Zipped identityservicesd on Intel Core i5, macOS 10.14.6

[cvincent]

Following the README update in PR #25, here's a zip of my identityservicesd from this installation:

identityservicesd.zip

[0xdevalias]

Background context:

• Incorrectly detects arm64 on x86_64? #46

On a Mac Mini Intel Core i5 running Mojave 10.14.6:

No offsets found for 10.14.6/18G103/amd64

Originally posted by @cvincent in #46

[0xdevalias]

macos-10.14.6-mojave-x86_64-identityservicesd is the existing binary I have a sample of, and aligns with the hash currently recorded in the code:

• https://github.com/beeper/mac-registration-provider/blob/main/nac/offsets.go#L207-L208

macos-10.14.6-18G103-mojave-x86_64-identityservicesd is the binary attached to this issue.

⇒ sha256sum samples/macos-10.14.6-mojave-x86_64-identityservicesd*
23f14e11c672c07ef5934614ae2b83b34065ffe179e4a9bcdcdf00c2b724b3df  samples/macos-10.14.6-mojave-x86_64-identityservicesd
5f0e388cc2515734096af48bb4236f83bfb5106f02d030d8b5fa4c22c3922a14  samples/macos-10.14.6-18G103-mojave-x86_64-identityservicesd

---

Looking at the git blame for where 10.14.6 was originally added, it seemed to be by @jetfir3 in:

• Add offsets for High Sierra, Mojave and Catalina #12

---

These patterns may be useful with my auto-offset finding script for getting the right offsets for this binary:

Since these are not U2B, no 0x4000 padding calculation will be needed.

On 10.14.x and earlier, IDSProtoKeyTransparencyTrustedServiceReadFrom is not present, so I chose another symbol to use for the 10.14.6 offsets I provided -- _newLocalDeliveryServiceStatString. There wasn't any specific reasoning behind that selection and I suppose any symbol would do.

The patterns below will find all 4 offsets for all of 10.15.x:

ReferenceAddress: "\x55\x48\x89\xE5\x41\x57\x41\x56\x41\x55\x41\x54\x53\x48\x83\xEC\x28\x49\x89\xF6\x48\x89\x7D\xD0\x4C\x8B\x2D..\x4D\x00\x4D"
NACInitAddress: "\x55\x48\x89\xE5\x41\x57\x41\x56\x41\x55\x41\x54\x53\x48\x81\xEC\x48\x18\x00\x00\x49\x89\xD6\x48\x8B\x05..\x1C\x00\x48\x8B"
NACKeyEstablishmentAddress: "\x55\x48\x89\xE5\x41\x57\x41\x56\x41\x55\x41\x54\x53\x48\x81\xEC\x28\x01\x00\x00\x48\x8B\x05..\x1B\x00\x48\x8B\x00\x48\x89\x45\xD0\x48\x85"
NACSignAddress: "\x55\x48\x89\xE5\x41\x57\x41\x56\x41\x55\x41\x54\x53\x48\x81\xEC\x58\x03\x00\x00\x41\x89\xD1\x49\x89\xFF\x48\x8B\x05..\x1C"

Originally posted by @jetfir3 in #9 (comment)

[0xdevalias]

Pushed some hacky updated code to my automated offset finder to make it (probably) work with non-fat binaries:

• 0xdevalias/poc-re-binsearch@aeb3ff9

To use it for this, you would need to uncomment the symbol = "_newLocalDeliveryServiceStatString" # For 10.14.x and earlier part, and probably update the offset patterns that are being searched for.

Which would currently give you output like this:

⇒ ./find_fat_binary_offsets.py samples/macos-10.14.6-18G103-mojave-x86_64-identityservicesd
-= Universal Binary Sections =-
Architecture 0 (x86_64):
  CPU Type: 0 (0x0)
  CPU Subtype: 0 (0x0)
  CPU Subtype Capability: 0 (0x0)
  Offset: 0x0 (Valid Mach-O Header: Yes)
  Size: 0
  Align: 0

-= Found Symbol Offsets =-
Offset of _newLocalDeliveryServiceStatString in architecture x86_64: 0x238c26

-= Found Hex Offsets (with pure python fixed sequence search + regex) =-
Architecture 0 (x86_64):
  IDSProtoKeyTransparencyTrustedServiceReadFrom:
  NACInitAddress:
  NACKeyEstablishmentAddress:
  NACSignAddress:

We could then use the _newLocalDeliveryServiceStatString offset found from the symbols (0x238c26) to dump the hex at that function, to attempt to build a pattern for it:

⇒ xxd -s 0x238c26 -l 64 -ps samples/macos-10.14.6-18G103-mojave-x86_64-identityservicesd | tr -d '\n'; echo

554889e54157415641554154534881ec98010000488b0517e22800488b00488945d0ff1512e828004889c348898530ffffff488b3d49bd31004c8b35d2213100

