2 August 2005

  • Here is a complete list of all functions that the TPM driver provides.

<pre> Start Size Function Name ¯¯¯¯¯ ¯¯¯¯ ¯¯¯¯¯¯¯¯¯¯¯¯¯¯ 00000000 26 __ZN29com_apple_driver_AppleTPMACPIC2EPK11OSMetaClass 000000CC 0000002D __ZN29com_apple_driver_AppleTPMACPI9MetaClassC1Ev 00000160 34 __ZN29com_apple_driver_AppleTPMACPIC1Ev 00000780 46 __ZN29com_apple_driver_AppleTPMACPI13PostChallengeEP9IOServiceP18ChallengeRequest_tP24PostChallengeOutParams_tmPm 000008BC 19 __ZN29com_apple_driver_AppleTPMACPI16RecoverChallengeEP9IOServicemP16ChallengeReply_tPm 00000990 0000002A __ZN29com_apple_driver_AppleTPMACPI22ReleaseClientResourcesEP9IOService 00001C78 0000001A __ZN29com_apple_driver_AppleTPMACPI9MetaClassD0Ev 00001C94 62 __Z41__static_initialization_and_destruction_0ii 00001DE8 0000002D __ZN31com_apple_driver_AppleTPMClient9MetaClassC1Ev 00001E7C 34 __ZN31com_apple_driver_AppleTPMClientC1Ev 00002110 0000001A __ZN31com_apple_driver_AppleTPMClient9MetaClassD0Ev 000021B4 0000006B _UInt32ToBytes 00002220 0000004F _UInt16ToBytes 00002270 0000003A _UInt8ToBytes 000022AC 0000001B _PrepRequestBlank 000022C8 0000006C _PrepRequestInit 00002334 44 _PrepRequestByteString 0000237C 000000B9 _PrepAuthParams 00002438 13 _TpmStringLookup 00002464 60 _BytesToUInt32 000024BC 37 _BytesToUInt16 00002500 57 _BytesToUInt8 0000253C 120 _ParseResponseInit 0000271C 39 _ParseVarLenResponse 00002784 000000BC _ParseNewAuthOIAP 00002840 0000003A _ParseKeyHandle 0000287C 172 _VerifyAuth 00002A04 000000B7 _HMAC_SHA1_SA_Init 00002ABC 0000000B _HMAC_SHA1_SA_Update 00002AC8 51 _HMAC_SHA1_SA_Final 00002B20 296 _SHA1_SA_Update 00002E40 0000017E _SHA1_SA_Final 00002FC0 34 _SHA1_SA_Init 00003008 000014F1 _sha1_block_host_order 000044FC 1828 _sha1_block_data_order </pre>

Here is a list of function calls from the Rosetta daemon executable.

