Add support for MacOS 14.4 Beta #34

Open
dannyleeuk opened this issue Feb 26, 2024 · 10 comments · May be fixed by #36
Comments

@dannyleeuk

Please could we add support for MacOS 14.4 Beta - I get a "No Offsets found for 14.4"

Would be great to have Beta support so we can test it in advance of GA releases

@0xdevalias
Contributor

Are you able to upload a copy of the identity service executable as requested in other threads? Someone may be able to reverse it for you then.

@dannyleeuk
Author

dannyleeuk commented Feb 29, 2024

identityservicesd.zip - 14.4 Apple Silicon (23E5211a)

Hi @0xdevalias - Attached 😄

@0xdevalias
Contributor

⇒ sha256sum samples/macos-14.4-23E5211a-sonoma-identityservicesd
5b4fc94e11555b628161ca1e5c4c14f8b3350fb28d0b513f4b6875ecce3b06ee  samples/macos-14.4-23E5211a-sonoma-identityservicesd

Attempted auto-discovery of the offsets:

⇒ ./find_fat_binary_offsets.py samples/macos-14.4-23E5211a-sonoma-identityservicesd

-= Universal Binary Sections =-
Architecture 0 (x86_64):
  CPU Type: 16777223 (0x1000007)
  CPU Subtype: 3 (0x3)
  CPU Subtype Capability: 0 (0x0)
  Offset: 0x4000 (Valid Mach-O Header: Yes)
  Size: 8880384
  Align: 14
Architecture 1 (arm64e):
  CPU Type: 16777228 (0x100000c)
  CPU Subtype: 2 (0x2)
  CPU Subtype Capability: 128 (0x80)
  Offset: 0x880000 (Valid Mach-O Header: Yes)
  Size: 9865136
  Align: 14

-= Found Symbol Offsets =-
Offset of _IDSProtoKeyTransparencyTrustedServiceReadFrom in architecture x86_64: 0x0d6715
Offset of _IDSProtoKeyTransparencyTrustedServiceReadFrom in architecture arm64e: 0x0c0b84

-= Found Hex Offsets (with pure python fixed sequence search + regex) =-
Architecture 0 (x86_64):
  IDSProtoKeyTransparencyTrustedServiceReadFrom: 0xd6715
  NACInitAddress: 0x557cd0
  NACKeyEstablishmentAddress: 0x537d10
  NACSignAddress: 0x54b000
Architecture 1 (arm64e):
  IDSProtoKeyTransparencyTrustedServiceReadFrom: 0xc0b84; 0x2f5d0c; 0x322dac; 0x33a660
  NACInitAddress: 0x4c2468
  NACKeyEstablishmentAddress: 0x4afccc
  NACSignAddress: 0x489ed8

These should probably be confirmed, but then a new PR could be created to add them.


Tangentially related:

I have extracted the offsets for macos 14.4 beta2. Would it be possible to add them so I can create a new registration code?

-= Universal Binary Sections =-
Architecture 0 (x86_64):
  CPU Type: 16777223 (0x1000007)
  CPU Subtype: 3 (0x3)
  CPU Subtype Capability: 0 (0x0)
  Offset: 0x4000 (Valid Mach-O Header: Yes)
  Size: 8866912
  Align: 14
Architecture 1 (arm64e):
  CPU Type: 16777228 (0x100000c)
  CPU Subtype: 2 (0x2)
  CPU Subtype Capability: 128 (0x80)
  Offset: 0x87c000 (Valid Mach-O Header: Yes)
  Size: 9847584
  Align: 14

-= Found Symbol Offsets =-
Offset of _IDSProtoKeyTransparencyTrustedServiceReadFrom in architecture x86_64: 0x0d5a35
Offset of _IDSProtoKeyTransparencyTrustedServiceReadFrom in architecture arm64e: 0x0bec84

-= Found Hex Offsets (with pure python fixed sequence search + regex) =-
Architecture 0 (x86_64):
  IDSProtoKeyTransparencyTrustedServiceReadFrom: 0xd5a35
  NACInitAddress: 0x5558a0
  NACKeyEstablishmentAddress: 0x5358e0
  NACSignAddress: 0x548bd0
Architecture 1 (arm64e):
  IDSProtoKeyTransparencyTrustedServiceReadFrom: 0xbec84; 0x2f33c4; 0x320464; 0x3378cc
  NACInitAddress: 0x4bf1d8
  NACKeyEstablishmentAddress: 0x4aca3c
  NACSignAddress: 0x486c48

Originally posted by @TheDave94 in #9 (comment)
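
The "Universal Binary Sections" block in the output above is read from the fat header at the start of the file. The following is an added example, not code from this thread or from find_fat_binary_offsets.py: a minimal Python parser for that header, run on a small constructed sample. The function names and the sample bytes are assumptions made for illustration.

```python
import hashlib
import struct

FAT_MAGIC = 0xCAFEBABE  # fat header fields are stored big-endian
MH_MAGIC_64_LE = b"\xcf\xfa\xed\xfe"  # 0xFEEDFACF as stored in a little-endian slice
CPU_NAMES = {0x01000007: "x86_64", 0x0100000C: "arm64"}


def parse_fat(data):
    """Return one dict per architecture slice of a universal binary."""
    if len(data) < 8:
        raise ValueError("too short for a fat header")
    magic, count = struct.unpack_from(">II", data, 0)
    if magic != FAT_MAGIC:
        raise ValueError("not a 32-bit universal binary")
    if 8 + 20 * count > len(data):
        raise ValueError("fat_arch table runs past end of file")
    slices = []
    for i in range(count):
        cputype, raw_sub, offset, size, align = struct.unpack_from(">5I", data, 8 + 20 * i)
        sub = raw_sub & 0x00FFFFFF  # top byte holds capability bits (0x80 on arm64e)
        name = CPU_NAMES.get(cputype, hex(cputype))
        if name == "arm64" and sub == 2:  # CPU_SUBTYPE_ARM64E
            name = "arm64e"
        in_bounds = offset + size <= len(data)
        slices.append({
            "arch": name, "cputype": cputype, "subtype": sub,
            "capability": raw_sub >> 24, "offset": offset, "size": size, "align": align,
            # alignment is stored as a power of two (14 means 0x4000 boundaries)
            "aligned": align < 32 and offset % (1 << align) == 0,
            "valid_macho": in_bounds and data[offset:offset + 4] == MH_MAGIC_64_LE,
        })
    return slices


def build_id(data):
    """SHA-256 of the whole file, to tie a set of offsets to one exact build."""
    return hashlib.sha256(data).hexdigest()


def make_sample():
    """Constructed two-slice file with tiny slices; same CPU types as the output above."""
    body = bytearray(0x60)
    struct.pack_into(">II", body, 0, FAT_MAGIC, 2)
    struct.pack_into(">5I", body, 8, 0x01000007, 3, 0x40, 0x10, 4)
    struct.pack_into(">5I", body, 28, 0x0100000C, 0x80000002, 0x50, 0x10, 4)
    body[0x40:0x44] = body[0x50:0x54] = MH_MAGIC_64_LE
    return bytes(body)
```

A slice that runs past the end of the file is reported with `valid_macho` set to False rather than raising, so a truncated upload shows up per architecture.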

@chota

chota commented Mar 2, 2024

Bump. Also, willing to test if needed.

0xdevalias linked a pull request Mar 2, 2024 that will close this issue

@0xdevalias
Contributor

@dannyleeuk Which beta did you upload the binary for out of curiosity?

@0xdevalias
Contributor

@chota Created PR with the above offsets, currently untested if you wanted to check it out + add whether it works there:

@chota

chota commented Mar 2, 2024

Error. I am not a programmer.

Christophers-MacBook-Pro:mac-registration-provider-main christophergautamhota$ ./build.sh
fatal: not a git repository (or any of the parent directories): .git
go: downloading nhooyr.io/websocket v1.8.10
go: downloading howett.net/plist v1.0.0
go: downloading github.com/tidwall/gjson v1.17.0
go: downloading github.com/tidwall/match v1.1.1
go: downloading github.com/tidwall/pretty v1.2.0
Christophers-MacBook-Pro:mac-registration-provider-main christophergautamhota$ chmod +x mac-registration-provider
Christophers-MacBook-Pro:mac-registration-provider-main christophergautamhota$ ./mac-registration-provider
panic: runtime error: slice bounds out of range [:8] with length 0

goroutine 1 [running]:
main.init()
/Users/christophergautamhota/Downloads/mac-registration-provider-main/main.go:34 +0x36f

Help?

@dannyleeuk
Author

> @dannyleeuk Which beta did you upload the binary for out of curiosity?

@0xdevalias - Honestly, not sure. I think it was Beta 5, however they've just released 14.4 RC so I'm guessing I'll need to re-upload the new file just in case Apple have changed something again?

@0xdevalias
Contributor

> so I'm guessing I'll need to re-upload the new file just in case Apple have changed something again?

@dannyleeuk Technically, yeah; and then we'll also probably need to check it again once the official final release comes out too.

@0xdevalias
Contributor

0xdevalias commented Mar 18, 2024