We could also do the same for the old 10.14.6 binary + offset already added to the code in this repo as a sanity check:

⇒ xxd -s 0x238842 -l 64 -ps samples/macos-10.14.6-mojave-x86_64-identityservicesd | tr -d '\n'; echo

554889e54157415641554154534881ec98010000488b05fbe52800488b00488945d0ff15f6eb28004889c348898530ffffff488b3d2dc131004c8b35b6253100

We could then add those to a file hashes-10.14.6-ReferenceAddress.txt:

# xxd -s 0x238c26 -l 64 -ps samples/macos-10.14.6-18G103-mojave-x86_64-identityservicesd | tr -d '\n'; echo
554889e54157415641554154534881ec98010000488b0517e22800488b00488945d0ff1512e828004889c348898530ffffff488b3d49bd31004c8b35d2213100

# xxd -s 0x238842 -l 64 -ps samples/macos-10.14.6-mojave-x86_64-identityservicesd | tr -d '\n'; echo
554889e54157415641554154534881ec98010000488b05fbe52800488b00488945d0ff15f6eb28004889c348898530ffffff488b3d2dc131004c8b35b6253100

And run ./diff_hex.py --file hashes-10.14.6-ReferenceAddress.txt to generate a pattern that would match that function in both of those:

⇒ ./diff_hex.py --file hashes-10.14.6-ReferenceAddress.txt
554889e54157415641554154534881ec98010000488b05....2800488b00488945d0ff15....28004889c348898530ffffff488b3d....31004c8b35....3100

If you had other 10.14.x binaries, you could follow a similar pattern of dumping the hex bytes of existing known offsets across multiple binaries, then using the diff_hex.py tool to identify a pattern that would match all of them. That would then be able to be used to find the correct offset in the binary in this issue.

---

Here are the dumps of the existing macos-10.14.6-mojave-x86_64-identityservicesd (23f14e11c672c07ef5934614ae2b83b34065ffe179e4a9bcdcdf00c2b724b3df), based on the offsets here:

mac-registration-provider/nac/offsets.go

Lines 16 to 22 in 1e1d190

	var offsets_10_14_6 = imdOffsetTuple{x86: imdOffsets{
	ReferenceSymbol: "newLocalDeliveryServiceStatString",
	ReferenceAddress: 0x238842,
	NACInitAddress: 0x338ce0,
	NACKeyEstablishmentAddress: 0x3478a0,
	NACSignAddress: 0x333240,
	}}

# SHA256
⇒ sha256sum samples/macos-10.14.6-mojave-x86_64-identityservicesd
23f14e11c672c07ef5934614ae2b83b34065ffe179e4a9bcdcdf00c2b724b3df  samples/macos-10.14.6-mojave-x86_64-identityservicesd

# ReferenceAddress
⇒ xxd -s 0x238842 -l 64 -ps samples/macos-10.14.6-mojave-x86_64-identityservicesd | tr -d '\n'; echo
554889e54157415641554154534881ec98010000488b05fbe52800488b00488945d0ff15f6eb28004889c348898530ffffff488b3d2dc131004c8b35b6253100

# NACInitAddress
xxd -s 0x338ce0 -l 64 -ps samples/macos-10.14.6-mojave-x86_64-identityservicesd | tr -d '\n'; echo
554889e54157415641554154534881ec481800004989d6488b055ae11800488b00488945d00f314889d348c1e3204809c348ba8fe3388ee3388ee34889d848f7

# NACKeyEstablishmentAddress
⇒ xxd -s 0x3478a0 -l 64 -ps samples/macos-10.14.6-mojave-x86_64-identityservicesd | tr -d '\n'; echo
554889e54157415641554154534881ec28010000488b059df51700488b00488945d04885ff0f94c04885f60f94c108c185d20f94c008c84189d70fb6c08d4806

# NACSignAddress
⇒ xxd -s 0x333240 -l 64 -ps samples/macos-10.14.6-mojave-x86_64-identityservicesd | tr -d '\n'; echo
554889e54157415641554154534881ec580300004189d14989ff488b05f73b1900488b00488945d0488d95d0fcffff488995d8fcffff89d02548488a9489d381

---

We could use diff_hex.py with those dumps + the existing patterns to try and find some patterns that might work for this binary (though may not provide unique matches). That ends up giving us something like this:

# 10.14.x (and earlier?)
hex_strings = {
    "x86_64": {
        f"ReferenceAddress ({symbol})": "554889e54157415641554154534881ec98010000488b05....2800488b00488945d0ff15....28004889c348898530ffffff488b3d....31004c8b35....3100",
        "NACInitAddress": "554889e5415741564155415453..........00",
        "NACKeyEstablishmentAddress": "554889e54157415641554154534881ec..010000488b05......00488b00488945d04885",
        "NACSignAddress": "554889e54157415641554154534881ec..030000"
    }
}

