[*] Binary protection state of stclient
Full RELRO Canary found NX enabled PIE enabled No RPATH No RUNPATH No Symbols
[*] Function system tear down of stclient
; assembly | /* r2dec pseudo code output */
| /* /logs/firmware/patool_extraction/rootfs.img_unblob_extracted/rootfs.img_extract/0-50593792.squashfs_v4_le_extract/usr/bin/stclient @ 0x72e8 */
| #include <stdint.h>
|
; (fcn) fcn.000072e8 () | void fcn_000072e8 (int16_t arg_c0h, int16_t arg_370h, int16_t arg1, int16_t arg2, int16_t arg3) {
| int16_t var_0h;
| int16_t var_4h;
| r0 = arg1;
| r1 = arg2;
| r2 = arg3;
0x000072e8 push.w {r4, r5, r6, r7, r8, sb, lr} |
0x000072ec mov r5, r0 | r5 = r0;
0x000072ee ldr r0, [pc, 0x84] |
0x000072f0 sub sp, 0xc |
0x000072f2 ldr r3, [pc, 0x84] | r3 = *(0x737a);
0x000072f4 add r0, pc | r0 = 0xe66e;
0x000072f6 ldr r3, [r0, r3] |
0x000072f8 ldr r0, [r5, 0xc] | r0 = *((r5 + 0xc));
0x000072fa ldr r3, [r3] | r3 = *(0xe66e);
0x000072fc str r3, [sp, 4] | var_4h = r3;
0x000072fe mov.w r3, 0 | r3 = 0;
0x00007302 movs r3, 0 | r3 = 0;
0x00007304 str r3, [sp] | *(sp) = r3;
| if (r0 != 0) {
0x00007306 cbnz r0, 0x735e | goto label_1;
| }
0x00007308 movw r8, 0xd4c0 |
0x0000730c mov r7, r1 | r7 = r1;
0x0000730e mov r6, r2 | r6 = r2;
0x00007310 mov r4, r0 | r4 = r0;
0x00007312 mov sb, sp | sb = sp;
0x00007314 movt r8, 1 | r8 = 0x1d4c0;
0x00007316 lsrs r1, r0, 0x20 | r1 = r0 >> 0x20;
0x00007318 b 0x7322 |
| while (r0 == 0) {
0x0000731a ldr r3, [sp] | r3 = *(sp);
0x0000731c add r4, r3 | r4 += r3;
0x0000731e cmp r6, r4 |
| if (r6 < r4) {
0x00007320 bls 0x736c | goto label_2;
| }
0x00007322 ldr r3, [r5, 0x10] | r3 = *((r5 + 0x10));
0x00007324 mov r2, r8 | r2 = r8;
0x00007326 movs r1, 0 | r1 = 0;
0x00007328 ldr r0, [r3] | r0 = *(r3);
0x0000732a bl 0x7690 | fcn_00007690 (r0, r1, r2, r3, r4);
0x0000732e ldr r0, [r5] | r0 = *(r5);
0x00007330 mov r3, sb | r3 = sb;
0x00007332 subs r2, r6, r4 | r2 = r6 - r4;
0x00007334 adds r1, r7, r4 | r1 = r7 + r4;
0x00007336 blx 0x382c | r0 = curl_easy_send ();
0x0000733a cmp r0, 0 |
0x0000733c it ne |
| if (r0 != 0) {
0x0000733e cmpne r0, 0x51 | __asm ("cmpne r0, 0x51");
| }
0x00007340 beq 0x731a |
| }
0x00007342 movs r0, 0 | r0 = 0;
| do {
| label_0:
0x00007344 ldr r2, [pc, 0x34] |
0x00007346 ldr r3, [pc, 0x30] | r3 = *(0x737a);
0x00007348 add r2, pc | r2 = 0xe6c8;
0x0000734a ldr r3, [r2, r3] | r3 = *(0xe6c8);
0x0000734c ldr r2, [r3] | r2 = *(0xe6c8);
0x0000734e ldr r3, [sp, 4] | r3 = var_4h;
0x00007350 eors r2, r3 | r2 ^= r3;
0x00007352 mov.w r3, 0 | r3 = 0;
| if (r2 != r3) {
0x00007356 bne 0x7370 | goto label_3;
| }
0x00007358 add sp, 0xc |
0x0000735a pop.w {r4, r5, r6, r7, r8, sb, pc} |
| label_1:
