[*] Binary protection state of ntpd
Full RELRO Canary found NX enabled PIE enabled No RPATH No RUNPATH No Symbols
[*] Function fprintf tear down of ntpd
; assembly | /* r2dec pseudo code output */
| /* /logs/firmware/patool_extraction/rootfs.img_unblob_extracted/rootfs.img_extract/0-50593792.squashfs_v4_le_extract/usr/sbin/ntpd @ 0x3380 */
| #include <stdint.h>
|
; (fcn) fcn.00003380 () | void fcn_00003380 (int16_t arg_e8h, int16_t arg_268h, int16_t arg1) {
| int16_t var_4h_2;
| int16_t var_6h;
| int16_t var_74h;
| r0 = arg1;
0x00003380 push {r4, r5, r6, r7, lr} |
0x00003382 movs r1, 1 | r1 = 1;
0x00003384 ldr r4, [pc, 0x14c] |
0x00003386 sub sp, 0x7c |
0x00003388 mov r5, r0 | r5 = r0;
0x0000338a movs r2, 0 | r2 = 0;
0x0000338c ldr r3, [pc, 0x148] | r3 = *(0x34d8);
0x0000338e movt r1, 8 | r1 = (r1 & 0xFFFF) | 0x80000;
0x00003392 add r4, pc | r4 = 0x686a;
0x00003394 movs r0, 1 | r0 = 1;
0x00003396 ldr r3, [r4, r3] |
0x00003398 ldr r3, [r3] | r3 = *(0x686a);
0x0000339a str r3, [sp, 0x74] | var_74h = r3;
0x0000339c mov.w r3, 0 | r3 = 0;
0x000033a0 blx 0x1bf8 | r0 = fcn_00001bf8 ();
0x000033a4 mov r4, r0 | r4 = r0;
0x000033a6 adds r0, 1 | r0++;
| if (r0 == 1) {
0x000033a8 beq 0x3448 | goto label_2;
| }
0x000033aa add r7, sp, 4 | r7 += var_4h_2;
0x000033ac movs r2, 0x6e | r2 = 0x6e;
0x000033ae movs r1, 0 | r1 = 0;
0x000033b0 mov r0, r7 | r0 = r7;
0x000033b2 blx 0x1adc | fprintf_chk ()
0x000033b6 movs r6, 1 | r6 = 1;
0x000033b8 movs r2, 0x6c | r2 = 0x6c;
0x000033ba mov r1, r5 | r1 = r5;
0x000033bc add.w r0, sp, 6 | r0 += var_6h;
0x000033c0 strh.w r6, [sp, 4] | var_4h_2 = r6;
0x000033c4 bl 0x9e68 | r0 = fcn_00009e68 (r0, r1, r2);
0x000033c8 cmp r0, 0x6b |
| if (r0 > 0x6b) {
0x000033ca bhi 0x34c6 | goto label_3;
| }
0x000033cc mov r0, r5 | r0 = r5;
0x000033ce blx 0x1888 | r0 = fcn_00001888 ();
0x000033d2 adds r2, r0, 1 | r2 = r0 + 1;
0x000033d4 mov r6, r0 | r6 = r0;
| if (r2 == r0) {
0x000033d6 bne 0x33e2 |
0x000033d8 blx 0x1a94 | r0 = bind (r0, r1, r2);
0x000033dc ldr r3, [r0] | r3 = *(r0);
0x000033de cmp r3, 2 |
| if (r3 != 2) {
0x000033e0 bne 0x349c | goto label_4;
| }
| }
0x000033e2 movs r0, 0x4f | r0 = 0x4f;
0x000033e4 blx 0x1c04 | fcn_00001c04 ();
0x000033e6 invalid |
0x000033ea movs r2, 0x6e | r2 = 0x6e;
0x000033ec mov r7, r0 | r7 = r0;
0x000033ee mov r0, r4 | r0 = r4;
0x000033f0 blx 0x1ab8 | r0 = memset (r0, r1, r2);
0x000033f4 adds r3, r0, 1 | r3 = r0 + 1;
0x000033f6 mov r6, r0 | r6 = r0;
| if (r3 == r0) {
0x000033f8 beq 0x3482 | goto label_5;
| }