<pre> Start Size Function Name ¯¯¯¯¯ ¯¯¯¯ ¯¯¯¯¯¯¯¯¯¯¯¯¯¯ 0000FD82 0000000D _EVP_sha1_stub 0000FD1E 0000000D _HMAC_CTX_cleanup_stub 0000FD9B 0000000D _HMAC_CTX_init_stub 0000FD37 0000000D _HMAC_Final_stub 0000FD69 0000000D _HMAC_Init_ex_stub 0000FD50 0000000D _HMAC_Update_stub 0000FEF9 0000000D _IOConnectMethodScalarIScalarO_stub 0000FF2B 0000000D _IOConnectMethodScalarIStructureO_stub 0000FEC7 0000000D _IOConnectMethodStructureIStructureO_stub 0000FE63 0000000D _IOIteratorNext_stub 0000FEAE 0000000D _IOMasterPort_stub 0000FE4A 0000000D _IOObjectRelease_stub 0000FE18 0000000D _IOServiceClose_stub 0000FE7C 0000000D _IOServiceGetMatchingServices_stub 0000FE95 0000000D _IOServiceMatching_stub 0000FE31 0000000D _IOServiceOpen_stub 0000FDCD 0000000D _RAND_pseudo_bytes_stub 0000FDB4 0000000D _SHA1_Final_stub 0000FDE6 0000000D _SHA1_Init_stub 0000FDFF 0000000D _SHA1_Update_stub 0000F8B9 0000000D ___keymgr_dwarf2_register_sections_stub 00010070 0000000D __keymgr_get_and_lock_processwide_ptr_stub 0000FF5D 0000000D __keymgr_get_per_thread_data_stub 00010057 0000000D __keymgr_set_and_unlock_processwide_ptr_stub 0000FF8F 0000000D __keymgr_set_per_thread_data_stub 0001000C 0000000D __keymgr_unlock_processwide_ptr_stub 0000FF76 0000000D _abort_stub 0000F8D2 0000000D _atexit_stub 0000FA17 0000000D _atoi_stub 0000FA7B 0000000D _bcopy_stub 0000F936 0000000D _bootstrap_check_in_stub 0000F91D 0000000D _bootstrap_create_service_stub 0000F8EB 0000000D _bootstrap_register_stub 0000F94F 0000000D _bootstrap_status_stub 0000FFA8 0000000D _bzero_stub 00010025 0000000D _calloc_stub 0000FAC6 0000000D _close_stub 0000F9E5 0000000D _daemon_stub 0000F8A0 0000000D _exit_stub 0000FEE0 0000000D _fflush_stub 0000FF44 0000000D _free_stub 0000FADF 0000000D _ftruncate_stub 0000F981 0000000D _getpwuid_stub 0001003E 0000000D _getsectdatafromheader_stub 0000F99A 0000000D _getuid_stub 0000FBA7 0000000D _mach_error_string_stub 0000FBC0 0000000D _mach_msg_stub 0000FCD3 0000000D _mach_port_deallocate_stub 
0000F904 0000000D _mach_port_mod_refs_stub 0000FBD9 0000000D _malloc_stub 0000FC3D 0000000D _memcmp_stub 0000FC0B 0000000D _memcpy_stub 0000FC24 0000000D _mmap_stub 0000FBF2 0000000D _munmap_stub 0000FB2A 0000000D _open_stub 0000F9CC 0000000D _openlog_stub 0000F9FE 0000000D _printf_stub 0000FFDA 0000000D _pthread_mutex_lock_stub 0000FFC1 0000000D _pthread_mutex_unlock_stub 0000FFF3 0000000D _pthread_once_stub 0000FA94 0000000D _read_stub 0000FAAD 0000000D _remove_stub 0000FA62 0000000D _rindex_stub 0000F9B3 0000000D _signal_stub 0000FAF8 0000000D _sprintf_stub 0000FB43 0000000D _strcat_stub 0000FA49 0000000D _strcmp_stub 0000FB5C 0000000D _strcpy_stub 0000FB75 0000000D _strlen_stub 0000FA30 0000000D _strncmp_stub 0000FC56 0000000D _strncpy_stub 0000FB8E 0000000D _syslog_stub 0000F968 0000000D _task_get_special_port_stub 0000FF12 0000000D _thread_switch_stub 0000FD05 0000000D _usleep_stub 0000FCEC 0000000D _vm_allocate_stub 0000FC6F 0000000D _vm_deallocate_stub 0000FC88 0000000D _vm_protect_stub 0000FCBA 0000000D _vm_region_stub 0000FCA1 0000000D _vm_remap_stub 0000FB11 0000000D _write_stub </pre>

Notice the size, 13 (0x0D) bytes. Those functions are actually "stubs" (like a proxy) to the real functions. So it is important to find out where the real code is. An analysis of the functions can help; here is a disassembly: <pre> __textcoal_nt:0001008C sub_1008C proc near  ; CODE XREF: _exit_stub↑p
__textcoal_nt:0001008C  ; ___keymgr_dwarf2_register_sections_stub↑p ...
__textcoal_nt:0001008C mov eax, [esp+0]
__textcoal_nt:0001008F retn
__textcoal_nt:0001008F sub_1008C endp

__picsymbolstub2:0000FE18 _IOServiceClose_stub proc near  ; CODE XREF: __text:00005605↑p
__picsymbolstub2:0000FE18  ; sub_70FC+17↑p ...
__picsymbolstub2:0000FE18 call sub_1008C
__picsymbolstub2:0000FE1D mov edx, [eax+486Fh]
__picsymbolstub2:0000FE23 jmp edx
__picsymbolstub2:0000FE23 _IOServiceClose_stub endp

