
add 14.4 beta offsets #36

Open: wants to merge 1 commit into base: main

Conversation

0xdevalias (Contributor) commented Mar 2, 2024

Adds the offsets for the 14.4 beta binary provided in the following issue.

These offsets were automatically extracted using my finder tooling, and I haven't tested/manually verified them:

@0xdevalias

If anyone knows which specific beta this is for, we can update it to be a bit more explicit:

@dannyleeuk Which beta did you upload the binary for out of curiosity?

Originally posted by @0xdevalias in #34 (comment)


Similarly, if you know the hash for the 14.4 beta 2 binary (@TheDave94 ?), then we could add those offsets too:

chota commented Mar 2, 2024

If anyone knows which specific beta this is for, we can update it to be a bit more explicit:

@dannyleeuk Which beta did you upload the binary for out of curiosity?
Originally posted by @0xdevalias in #34 (comment)

Similarly, if you know the hash for the 14.4 beta 2 binary (@TheDave94 ?), then we could add those offsets too:

Hash "5b4fc94e11555b628161ca1e5c4c14f8b3350fb28d0b513f4b6875ecce3b06ee" corresponds to "Version 14.4 Beta (23E5211a)," here.

@0xdevalias

Hash "5b4fc94e11555b628161ca1e5c4c14f8b3350fb28d0b513f4b6875ecce3b06ee" corresponds to "Version 14.4 Beta (23E5211a)," here.

@chota Yup, but that's not what I was asking for; I already calculated that and it's included in this PR (and that comment I linked to). The hash I was asking about was for the '14.4 beta2' offsets that @TheDave94 provided, that I referenced in the 2nd part of the comment linked above, but which were originally posted here:

@matusfaro

14.4 Final is here and I opened a PR for these offsets here: #40

However I wasn't able to successfully test it out. If you notice even in this thread, the neat little tool find_fat_binary_offsets.py prints out multiple addresses which tells me something probably changed that needs more reverse engineering.

Notice there are four addresses, not just one: IDSProtoKeyTransparencyTrustedServiceReadFrom: 0xc0b84; 0x2f5d0c; 0x322dac; 0x33a660

14.4 Final:

$ ./find_fat_binary_offsets.py /System/Library/PrivateFrameworks/IDS.framework/identityservicesd.app/Contents/MacOS/identityservicesd 
-= Universal Binary Sections =-
Architecture 0 (x86_64):
  CPU Type: 16777223 (0x1000007)
  CPU Subtype: 3 (0x3)
  CPU Subtype Capability: 0 (0x0)
  Offset: 0x4000 (Valid Mach-O Header: Yes)
  Size: 8880384
  Align: 14
Architecture 1 (arm64e):
  CPU Type: 16777228 (0x100000c)
  CPU Subtype: 2 (0x2)
  CPU Subtype Capability: 128 (0x80)
  Offset: 0x880000 (Valid Mach-O Header: Yes)
  Size: 9865136
  Align: 14

-= Found Symbol Offsets =-
Offset of _IDSProtoKeyTransparencyTrustedServiceReadFrom in architecture x86_64: 0x0d6715
Offset of _IDSProtoKeyTransparencyTrustedServiceReadFrom in architecture arm64e: 0x0c0b84

-= Found Hex Offsets (with pure python fixed sequence search + regex) =-
Architecture 0 (x86_64):
  IDSProtoKeyTransparencyTrustedServiceReadFrom: 0xd6715
  NACInitAddress: 0x557cd0
  NACKeyEstablishmentAddress: 0x537d10
  NACSignAddress: 0x54b000
Architecture 1 (arm64e):
  IDSProtoKeyTransparencyTrustedServiceReadFrom: 0xc0b84; 0x2f5d0c; 0x322dac; 0x33a660
  NACInitAddress: 0x4c2468
  NACKeyEstablishmentAddress: 0x4afccc
  NACSignAddress: 0x489ed8

@0xdevalias

@matusfaro Thanks for the heads up.

The tool actually has 2 methods for trying to get the offsets for IDSProtoKeyTransparencyTrustedServiceReadFrom, the 'hex offsets' (which unfortunately often doesn't get a unique match), and the 'symbol offsets' (which is pretty much always guaranteed to be correct due to the nature of how it works).

I would suspect if you use the offset value from the 'symbol offsets' it should work for you (arm64e: 0x0c0b84), but given that seems to match the first offset listed in the 'hex offsets' section, and you said that didn't work, then I'm not too sure what the issue is without digging deeper into it unfortunately.

Originally posted by @0xdevalias in 0xdevalias/poc-re-binsearch#1 (comment)
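The thread above contrasts two ways of locating IDSProtoKeyTransparencyTrustedServiceReadFrom inside the fat binary: a fixed-byte-sequence search (which returned four candidate offsets for arm64e) and a symbol-table lookup (which returns exactly one). The following is an added example, not the project's find_fat_binary_offsets.py, that shows why the two methods differ. It parses the big-endian fat header to enumerate slices (cputype, offset, size, align, as in the tool's "Universal Binary Sections" listing), then within each slice walks LC_SEGMENT_64 and LC_SYMTAB to turn a symbol's virtual address into a file offset, and finally runs a naive pattern search over the same bytes. The fat binary it operates on is a constructed toy built in memory: the symbol name is the one from the page, but the function "body" bytes, the filler, the segment layout and the CPU subtypes are assumptions chosen so that the pattern appears twice per slice while the symbol table points at only one of those copies.

```python
"""Fat Mach-O slice enumeration plus symbol-table vs. pattern-search offset lookup (toy data)."""
import struct

FAT_MAGIC, MH_MAGIC_64 = 0xCAFEBABE, 0xFEEDFACF
LC_SEGMENT_64, LC_SYMTAB = 0x19, 0x02
CPU_TYPE_X86_64, CPU_TYPE_ARM64 = 0x1000007, 0x100000C


def parse_fat_header(data):
    """Return the fat_arch entries (big-endian) as dicts, bounds-checked against the file."""
    magic, nfat = struct.unpack_from(">II", data, 0)
    if magic != FAT_MAGIC:
        raise ValueError("not a fat binary")
    slices = []
    for i in range(nfat):
        cpu, sub, off, size, align = struct.unpack_from(">iiIII", data, 8 + 20 * i)
        if off + size > len(data):
            raise ValueError(f"slice {i} extends past end of file")
        slices.append({"cputype": cpu, "cpusubtype": sub, "offset": off, "size": size, "align": align})
    return slices


def has_macho_header(data, off):
    return len(data) >= off + 4 and struct.unpack_from("<I", data, off)[0] == MH_MAGIC_64


def symbol_file_offset(slice_bytes, name):
    """File offset (within the slice) of symbol `name`, via LC_SYMTAB + LC_SEGMENT_64; None if absent."""
    magic, _cpu, _sub, _ft, ncmds, _szcmds, _flags, _res = struct.unpack_from("<8I", slice_bytes, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a 64-bit Mach-O")
    segments, symtab, pos = [], None, 32
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", slice_bytes, pos)
        if cmd == LC_SEGMENT_64:  # vmaddr, vmsize, fileoff follow the 16-byte segname
            vmaddr, vmsize, fileoff = struct.unpack_from("<3Q", slice_bytes, pos + 24)
            segments.append((vmaddr, vmsize, fileoff))
        elif cmd == LC_SYMTAB:  # symoff, nsyms, stroff, strsize
            symtab = struct.unpack_from("<4I", slice_bytes, pos + 8)
        pos += cmdsize
    if symtab is None:
        return None
    symoff, nsyms, stroff, strsize = symtab
    strtab = slice_bytes[stroff:stroff + strsize]
    for i in range(nsyms):  # each nlist_64 is 16 bytes
        n_strx, _type, _sect, _desc, n_value = struct.unpack_from("<IBBHQ", slice_bytes, symoff + 16 * i)
        if strtab[n_strx:strtab.index(b"\0", n_strx)] != name:
            continue
        for vmaddr, vmsize, fileoff in segments:  # map virtual address back to a file offset
            if vmaddr <= n_value < vmaddr + vmsize:
                return fileoff + (n_value - vmaddr)
    return None


def pattern_offsets(slice_bytes, pattern):
    """Naive fixed-sequence search: every offset at which `pattern` occurs (may be many)."""
    hits, start = [], 0
    while (idx := slice_bytes.find(pattern, start)) != -1:
        hits.append(idx)
        start = idx + 1
    return hits


def locate(fat_bytes, name, pattern):
    """Per cputype: (symbol-table offset, list of pattern-search offsets) for each Mach-O slice."""
    results = {}
    for s in parse_fat_header(fat_bytes):
        blob = fat_bytes[s["offset"]:s["offset"] + s["size"]]
        if has_macho_header(blob, 0):
            results[s["cputype"]] = (symbol_file_offset(blob, name), pattern_offsets(blob, pattern))
    return results


def build_toy_slice(cputype, cpusubtype, func_name, body, filler):
    """Constructed 64-bit Mach-O: one __TEXT segment, one symbol, and `body` placed twice as a decoy."""
    base, hdr_size = 0x100000000, 32 + 72 + 24
    code = filler + body + filler + body            # symbol will point at the FIRST copy only
    func_off = hdr_size + len(filler)
    symoff = hdr_size + len(code)
    strtab = b"\0" + func_name + b"\0"
    stroff = symoff + 16
    total = stroff + len(strtab)
    header = struct.pack("<8I", MH_MAGIC_64, cputype, cpusubtype, 2, 2, 96, 0, 0)  # MH_EXECUTE, 2 cmds
    seg = struct.pack("<II16sQQQQiiII", LC_SEGMENT_64, 72, b"__TEXT", base, total, 0, total, 7, 5, 0, 0)
    sym = struct.pack("<6I", LC_SYMTAB, 24, symoff, 1, stroff, len(strtab))
    nl = struct.pack("<IBBHQ", 1, 0x0F, 1, 0, base + func_off)  # n_strx=1, N_SECT|N_EXT
    return header + seg + sym + code + nl + strtab, func_off


def build_toy_fat(slices, align=12):
    """Constructed fat container: big-endian header, each slice aligned to 2**align bytes."""
    nfat = len(slices)
    out = bytearray(struct.pack(">II", FAT_MAGIC, nfat)) + b"\0" * (20 * nfat)
    archs = []
    for cputype, subtype, blob in slices:
        out += b"\0" * ((-len(out)) % (1 << align))
        archs.append(struct.pack(">iiIII", cputype, subtype, len(out), len(blob), align))
        out += blob
    out[8:8 + 20 * nfat] = b"".join(archs)
    return bytes(out)


NAME = b"_IDSProtoKeyTransparencyTrustedServiceReadFrom"   # symbol name from the thread
BODY = b"\xff\x43\x01\xd1"                                  # constructed stand-in for the prologue bytes
X86_SLICE, X86_FUNC = build_toy_slice(CPU_TYPE_X86_64, 3, NAME, BODY, b"\x90" * 64)
ARM_SLICE, ARM_FUNC = build_toy_slice(CPU_TYPE_ARM64, 2, NAME, BODY, b"\x1f\x20\x03\xd5" * 32)
TOY_FAT = build_toy_fat([(CPU_TYPE_X86_64, 3, X86_SLICE), (CPU_TYPE_ARM64, 2, ARM_SLICE)])

if __name__ == "__main__":
    for s in parse_fat_header(TOY_FAT):
        print(f"cputype 0x{s['cputype']:x} offset 0x{s['offset']:x} size {s['size']} align {s['align']}")
    for cpu, (sym_off, hits) in locate(TOY_FAT, NAME, BODY).items():
        print(f"0x{cpu:x}: symbol -> 0x{sym_off:x}; pattern -> {[hex(h) for h in hits]}")
```

Running it prints one symbol-derived offset per slice and two pattern hits per slice, which is the same shape as the "0xc0b84; 0x2f5d0c; ..." ambiguity in the thread: a byte sequence that also occurs in other functions cannot identify the target on its own, whereas the nlist entry resolves to a single address that the segment table maps to a single file offset. On a real binary the slices come from the on-disk file rather than build_toy_fat, and stripped binaries may lack the symbol entirely, in which case symbol_file_offset returns None and only the pattern method remains.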

Successfully merging this pull request may close these issues: Add support for MacOS 14.4 Beta