[*] Binary protection state of libimpl_wsd_aentry.so
Full RELRO Canary found NX enabled DSO No RPATH No RUNPATH No Symbols
[*] Function strcpy tear down of libimpl_wsd_aentry.so
; assembly | /* r2dec pseudo code output */
| /* /logs/firmware/patool_extraction/rootfs.img_unblob_extracted/rootfs.img_extract/0-50593792.squashfs_v4_le_extract/usr/lib/libimpl_wsd_aentry.so @ 0x8d4 */
| #include <stdint.h>
|
; (fcn) fcn.000008d4 () | void fcn_000008d4 (int16_t arg1, int16_t arg2, int16_t arg3, int16_t arg4) {
| int16_t var_0h;
| int16_t var_bp_4h;
| int16_t var_bp_ch;
| int16_t var_ch_2;
| int16_t var_4h;
| int16_t var_8h;
| int16_t var_ch;
| int16_t var_10h;
| int16_t var_14h;
| int16_t var_11ch;
| r0 = arg1;
| r1 = arg2;
| r2 = arg3;
| r3 = arg4;
0x000008d4 push.w {r4, r5, r6, r7, r8, sb, sl, fp, lr} |
0x000008d8 mov sl, r1 | sl = r1;
0x000008da sub sp, 0x124 |
0x000008dc ldr r1, [pc, 0x1c0] |
0x000008de mov r4, r3 | r4 = r3;
0x000008e0 mov r8, r0 | r8 = r0;
0x000008e2 str r3, [sp, 8] | var_8h = r3;
0x000008e4 mov r7, r2 | r7 = r2;
0x000008e6 ldr r3, [pc, 0x1bc] | r3 = *(0xaa6);
0x000008e8 add r1, pc | r1 = 0x138c;
0x000008ea movs r2, 4 | r2 = 4;
0x000008ec ldr r3, [r1, r3] |
0x000008ee movs r1, 0 | r1 = 0;
0x000008f0 mov r0, r1 | r0 = r1;
0x000008f2 ldr r3, [r3] | r3 = *(0x138c);
0x000008f4 str r3, [sp, 0x11c] | var_11ch = r3;
0x000008f6 mov.w r3, 0 | r3 = 0;
0x000008fa blx 0x6d8 | g_array_new ();
0x000008fe mov r1, r4 | r1 = r4;
0x00000900 mov sb, r0 | sb = r0;
0x00000902 blx 0x76c | fcn_0000076c ();
0x00000906 ldr.w r1, [sb, 4] | r1 = *((sb + 4));
0x0000090a mov r0, r8 | r0 = r8;
0x0000090c str.w r1, [sl] | __asm ("str.w r1, [sl]");
0x00000910 lsls r1, r1, 4 | r1 <<= 4;
0x00000912 blx 0x760 | fcn_00000760 ();
0x00000916 str r0, [r7] | *(r7) = r0;
0x00000918 mov r0, r8 | r0 = r8;
0x0000091a blx 0x790 | r0 = fcn_00000790 ();
0x0000091e mov r4, r0 | r4 = r0;
0x00000920 mov r0, r8 | r0 = r8;
0x00000922 blx 0x784 | r0 = fcn_00000784 ();
0x00000926 cmp r0, 0 |
| if (r0 == 0) {
0x00000928 beq.w 0xa96 | goto label_3;
| }
0x0000092c ldr r3, [r0] | r3 = *(r0);
0x0000092e str r3, [sp, 4] | var_4h = r3;
| label_2:
0x00000930 add.w fp, sp, 0x1c |
0x00000934 mov r1, r4 | r1 = r4;
0x00000936 mov.w r2, 0x100 | r2 = 0x100;
0x0000093a mov r0, fp | r0 = fp;
0x0000093c blx 0x6fc | stpcpy_chk ();
0x00000940 ldr r1, [pc, 0x164] |
0x00000942 sub.w r3, fp, r0 | r3 = fp - r0;
0x00000946 add.w r3, r3, 0x100 | r3 += 0x100;
0x0000094a movs r2, 2 | r2 = 2;
0x0000094c mov r4, r0 | r4 = r0;
0x0000094e add r1, pc | r1 = 0x13fa;
0x00000950 sub.w r4, r4, fp | r4 -= fp;
0x00000954 blx 0x6e4 | memcpy_chk ();
0x00000958 ldr.w r3, [sl] | r3 = *(sl);
0x0000095c cmp r3, 0 |
0x0000095e itttt gt |
| if (r3 <= 0) {
0x00000960 addgt r3, r4, 2 | r3 = r4 + 2;
| }
| if (r3 <= 0) {
0x00000962 movgt r6, 0 | r6 = 0;
| }
