[*] Binary protection state of overlayimage.cgi

  
  	Full RELRO     Canary found      NX disabled  PIE enabled  No RPATH     No RUNPATH   No Symbols


[*] Function printf tear down of overlayimage.cgi

; Excerpt, cut at both ends: the tail of a prologue, a free-space check, then
; the buffer passed in a0 is written to a file whose path is built with
; g_strdup_printf.
; MIPS delay slots: the instruction after each jalr/branch executes before
; control transfers, so an argument set there belongs to the call above it.
; r2 flag names flatten punctuation to '_': str._tmp is presumably "/tmp" and
; str._s__s presumably "%s/%s" -- confirm against the string table.
sw s0, 0x170(sp)
sw ra, 0x194(sp)
sw fp, 0x190(sp)
sw s7, 0x18c(sp)
sw s6, 0x188(sp)
; Incoming arguments are parked in callee-saved registers:
; s4 = a0, s0 = a1, s5 = a2 (set in the delay slot below), a3 -> 0x1a4(sp).
move s4, a0
move s0, a1
addiu a0, s1, str._tmp
move a1, s3
sw a3, 0x1a4(sp)
sw v1, 0x2c(sp)
sw v0, 0x16c(sp)
; Call through t9 with a0 = s1 + str._tmp and a1 = s3. t9 is loaded before this
; excerpt; the same argument shape and follow-up arithmetic appear after a
; statfs call elsewhere in this listing, so this is presumably statfs -- TODO confirm.
jalr t9
move s5, a2
; A negative return takes the 0x2a48 path.
bltz v0, 0x2a48
lw gp, 0x20(sp)
; v0 = word at 0x60(sp) * word at 0x6c(sp); v1 = 0x19000 (102400).
; Branch to 0x2a48 when (product - s0) < 0x19000.
; NOTE(review): mul keeps only the low 32 bits and slt is a signed compare;
; if these are filesystem block size/count fields and s0 is a caller-supplied
; length, check that neither wrap-around nor a negative value can satisfy the
; test -- the field meanings are not visible here.
lw v1, 0x60(sp)
lw v0, 0x6c(sp)
mul v0, v0, v1
lui v1, 1
ori v1, v1, 0x9000
subu v0, v0, s0
slt v0, v0, v1
bnez v0, 0x2a48
lw s7, -0x7fdc(gp)
; v0 = g_strdup_printf(s7 + str._s__s, s1 + str._tmp, s5)
; s5 is the third incoming argument; nothing in this excerpt validates it.
; NOTE(review): confirm the caller rejects path separators and ".." in that
; value before it becomes a file name component.
lw t9, -sym.imp.g_strdup_printf(gp)
addiu a1, s1, str._tmp
move a2, s5
jalr t9
addiu a0, s7, str._s__s
lw gp, 0x20(sp)
; s6 = fopen(path, mode), mode string at base + 0x60f4 (unnamed by r2).
; s1 keeps the formatted path.
; NOTE(review): fopen by name follows symlinks and reuses existing files; if
; the directory is shared and world-writable, prefer the mkstemp pattern this
; binary uses for its palette file. Hedged: the mode string is not shown.
move a0, v0
move s1, v0
lw a1, -0x7fdc(gp)
lw t9, -sym.imp.fopen(gp)
jalr t9
addiu a1, a1, 0x60f4
move s6, v0
; fopen returning NULL takes the 0x3030 path.
beqz v0, 0x3030
lw gp, 0x20(sp)
; fwrite(s4, 1, s0, stream): buffer = first incoming arg, count = second.
; The handling of fwrite's return value is outside this excerpt.
lw t9, -sym.imp.fwrite(gp)
move a3, v0
move a2, s0
addiu a1, zero, 1
jalr t9
move a0, s4
--
; Excerpt, cut at both ends: derives a file stem from s5, formats a path
; under the string r2 labels str._etc_overlays, and stages a mkstemp template
; on the stack.