Which gives a result like this when run against the binary:

⇒ ./find_fat_binary_offsets.py samples/macos-10.14.6-18G103-mojave-x86_64-identityservicesd
-= Universal Binary Sections =-
Architecture 0 (x86_64):
  CPU Type: 0 (0x0)
  CPU Subtype: 0 (0x0)
  CPU Subtype Capability: 0 (0x0)
  Offset: 0x0 (Valid Mach-O Header: Yes)
  Size: -1
  Align: 0

-= Found Symbol Offsets =-
Offset of _newLocalDeliveryServiceStatString in architecture x86_64: 0x238c26

-= Found Hex Offsets (with pure python fixed sequence search + regex) =-
Architecture 0 (x86_64):
  ReferenceAddress (_newLocalDeliveryServiceStatString): 0x238c26
  NACInitAddress: 0x2f07; 0x3838; 0x4f11; 0x580f; 0x5d42; 0x6466; 0x7bfb; 0x8085; 0x8607; 0xb56b; 0x104db; 0x10681; 0x112ef; 0x116cb; 0x11c98; 0x11ec0; 0x1272c; 0x1319b; 0x132bf; 0x14880; 0x14b6e; 0x14f05; 0x15475; 0x157d3; 0x15b5b; 0x15ea3; 0x15fef; 0x16d68; 0x16fc0; 0x17bd9; 0x18d63; 0x1a01a; 0x1a4f7; 0x1a730; 0x1b017; 0x1b398; 0x1c113; 0x1c9d2; 0x1cd4a; 0x1ff8f; 0x207e5; 0x21111; 0x21ca7; 0x221d9; 0x228cf; 0x22c79; 0x230c3; 0x239fa; 0x24198; 0x25641; 0x277b1; 0x2b128; 0x2b630; 0x2ba0b; 0x2c61e; 0x2e0a5; 0x2e9ee; 0x2fca5; 0x2fe25; 0x30013; 0x30285; 0x305b4; 0x3196d; 0x3291d; 0x34959; 0x351d8; 0x35d25; 0x3cf60; 0x3dd63; 0x3ec48; 0x3f67d; 0x413a2; 0x42e38; 0x43eaa; 0x450df; 0x4845d; 0x493b9; 0x4a307; 0x4b246; 0x4eb0e; 0x4f066; 0x4f3f5; 0x4fd93; 0x500f5; 0x50b87; 0x50e31; 0x51403; 0x51d02; 0x51ff6; 0x52424; 0x52665; 0x53c3d; 0x54866; 0x55466; 0x56f0c; 0x573fa; 0x594ac; 0x598e1; 0x5a651; 0x5cde0; 0x5ebb3; 0x5edd3; 0x5f092; 0x5f351; 0x5f791; 0x5fb4a; 0x5ff43; 0x60d0f; 0x62b73; 0x631e2; 0x6359f; 0x63a51; 0x64a68; 0x64f66; 0x66a8c; 0x68c53; 0x6ad69; 0x6b5e9; 0x6c24e; 0x6cfce; 0x6e3eb; 0x6eae5; 0x6ed8e; 0x6f4ed; 0x708f7; 0x7186c; 0x71abb; 0x71dcf; 0x7201e; 0x73a5d; 0x758ca; 0x75aef; 0x76079; 0x767a2; 0x775e7; 0x7782a; 0x784a7; 0x78d62; 0x7ad62; 0x7b172; 0x7b6a0; 0x7b9c7; 0x7c2b3; 0x7d58e; 0x7e090; 0x7e406; 0x7f27f; 0x7fbcd; 0x80501; 0x80a59; 0x81900; 0x82be2; 0x83f22; 0x8469f; 0x86594; 0x86bf9; 0x87bf5; 0x88208; 0x88ad6; 0x890a6; 0x89577; 0x8a249; 0x8c4a2; 0x8ceca; 0x8d564; 0x8d85e; 0x8db58; 0x8decc; 0x8e1c6; 0x8e938; 0x9025d; 0x91855; 0x927ef; 0x92c9f; 0x93911; 0x93ed0; 0x94fb7; 0x966bc; 0x9771b; 0x97c9b; 0x97fe7; 0x982c5; 0x9875e; 0x99ac0; 0x99d31; 0x9a4e3; 0x9abfd; 0x9b2fd; 0x9b664; 0x9bd4d; 0x9c530; 0x9c7df; 0x9cc5d; 0x9d901; 0x9e863; 0x9ebad; 0x9eef7; 0xa1897; 0xa1f0e; 0xa26aa; 0xa2e40; 0xa34f1; 0xa3c23; 0xa3f96; 0xa60db; 0xa8aab; 0xaa46e; 0xaa931; 0xacd1a; 0xaebc3; 0xaf27b; 0xb01c8; 0xb0b94; 0xb12eb; 0xb15ba; 