| if (r3 <= 0) {
0x00000964 strgt r3, [sp, 0xc] | var_ch = r3;
| }
| if (r3 <= 0) {
0x00000966 strgt fp, [sp, 0x10] | var_10h = fp;
| }
| if (r3 > 0) {
0x0000096a bgt 0x9e2 | goto label_4;
| }
0x0000096c b 0xa34 | goto label_5;
| do {
0x0000096e ldr r0, [r4, 8] | r0 = *((r4 + 8));
0x00000970 blx 0x748 | fcn_00000748 ();
0x00000974 ldr r3, [sp, 0xc] | r3 = var_ch;
0x00000976 adds r1, r0, r3 | r1 = r0 + r3;
0x00000978 mov r0, r8 | r0 = r8;
0x0000097a blx 0x6c0 | loc_imp_xsoap_malloc ();
0x0000097e ldr r1, [sp, 0x10] | r1 = var_10h;
0x00000980 str r0, [sp, 0x14] | var_14h = r0;
0x00000982 blx 0x6f0 | g_stpcpy ();
0x00000986 ldr r1, [r4, 8] | r1 = *((r4 + 8));
0x00000988 blx 0x6f0 | g_stpcpy ();
0x0000098c ldr r2, [sp, 0x14] | r2 = var_14h;
| label_0:
0x0000098e ldr r3, [r7] | r3 = *(r7);
0x00000990 movs r1, 8 | r1 = 8;
0x00000992 mov r0, r8 | r0 = r8;
0x00000994 add.w fp, r3, r5 |
0x00000998 str.w r2, [fp, 4] | __asm ("str.w r2, [var_bp_4h]");
0x0000099c blx 0x760 | fcn_00000760 ();
0x000009a0 ldr r3, [r7] | r3 = *(r7);
0x000009a2 ldr r1, [r4, 0x10] | r1 = *((r4 + 0x10));
0x000009a4 str.w r0, [fp, 0xc] | __asm ("str.w r0, [var_bp_ch]");
0x000009a8 add r3, r5 | r3 += r5;
0x000009aa ldr r2, [r3, 0xc] | r2 = *((r3 + 0xc));
0x000009ac str r1, [r2] | *(r2) = r1;
0x000009ae ldr r1, [r4, 0x14] | r1 = *((r4 + 0x14));
0x000009b0 str r1, [r2, 4] | *((r2 + 4)) = r1;
0x000009b2 ldr r2, [sp, 8] | r2 = var_8h;
| if (r2 != 0) {
0x000009b4 cbz r2, 0x9c0 |
0x000009b6 ldr r2, [r4, 0xc] | r2 = *((r4 + 0xc));
| if (r2 == 0) {
0x000009b8 cbz r2, 0x9c0 | goto label_1;
| }
0x000009ba ldrb r2, [r2] | r2 = *(r2);
0x000009bc cmp r2, 0 |
| if (r2 != 0) {
0x000009be bne 0xa58 | goto label_6;
| }
| }
| label_1:
0x000009c0 ldr r0, [r4, 4] | r0 = *((r4 + 4));
0x000009c2 adds r6, 1 | r6++;
0x000009c4 blx 0x6b4 | g_free ();
0x000009c8 ldr r0, [r4, 8] | r0 = *((r4 + 8));
0x000009ca blx 0x6b4 | g_free ();
0x000009ce ldr r0, [r4] | r0 = *(r4);
0x000009d0 blx 0x6b4 | g_free ();
0x000009d4 mov r0, r4 | r0 = r4;
0x000009d6 blx 0x6b4 | g_free ();
0x000009da ldr.w r3, [sl] | r3 = *(sl);
0x000009de cmp r3, r6 |
| if (r3 <= r6) {
0x000009e0 ble 0xa34 | goto label_5;
| }
| label_4:
0x000009e2 ldr.w r3, [sb] | r3 = *(sb);
0x000009e6 lsls r5, r6, 4 | r5 = r6 << 4;
0x000009e8 ldr.w r4, [r3, r6, lsl 2] | offset_0 = r6 << 2;
| r4 = *((r3 + offset_0));
0x000009ec ldr r0, [r4] | r0 = *(r4);
0x000009ee blx 0x748 | r0 = fcn_00000748 ();
0x000009f2 adds r1, r0, 1 | r1 = r0 + 1;
0x000009f4 mov r0, r8 | r0 = r8;
0x000009f6 ldr.w fp, [r7] | fp = *(r7);
0x000009fa blx 0x760 | fcn_00000760 ();
0x000009fe ldr r3, [r7] | r3 = *(r7);
0x00000a00 str.w r0, [fp, r5] | __asm ("str.w r0, [fp, r5]");
0x00000a04 ldr r1, [r4] | r1 = *(r4);
0x00000a06 ldr r0, [r3, r5] | r0 = *((r3 + r5));
0x00000a08 blx 0x708 | strcpy (r0, r1)
0x00000a0c ldr r3, [sp, 4] | r3 = var_4h;