; MIPS delay slots: the instruction after each jalr/branch executes before
; control transfers, so an argument set there belongs to the call above it.
lw v0, 0x28(sp)
beqz v0, 0x2c30
lw t9, -sym.imp.strdup(gp)
; strstr(s4, base + str.transparencytrue); a match takes the 0x33f8 path.
lw a1, -0x7fdc(gp)
lw t9, -sym.imp.strstr(gp)
addiu a1, a1, str.transparencytrue
jalr t9
move a0, s4
bnez v0, 0x33f8
lw gp, 0x20(sp)
; s6 = strdup(s5)
lw t9, -sym.imp.strdup(gp)
jalr t9
move a0, s5
lw gp, 0x20(sp)
; strrchr(copy, 0x2e): find the last '.' in the copy.
; NOTE(review): the strdup result goes straight into strrchr with no NULL
; check visible in this excerpt.
addiu a1, zero, 0x2e
move a0, v0
lw t9, -sym.imp.strrchr(gp)
jalr t9
move s6, v0
; No '.' found -> 0x2c5c; otherwise the copy is cut at the last '.'.
beqz v0, 0x2c5c
lw gp, 0x20(sp)
sb zero, (v0)
; Word at 0x1a4(sp): non-zero takes the 0x2f7c path. Another excerpt in this
; listing stores a3 at this offset; presumably the same frame -- TODO confirm.
lw v0, 0x1a4(sp)
bnez v0, 0x2f7c
lw a1, -0x7fdc(gp)
; s7 = g_strdup_printf(s7 + str._s__s, base + str._etc_overlays, s6)
; (s7 is used as the string base here and then overwritten with the result).
; NOTE(review): s6 is the truncated copy of s5; confirm s5 cannot contain
; path separators or ".." by the time it reaches this point.
lw t9, -sym.imp.g_strdup_printf(gp)
addiu a0, s7, str._s__s
move a2, s6
jalr t9
addiu a1, a1, str._etc_overlays
lw gp, 0x20(sp)
move s7, v0
move s5, zero
; Inline copy of the mkstemp template into the stack buffer at sp + 0xec.
; Seven words (0x00..0x18 = 28 bytes) are loaded, which matches
; "/tmp/overlay_palette.XXXXXX" plus its NUL if that is the literal behind
; the r2 flag. mkstemp rewrites its template, hence the writable copy.
; The remaining stores and the call itself are past the end of the excerpt.
lw v1, -0x7fdc(gp)
lw t9, -sym.imp.mkstemp(gp)
addiu v0, v1, str._tmp_overlay_palette.XXXXXX
lw t1, str._tmp_overlay_palette.XXXXXX(v1)
lw t0, 4(v0)
lw a3, 8(v0)
lw a2, 0xc(v0)
lw a1, 0x10(v0)
lw v1, 0x14(v0)
lw v0, 0x18(v0)
; a0 = address of the stack copy; also saved at 0x38(sp) for later use.
addiu a0, sp, 0xec
sw a0, 0x38(sp)
sw t1, 0xec(sp)
--
; Excerpt, cut at both ends and spanning several basic blocks: format checks,
; a free-space check on the string r2 labels str._etc, creation of a
; per-image directory, and an argument vector for /usr/bin/image2ovl.
; MIPS delay slots: the instruction after each jalr/branch executes before
; control transfers, so an argument set there belongs to the call above it.
; s0 carries a negative status code on the failure paths shown.
move s4, zero
b 0x2ba0
move s5, zero
bnez v0, 0x2be0
lw v0, 0x1a4(sp)
; strstr(s4, base + str.typewin_eight_bits); a match takes the 0x2bdc path.
lw a1, -0x7fdc(gp)
lw t9, -sym.imp.strstr(gp)
addiu a1, a1, str.typewin_eight_bits
jalr t9
move a0, s4
bnez v0, 0x2bdc
lw gp, 0x20(sp)
; No match: clear the working registers and leave with s0 = -0x3ee (-1006).
move s7, zero
move fp, zero
move s6, zero
addiu s0, zero, -0x3ee
move s4, zero
b 0x2ba0
move s5, zero
; Table lookup: s0 = word at (v0 + 0x6350) + s0 * 4.