0xb1768; 0xb2877; 0xb2e42; 0xb343b; 0xb3a05; 0xb47a3; 0xb4c0e; 0xb516b; 0xb55a8; 0xb5789; 0xb5e6f; 0xb66c3; 0xb72cd; 0xb7471; 0xb771d; 0xb7959; 0xb8538; 0xb892e; 0xb8c8a; 0xb970b; 0xba9b1; 0xbac1b; 0xbb732; 0xbc456; 0xbd0b2; 0xbd456; 0xbdf25; 0xbe26a; 0xbea9a; 0xbeef3; 0xbf422; 0xbf87d; 0xbff27; 0xc070e; 0xc15f3; 0xc2700; 0xc2d18; 0xc2ef2; 0xc30e5; 0xc35d2; 0xc49f4; 0xc4c2d; 0xc4dfc; 0xc50c3; 0xc5429; 0xc6bf5; 0xc7210; 0xc7b9d; 0xc8458; 0xc8bb7; 0xc8e34; 0xc8fc3; 0xc92b6; 0xc95e5; 0xc9faa; 0xca4cf; 0xcaac6; 0xcae56; 0xcb1e9; 0xcb9a7; 0xcc06a; 0xcc5bc; 0xcd637; 0xce5eb; 0xcec01; 0xcf263; 0xd14e7; 0xd1dda; 0xd24d2; 0xd2d1d; 0xd3757; 0xd5039; 0xd5208; 0xd57c8; 0xd5906; 0xd695d; 0xd7427; 0xd7ccb; 0xd83b8; 0xda78b; 0xdabc9; 0xdb48c; 0xdb833; 0xdd7ae; 0xddb05; 0xde408; 0xde9b7; 0xdf6cf; 0xe24a2; 0xe3864; 0xe4f1a; 0xe7ba3; 0xe89bc; 0xeb145; 0xebb70; 0xec321; 0xee7d2; 0xf3364; 0xf4159; 0xf43d7; 0xf4fc7; 0xf5320; 0xf57be; 0xf5b97; 0xf71b1; 0xf78aa; 0xf875a; 0xf92bd; 0xfa576; 0xfb584; 0xfb956; 0xfbc23; 0xfcbf1; 0xfd7e0; 0xfdd6e; 0xfe1c9; 0xfe7fc; 0xffb4d; 0x1005b4; 0x101245; 0x101466; 0x102bd2; 0x103d89; 0x1046b5; 0x104c16; 0x10509b; 0x10552c; 0x105b18; 0x1062d3; 0x1068cb; 0x1078a3; 0x10869a; 0x1095d2; 0x109c7b; 0x10a181; 0x10c545; 0x10f376; 0x111ddf; 0x112999; 0x1134f0; 0x1147d5; 0x114dc3; 0x115808; 0x115e3f; 0x1165db; 0x11b3a8; 0x11d0e1; 0x11fe76; 0x1216e6; 0x122056; 0x122be4; 0x12401e; 0x125220; 0x125ab9; 0x126b54; 0x127a01; 0x12881e; 0x128a45; 0x12a74f; 0x12b29f; 0x12b620; 0x12d0f9; 0x12d63f; 0x12eb3c; 0x12f4cf; 0x12fbcb; 0x1308df; 0x130ce1; 0x13164a; 0x131a4c; 0x131e1f; 0x1330ff; 0x133d05; 0x1351b4; 0x135cbd; 0x135fca; 0x1372ed; 0x1377cd; 0x137ae0; 0x13b44e; 0x13b93b; 0x13c5f0; 0x13d5a7; 0x13d85f; 0x13fe3c; 0x1403a7; 0x140b37; 0x143822; 0x144125; 0x144a33; 0x1454de; 0x146309; 0x1472f7; 0x14842f; 0x148abb; 0x149688; 0x1499cf; 0x149d16; 0x14a05d; 0x14a3a4; 0x14a6eb; 0x14aa32; 0x14aee3; 0x14c288; 0x14c7ed; 0x14d68f; 0x14dce1; 0x14dee3; 0x14ef96; 0x15190a; 0x152796; 0x1560d3; 0x156e05; 0x157f65; 0x158913; 0x15b6f2; 0x15f37b; 0x15fc92; 0x160c18; 0x161149; 0x161f60; 0x162fa0; 0x167975; 0x167ca3; 0x1684ba; 0x168e3e; 0x169733; 0x16abe7; 0x16cbc6; 0x16d6d8; 0x1714bb; 0x1728ab; 0x173501; 0x1741bc; 0x175ca4; 0x17612c; 0x177980; 0x178c32; 0x179fe0; 0x17a35f; 0x17b94b; 0x17c1a5; 0x17d33d; 0x17e8f7; 0x1817f9; 0x181fe4; 0x183cf9; 0x184345; 0x184c6d; 0x185d59; 0x186cd3; 0x186f6a; 0x18745f; 0x188bcb; 0x189e33; 0x18a5b9; 0x18abb2; 0x18bc97; 0x18be28; 0x18ecd8; 0x18f49d; 0x19151f; 0x191d2d; 0x1974ce; 0x19985a; 0x19aa21; 0x19b1ed; 0x19b8b2; 