0x000033fa mov r0, r7 | r0 = r7;
0x000033fc blx 0x1c04 | fcn_00001c04 ();
0x00003400 mov.w r1, 0x1b0 | r1 = 0x1b0;
0x00003404 mov r0, r5 | r0 = r5;
0x00003406 blx 0x1c10 | fcn_00001c10 ();
0x0000340a adds r0, 1 | r0++;
| if (r0 == 1) {
0x0000340c beq 0x3478 | goto label_6;
| }
0x0000340e ldr r0, [pc, 0xcc] |
0x00003410 add r0, pc | r0 = 0x68f2;
0x00003412 blx 0x1c74 | r0 = fcn_00001c74 ();
0x00003416 cmp r0, 0 |
| if (r0 == 0) {
0x00003418 beq 0x34b0 | goto label_7;
| }
0x0000341a ldr r2, [r0, 8] | r2 = *((r0 + 8));
0x0000341c movs r1, 0 | r1 = 0;
0x0000341e mov r0, r5 | r0 = r5;
0x00003420 blx 0x1a7c | getservbyname ();
0x00003424 adds r0, 1 | r0++;
| if (r0 == 1) {
0x00003426 beq 0x3452 | goto label_8;
| }
0x00003428 mov r0, r4 | r0 = r4;
0x0000342a bl 0x3348 | fcn_00003348 (r0);
| do {
| label_0:
0x0000342e ldr r2, [pc, 0xb0] |
0x00003430 ldr r3, [pc, 0xa4] | r3 = *(0x34d8);
0x00003432 add r2, pc | r2 = 0x6918;
0x00003434 ldr r3, [r2, r3] | r3 = *(0x6918);
0x00003436 ldr r2, [r3] | r2 = *(0x6918);
0x00003438 ldr r3, [sp, 0x74] | r3 = var_74h;
0x0000343a eors r2, r3 | r2 ^= r3;
0x0000343c mov.w r3, 0 | r3 = 0;
| if (r2 != r3) {
0x00003440 bne 0x34d0 | goto label_9;
| }
0x00003442 mov r0, r4 | r0 = r4;
0x00003444 add sp, 0x7c |
0x00003446 pop {r4, r5, r6, r7, pc} |
| label_2:
0x00003448 ldr r0, [pc, 0x98] |
0x0000344a add r0, pc | r0 = 0x6932;
0x0000344c bl 0x3ee4 | fcn_00003ee4 (r0, r1);
0x00003450 b 0x342e |
| } while (1);
| label_8:
0x00003452 blx 0x1a94 | r0 = bind (r0, r1, r2);
0x00003456 ldr r0, [r0] | r0 = *(r0);
0x00003458 blx 0x19a4 | r0 = vfprintf_chk ()
0x0000345c mov r1, r0 | r1 = r0;
0x0000345e ldr r0, [pc, 0x88] |
0x00003460 add r0, pc | r0 = 0x694e;
0x00003462 bl 0x3ee4 | fcn_00003ee4 (r0, r1);
| do {
| label_1:
0x00003466 mov r0, r4 | r0 = r4;
0x00003468 mov.w r4, -1 | r4 = -1;
0x0000346c blx 0x1c44 | getgrnam ();
0x00003470 mov r0, r5 | r0 = r5;
0x00003472 blx 0x1888 | fcn_00001888 ();
0x00003476 b 0x342e | goto label_0;
| label_6:
0x00003478 ldr r0, [pc, 0x70] |
0x0000347a add r0, pc | r0 = 0x696a;
0x0000347c bl 0x3ee4 | fcn_00003ee4 (r0, r1);
0x00003480 b 0x3466 |
| } while (1);
| label_5:
0x00003482 ldr r0, [pc, 0x6c] |
0x00003484 mov r1, r5 | r1 = r5;
0x00003486 add r0, pc | r0 = 0x697c;
0x00003488 bl 0x3ee4 | fcn_00003ee4 (r0, r1);
0x0000348c mov r0, r4 | r0 = r4;
0x0000348e mov r4, r6 | r4 = r6;
0x00003490 blx 0x1c44 | getgrnam ();
0x00003494 mov r0, r7 | r0 = r7;
0x00003496 blx 0x1c04 | fcn_00001c04 ();
0x0000349a b 0x342e | goto label_0;