0x00000a0e cmp r3, 0 |
0x00000a10 bne 0x96e |
| } while (r3 != 0);
0x00000a12 ldr r0, [r4, 4] | r0 = *((r4 + 4));
0x00000a14 blx 0x748 | fcn_00000748 ();
0x00000a16 vfnms.f64 d9, d8, d3 | __asm ("vfnms.f64 d9, d8, d3");
0x00000a1a adds r1, r0, r3 | r1 = r0 + r3;
0x00000a1c mov r0, r8 | r0 = r8;
0x00000a1e blx 0x6c0 | loc_imp_xsoap_malloc ();
0x00000a22 ldr r1, [sp, 0x10] | r1 = var_10h;
0x00000a24 str r0, [sp, 0x14] | var_14h = r0;
0x00000a26 blx 0x6f0 | g_stpcpy ();
0x00000a2a ldr r1, [r4, 4] | r1 = *((r4 + 4));
0x00000a2c blx 0x6f0 | g_stpcpy ();
0x00000a30 ldr r2, [sp, 0x14] | r2 = var_14h;
0x00000a32 b 0x98e | goto label_0;
| label_5:
0x00000a34 movs r1, 1 | r1 = 1;
0x00000a36 mov r0, sb | r0 = sb;
0x00000a38 blx 0x714 | g_array_free ();
0x00000a3c ldr r2, [pc, 0x6c] |
0x00000a3e ldr r3, [pc, 0x64] | r3 = *(0xaa6);
0x00000a40 add r2, pc | r2 = 0x14f0;
0x00000a42 ldr r3, [r2, r3] | r3 = *(0x14f0);
0x00000a44 ldr r2, [r3] | r2 = *(0x14f0);
0x00000a46 ldr r3, [sp, 0x11c] | r3 = var_11ch;
0x00000a48 eors r2, r3 | r2 ^= r3;
0x00000a4a mov.w r3, 0 | r3 = 0;
| if (r2 == r3) {
0x00000a4e bne 0xa9a |
0x00000a50 movs r0, 1 | r0 = 1;
0x00000a52 add sp, 0x124 |
0x00000a54 pop.w {r4, r5, r6, r7, r8, sb, sl, fp, pc} |
| label_6:
0x00000a58 movs r1, 4 | r1 = 4;
0x00000a5a mov r0, r8 | r0 = r8;
0x00000a5c str r3, [sp, 0x14] | var_14h = r3;
0x00000a5e blx 0x760 | fcn_00000760 ();
0x00000a62 ldr r3, [sp, 0x14] | r3 = var_14h;
0x00000a64 str r0, [r3, 8] | *((r3 + 8)) = r0;
0x00000a66 ldr r0, [r4, 0xc] | r0 = *((r4 + 0xc));
0x00000a68 blx 0x748 | fcn_00000748 ();
0x00000a6c ldr r3, [r7] | r3 = *(r7);
0x00000a6e adds r1, r0, 1 | r1 = r0 + 1;
0x00000a70 mov r0, r8 | r0 = r8;
0x00000a72 add r3, r5 | r3 += r5;
0x00000a74 ldr r3, [r3, 8] | r3 = *((r3 + 8));
0x00000a76 str r3, [sp, 0x14] | var_14h = r3;
0x00000a78 blx 0x760 | fcn_00000760 ();
0x00000a7c ldr r3, [sp, 0x14] | r3 = var_14h;
0x00000a7e ldr r1, [r4, 0xc] | r1 = *((r4 + 0xc));
0x00000a80 str r0, [r3] | *(r3) = r0;
0x00000a82 ldr r3, [r7] | r3 = *(r7);
0x00000a84 add r3, r5 | r3 += r5;
0x00000a86 ldr r3, [r3, 8] | r3 = *((r3 + 8));
0x00000a88 ldr r0, [r3] | r0 = *(r3);
0x00000a8a blx 0x708 | strcpy (r0, r1)
0x00000a8e ldr r0, [r4, 0xc] | r0 = *((r4 + 0xc));
0x00000a90 blx 0x6b4 | g_free ();
0x00000a94 b 0x9c0 | goto label_1;
| label_3:
0x00000a96 str r0, [sp, 4] | var_4h = r0;
0x00000a98 b 0x930 | goto label_2;
| }
0x00000a9a blx 0x6cc | stack_chk_fail ();
0x00000a9e nop |
0x00000aa0 lsls r4, r4, 0x1a | r4 <<= 0x1a;
0x00000aa2 movs r1, r0 | r1 = r0;
0x00000aa4 lsls r4, r4, 1 | r4 <<= 1;
0x00000aa6 movs r0, r0 |
0x00000aa8 lsls r2, r6, 0xb | r2 = r6 << 0xb;
0x00000aaa movs r0, r0 |
0x00000aac lsls r4, r1, 0x15 | r4 = r1 << 0x15;
0x00000aae movs r1, r0 | r1 = r0;
| }
[*] Function strcpy used 3 times libimpl_wsd_aentry.so