__picsymbolstub2:0000FE31 _IOServiceOpen_stub proc near  ; CODE XREF: __text:000055A3↑p
__picsymbolstub2:0000FE31  ; sub_6C78+155↑p ...
__picsymbolstub2:0000FE31 call sub_1008C
__picsymbolstub2:0000FE36 mov edx, [eax+485Ah]
__picsymbolstub2:0000FE3C jmp edx
__picsymbolstub2:0000FE3C _IOServiceOpen_stub endp </pre> The disassembly shows that the real function is located at <code>*(eax + index)</code>, where <code>index</code> corresponds to the function to be called. We also notice that eax is actually <code>*(esp + 0)</code>.<br> The thing would be to find out what <code>[esp]</code> holds. Well, it is simple to find out, since the function <code>sub_1008C()</code> doesn't have a stack frame. Which means that at <code>mov eax, [esp+0]</code>, <code>[esp]</code> is actually the return address of the calling function. For instance, inside <code>_IOServiceOpen_stub</code> the return address is <code>0x0000FE36</code>, which means that the real code is actually at <code>0x0000FE36 + 0x0000485A = 0x00014690</code>, i.e. at <code>*(0x00014690)</code>.<br> And what do we find at <code>0x00014690</code>? <pre> __la_sym_ptr2:00014690 _IOServiceOpen_ptr dd 252EAh </pre> So the real code must be at <code>0x000252EA</code>.<br> This is a typical output of compiled C code when using a dynamic library. The thing is, the daemon doesn't show any imported function!<br> But if we look at the <code>__la_sym_ptr2</code> segment, we find all the "imported" functions, or rather their real addresses! 
Here they are: <pre> __la_sym_ptr2:000145AC ; Segment type: Pure data __la_sym_ptr2:000145AC __la_sym_ptr2 segment byte public 'DATA' use32 __la_sym_ptr2:000145AC assume cs:__la_sym_ptr2 __la_sym_ptr2:000145AC  ;org 145ACh __la_sym_ptr2:000145AC _exit_ptr dd 24DC9h __la_sym_ptr2:000145B0 ___keymgr_dwarf2_register_sections_ptr dd 24D8Ah __la_sym_ptr2:000145B4 _atexit_ptr dd 24DCBh __la_sym_ptr2:000145B8 _bootstrap_register_ptr dd 24DF8h __la_sym_ptr2:000145BC _mach_port_mod_refs_ptr dd 24E59h __la_sym_ptr2:000145C0 _bootstrap_create_service_ptr dd 24E26h __la_sym_ptr2:000145C4 _bootstrap_check_in_ptr dd 24E3Bh __la_sym_ptr2:000145C8 _bootstrap_status_ptr dd 24E60h __la_sym_ptr2:000145CC _task_get_special_port_ptr dd 24F21h __la_sym_ptr2:000145D0 _getpwuid_ptr dd 24EBAh __la_sym_ptr2:000145D4 _getuid_ptr dd 24EDBh __la_sym_ptr2:000145D8 _signal_ptr dd 24F48h __la_sym_ptr2:000145DC _openlog_ptr dd 24F41h __la_sym_ptr2:000145E0 _daemon_ptr dd 24F06h __la_sym_ptr2:000145E4 _printf_ptr dd 24F77h __la_sym_ptr2:000145E8 _atoi_ptr dd 24F14h __la_sym_ptr2:000145EC _strncmp_ptr dd 24FDDh __la_sym_ptr2:000145F0 _strcmp_ptr dd 24FEAh __la_sym_ptr2:000145F4 _rindex_ptr dd 24FF3h __la_sym_ptr2:000145F8 _bcopy_ptr dd 24F7Ch __la_sym_ptr2:000145FC _read_ptr dd 2501Dh __la_sym_ptr2:00014600 _remove_ptr dd 2503Ah __la_sym_ptr2:00014604 _close_ptr dd 24FE3h __la_sym_ptr2:00014608 _ftruncate_ptr dd 25014h __la_sym_ptr2:0001460C _sprintf_ptr dd 25091h __la_sym_ptr2:00014610 _write_ptr dd 250EAh __la_sym_ptr2:00014614 _open_ptr dd 