0x0000735e bl 0x83dc | r0 = fcn_000083dc (r0, r1, r2);
0x00007362 cmp r0, 0 |
0x00007364 ite le |
| if (r0 > 0) {
0x00007366 movle r0, 0 | r0 = 0;
| }
| if (r0 <= 0) {
0x00007368 movgt r0, 1 | r0 = 1;
| }
0x0000736a b 0x7344 |
| } while (1);
| label_2:
0x0000736c movs r0, 1 | r0 = 1;
0x0000736e b 0x7344 | goto label_0;
| label_3:
0x00007370 blx 0x3e20 | SSL_CTX_new ();
0x00007374 ldr r0, [sp, 0xc0] | r0 = *(arg_c0h);
0x00007376 movs r1, r0 | r1 = r0;
0x00007378 lsls r0, r0, 0x12 | r0 <<= 0x12;
0x0000737a movs r0, r0 |
0x0000737c str r7, [sp, 0x370] | *(arg_370h) = r7;
0x0000737e movs r1, r0 | r1 = r0;
| }
; assembly | /* r2dec pseudo code output */
| /* /logs/firmware/patool_extraction/rootfs.img_unblob_extracted/rootfs.img_extract/0-50593792.squashfs_v4_le_extract/usr/bin/stclient @ 0xaf18 */
| #include <stdint.h>
|
; (fcn) fcn.0000af18 () | void fcn_0000af18 () {
| int16_t var_0h;
| int16_t var_4h;
| int16_t var_24h;
| int16_t var_0h_2;
| int16_t var_4h_2;
| int16_t var_8h;
| int16_t var_10h;
| int16_t var_14h;
| int16_t var_1ch;
| int16_t var_20h;
| int16_t var_24h_2;
| int16_t var_38h;
| int16_t var_4ch;
| int16_t var_1h;
| int32_t var_4ch_2;
| int32_t var_54h;
| int32_t var_54h_2;
| int16_t var_5ch;
| int16_t var_60h;
| int16_t var_8ch;
| int16_t var_10ch;
0x0000af18 blmi 0x195d8b0 | __asm ("blmi 0x195d8b0");
0x0000af1c ldr r0, [pc, 0x194] |
0x0000af1e add r2, pc | r2 += pc;
0x0000af20 push.w {r4, r5, r6, r7, r8, sb, sl, fp, lr} |
0x0000af24 ldr r3, [r2, r3] | r3 = *((r2 + r3));
0x0000af26 sub sp, 0x114 |
0x0000af28 add r0, pc | r0 = 0x15fe0;
0x0000af2a ldr r3, [r3] | r3 = *(r3);
0x0000af2c str r3, [sp, 0x10c] | var_10ch = r3;
0x0000af2e mov.w r3, 0 | r3 = 0;
0x0000af32 blx 0x3dcc | r0 = g_variant_iter_loop ();
0x0000af36 mov r8, r0 | r8 = r0;
0x0000af38 cmp r0, 0 |
| if (r0 == 0) {
0x0000af3a beq.w 0xb094 | goto label_0;
| }
0x0000af3e ldrb r0, [r0] | r0 = *(r0);
0x0000af40 mov r4, r8 | r4 = r8;
| if (r0 == 0) {
0x0000af42 cbz r0, 0xaf52 | goto label_1;
| }
| do {
0x0000af44 blx 0x3bd0 | fcn_00003bd0 ();
0x0000af48 strb r0, [r4] | *(r4) = r0;
0x0000af4a ldrb r0, [r4, 1]! | r0 = *((r4 += 1));
0x0000af4e cmp r0, 0 |
0x0000af50 bne 0xaf44 |
| } while (r0 != 0);
| label_1:
0x0000af52 add.w sb, sp, 0x8c | sb += var_8ch;
0x0000af56 ldr r6, [pc, 0x160] |
0x0000af58 bl 0xaedc | fcn_0000aedc ();
0x0000af5c movs r1, 0x80 | r1 = 0x80;
0x0000af5e mov r7, r0 | r7 = r0;
0x0000af60 mov r0, sb | r0 = sb;
0x0000af62 add.w fp, sp, 0x20 |
0x0000af66 blx 0x39d4 | fcn_000039d4 ();
0x0000af6a add r3, sp, 0x4c | r3 += var_4ch;
0x0000af6c movs r2, 0x80 | r2 = 0x80;
0x0000af6e mov r4, r3 | r4 = r3;
0x0000af70 mov r1, sb | r1 = sb;
0x0000af72 mov r0, r7 | r0 = r7;