0x1a13e6; 0x1a1ba9; 0x1a1de8; 0x1a2180; 0x1a37d8; 0x1a5675; 0x1a60d1; 0x1a75c3; 0x1a7860; 0x1a802d; 0x1a945b; 0x1a9e71; 0x1aa7c0; 0x1aae07; 0x1ab76e; 0x1abdfd; 0x1ac0b7; 0x1ac692; 0x1ac9f3; 0x1acc7b; 0x1ad15b; 0x1b109a; 0x1b1234; 0x1b1bcd; 0x1b4c06; 0x1b528b; 0x1b5c11; 0x1b6731; 0x1b81b2; 0x1b8d08; 0x1b94ba; 0x1ba889; 0x1bc7c1; 0x1be127; 0x1beda0; 0x1bfc09; 0x1bfe04; 0x1c0211; 0x1c1f1e; 0x1c23b8; 0x1c2ba7; 0x1c3933; 0x1c8134; 0x1c89dc; 0x1c9c46; 0x1c9ff3; 0x1ca88a; 0x1cb6ad; 0x1cc172; 0x1cd6e4; 0x1ce667; 0x1cec71; 0x1cf6da; 0x1cfed0; 0x1d0720; 0x1d0e2a; 0x1d17af; 0x1d24b2; 0x1d2b45; 0x1d5315; 0x1d671c; 0x1d71ed; 0x1d7ee3; 0x1d84bf; 0x1d9285; 0x1d9d08; 0x1db8ce; 0x1dd306; 0x1de7e4; 0x1e2263; 0x1e607e; 0x1e650f; 0x1e6b70; 0x1e73fe; 0x1e7704; 0x1e7a2a; 0x1e9321; 0x1e9768; 0x1eaeb1; 0x1eb5ab; 0x1ec4a9; 0x1ece57; 0x1ed42a; 0x1ee78a; 0x1ee9aa; 0x1eedf0; 0x1ef457; 0x1ef622; 0x1f0eee; 0x1f300f; 0x1f44c8; 0x1f5764; 0x1f5e2f; 0x1f6bf1; 0x1f8e0d; 0x1f98be; 0x1fa680; 0x1fb09a; 0x1fc195; 0x1fcb2f; 0x1fea60; 0x1fee12; 0x20057e; 0x20143c; 0x201615; 0x201789; 0x201f01; 0x2033f2; 0x205c83; 0x2066a5; 0x207d1c; 0x207ff6; 0x208a2e; 0x20aafc; 0x20b450; 0x20d0c5; 0x20e334; 0x20ec72; 0x20f0b9; 0x20f404; 0x20fa96; 0x21067e; 0x211c41; 0x21245b; 0x21359a; 0x214074; 0x216858; 0x2180f0; 0x2182fc; 0x219d76; 0x21a8de; 0x21ac66; 0x21c019; 0x21d2d8; 0x21d5ff; 0x21dd29; 0x21e3df; 0x21f7a1; 0x2237cb; 0x2239b9; 0x2242b8; 0x225aec; 0x226c3c; 0x227957; 0x227d01; 0x228375; 0x228736; 0x228aa1; 0x229846; 0x22aa43; 0x22b05b; 0x22b28d; 0x22b583; 0x22ca6b; 0x22cd34; 0x22d89c; 0x22f11f; 0x22f8f5; 0x230231; 0x230ea2; 0x231a61; 0x2322d0; 0x2347c3; 0x234c18; 0x2354a7; 0x235975; 0x235ddf; 0x23627c; 0x236f4c; 0x23796b; 0x238294; 0x23865c; 0x238c26; 0x239b4a; 0x239ccd; 0x23a072; 0x23ad90; 0x23be85; 0x23c54c; 0x23d047; 0x23dfd8; 0x23ee6c; 0x23f6eb; 0x240180; 0x24121a; 0x241dfa; 0x2454a9; 0x247cf2; 0x248061; 0x249e25; 0x24a49a; 0x24cc20; 0x24eb99; 0x24f553; 0x24f860; 0x24fd35; 0x250d25; 0x2510ac; 0x251b68; 0x252dfc; 0x253944; 0x25459f; 0x25473f; 0x2548da; 0x254a75; 0x255b42; 0x256032; 0x258f88; 0x259fb5; 0x25a5a3; 0x25ac07; 0x25b0e3; 0x25b79c; 0x25ba6f; 0x25bbd5; 0x25bd33; 0x25c726; 0x25cc0c; 0x25d9a7; 0x25de9d; 0x25f094; 0x261275; 0x263965; 0x264d14; 0x2659bd; 0x2662ba; 0x266987; 0x26b625; 0x26cbfc; 0x26e27d; 0x26e821; 0x271355; 0x27249e; 0x272f01; 0x273757; 0x273e8b; 0x277240; 0x277ae7; 0x277e64; 0x2784ed; 0x27b7ff; 0x27bcd0; 0x27c160; 0x27e5ac; 0x2806a8; 0x282212; 0x28283e; 0x282d61; 0x283451; 0x283c61; 0x284fa1; 0x28552f; 0x2857d7; 0x285a4a; 0x2862bd; 0x2865c0; 