2509Bh __la_sym_ptr2:00014618 _strcat_ptr dd 250E0h __la_sym_ptr2:0001461C _strcpy_ptr dd 25101h __la_sym_ptr2:00014620 _strlen_ptr dd 2511Eh __la_sym_ptr2:00014624 _syslog_ptr dd 25143h __la_sym_ptr2:00014628 _mach_error_string_ptr dd 250ECh __la_sym_ptr2:0001462C _mach_msg_ptr dd 2510Dh __la_sym_ptr2:00014630 _malloc_ptr dd 25136h __la_sym_ptr2:00014634 _munmap_ptr dd 2515Fh __la_sym_ptr2:00014638 _memcpy_ptr dd 25170h __la_sym_ptr2:0001463C _mmap_ptr dd 
2518Dh __la_sym_ptr2:00014640 _memcmp_ptr dd 2519Eh __la_sym_ptr2:00014644 _strncpy_ptr dd 25207h __la_sym_ptr2:00014648 _vm_deallocate_ptr dd 25238h __la_sym_ptr2:0001464C _vm_protect_ptr dd 25255h __la_sym_ptr2:00014650 _vm_remap_ptr dd 25276h __la_sym_ptr2:00014654 _vm_region_ptr dd 2528Bh __la_sym_ptr2:00014658 _mach_port_deallocate_ptr dd 25224h __la_sym_ptr2:0001465C _vm_allocate_ptr dd 252B1h __la_sym_ptr2:00014660 _usleep_ptr dd 252C6h __la_sym_ptr2:00014664 _HMAC_CTX_cleanup_ptr dd 2519Fh __la_sym_ptr2:00014668 _HMAC_Final_ptr dd 251C0h __la_sym_ptr2:0001466C _HMAC_Update_ptr dd 251E1h __la_sym_ptr2:00014670 _HMAC_Init_ex_ptr dd 251F6h __la_sym_ptr2:00014674 _EVP_sha1_ptr dd 251FFh __la_sym_ptr2:00014678 _HMAC_CTX_init_ptr dd 25220h __la_sym_ptr2:0001467C _SHA1_Final_ptr dd 25279h __la_sym_ptr2:00014680 _RAND_pseudo_bytes_ptr dd 2528Eh __la_sym_ptr2:00014684 _SHA1_Init_ptr dd 252AFh __la_sym_ptr2:00014688 _SHA1_Update_ptr dd 252CCh __la_sym_ptr2:0001468C _IOServiceClose_ptr dd 252C5h __la_sym_ptr2:00014690 _IOServiceOpen_ptr dd 252EAh __la_sym_ptr2:00014694 _IOObjectRelease_ptr dd 252F3h __la_sym_ptr2:00014698 _IOIteratorNext_ptr dd 25304h __la_sym_ptr2:0001469C _IOServiceGetMatchingServices_ptr dd 2532Dh __la_sym_ptr2:000146A0 _IOServiceMatching_ptr dd 2534Ah __la_sym_ptr2:000146A4 _IOMasterPort_ptr dd 25353h __la_sym_ptr2:000146A8 _IOConnectMethodStructureIStructureO_ptr dd 25364h __la_sym_ptr2:000146AC _fflush_ptr dd 2540Dh __la_sym_ptr2:000146B0 _IOConnectMethodScalarIScalarO_ptr dd 2538Eh __la_sym_ptr2:000146B4 _thread_switch_ptr dd 254CFh __la_sym_ptr2:000146B8 _IOConnectMethodScalarIStructureO_ptr dd 253C4h __la_sym_ptr2:000146BC _free_ptr dd 25475h __la_sym_ptr2:000146C0 __keymgr_get_per_thread_data_ptr dd 25442h __la_sym_ptr2:000146C4 _abort_ptr dd 2546Bh __la_sym_ptr2:000146C8 __keymgr_set_per_thread_data_ptr dd 2547Ch __la_sym_ptr2:000146CC _bzero_ptr dd 254BDh __la_sym_ptr2:000146D0 _pthread_mutex_unlock_ptr dd 25542h __la_sym_ptr2:000146D4 
_pthread_mutex_lock_ptr dd 25557h __la_sym_ptr2:000146D8 _pthread_once_ptr dd 25578h __la_sym_ptr2:000146DC __keymgr_unlock_processwide_ptr_ptr dd 254FDh __la_sym_ptr2:000146E0 _calloc_ptr dd 2553Eh __la_sym_ptr2:000146E4 _getsectdatafromheader_ptr dd 2557Bh __la_sym_ptr2:000146E8 __keymgr_set_and_unlock_processwide_ptr_ptr dd 25540h __la_sym_ptr2:000146EC __keymgr_get_and_lock_processwide_ptr_ptr dd 25551h __la_sym_ptr2:000146EC __la_sym_ptr2 ends </pre> Now we need to find out what binary is loaded at the addresses pointed to by these pointers. Then we find the real code.