0x0000af74 add r5, sp, 0x60 | r5 += var_60h;
0x0000af76 str r3, [sp, 0x10] | var_10h = r3;
0x0000af78 add r6, pc | r6 = 0x16036;
0x0000af7a blx 0x448c | fcn_0000448c ();
0x0000af7e movs r3, 0 | r3 = 0;
0x0000af80 mov r2, fp | r2 = fp;
0x0000af82 mov r1, r4 | r1 = r4;
0x0000af84 mov r0, r7 | r0 = r7;
0x0000af86 str r3, [sp, 0x20] | var_20h = r3;
0x0000af88 mov sl, r5 | sl = r5;
0x0000af8a blx 0x42b4 | fcn_000042b4 ();
0x0000af8e mov r0, r7 | r0 = r7;
0x0000af90 mov r7, r5 | r7 = r5;
0x0000af92 blx 0x4244 | fcn_00004244 ();
| do {
0x0000af96 ldrb r2, [r4], 1 | r2 = *(r4);
| r4++;
0x0000af9a mov r0, r5 | r0 = r5;
0x0000af9c mov r1, r6 | r1 = r6;
0x0000af9e adds r5, 2 | r5 += 2;
0x0000afa0 blx 0x3ccc | fcn_00003ccc ();
0x0000afa4 cmp r4, sl |
0x0000afa6 bne 0xaf96 |
| } while (r4 != sl);
0x0000afa8 movw r3, 0x7661 |
0x0000afac movs r5, 0 | r5 = 0;
0x0000afae movt r3, 0x7368 | r3 = 0x73687661;
0x0000afb2 str r5, [sp, 0x1c] | var_1ch = r5;
0x0000afb4 str r3, [sp, 0x8c] | var_8ch = r3;
0x0000afb6 add.w sl, sp, 0x24 | sl += var_24h_2;
0x0000afba bl 0xaedc | fcn_0000aedc ();
0x0000afbe movs r2, 4 | r2 = 4;
0x0000afc0 mov r1, sb | r1 = sb;
0x0000afc2 mov r4, r0 | r4 = r0;
0x0000afc4 blx 0x448c | fcn_0000448c ();
0x0000afc8 mov r0, r8 | r0 = r8;
0x0000afca blx 0x40ec | fcn_000040ec ();
0x0000afce mov r1, r8 | r1 = r8;
0x0000afd0 mov r2, r0 | r2 = r0;
0x0000afd2 mov r0, r4 | r0 = r4;
0x0000afd4 blx 0x448c | fcn_0000448c ();
0x0000afd8 movs r2, 4 | r2 = 4;
0x0000afda add r1, sp, 0x1c | r1 += var_1ch;
0x0000afdc mov r0, r4 | r0 = r4;
0x0000afde blx 0x448c | fcn_0000448c ();
0x0000afe2 mov r2, fp | r2 = fp;
0x0000afe4 mov r1, sl | r1 = sl;
0x0000afe6 mov r0, r4 | r0 = r4;
0x0000afe8 str r5, [sp, 0x20] | var_20h = r5;
0x0000afea blx 0x42b4 | fcn_000042b4 ();
0x0000afee mov r0, r4 | r0 = r4;
0x0000aff0 blx 0x4244 | fcn_00004244 ();
0x0000aff4 strd r5, r5, [sp, 0x4c] | __asm ("strd r5, r5, [var_4ch]");
0x0000aff8 strd r5, r5, [sp, 0x54] | __asm ("strd r5, r5, [var_54h]");
0x0000affc str r5, [sp, 0x5c] | var_5ch = r5;
0x0000affe bl 0xaedc | fcn_0000aedc ();
0x0000b002 movs r2, 0x14 | r2 = 0x14;
0x0000b004 mov r1, sl | r1 = sl;
0x0000b006 str r0, [sp, 0x14] | var_14h = r0;
0x0000b008 blx 0x448c | fcn_0000448c ();
0x0000b00c mov r0, r7 | r0 = r7;
0x0000b00e blx 0x40ec | fcn_000040ec ();
0x0000b012 ldr r3, [sp, 0x14] | r3 = var_14h;
0x0000b014 mov r2, r0 | r2 = r0;
0x0000b016 mov r1, r7 | r1 = r7;
0x0000b018 mov r0, r3 | r0 = r3;
0x0000b01a blx 0x448c | fcn_0000448c ();
0x0000b01e ldr r3, [sp, 0x14] | r3 = var_14h;
0x0000b020 mov r2, fp | r2 = fp;
0x0000b022 add.w fp, sp, 0x38 |
0x0000b026 str r5, [sp, 0x20] | var_20h = r5;
0x0000b028 mov r1, fp | r1 = fp;