; NOTE(review): no bounds check on the index is visible in this excerpt;
; confirm it is range-checked before this point.
sll s0, s0, 2
addiu v0, v0, 0x6350
lwx s0, s0(v0)
; bltzl is branch-likely: the delay slot (s4 = 0) runs only when the branch
; to 0x2e80 is taken, i.e. when the table value is negative.
bltzl s0, 0x2e80
move s4, zero
; s4 = g_strdup_printf(base + 0x6180, s4) -- format string unnamed by r2.
lw a0, -0x7fdc(gp)
lw t9, -sym.imp.g_strdup_printf(gp)
move a1, s4
jalr t9
addiu a0, a0, 0x6180
move s4, v0
lw v0, 0x1a4(sp)
beqz v0, 0x2f30
lw gp, 0x20(sp)
beqz fp, 0x30a8
lw t9, -sym.imp.strrchr(gp)
; statfs(base + str._etc, s3); a negative return takes the 0x303c path.
lw a0, -0x7fdc(gp)
lw t9, -sym.imp.statfs(gp)
move a1, s3
jalr t9
addiu a0, a0, str._etc
bltz v0, 0x303c
lw gp, 0x20(sp)
; Product of the words at 0x60(sp) and 0x6c(sp) must be >= 0x10000 (65536),
; otherwise 0x303c. Presumably these are fields of the statfs buffer at s3
; -- TODO confirm which ones.
; NOTE(review): mul keeps only the low 32 bits and slt is signed, so a large
; filesystem can wrap the product; confirm that case fails safe.
lw v1, 0x60(sp)
lw v0, 0x6c(sp)
mul v0, v0, v1
lui v1, 1
slt v0, v0, v1
bnez v0, 0x303c
lw v0, 0x2c(sp)
; Success: the formatted string in s4 is stored through the pointer held at
; 0x2c(sp), and s0 = 0.
move s0, zero
move fp, zero
sw s4, (v0)
b 0x2ba0
move s4, zero
bnez fp, 0x3114
lw s0, -0x7fdc(gp)
; s5 = g_strdup_printf(s0 + str._s__s.ovl, base + str._etc_overlays, s6)
; (s5 is captured in the delay slot of the umask call below).
lw a1, -0x7fdc(gp)
lw t9, -sym.imp.g_strdup_printf(gp)
move a2, s6
addiu a1, a1, str._etc_overlays
jalr t9
addiu a0, s0, str._s__s.ovl
lw gp, 0x20(sp)
; s7 = umask(2): previous mask is kept so it can be restored after mkdir.
addiu a0, zero, 2
lw t9, -sym.imp.umask(gp)
jalr t9
move s5, v0
lw gp, 0x20(sp)
; mkdir(s5, 0x1fd): 0x1fd is octal 0775; with umask 2 the group-write bit
; survives. NOTE(review): confirm group write on this directory is intended.
addiu a1, zero, 0x1fd
move a0, s5
lw t9, -sym.imp.mkdir(gp)
jalr t9
move s7, v0
; mkdir failure takes the 0x30c4 path.
bltz v0, 0x30c4
lw gp, 0x20(sp)
; umask(s7): restore the saved mask.
lw t9, -sym.imp.umask(gp)
jalr t9
move a0, s7
lw gp, 0x20(sp)
; s7 = g_strdup_printf(s0 + str._s__s.ovl, s5, s6): same format, now with
; the new directory as the first string argument.
move a2, s6
move a1, s5
lw t9, -sym.imp.g_strdup_printf(gp)
jalr t9
addiu a0, s0, str._s__s.ovl
move s7, v0
b 0x2c88
lw gp, 0x20(sp)
; Five consecutive stack words are filled:
;   0x3c(sp) = base + 0x60d8 (unnamed string)
;   0x40(sp) = value saved at 0x38(sp)
;   0x44(sp) = s1
;   0x48(sp) = s7
;   0x4c(sp) = 0
; The layout is consistent with a NULL-terminated argv, and the program path
; str._usr_bin_image2ovl is stored at 0x28(sp). The call that consumes them
; is outside this excerpt.