| label_4:
0x0000349c ldr r0, [pc, 0x54] |
0x0000349e mov r1, r5 | r1 = r5;
0x000034a0 add r0, pc | r0 = 0x6998;
0x000034a2 bl 0x3ee4 | fcn_00003ee4 (r0, r1);
0x000034a6 mov r0, r4 | r0 = r4;
0x000034a8 mov r4, r6 | r4 = r6;
0x000034aa blx 0x1c44 | getgrnam ();
0x000034ae b 0x342e | goto label_0;
| label_7:
0x000034b0 blx 0x1a94 | r0 = bind (r0, r1, r2);
0x000034b4 ldr r0, [r0] | r0 = *(r0);
0x000034b6 blx 0x19a4 | r0 = vfprintf_chk ()
0x000034ba mov r1, r0 | r1 = r0;
0x000034bc ldr r0, [pc, 0x38] |
0x000034be add r0, pc | r0 = 0x69ba;
0x000034c0 bl 0x3ee4 | fcn_00003ee4 (r0, r1);
0x000034c4 b 0x3466 | goto label_1;
| label_3:
0x000034c6 ldr r1, [pc, 0x34] |
0x000034c8 mov r0, r6 | r0 = r6;
0x000034ca add r1, pc | r1 = 0x69cc;
0x000034cc blx 0x1b4c | fcn_00001b4c ();
| label_9:
0x000034d0 blx 0x1860 | register_atfork ();
0x000034d4 add r2, sp, 0xe8 | r2 += arg_e8h;
0x000034d6 movs r1, r0 | r1 = r0;
0x000034d8 lsls r0, r7, 7 | r0 = r7 << 7;
0x000034da movs r0, r0 |
0x000034dc strh r0, [r4, 0x1a] | *((r4 + 0x1a)) = r0;
0x000034de movs r0, r0 |
0x000034e0 add r1, sp, 0x268 | r1 += arg_268h;
0x000034e2 movs r1, r0 | r1 = r0;
0x000034e4 strh r6, [r5, 0x14] | *((r5 + 0x14)) = r6;
0x000034e6 movs r0, r0 |
0x000034e8 strh r0, [r7, 0x18] | *((r7 + 0x18)) = r0;
0x000034ea movs r0, r0 |
0x000034ec strh r2, [r4, 0x16] | *((r4 + 0x16)) = r2;
0x000034ee movs r0, r0 |
0x000034f0 strh r6, [r7, 0x14] | *((r7 + 0x14)) = r6;
0x000034f2 movs r0, r0 |
0x000034f4 strh r4, [r1, 0x14] | *((r1 + 0x14)) = r4;
0x000034f6 movs r0, r0 |
0x000034f8 strh r6, [r7, 0x14] | *((r7 + 0x14)) = r6;
0x000034fa movs r0, r0 |
0x000034fc strh r6, [r0, 0x12] | *((r0 + 0x12)) = r6;
0x000034fe movs r0, r0 |
| }
; assembly | /* r2dec pseudo code output */
| /* /logs/firmware/patool_extraction/rootfs.img_unblob_extracted/rootfs.img_extract/0-50593792.squashfs_v4_le_extract/usr/sbin/ntpd @ 0x3e54 */
| #include <stdint.h>
|
; (fcn) fcn.00003e54 () | void fcn_00003e54 (int16_t arg1, int16_t arg2, int16_t arg3) {
| int16_t var_0h_2;
| r0 = arg1;
| r1 = arg2;
| r2 = arg3;
0x00003e54 invalid |
0x00003e58 sub sp, 8 |
| if (r1 == 0) {
0x00003e5a cbz r1, 0x3eb2 | goto label_1;
| }
0x00003e5c mov r0, r2 | r0 = r2;
0x00003e5e mov.w r3, 0x2000 | r3 = 0x2000;
0x00003e62 ldr r6, [pc, 0x5c] |
0x00003e64 movs r2, 1 | r2 = 1;
0x00003e66 strd r1, r0, [sp] | __asm ("strd r1, r0, [sp]");
0x00003e6a mov r1, r3 | r1 = r3;
0x00003e6c ldr r0, [pc, 0x54] |
0x00003e6e add r6, pc | r6 = 0x7d34;
0x00003e70 add r0, pc | r0 = 0x7d38;