0x0000b02a mov r0, r3 | r0 = r3;
0x0000b02c blx 0x42b4 | fcn_000042b4 ();
0x0000b030 ldr r3, [sp, 0x14] | r3 = var_14h;
0x0000b032 mov r0, r3 | r0 = r3;
0x0000b034 blx 0x4244 | fcn_00004244 ();
0x0000b038 blx 0x39c8 | fcn_000039c8 ();
0x0000b03c ldr r2, [sp, 0x10] | r2 = var_10h;
0x0000b03e mov r3, fp | r3 = fp;
0x0000b040 str r5, [sp, 8] | var_8h = r5;
0x0000b042 mov r5, sb | r5 = sb;
0x0000b044 mov r1, sl | r1 = sl;
0x0000b046 str r2, [sp, 4] | var_4h_2 = r2;
0x0000b048 mov r4, r2 | r4 = r2;
0x0000b04a movs r2, 0x14 | r2 = 0x14;
0x0000b04c str r2, [sp] | *(sp) = r2;
0x0000b04e blx 0x42cc | fcn_000042cc ();
| do {
0x0000b052 ldrb r2, [r4], 1 | r2 = *(r4);
| r4++;
0x0000b056 mov r0, r5 | r0 = r5;
0x0000b058 mov r1, r6 | r1 = r6;
0x0000b05a adds r5, 2 | r5 += 2;
0x0000b05c blx 0x3ccc | fcn_00003ccc ();
0x0000b060 cmp r7, r4 |
0x0000b062 bne 0xb052 |
| } while (r7 != r4);
0x0000b064 mov r0, r8 | r0 = r8;
0x0000b066 blx 0x3e48 | fcn_00003e48 ();
0x0000b06a ldr r0, [pc, 0x50] |
0x0000b06c mov r2, sb | r2 = sb;
0x0000b06e mov r1, r7 | r1 = r7;
0x0000b070 add r0, pc | r0 = 0x16132;
0x0000b072 blx 0x3bdc | r0 = fcn_00003bdc ();
0x0000b076 mov r8, r0 | r8 = r0;
| do {
0x0000b078 ldr r2, [pc, 0x44] |
0x0000b07a ldr r3, [pc, 0x34] | r3 = *(0xb0b2);
0x0000b07c add r2, pc | r2 = 0x16140;
0x0000b07e ldr r3, [r2, r3] | r3 = *(0x16140);
0x0000b080 ldr r2, [r3] | r2 = *(0x16140);
0x0000b082 ldr r3, [sp, 0x10c] | r3 = var_10ch;
0x0000b084 eors r2, r3 | r2 ^= r3;
0x0000b086 mov.w r3, 0 | r3 = 0;
| if (r2 != r3) {
0x0000b08a bne 0xb0a6 | goto label_2;
| }
0x0000b08c mov r0, r8 | r0 = r8;
0x0000b08e add sp, 0x114 |
0x0000b090 pop.w {r4, r5, r6, r7, r8, sb, sl, fp, pc} |
| label_0:
0x0000b094 ldr r3, [pc, 0x2c] |
0x0000b096 movs r2, 0x82 | r2 = 0x82;
0x0000b098 ldr r1, [pc, 0x2c] |
0x0000b09a movs r0, 3 | r0 = 3;
0x0000b09c add r3, pc | r3 = 0x16164;
0x0000b09e add r1, pc | r1 = 0x1616a;
0x0000b0a0 bl 0xb0cc | fcn_0000b0cc (r0, r1, r2);
0x0000b0a4 b 0xb078 |
| } while (1);
| label_2:
0x0000b0a6 blx 0x3e20 | SSL_CTX_new ();
0x0000b0aa nop |
0x0000b0ac ldrb r6, [r0, r0] | r6 = *((r0 + r0));
0x0000b0ae movs r1, r0 | r1 = r0;
0x0000b0b0 lsls r0, r0, 0x12 | r0 <<= 0x12;
0x0000b0b2 movs r0, r0 |
0x0000b0b4 adcs r4, r5 | __asm ("adcs r4, r5");
0x0000b0b6 movs r0, r0 |
0x0000b0b8 adcs r0, r2 | __asm ("adcs r0, r2");
0x0000b0ba movs r0, r0 |
0x0000b0bc eors r0, r4 | r0 ^= r4;
0x0000b0be movs r0, r0 |
0x0000b0c0 ldrh r0, [r5, r2] | r0 = *((r5 + r2));
0x0000b0c2 movs r1, r0 | r1 = r0;
0x0000b0c4 ands r4, r0 | r4 &= r0;
0x0000b0c6 movs r0, r0 |
0x0000b0c8 subs r7, 0xee | r7 -= 0xee;
0x0000b0ca movs r0, r0 |
| }
[*] Function system used 1 times stclient