; NOTE(review): confirm the helper is started with an exec-style vector and
; not through a shell command line, since s1 and s7 are built from request data.
lw v0, 0x38(sp)
sw s7, 0x48(sp)
sw s1, 0x44(sp)
sw zero, 0x4c(sp)
sw v0, 0x40(sp)
lw v0, -0x7fdc(gp)
addiu v0, v0, 0x60d8
sw v0, 0x3c(sp)
lw v0, -0x7fdc(gp)
addiu v0, v0, str._usr_bin_image2ovl
b 0x2d80
sw v0, 0x28(sp)
; Failure exit with s0 = -0x3e8 (-1000).
move s4, zero
b 0x2994
addiu s0, zero, -0x3e8
--
; Excerpt, cut at both ends: errno mapping after a failed call, then a second
; directory-creation sequence followed by stat/open of the file named by s1.
; MIPS delay slots: the instruction after each jalr/branch executes before
; control transfers, so an argument set there belongs to the call above it.
lw gp, 0x20(sp)
b 0x2f30
sb zero, (v0)
; s0 = *__errno_location(), i.e. the current errno.
lw t9, -sym.imp.__errno_location(gp)
jalr t9
nop
lw s0, (v0)
; errno == 0x11 (17, EEXIST on Linux) is handled separately at 0x3384.
addiu v0, zero, 0x11
beq s0, v0, 0x3384
lw gp, 0x20(sp)
; Status mapping: errno == 0x1c (28, ENOSPC on Linux) -> -0x3ef (-1007),
; anything else -> -0x3e8 (-1000). movz copies v1 into v0 only when s0 == 0.
xori s0, s0, 0x1c
addiu v1, zero, -0x3ef
addiu v0, zero, -0x3e8
movz v0, v1, s0
move s0, v0
; umask(s7): restore the mask saved before the failed operation.
lw t9, -sym.imp.umask(gp)
jalr t9
move a0, s7
lw gp, 0x20(sp)
move s7, zero
move fp, zero
b 0x3074
move s4, zero
; s5 = g_strdup_printf(base + str._s__s.ovl, base + str._etc_overlays, s6)
; (s5 is captured in the delay slot of the umask call below).
lw a1, -0x7fdc(gp)
lw a0, -0x7fdc(gp)
lw t9, -sym.imp.g_strdup_printf(gp)
move a2, s6
addiu a1, a1, str._etc_overlays
jalr t9
addiu a0, a0, str._s__s.ovl
lw gp, 0x20(sp)
; s4 = umask(2): previous mask, restored after mkdir.
addiu a0, zero, 2
lw t9, -sym.imp.umask(gp)
jalr t9
move s5, v0
lw gp, 0x20(sp)
; mkdir(s5, 0x1fd): 0x1fd is octal 0775; with umask 2 the directory stays
; group-writable. NOTE(review): confirm that is intended.
addiu a1, zero, 0x1fd
move a0, s5
lw t9, -sym.imp.mkdir(gp)
jalr t9
move s4, v0
; mkdir failure takes the 0x3344 path.
bltz v0, 0x3344
lw gp, 0x20(sp)
lw t9, -sym.imp.umask(gp)
jalr t9
move a0, s4
lw gp, 0x20(sp)
; s4 = g_strdup_printf(base + str._s_bmp, s5): a name derived from the new
; directory path (captured in the delay slot of the __xstat call below).
move a1, s5
lw a0, -0x7fdc(gp)
lw t9, -sym.imp.g_strdup_printf(gp)
jalr t9
addiu a0, a0, str._s_bmp
lw gp, 0x20(sp)
; __xstat(3, s1, s3): stat the path in s1 into the buffer at s3.
move a2, s3
move a1, s1
lw t9, -sym.imp.__xstat(gp)
addiu a0, zero, 3
jalr t9
move s4, v0
bltz v0, 0x3398
lw gp, 0x20(sp)
; s7 = open(s1, 0): flags 0 is read-only.
