ptr dd 2511Eh __la_sym_ptr2:00014624 _syslog_ptr dd 25143h __la_sym_ptr2:00014628 _mach_error_string_ptr dd 250ECh __la_sym_ptr2:0001462C _mach_msg_ptr dd 2510Dh __la_sym_ptr2:00014630 _malloc_ptr dd 25136h __la_sym_ptr2:00014634 _munmap_ptr dd 2515Fh __la_sym_ptr2:00014638 _memcpy_ptr dd 25170h __la_sym_ptr2:0001463C _mmap_ptr dd 
2518Dh __la_sym_ptr2:00014640 _memcmp_ptr dd 2519Eh __la_sym_ptr2:00014644 _strncpy_ptr dd 25207h __la_sym_ptr2:00014648 _vm_deallocate_ptr dd 25238h __la_sym_ptr2:0001464C _vm_protect_ptr dd 25255h __la_sym_ptr2:00014650 _vm_remap_ptr dd 25276h __la_sym_ptr2:00014654 _vm_region_ptr dd 2528Bh __la_sym_ptr2:00014658 _mach_port_deallocate_ptr dd 25224h __la_sym_ptr2:0001465C _vm_allocate_ptr dd 252B1h __la_sym_ptr2:00014660 _usleep_ptr dd 252C6h __la_sym_ptr2:00014664 _HMAC_CTX_cleanup_ptr dd 2519Fh __la_sym_ptr2:00014668 _HMAC_Final_ptr dd 251C0h __la_sym_ptr2:0001466C _HMAC_Update_ptr dd 251E1h __la_sym_ptr2:00014670 _HMAC_Init_ex_ptr dd 251F6h __la_sym_ptr2:00014674 _EVP_sha1_ptr dd 251FFh __la_sym_ptr2:00014678 _HMAC_CTX_init_ptr dd 25220h __la_sym_ptr2:0001467C _SHA1_Final_ptr dd 25279h __la_sym_ptr2:00014680 _RAND_pseudo_bytes_ptr dd 2528Eh __la_sym_ptr2:00014684 _SHA1_Init_ptr dd 252AFh __la_sym_ptr2:00014688 _SHA1_Update_ptr dd 252CCh __la_sym_ptr2:0001468C _IOServiceClose_ptr dd 252C5h __la_sym_ptr2:00014690 _IOServiceOpen_ptr dd 252EAh __la_sym_ptr2:00014694 _IOObjectRelease_ptr dd 252F3h __la_sym_ptr2:00014698 _IOIteratorNext_ptr dd 25304h __la_sym_ptr2:0001469C _IOServiceGetMatchingServices_ptr dd 2532Dh __la_sym_ptr2:000146A0 _IOServiceMatching_ptr dd 2534Ah __la_sym_ptr2:000146A4 _IOMasterPort_ptr dd 25353h __la_sym_ptr2:000146A8 _IOConnectMethodStructureIStructureO_ptr dd 25364h __la_sym_ptr2:000146AC _fflush_ptr dd 2540Dh __la_sym_ptr2:000146B0 _IOConnectMethodScalarIScalarO_ptr dd 2538Eh __la_sym_ptr2:000146B4 _thread_switch_ptr dd 254CFh __la_sym_ptr2:000146B8 _IOConnectMethodScalarIStructureO_ptr dd 253C4h __la_sym_ptr2:000146BC _free_ptr dd 25475h __la_sym_ptr2:000146C0 __keymgr_get_per_thread_data_ptr dd 25442h __la_sym_ptr2:000146C4 _abort_ptr dd 2546Bh __la_sym_ptr2:000146C8 __keymgr_set_per_thread_data_ptr dd 2547Ch __la_sym_ptr2:000146CC _bzero_ptr dd 254BDh __la_sym_ptr2:000146D0 _pthread_mutex_unlock_ptr dd 25542h __la_sym_ptr2:000146D4 
_pthread_mutex_lock_ptr dd 25557h __la_sym_ptr2:000146D8 _pthread_once_ptr dd 25578h __la_sym_ptr2:000146DC __keymgr_unlock_processwide_ptr_ptr dd 254FDh __la_sym_ptr2:000146E0 _calloc_ptr dd 2553Eh __la_sym_ptr2:000146E4 _getsectdatafromheader_ptr dd 2557Bh __la_sym_ptr2:000146E8 __keymgr_set_and_unlock_processwide_ptr_ptr dd 25540h __la_sym_ptr2:000146EC __keymgr_get_and_lock_processwide_ptr_ptr dd 25551h __la_sym_ptr2:000146EC __la_sym_ptr2 ends </pre> Now we need to find which binary is mapped at the addresses these pointers hold; that is where the real code is. One caveat: <code>__la_sym_ptr2</code> is a <em>lazy</em> symbol pointer table, so the values seen in a static listing are what the pointers contain before dyld binds them on first call — they most likely point at the binary's own stub-helper code rather than at the final library routine. To get the real target, read the pointer at runtime after the stub has been called (e.g. from a debugger), or simply resolve the symbol name (e.g. <code>_IOServiceOpen</code>) in the corresponding library.

