Sigh, Apple's signature algorithm is intentionally complicated.

2026-02-12 16:32:45 +00:00 · 2019-10-13 05:12:26 -05:00
parent adfe632227
commit 69e93b2785
4 changed files with 66 additions and 0 deletions
--- a/registration/cert.cer
+++ b/registration/cert.cer
--- a/registration/register.dart
+++ b/registration/register.dart
@@ -0,0 +1,52 @@
+import 'dart:async';
+import 'dart:convert';
+import 'dart:io';
+
+Future<void> main(List<String> args) async {
+  var client = new HttpClient();
+  var request = await client
+      .postUrl(Uri.parse("https://lcdn-registration.apple.com/lcdn/register"));
+  request.write(json.encode({
+    "push-token": "fbFqxPukE8hfZD+Lbeo+E6390ih2lmY0I13apvLhZ6I=",
+    "ranked-peers": true,
+    "details": {
+      "capabilities": {
+        "ur": true,
+        "sc": true,
+        "pc": true,
+        "im": true,
+        "ns": true,
+        "query-parameters": true
+      },
+      "cache-size": 230000000000,
+      "ac-power": true,
+      "is-portable": true,
+      "local-network": [
+        {"speed": 1300, "wired": false}
+      ]
+    },
+    "local-ranges-only": true,
+    "local-ranges": [
+      {"first": "10.0.0.0", "last": "10.0.255.255"}
+    ],
+    "cache-software": [
+      {"type": "cache", "name": "Caching Server", "version": "233"},
+      {
+        "build": "19A583",
+        "type": "system",
+        "name": "Mac OS X",
+        "version": "10.15"
+      }
+    ],
+    "guid": "A14862D9-9643-4F18-B0BA-990BC2CAC0C2",
+    "local-addresses": [
+      {"address": "10.0.0.20", "netmask": "255.255.0.0", "port": "51391"}
+    ],
+    "session-token":
+        "1570938452471~46E0EE91164ABF1E4D42F7C3DC51B0747AD1BC3E7C9073CB6230D8F2191C40D9"
+  }));
+  var response = await request.close();
+  var result = await utf8.decodeStream(response);
+  print(result);
+  client.close();
+}
--- a/registration/unregister.bin
+++ b/registration/unregister.bin
--- a/signature/README.md
+++ b/signature/README.md
@@ -11,3 +11,17 @@ The payload is in between these two parts.
 A 32-bit big endian unsigned number represents the payload size, and directly following the payload is a 32-bit big endian unsigned number representing the remaining bytes in the signature (however do note that there seem to be two trailing null characters).

 The first section contains what seems to be a header, then a length for some signature data at position 0x4A.
+
+Update: After a lot of work, I found the signature algorithm, and have been attempting to figure out it's origin. Turns out it's a custom algorithm just for Content Caching.
+
+I've got a few options here:
+
+1. Isolate the disassembled signature algorithm, and attempt to convert it to usable assembly. (Tough due to the use of a switch table...)
+2. Create a binary patcher which goes into the signature algorithm as an entry-point, then require any external server to call this binary over an RPC.
+3. Develop a Frida script to spawn the AssetCache server and hijack the registration data then kill the server.
+
+I prefer Option 1, but it's going to be a huge pain. Might need to contact others for assistance in cracking the algorithm, it's really just a bunch of magic numbers.
+
+I think I will start with a hybrid of Option 2 and Option 3, where I will make a server that does the registration for me by hijacking the AssetCache binary.
+
+Good news is, after registration is at least possible, the rest is super easy!