0x286aee; 0x287c4d; 0x288c38; 0x289e9a; 0x28bc7e; 0x28be3e; 0x28c2df; 0x28c643; 0x28d141; 0x28d9bf; 0x28fcc6; 0x290a61; 0x291ef6; 0x2922a3; 0x292881; 0x2932b1; 0x2938e0; 0x294263; 0x2944f4; 0x294b1e; 0x295524; 0x295fe0; 0x29888d; 0x299ba9; 0x29a242; 0x29afe4; 0x29b799; 0x29bb0b; 0x29e49c; 0x29f0bd; 0x29fabb; 0x2a0961; 0x2a2cc1; 0x2a439f; 0x2a467e; 0x2a5269; 0x2a54a3; 0x2a5caf; 0x2a5f11; 0x2a6506; 0x2a71dd; 0x2a77d2; 0x2a802b; 0x2a838b; 0x2a853f; 0x2a8d26; 0x2a9836; 0x2a9ce7; 0x2aa02e; 0x2aa6fa; 0x2aae81; 0x2ab58f; 0x2ac21d; 0x2ad3a5; 0x2adee7; 0x2b1db5; 0x2b23fb; 0x2b310e; 0x2b3509; 0x2b3e63; 0x2b50f6; 0x2b582b; 0x2b6acb; 0x2b72c6; 0x2b768b; 0x2b81dc; 0x2b97cd; 0x2baadd; 0x2bcbca; 0x2be036; 0x2bf050; 0x2bf5f5; 0x2bfbba; 0x2c054e; 0x2c0f30; 0x2c193a; 0x2c1e4f; 0x2c28cf; 0x2c2a4b; 0x2c2ee8; 0x2c3d4c; 0x2c4fc8; 0x2c6e24; 0x2c7448; 0x2c8a35; 0x2c9b31; 0x2cab2f; 0x2cb694; 0x2cd2b0; 0x2d0803; 0x2d172e; 0x2d1950; 0x2d2519; 0x2d2956; 0x2d30c4; 0x2d391e; 0x2d4d68; 0x2d5873; 0x2d6057; 0x2d7467; 0x2d863e; 0x2dbf80; 0x2dc9da; 0x2dcf13; 0x2dda64; 0x2df597; 0x2e1eef; 0x2e296d; 0x2e2b8d; 0x2e2dd2; 0x2e3970; 0x2e4089; 0x2e5214; 0x2e5693; 0x2e664c; 0x2e68b1; 0x2e755e; 0x2e7cb8; 0x2e8485; 0x2e8ec5; 0x2e9507; 0x2e9c49; 0x2e9ef3; 0x2eaa04; 0x2eb5a0; 0x2ec5e2; 0x2ed173; 0x2eda00; 0x2ee364; 0x2eec95; 0x2ef074; 0x2ef303; 0x2ef5db; 0x2ef8cf; 0x2efd91; 0x2f03a4; 0x2f068d; 0x2f094c; 0x2f100c; 0x2f1419; 0x2f1a36; 0x2f1e0d; 0x2f2412; 0x2f28ab; 0x2f2eab; 0x2f33bd; 0x2f48d5; 0x2f52a0; 0x2f7380; 0x2f88f5; 0x2f9014; 0x2f9441; 0x2f9811; 0x2f9b66; 0x2fa214; 0x2fe74b; 0x2ff49b; 0x2ff876; 0x3008ef; 0x3020b1; 0x30292d; 0x303232; 0x303d5d; 0x3050e7; 0x305ae5; 0x30624e; 0x306fb3; 0x3074d4; 0x3087f2; 0x308b1b; 0x308dc5; 0x3096cb; 0x30a0eb; 0x30af6f; 0x30bbdc; 0x30bffb; 0x30c61e; 0x312207; 0x31695d; 0x3183cd; 0x31867c; 0x318b0c; 0x31a010; 0x31a56d; 0x31b00a; 0x31c51d; 0x31d59e; 0x31d999; 0x31e814; 0x327872; 0x327b06; 0x330cf0; 0x333240; 0x338ce0; 0x342080; 0x3478a0; 0x3492d0; 0x349550; 0x34a5a0; 0x34a990; 0x34b840; 0x34c010; 0x34c350; 0x353ca0; 0x354be0; 0x354fd0; 0x355470; 0x356e80; 0x357f30; 0x35ddb0; 0x360250; 0x361430; 0x364420; 0x367970
  NACKeyEstablishmentAddress: 0x3478a0
  NACSignAddress: 0x277b1; 0x35d25; 0x7e406; 0x8469f; 0xb970b; 0xbd456; 0xbe26a; 0xf3364; 0x14ef96; 0x15b6f2; 0x15fc92; 0x160c18; 0x161f60; 0x1d2b45; 0x1dd306; 0x1de7e4; 0x23a072; 0x261275; 0x263965; 0x266987; 0x26e821; 0x271355; 0x273e8b; 0x283c61; 0x28d9bf; 0x2938e0; 0x2a2cc1; 0x2a77d2; 0x2bfbba; 0x2c054e; 0x2d391e; 0x2d863e; 0x2df597; 0x303232; 0x3074d4; 0x30a0eb; 0x30af6f; 0x333240

