
@biemster
Last active June 24, 2024 04:52
Initial parsing of the validation blob for IDS registration which comes out of IMDAppleServices
#!/usr/bin/env python
import apple_auth
from io import BytesIO
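def _read_exact(stream, size, field):
    """Read exactly *size* bytes of *field* from *stream*, else raise ValueError.

    BytesIO.read() returns fewer bytes than asked for once the data runs out
    instead of failing. With length-prefixed fields that would silently shift
    every later field, so a short read is reported against the field's name.
    """
    data = stream.read(size)
    if len(data) != size:
        raise ValueError(
            "validation data truncated in {}: wanted {} bytes, got {}".format(
                field, size, len(data)))
    return data


def _read_block(stream, field):
    """Read a 4-byte big-endian length, then that many bytes.

    Returns (raw_length_bytes, body). The length comes from the blob itself,
    so the body read is checked against what is actually left in the stream.
    """
    raw_len = _read_exact(stream, 4, field + " length")
    return raw_len, _read_exact(stream, int.from_bytes(raw_len, "big"), field)


# Input is the device description json (create json with Smoothstep/apple-gen-rs).
# Close the file deterministically instead of leaving it to the garbage collector.
with open('idevice.json') as device_file:
    device_json = device_file.read()
vd = BytesIO(bytes(apple_auth.IDS(device_json).request_validation_data()))

# --- outer envelope ---------------------------------------------------------
tag = _read_exact(vd, 1, "tag")  # always 0x02, maybe like the APNS msg for cert?
stat16b = _read_exact(vd, 16, "stat16b")  # static across machines, some versioning?
dyn16b = _read_exact(vd, 16, "dyn16b")  # the actual signature from the obfuscated algorithm
len_payload, payload_bytes = _read_block(vd, "payload")
payload = BytesIO(payload_bytes)

# --- payload ----------------------------------------------------------------
flags_tag = _read_exact(payload, 1, "flags_tag")  # could be flag field as in APNS? this is always 0x05
flags = _read_exact(payload, 4, "flags")  # always 0b00000001
# machine specific, 256 byte blob from machine_info
len_stat, stat256b = _read_block(payload, "stat256b")
maybezero = _read_exact(payload, 4, "maybezero")  # always 0b00000000
len_dyn, alldyn_bytes = _read_block(payload, "alldyn")
alldyn = BytesIO(alldyn_bytes)

# --- dynamic part -----------------------------------------------------------
dyn_tag = _read_exact(alldyn, 1, "dyn_tag")  # always 0x01
dyn20b = _read_exact(alldyn, 20, "dyn20b")  # changes on every call, sha1 hash?
len_subdyn, subdyn_bytes = _read_block(alldyn, "subdyn")
subdyn = BytesIO(subdyn_bytes)

# --- inner dynamic part -----------------------------------------------------
two_decs = _read_exact(subdyn, 2, "two_decs")  # two bytes always in [0x00 - 0x09]
subdyn16b = _read_exact(subdyn, 16, "subdyn16b")  # changes on every call
unix_epoch = _read_exact(subdyn, 4, "unix_epoch")  # seconds since 01-01-1970
subdyn32b = _read_exact(subdyn, 32, "subdyn32b")  # changes on every call

# NOTE: the dump includes stat256b, which is machine specific; treat the output
# as device-identifying data before pasting it into an issue or a chat.
print(tag.hex(), stat16b.hex(), dyn16b.hex(),
      len_payload.hex(), flags_tag.hex(), flags.hex(), len_stat.hex(), stat256b.hex(), maybezero.hex(),
      len_dyn.hex(), dyn_tag.hex(), dyn20b.hex(), len_subdyn.hex(), two_decs.hex(), subdyn16b.hex(),
      unix_epoch.hex(), subdyn32b.hex())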