0x00003e72 blx 0x17e0 | fcn_000017e0 ();
| label_0:
0x00003e76 ldr r3, [pc, 0x50] |
0x00003e78 add r3, pc | r3 = 0x7d46;
0x00003e7a ldr r5, [r3, 8] | r5 = *(0x7d4e);
| if (r4 == 0) {
0x00003e7c cbz r4, 0x3e9c | goto label_2;
| }
0x00003e7e mov r0, r4 | r0 = r4;
0x00003e80 blx 0x19a4 | vfprintf_chk ()
0x00003e84 ldr r3, [pc, 0x44] |
0x00003e86 mov r2, r5 | r2 = r5;
0x00003e88 ldr r1, [pc, 0x44] |
0x00003e8a strd r6, r0, [sp] | __asm ("strd r6, r0, [sp]");
0x00003e8e movs r0, 2 | r0 = 2;
0x00003e90 add r3, pc | r3 = 0x7d60;
0x00003e92 add r1, pc | r1 = 0x7d66;
0x00003e94 bl 0x3e04 | fcn_00003e04 (r0, r1, r2);
| do {
0x00003e98 add sp, 8 |
0x00003e9a pop {r4, r5, r6, pc} |
| label_2:
0x00003e9c ldr r4, [pc, 0x34] |
0x00003e9e mov r3, r6 | r3 = r6;
0x00003ea0 ldr r1, [pc, 0x34] |
0x00003ea2 mov r2, r5 | r2 = r5;
0x00003ea4 movs r0, 2 | r0 = 2;
0x00003ea6 add r4, pc | r4 = 0x7d7e;
0x00003ea8 add r1, pc | r1 = 0x7d84;
0x00003eaa str r4, [sp] | *(sp) = r4;
0x00003eac bl 0x3e04 | fcn_00003e04 (r0, r1, r2);
0x00003eb0 b 0x3e98 |
| } while (1);
| label_1:
0x00003eb2 ldr r3, [pc, 0x28] |
0x00003eb4 ldr r6, [pc, 0x28] |
0x00003eb6 add r3, pc | r3 = 0x7d98;
0x00003eb8 add r6, pc | r6 = 0x7d9c;
0x00003eba strb r1, [r3] | *(r3) = r1;
0x00003ebc b 0x3e76 | goto label_0;
| }
; assembly | /* r2dec pseudo code output */
| /* /logs/firmware/patool_extraction/rootfs.img_unblob_extracted/rootfs.img_extract/0-50593792.squashfs_v4_le_extract/usr/sbin/ntpd @ 0x3ee4 */
| #include <stdint.h>
|
; (fcn) fcn.00003ee4 () | void fcn_00003ee4 (int16_t arg_240h, int16_t arg_378h) {
| int16_t var_0h_6;
| int16_t var_ch;
| int16_t var_10h_6;
| int16_t var_14h;
| int16_t var_28h;
| int16_t var_2ch;
0x00003ee4 push {r0, r1, r2, r3} |
0x00003ee6 ldr r2, [pc, 0xa4] |
0x00003ee8 ldr r3, [pc, 0xa4] | r3 = *(0x3f90);
0x00003eea push {r4, r5, r6, lr} |
0x00003eec sub sp, 0x18 |
0x00003eee add r2, pc | r2 = 0x7e80;
0x00003ef0 ldr r6, [sp, 0x28] | r6 = var_28h;
0x00003ef2 ldr r3, [r2, r3] |
0x00003ef4 ldr r3, [r3] | r3 = *(0x7e80);
0x00003ef6 str r3, [sp, 0x14] | var_14h = r3;
0x00003ef8 mov.w r3, 0 | r3 = 0;
0x00003efc blx 0x1a94 | r0 = bind (r0, r1, r2);
0x00003f00 ldr r5, [r0] | r5 = *(r0);
0x00003f02 mov r4, r0 | r4 = r0;
0x00003f04 cmp r6, 0 |
| if (r6 == 0) {
0x00003f06 beq 0x3f74 | goto label_1;
| }
0x00003f08 add r3, sp, 0x2c | r3 += var_2ch;
0x00003f0a mov r0, r5 | r0 = r5;
0x00003f0c str r3, [sp, 0x10] | var_10h_6 = r3;
0x00003f0e blx 0x19a4 | vfprintf_chk ()