That gives us a unique match for ReferenceAddress and NACKeyEstablishmentAddress; but not for NACInitAddress or NACSignAddress.

[0xdevalias]

Looking at a bunch of the existing 10.14.x/10.15.x offsets, we can observe that:

• NACKeyEstablishmentAddress - NACSignAddress = 0x14660
• NACKeyEstablishmentAddress - NACInitAddress = 0xebc0

If we assume that same pattern may hold on this binary, we can attempt to narrow down the likely matching offset:

• NACSignAddress: NACKeyEstablishmentAddress (0x3478a0) - 0x14660 = 0x333240
  • This appears to be one of the offsets listed above for NACSignAddress, so may be what we want.
• NACInitAddress: NACKeyEstablishmentAddress (0x3478a0) - 0xebc0 = 0x338ce0
  • This appears to be one of the offsets listed above for NACInitAddress, so may be what we want.

That would then give us:

var offsets_10_14_6_18G103 = imdOffsetTuple{x86: imdOffsets{
	ReferenceSymbol:            "newLocalDeliveryServiceStatString",
	ReferenceAddress:           0x238c26,
	NACInitAddress:             0x338ce0,
	NACKeyEstablishmentAddress: 0x3478a0,
	NACSignAddress:             0x333240,
}}

var offsets = map[[32]byte]imdOffsetTuple{
    //..snip..
	// macOS 10.14.6
	hexToByte32("23f14e11c672c07ef5934614ae2b83b34065ffe179e4a9bcdcdf00c2b724b3df"): offsets_10_14_6,
	// macOS 10.14.6 (18G103)
	hexToByte32("5f0e388cc2515734096af48bb4236f83bfb5106f02d030d8b5fa4c22c3922a14"): offsets_10_14_6_18G103,
    //..snip..

Contrasting that with the existing offsets_10_14_6:

mac-registration-provider/nac/offsets.go

Lines 16 to 22 in 1e1d190

	var offsets_10_14_6 = imdOffsetTuple{x86: imdOffsets{
	ReferenceSymbol: "newLocalDeliveryServiceStatString",
	ReferenceAddress: 0x238842,
	NACInitAddress: 0x338ce0,
	NACKeyEstablishmentAddress: 0x3478a0,
	NACSignAddress: 0x333240,
	}}

We can see that ReferenceAddress appears to be different, but NACInitAddress / NACKeyEstablishmentAddress / NACSignAddress all appear to be the same offsets.

---

I haven't tested that.. but you should be able to add it to the code, re-compile, and check if it works on your system. Then would be worth making a PR for it to share back.

[0xdevalias]

And these patterns seem to work for both of the 10.14.6 binaries, to find the unique offsets automagically:

symbol = "_newLocalDeliveryServiceStatString" # For 10.14.x and earlier

# 10.14.6 unique match (non-minified patterns)
# hex_strings = {
#     "x86_64": {
#         f"ReferenceAddress ({symbol})": "554889e54157415641554154534881ec98010000488b05....2800488b00488945d0ff15....28004889c348898530ffffff488b3d....31004c8b35....3100",
#         "NACInitAddress": "554889e54157415641554154534881ec481800004989d6488b05......00488b00488945d00f314889d348c1e3204809c348ba8fe3388ee3388ee34889d848f7e248c1ea03488d04d24829c34889d848c1e00448ba7febeb767bf7f7fe4831c24883e307",
#         "NACKeyEstablishmentAddress": "554889e54157415641554154534881ec28010000488b05......00488b00488945d04885ff0f94c04885f60f94c108c185d20f94c008c84189d70fb6c08d48064c8d25......0049630c8c488d15e5ffffff4801ca41bd05514f51ffe24656904889f248",
#         "NACSignAddress": "554889e54157415641554154534881ec580300004189d14989ff488b05......00488b00488945d0488d95d0fcffff488995d8fcffff89d02548488a9489d381e3109524214189d24181e2a022514a8d3c1289fa81e20000042809c281f20200029489f8",
#     }
# }

