
How to make the in-wifi cache service take effect

Open deadash opened this issue 3 years ago • 3 comments

When I use the cache service now, only the USB connection to share the wifi can take effect, and other devices under the same network cannot take effect.

The Frida interception always makes errors and fails to register the local device. Is it stable when you use it?

I can help with some reverse engineering.

deadash • Apr 12 '22 09:04

With some hard work in reverse engineering, I've managed to register the device on Linux.

The idea is roughly as follows:

  1. Find the session and register functions.
  2. Of these, the session function obtains some system information from the Mac; a fixed string can be returned directly through a patch. Then the byte content of cert.cer is passed in to execute the session generation function, which yields bytes of size 0x152 (partly generated by arc4random) and a Class-like pointer.
  3. After sending the above bytes to Apple through base64, the cookie is returned. Then generate the JSON of the device information to be registered plus the cookie and pass it into the register function, including the above pointer (the first parameter); it will return the byte stream after the signature, which can be registered successfully by sending it to Apple through base64.

deadash • May 13 '22 02:05

After giving it some thought, I've decided to publicly release the related signature algorithms. As you mentioned, they were reverse-engineered to implement Methods 1, 2, and 3. I've successfully implemented Methods 1 and 2, meaning you can call them natively or through emulation (suitable for any architecture and environment). You can find the repository at the following address: https://github.com/deadash/apple_cache

In the future, the focus may shift towards converting the algorithms to LLVM-IR through emulation to obtain the complete algorithms. While I don't currently have the bandwidth to undertake this, thanks to the plethora of LLVM IR plugins available in Rust, it should be fairly straightforward to accomplish in the future.

deadash • Oct 25 '23 02:10

That's awesome! I've been very busy the last few years, so I haven't had a chance to take a look at this issue before now.

Thanks for continuing the work!

azenla • Oct 25 '23 02:10