0x00003f12 ldr r2, [pc, 0x80] |
0x00003f14 mov r3, r6 | r3 = r6;
0x00003f16 str r0, [sp] | *(sp) = r0;
0x00003f18 movs r1, 1 | r1 = 1;
0x00003f1a add r0, sp, 0xc | r0 += var_ch;
0x00003f1c add r2, pc | r2 = 0x7eb6;
0x00003f1e blx 0x1964 | fcn_00001964 ();
0x00003f22 adds r0, 1 | r0++;
| if (r0 == 1) {
0x00003f24 beq 0x3f56 | goto label_2;
| }
0x00003f26 movs r0, 4 | r0 = 4;
0x00003f28 ldrd r1, r2, [sp, 0xc] | __asm ("ldrd r1, r2, [var_10h_6]");
0x00003f2c bl 0x3d38 | fcn_00003d38 (r0, r1, r2);
0x00003f30 ldr r0, [sp, 0xc] | r0 = var_ch;
0x00003f32 blx 0x17a4 | fcn_000017a4 ();
| do {
| label_0:
0x00003f36 ldr r2, [pc, 0x60] |
0x00003f38 ldr r3, [pc, 0x54] | r3 = *(0x3f90);
0x00003f3a str r5, [r4] | *(r4) = r5;
0x00003f3c add r2, pc | r2 = 0x7eda;
0x00003f3e ldr r3, [r2, r3] | r3 = *(0x7eda);
0x00003f40 ldr r2, [r3] | r2 = *(0x7eda);
0x00003f42 ldr r3, [sp, 0x14] | r3 = var_14h;
0x00003f44 eors r2, r3 | r2 ^= r3;
0x00003f46 mov.w r3, 0 | r3 = 0;
| if (r2 != r3) {
0x00003f4a bne 0x3f88 | goto label_3;
| }
0x00003f4c add sp, 0x18 |
0x00003f4e pop.w {r4, r5, r6, lr} |
0x00003f52 add sp, 0x10 |
0x00003f54 bx lr | return;
| label_2:
0x00003f56 ldr r2, [sp, 0x10] | r2 = var_10h_6;
0x00003f58 mov r1, r6 | r1 = r6;
0x00003f5a movs r0, 4 | r0 = 4;
0x00003f5c bl 0x3d38 | fcn_00003d38 (r0, r1, r2);
0x00003f60 mov r0, r5 | r0 = r5;
0x00003f62 blx 0x19a4 | vfprintf_chk ()
0x00003f64 stc p9, c4, [r0, -0x34]! | __asm ("stc p9, c4, [r0, -0x34]!");
0x00003f68 mov r2, r0 | r2 = r0;
0x00003f6a movs r0, 4 | r0 = 4;
0x00003f6c add r1, pc | r1 += pc;
0x00003f6e bl 0x3e04 | fcn_00003e04 (r0, r1, r2);
0x00003f72 b 0x3f36 |
| } while (1);
| label_1:
0x00003f74 mov r0, r5 | r0 = r5;
0x00003f76 blx 0x19a4 | vfprintf_chk ()
0x00003f7a ldr r1, [pc, 0x24] |
0x00003f7c mov r2, r0 | r2 = r0;
0x00003f7e movs r0, 4 | r0 = 4;
0x00003f80 add r1, pc | r1 = 0x7f26;
0x00003f82 bl 0x3e04 | fcn_00003e04 (r0, r1, r2);
0x00003f86 b 0x3f36 | goto label_0;
| label_3:
0x00003f88 blx 0x1860 | register_atfork ();
0x00003f8c ldr r6, [sp, 0x378] | r6 = *(arg_378h);
0x00003f8e movs r1, r0 | r1 = r0;
0x00003f90 lsls r0, r7, 7 | r0 = r7 << 7;
0x00003f92 movs r0, r0 |
0x00003f94 ldrb r4, [r5, 4] | r4 = *((r5 + 4));
0x00003f96 movs r0, r0 |
0x00003f98 ldr r6, [sp, 0x240] | r6 = *(arg_240h);
0x00003f9a movs r1, r0 | r1 = r0;
0x00003f9c strb r4, [r2, 0x1a] | *((r2 + 0x1a)) = r4;
0x00003f9e movs r0, r0 |
0x00003fa0 strb r0, [r0, 0x1a] | *((r0 + 0x1a)) = r0;
0x00003fa2 movs r0, r0 |
| }
[*] Function fprintf used 8 times ntpd