; NOTE(review): the path is stat'ed and then opened by name; if the stat
; result drives a later decision, fstat on the opened descriptor avoids the
; gap between the two lookups. How the stat buffer is used is not visible here.
lw t9, -sym.imp.open(gp)
move a1, zero
jalr t9
move a0, s1
move s7, v0
bltz v0, 0x3398
lw gp, 0x20(sp)
; Second open with mode 0x1a4 (octal 0644); its path and flags are set past
; the end of the excerpt.
lw t9, -sym.imp.open(gp)
addiu a2, zero, 0x1a4
--
; Excerpt, cut at both ends: cleanup after a failed copy (unlink, close),
; then an optional palette file is written with fopen/fputs.
; MIPS delay slots: the instruction after each jalr/branch executes before
; control transfers, so an argument set there belongs to the call above it.
lw gp, 0x20(sp)
; s0 = word at (v0); v0 comes from a call before this excerpt, presumably
; __errno_location -- TODO confirm.
lw s0, (v0)
; Status mapping: value == 0xb (11) -> -0x3ef (-1007), otherwise -0x3e8
; (-1000); then unlink(s4) removes the partially written file.
addiu v1, zero, -0x3ef
lw t9, -sym.imp.unlink(gp)
xori s0, s0, 0xb
addiu v0, zero, -0x3e8
movz v0, v1, s0
move a0, s4
jalr t9
move s0, v0
lw gp, 0x20(sp)
; close(s7) unless s7 == 0.
beqz s7, 0x3258
lw t9, -sym.imp.close(gp)
jalr t9
move a0, s7
lw gp, 0x20(sp)
; Guard tests fp > 0, but the argument passed to close is s7 again.
; NOTE(review): if fp holds the second descriptor, this closes s7 twice and
; leaves fp open; confirm against the full function. The first guard also
; treats descriptor 0 as "not open" while this one uses a signed > 0 test.
blez fp, 0x326c
lw t9, -sym.imp.close(gp)
jalr t9
move a0, s7
lw gp, 0x20(sp)
; Non-zero status leaves through 0x358c.
bnez s0, 0x358c
lw t9, -sym.imp.unlink(gp)
; s7 = word at 0x28(sp); zero skips the palette write (0x33b4).
lw s7, 0x28(sp)
beqz s7, 0x33b4
lw t9, -sym.imp.g_strdup_printf(gp)
; fp = g_strdup_printf(base + str._s_pal, s5)
lw a0, -0x7fdc(gp)
move a1, s5
jalr t9
addiu a0, a0, str._s_pal
lw gp, 0x20(sp)
; s0 = fopen(fp, mode), mode string at base + 0x616c (unnamed by r2).
move a0, v0
move fp, v0
lw a1, -0x7fdc(gp)
lw t9, -sym.imp.fopen(gp)
jalr t9
addiu a1, a1, 0x616c
move s0, v0
; fopen returning NULL takes the 0x3580 path.
beqz v0, 0x3580
lw gp, 0x20(sp)
; fputs(s7, stream): writes the string held at 0x28(sp).
; The handling of its return value is outside this excerpt.
lw t9, -sym.imp.fputs(gp)
move a1, v0
jalr t9
move a0, s7
lw gp, 0x20(sp)
lw t9, -sym.imp.fclose(gp)
--
; Excerpt, cut at both ends: a directory-listing loop that builds a GSList of
; 8-byte records {path string, flag} for entries whose name contains the
; string at base + 0x6214. gp is saved at 0x10(sp) here, so this is a
; different frame from the excerpts that use 0x20(sp).