# 10.14.6 unique match (minified patterns)
hex_strings = {
    "x86_64": {
        f"ReferenceAddress ({symbol})": "554889e54157415641554154534881ec98010000488b05....28",
        "NACInitAddress": "554889e54157415641554154534881ec4818",
        "NACKeyEstablishmentAddress": "554889e54157415641554154534881ec28010000488b05......00488b00488945d04885",
        "NACSignAddress": "554889e54157415641554154534881ec5803",
    }
}

⇒ ./find_fat_binary_offsets.py samples/macos-10.14.6-mojave-x86_64-identityservicesd
-= Universal Binary Sections =-
Architecture 0 (x86_64):
  CPU Type: 0 (0x0)
  CPU Subtype: 0 (0x0)
  CPU Subtype Capability: 0 (0x0)
  Offset: 0x0 (Valid Mach-O Header: Yes)
  Size: -1
  Align: 0

-= Found Symbol Offsets =-
Offset of _newLocalDeliveryServiceStatString in architecture x86_64: 0x238842

-= Found Hex Offsets (with pure python fixed sequence search + regex) =-
Architecture 0 (x86_64):
  ReferenceAddress (_newLocalDeliveryServiceStatString): 0x238842
  NACInitAddress: 0x338ce0
  NACKeyEstablishmentAddress: 0x3478a0
  NACSignAddress: 0x333240

⇒ ./find_fat_binary_offsets.py samples/macos-10.14.6-18G103-mojave-x86_64-identityservicesd
-= Universal Binary Sections =-
Architecture 0 (x86_64):
  CPU Type: 0 (0x0)
  CPU Subtype: 0 (0x0)
  CPU Subtype Capability: 0 (0x0)
  Offset: 0x0 (Valid Mach-O Header: Yes)
  Size: -1
  Align: 0

-= Found Symbol Offsets =-
Offset of _newLocalDeliveryServiceStatString in architecture x86_64: 0x238c26

-= Found Hex Offsets (with pure python fixed sequence search + regex) =-
Architecture 0 (x86_64):
  ReferenceAddress (_newLocalDeliveryServiceStatString): 0x238c26
  NACInitAddress: 0x338ce0
  NACKeyEstablishmentAddress: 0x3478a0
  NACSignAddress: 0x333240

[jetfir3]

Nice detective work @0xdevalias

I had no idea that binaries from the same macOS version # (same arch even -- as 10.14.6 is only x86_64, obviously) could differ although I suppose I am not surprised.

A possible alternative to a whole new 10.14.6 offset reference could be to use a different reference symbol which shares the same address between both builds. I haven't had a moment to compare both binaries yet but can look at this a bit later.

[jetfir3]

Update:
After diffing the symbol offsets, there are no "text section symbols" that match (other than 0x000000 T __mh_execute_header). I had previously went with a text section symbol since the original reference symbol for the project, IDSProtoKeyTransparencyTrustedServiceReadFrom, was also a text section symbol.

I'm not sure if sticking to text symbols is needed or if switching to block (S) or data (D) symbols would also work and text symbols were just chosen since they often appear earlier in the binary and would be a "quicker reference"?

If a text symbol is not required for a reference address/symbol then one of the following examples could be used as their offsets match in both binaries:

0x4c9d78 S _IDSEngramKeyStoreErrorDomain
0x55dbf0 D __IDSIDQueryErrorDomain

I should also note that a majority of the non-text symbols matched in both binaries, so it wouldn't be unreasonable to assume that the 3 NAC-related addresses which matched the "new" 10.14.6 binary via pattern matching etc are correct.

[cvincent]

If anyone can apply these changes and link me to a build, I could quickly test it out on my hardware and confirm whether it works. I could maybe do that myself, but I'm not familiar with Go nor have it installed, and the target hardware is currently extremely un-ergonomic to use right now as it was only ever intended to run this service.

[cvincent]

I managed to recompile it with this change and can confirm it worked. I don't have my SSH key or anything on this machine otherwise I'd push up a PR.

Sadly, I won't be proceeding from here as I didn't read closely enough that this only re-enables iMessage in Beeper via email, not the phone number. Looking into setting up Blue Bubbles instead. :(