; MIPS delay slots: the instruction after each jalr/branch executes before
; control transfers, so an argument set there belongs to the call above it.
; First call through t9 (target loaded before the excerpt). s1 takes the
; value v0 held before the call and is later passed to readdir, so it is
; presumably the DIR handle; s0 takes this call's result.
jalr t9
move s1, v0
move s0, v0
lw gp, 0x10(sp)
; NULL result -> 0x36f0; s2 (list head) starts as NULL.
beqz v0, 0x36f0
move s2, zero
; Loop invariants: s3 = filter string, s4 = ... + str._etc_overlays,
; s5 = format string (str._s__s, presumably "%s/%s").
lw s3, -0x7fdc(gp)
lw s5, -0x7fdc(gp)
addiu s3, s3, 0x6214
addiu s4, s4, str._etc_overlays
addiu s5, s5, str._s__s
; s6 = entry + 0xb, presumably the d_name field of the dirent -- TODO confirm
; against the target libc's struct layout. strstr(s6, s3).
lw t9, -sym.imp.strstr(gp)
addiu s6, s0, 0xb
move a0, s6
jalr t9
move a1, s3
lw gp, 0x10(sp)
addiu a0, zero, 8
; Name does not contain the filter string -> skip to 0x36d8.
beqz v0, 0x36d8
lw t9, -sym.imp.g_malloc(gp)
; s7 = g_malloc(8): one record.
jalr t9
nop
lw gp, 0x10(sp)
move s7, v0
; record[0] = g_strdup_printf(s5, s4, s6): directory joined with entry name.
move a2, s6
lw t9, -sym.imp.g_strdup_printf(gp)
move a1, s4
jalr t9
move a0, s5
sw v0, (s7)
lw gp, 0x10(sp)
; record[4] = (byte at entry + 0xa == 4). Presumably d_type compared with
; DT_DIR (4 on Linux) -- TODO confirm. The store sits in the delay slot of
; the g_slist_append(s2, s7) call.
lbu v0, 0xa(s0)
move a0, s2
xori v0, v0, 4
lw t9, -sym.imp.g_slist_append(gp)
sltiu v0, v0, 1
move a1, s7
jalr t9
sw v0, 4(s7)
lw gp, 0x10(sp)
move s2, v0
; s0 = readdir(s1); loop while entries remain.
lw t9, -sym.imp.readdir(gp)
jalr t9
move a0, s1
move s0, v0
bnez v0, 0x3660
--
; Excerpt, cut at both ends, covering three pieces: the body of a small
; free helper, a PIC trampoline, and the prologue of another function.
; MIPS delay slots: the instruction after each jalr/jr/branch executes before
; control transfers.
; --- free helper: releases the pointer stored in the first word of the
; record in a0, then the record itself. The first call target is loaded
; before the excerpt (presumably g_free as well -- TODO confirm).
sw s0, 0x18(sp)
move s0, a0
lw a0, (a0)
sw ra, 0x1c(sp)
sw gp, 0x10(sp)
jalr t9
nop
lw gp, 0x10(sp)
lw ra, 0x1c(sp)
move a0, s0
lw t9, -sym.imp.g_free(gp)
lw s0, 0x18(sp)
; Tail call: jr to g_free with the frame popped in the delay slot, so g_free
; returns directly to this helper's caller.
jr t9
addiu sp, sp, 0x20
; --- trampoline: computes gp from t9 (standard PIC entry sequence), points
; t9 at base + 0x22bc and branches there.
lui gp, 2
addiu gp, gp, -0x479c
addu gp, gp, t9
lw t9, -0x7fdc(gp)
addiu t9, t9, 0x22bc
b 0x22bc
nop
; --- function prologue: gp setup, 0x100-byte frame, callee-saved registers
; stored at 0xe4..0xfc(sp).
lui gp, 2
addiu gp, gp, -0x47b8
addu gp, gp, t9
addiu sp, sp, -0x100
lw t9, -sym.imp.g_strdup_printf(gp)
sw s2, 0xec(sp)
; s2 = GOT entry at -0x7efc(gp); the word it points to is copied to 0xdc(sp)
; below. This is consistent with a stack-protector guard being placed above
; the locals (the report header lists "Canary found") -- TODO confirm by
; locating the matching compare in the epilogue.
lw s2, -0x7efc(gp)
sw s4, 0xf4(sp)
sw s1, 0xe8(sp)
lw s4, -0x7fdc(gp)
lw v0, (s2)
move s1, a0
lw a0, -0x7fdc(gp)
sw gp, 0x10(sp)
sw ra, 0xfc(sp)
sw s3, 0xf0(sp)
; g_strdup_printf(base + 0x61a0, s4 + str._etc_overlays, ...): the format
; string is unnamed by r2, so the number of arguments it consumes cannot be
; read from this excerpt.
addiu a1, s4, str._etc_overlays
addiu a0, a0, 0x61a0
sw s5, 0xf8(sp)
sw s0, 0xe4(sp)
sw v0, 0xdc(sp)
jalr t9
nop
lw gp, 0x10(sp)
; a2 = address of a stack buffer at sp + 0x4c for the next call (not shown).
addiu a2, sp, 0x4c
--
; Excerpt, cut at both ends: a loop that unlinks every entry of a directory
; except two names, then closes the directory.
; MIPS delay slots: the instruction after each jalr/branch executes before
; control transfers, so an argument set there belongs to the call above it.
; Loop invariants: s3 and s4 point at two short strings four bytes apart
; (base + 0x6348 and base + 0x634c), presumably "." and ".." -- TODO confirm;
; s6 = format string (str._s__s, presumably "%s/%s").
lw s3, -0x7fdc(gp)
lw s4, -0x7fdc(gp)
lw s6, -0x7fdc(gp)
addiu s3, s3, 0x6348
addiu s4, s4, 0x634c
b 0x3bf4
addiu s6, s6, str._s__s
; readdir(s2); NULL ends the loop at 0x3c78.
lw t9, -sym.imp.readdir(gp)
jalr t9
move a0, s2
beqz v0, 0x3c78
lw gp, 0x20(sp)
; s0 = entry + 0xb, presumably the d_name field -- TODO confirm.
; strcmp(s0, s3) == 0 -> skip this entry (0x3be0).
lw t9, -sym.imp.strcmp(gp)
addiu s0, v0, 0xb
move a1, s3
jalr t9
move a0, s0
beqz v0, 0x3be0
lw gp, 0x20(sp)
; strcmp(s0, s4) == 0 -> skip this entry (0x3be0).
lw t9, -sym.imp.strcmp(gp)
move a1, s4
jalr t9
move a0, s0
beqz v0, 0x3be0
lw gp, 0x20(sp)
; path = g_strdup_printf(s6, word at 0x2c(sp), s0): directory joined with
; the entry name.
lw t9, -sym.imp.g_strdup_printf(gp)
lw a1, 0x2c(sp)
move a2, s0
jalr t9
move a0, s6
lw gp, 0x20(sp)
; unlink(path); s0 keeps the path so it can be freed.
; NOTE(review): the unlink return value is not examined, so an entry that
; cannot be removed (for example a subdirectory) is skipped silently; confirm
; the caller copes with a directory that is not empty afterwards.
move a0, v0
lw t9, -sym.imp.unlink(gp)
jalr t9
move s0, v0
lw gp, 0x20(sp)
; g_free(path)
lw t9, -sym.imp.g_free(gp)
jalr t9
move a0, s0
lw gp, 0x20(sp)
; Next entry; loop back to 0x3bf4 while readdir returns non-NULL.
lw t9, -sym.imp.readdir(gp)
jalr t9
move a0, s2
bnez v0, 0x3bf4
lw gp, 0x20(sp)
lw t9, -sym.imp.closedir(gp)

[*] Function printf used 11 times overlayimage.cgi