[*] Binary protection state of ssh-keygen

  
  	Full RELRO     Canary found      NX enabled   PIE enabled  No RPATH     No RUNPATH   No Symbols


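[*] Function sprintf tear down of ssh-keygen (MIPS disassembly excerpts around each match; a `--` line appears to separate non-adjacent excerpts, so most functions below are shown only in part and addresses of branch targets are not listed)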

lw gp, 0x28(sp)
b 0xeb5c
move s4, zero
lw t9, -sym.ssh_err(gp)
bal sym.ssh_err
move a0, v0
lw gp, 0x28(sp)
sw v0, 0x14(sp)
addiu v0, zero, 2
lw v1, -0x7fdc(gp)
lw a1, -0x7fdc(gp)
lw a0, -0x7fdc(gp)
lw t9, -sym.sshlog(gp)
addiu v1, v1, -0x738
sw s6, 0x1c(sp)
sw v1, 0x18(sp)
sw v0, 0x10(sp)
move a3, zero
addiu a2, zero, 0x9f2
addiu a1, a1, 0x1da8
jalr t9
addiu a0, a0, -0xe90
move s4, zero
b 0xeb5c
lw gp, 0x28(sp)
lw t9, -sym.xasprintf(gp)
move a2, s6
addiu a1, a1, -0x714
jalr t9
addiu a0, sp, 0x44
lw gp, 0x28(sp)
lw t9, -0x7f2c(gp)
addiu t9, t9, -0x170c
bal 0xe8f4
lw a0, 0x44(sp)
move s0, v0
beqz v0, 0xeb5c
lw gp, 0x28(sp)
lw t9, -sym.imp.open64(gp)
lw a0, 0x44(sp)
addiu a2, zero, 0x1b6
jalr t9
addiu a1, zero, 0x301
move s3, v0
addiu v0, zero, -1
beq s3, v0, 0xf010
--
bal sym.sshbuf_free
lw a0, 0x3c(sp)
lw gp, 0x28(sp)
lw t9, -sym.imp.close(gp)
jalr t9
move a0, s3
b 0xebd4
lw gp, 0x28(sp)
lw v0, -0x76c4(gp)
lw a2, -0x7fdc(gp)
lw t9, -sym.imp.__fprintf_chk(gp)
lw a0, (v0)
addiu a2, a2, -0x6e0
jalr t9
addiu a1, zero, 1
lw gp, 0x28(sp)
b 0xee4c
lw a3, 0x44(sp)
lw t9, -sym.sshkey_type(gp)
bal sym.sshkey_type
move a0, s4
lw gp, 0x28(sp)
move a2, v0
addiu a0, sp, 0x48
lw a1, -0x7fdc(gp)
lw t9, -sym.xasprintf(gp)
jalr t9
addiu a1, a1, -0x78c
lw gp, 0x28(sp)
lw a0, 0x48(sp)
lw t9, -sym.read_passphrase(gp)
jalr t9
addiu a1, zero, 2
move s1, v0
beqz v0, 0xf0cc
lw gp, 0x28(sp)
b 0xec34
lbu v0, 0x38(s4)
lw v0, -0x7fdc(gp)
lw a1, -0x7fdc(gp)
lw a0, -0x7fdc(gp)
addiu v0, v0, -0x724
lw t9, -sym.sshlog(gp)
sw v0, 0x18(sp)
addiu v0, zero, 2
sw zero, 0x14(sp)
--
lw a1, -0x7fdc(gp)
lw t9, -sym.notify_complete(gp)
jalr t9
addiu a1, a1, -0x18c
bnez s0, 0x10f7c
lw gp, 0x40(sp)
lw s0, 0x7c(sp)
lw t9, -sym.imp.strrchr(gp)
addiu a1, zero, 0x2e
jalr t9
move a0, s0
beqz v0, 0x10704
lw gp, 0x40(sp)
lw a1, -0x7fdc(gp)
lw t9, -sym.imp.strcmp(gp)
addiu a1, a1, 0x790
move a0, v0
jalr t9
sw v0, 0x54(sp)
bnez v0, 0x10704
lw gp, 0x40(sp)
lw v1, 0x54(sp)
sb zero, (v1)
lw s0, 0x7c(sp)
lw a1, -0x7fdc(gp)
lw t9, -sym.xasprintf(gp)
move a2, s0
addiu a1, a1, -0x15c
jalr t9
addiu a0, sp, 0x80
lw gp, 0x40(sp)
lw t9, -sym.imp.free(gp)
jalr t9
lw a0, 0x7c(sp)
lw gp, 0x40(sp)
lw a2, 0x84(sp)
lw a1, 0x80(sp)
lw t9, -sym.sshkey_save_public(gp)
jalr t9
lw a0, 0x78(sp)
bnez v0, 0x10f14
lw gp, 0x40(sp)
lw v0, -0x7fcc(gp)
lw v0, 0x6144(v0)
beqz v0, 0x10970
lw a0, 0x78(sp)
--
lw s2, -0x7fcc(gp)
sw v0, 0x30(sp)
lw v0, -0x7fdc(gp)
lw s6, -0x7fdc(gp)
sw v0, 0x34(sp)
lw v0, -0x7f2c(gp)
addiu s0, sp, 0x70
addiu v0, v0, -0x2758
sw v0, 0x38(sp)
lw v0, -0x7fcc(gp)
move s4, zero
addiu v0, v0, 0x4cf4
sw v0, 0x40(sp)
lw v0, -0x7fdc(gp)
addiu fp, sp, 0x64
addiu v0, v0, 0x800
addiu s7, sp, 0xa8
b 0x1454c
sw v0, 0x44(sp)
lw v0, 0xe0(sp)
lw a0, 0xe4(sp)
or v0, v0, a0
bnez v0, 0x144e4
lw t9, -sym.sshkey_free(gp)
lw v0, 0x30(sp)
lw t9, -sym.xasprintf(gp)
move a3, s1
addiu a2, s2, 0x513c
addiu a1, v0, 0x768
jalr t9
addiu a0, sp, 0x5c
lw gp, 0x28(sp)
lw v0, 0x34(sp)
move a3, s1
lw t9, -sym.xasprintf(gp)
addiu a2, s2, 0x513c
addiu a1, v0, 0x778
jalr t9
addiu a0, sp, 0x60
lw gp, 0x28(sp)
move a3, s1
addiu a2, s2, 0x513c
lw a1, -0x7fdc(gp)
lw t9, -sym.xasprintf(gp)
addiu a1, a1, 0x78c
jalr t9
addiu a0, sp, 0x68
beqz s4, 0x1460c
lw gp, 0x28(sp)
lw a1, -0x7fdc(gp)
lw a2, (s0)
lw t9, -sym.imp.__printf_chk(gp)
addiu a1, a1, 0x7b8
jalr t9
addiu a0, zero, 1
lw gp, 0x28(sp)
addiu s5, zero, -1
lw v0, -0x7858(gp)
lw t9, -sym.imp.fflush(gp)
jalr t9
lw a0, (v0)
lw gp, 0x28(sp)
lw t9, -sym.sshkey_type_from_name(gp)
bal sym.sshkey_type_from_name
--
addiu s0, s0, 0xc
lw gp, 0x28(sp)
lw t9, -sym.sshkey_free(gp)
bal sym.sshkey_free
lw a0, 0x58(sp)
lw gp, 0x28(sp)
lw t9, -sym.imp.free(gp)
jalr t9
lw a0, 0x5c(sp)
lw gp, 0x28(sp)
lw t9, -sym.imp.free(gp)
jalr t9
lw a0, 0x60(sp)
lw gp, 0x28(sp)
lw t9, -sym.imp.free(gp)
jalr t9
lw a0, 0x64(sp)
lw gp, 0x28(sp)
lw t9, -sym.imp.free(gp)
jalr t9
lw a0, 0x68(sp)
lw s3, -4(s0)
beqz s3, 0x147a4
lw gp, 0x28(sp)
lw s1, 4(s0)
lw t9, -sym.xasprintf(gp)
move a3, s1
addiu a2, s2, 0x513c
addiu a1, s6, 0x1588
move a0, fp
sw zero, 0x54(sp)
sw zero, 0x58(sp)
sw zero, 0x68(sp)
sw zero, 0x64(sp)
sw zero, 0x60(sp)
jalr t9
sw zero, 0x5c(sp)
lw gp, 0x28(sp)
lw a1, 0x64(sp)
move a2, s7
lw t9, -sym.imp.__xstat64(gp)
jalr t9
addiu a0, zero, 3
beqz v0, 0x14294
lw gp, 0x28(sp)
lw t9, -sym.imp.__errno_location(gp)
--
move v0, s2
lw ra, 0x434(sp)
lw s2, 0x430(sp)
lw s1, 0x42c(sp)
lw s0, 0x428(sp)
jr ra
addiu sp, sp, 0x438
beq v0, v1, 0x3ae58
lw a1, -0x7fdc(gp)
lw t9, -sym.imp.strcasecmp(gp)
addiu a1, a1, 0x5374
jalr t9
move a0, s0
sltiu s2, v0, 1
b 0x3ae5c
lw gp, 0x18(sp)
b 0x3ae6c
move s2, zero
lw t9, -sym.imp.__stack_chk_fail(gp)
jalr t9
nop
lui gp, 6
addiu gp, gp, 0x11d4
addu gp, gp, t9
addiu sp, sp, -0x58
lw t9, -sym.xvasprintf(gp)
sw s1, 0x44(sp)
lw s1, -0x773c(gp)
sw gp, 0x28(sp)
sw ra, 0x54(sp)
sw s0, 0x40(sp)
sw s4, 0x50(sp)
sw s3, 0x4c(sp)
sw s2, 0x48(sp)
lw v1, (s1)
addiu v0, sp, 0x60
sw a2, 0x60(sp)
sw a3, 0x64(sp)
move a2, v0
sw v1, 0x3c(sp)
move s0, a0
sw v0, 0x34(sp)
sw zero, 0x38(sp)
bal sym.xvasprintf
addiu a0, sp, 0x38
lw gp, 0x28(sp)
--
sw v0, 0x10(sp)
b 0x3b274
addiu a2, zero, 0x122
lui gp, 6
addiu gp, gp, 0xd48
addu gp, gp, t9
addiu sp, sp, -0x50
sw s3, 0x48(sp)
lw s3, -0x773c(gp)
sw s0, 0x3c(sp)
sw gp, 0x20(sp)
sw ra, 0x4c(sp)
sw s2, 0x44(sp)
sw s1, 0x40(sp)
lw v0, (s3)
move s0, a0
sw a2, 0x58(sp)
sw a3, 0x5c(sp)
sw v0, 0x34(sp)
beqz a0, 0x3b41c
sw zero, 0x2c(sp)
beqz a1, 0x3b3b4
lw a0, (a0)
addiu v0, zero, -1
beq a0, v0, 0x3b454
lw t9, -sym.xvasprintf(gp)
blez a0, 0x3b41c
lw t9, -sym.imp.kill(gp)
jalr t9
addiu a1, zero, 0xf
addiu s1, zero, -1
lw gp, 0x20(sp)
b 0x3b3ec
addiu s2, zero, 4
lw t9, -sym.imp.__errno_location(gp)
jalr t9
nop
lw a0, (v0)
bne a0, s2, 0x3b4a4
lw gp, 0x20(sp)
lw t9, -sym.imp.waitpid(gp)
lw a0, (s0)
move a2, zero
jalr t9
move a1, zero
beq v0, s1, 0x3b3d4
--
addiu sp, sp, 0x30
lw v0, -0x7fdc(gp)
lw a1, -0x7fdc(gp)
addiu v0, v0, 0x5550
lw a0, -0x7fdc(gp)
sw v0, 0x18(sp)
lw t9, -sym.sshfatal(gp)
addiu v0, zero, 1
sw zero, 0x14(sp)
sw v0, 0x10(sp)
move a3, zero
addiu a2, zero, 0x69
addiu a1, a1, 0x5580
bal sym.sshfatal
addiu a0, a0, 0x5420
; Variadic formatting wrapper (MIPS o32, position-independent code).
; It spills the register varargs a2/a3 to the argument slots just above its own
; frame, builds a va_list pointer to them, and calls sym.xvasprintf(a0, a1, va_list).
; a0 and a1 are passed through untouched; the callee's v0 is returned unchanged.
; NOTE(review): the function label is not visible in this excerpt. The shape matches
; what other excerpts call as sym.xasprintf -- confirm against the symbol table.
; Stack protector: a guard word is copied into the frame on entry and compared
; again before return; a mismatch branches away to the __stack_chk_fail call.
lui gp, 6                               ; PIC prologue: gp = 0x60000 + 0x7d4 + t9
addiu gp, gp, 0x7d4
addu gp, gp, t9                         ; t9 holds this function's own address on entry
addiu sp, sp, -0x28                     ; allocate a 0x28-byte frame
addiu v0, sp, 0x30                      ; v0 = caller_sp + 8, the slot for the 3rd argument (va_list start)
sw s0, 0x20(sp)                         ; save callee-saved s0
lw s0, -0x773c(gp)                      ; s0 = pointer loaded from the GOT; presumably &__stack_chk_guard -- TODO confirm
sw gp, 0x10(sp)                         ; save gp so it can be restored after the call
sw ra, 0x24(sp)                         ; save return address
lw v1, (s0)                             ; v1 = current guard value
lw t9, -sym.xvasprintf(gp)              ; t9 = address of xvasprintf (PIC call convention)
sw a2, 0x30(sp)                         ; spill vararg #1 next to where a stacked vararg would follow
sw v1, 0x1c(sp)                         ; place the canary in this frame
sw a3, 0x34(sp)                         ; spill vararg #2
sw v0, 0x18(sp)                         ; keep the va_list pointer in the frame
bal sym.xvasprintf                      ; xvasprintf(a0, a1, a2 = va_list)
move a2, v0                             ; branch delay slot: executes before the callee runs
lw a0, 0x1c(sp)                         ; reload the canary stored on entry
lw v1, (s0)                             ; reload the reference guard value
bne a0, v1, 0x3b930                     ; canary changed -> failure path (presumably the __stack_chk_fail call below)
lw gp, 0x10(sp)                         ; delay slot: restore gp on both paths
lw ra, 0x24(sp)                         ; epilogue: restore ra and s0
lw s0, 0x20(sp)
jr ra                                   ; return; v0 still holds xvasprintf's result
addiu sp, sp, 0x28                      ; delay slot: release the frame
lw t9, -sym.imp.__stack_chk_fail(gp)    ; failure path: call the imported __stack_chk_fail
jalr t9
nop                                     ; delay slot filler
nop
lui gp, 6
addiu gp, gp, 0x760
--
lw t9, -sym.imp.strlen(gp)
jalr t9
move a0, s3
bnez v0, 0x3eff0
lw gp, 0x20(sp)
lw a3, -0x7fdc(gp)
addiu a3, a3, 0x5678
b 0x3ef64
addiu s0, s1, 1
lw t9, -sym.imp.getpwuid(gp)
jalr t9
move a0, s3
beqz v0, 0x3f058
lw gp, 0x20(sp)
lw s3, 0x14(v0)
lw t9, -sym.imp.strlen(gp)
jalr t9
move a0, s3
bnez v0, 0x3efd0
lw gp, 0x20(sp)
lw a3, -0x7fdc(gp)
addiu a3, a3, 0x5678
bnel s1, zero, 0x3ef64
addiu s0, s1, 1
lw a1, -0x7fdc(gp)
lw t9, -sym.xasprintf(gp)
sw s0, 0x10(sp)
move a2, s3
addiu a1, a1, 0x5c2c
bal sym.xasprintf
addiu a0, sp, 0x28
slti v0, v0, 0x1000
beqz v0, 0x3f020
lw gp, 0x20(sp)
lw v0, 0x28(sp)
lw a0, 0xac(sp)
lw v1, (s2)
bne a0, v1, 0x3f014
lw ra, 0xc4(sp)
lw s4, 0xc0(sp)
lw s3, 0xbc(sp)
lw s2, 0xb8(sp)
lw s1, 0xb4(sp)
lw s0, 0xb0(sp)
jr ra
addiu sp, sp, 0xc8
--
jr ra
addiu sp, sp, 0x48
lw a0, -0x7fdc(gp)
lw t9, -sym.xstrdup(gp)
bal sym.xstrdup
addiu a0, a0, 0x5c94
move s4, v0
b 0x3f598
lw gp, 0x18(sp)
lw t9, -sym.imp.__stack_chk_fail(gp)
jalr t9
nop
lui gp, 6
addiu gp, gp, -0x3558
addu gp, gp, t9
addiu sp, sp, -0x40
move v1, a2
sw s1, 0x34(sp)
lw s1, -0x773c(gp)
sw gp, 0x18(sp)
sw s2, 0x38(sp)
sw s0, 0x30(sp)
sw ra, 0x3c(sp)
lw v0, (s1)
addiu a2, sp, 0x4c
lw t9, -sym.xvasprintf(gp)
move s0, a0
sw a2, 0x20(sp)
move s2, a1
sw a3, 0x4c(sp)
move a1, v1
addiu a0, sp, 0x24
sw v0, 0x2c(sp)
bal sym.xvasprintf
nop
lw a2, (s0)
beqz a2, 0x3f6e4
lw gp, 0x18(sp)
lb v0, (a2)
beqz v0, 0x3f6e8
lw t9, -sym.imp.free(gp)
beql s2, zero, 0x3f700
lw s2, -0x7fdc(gp)
lw a1, -0x7fdc(gp)
lw v0, 0x24(sp)
lw t9, -sym.xasprintf(gp)
move a3, s2
addiu a1, a1, 0x5c2c
addiu a0, sp, 0x28
bal sym.xasprintf
sw v0, 0x10(sp)
lw gp, 0x18(sp)
lw t9, -sym.imp.free(gp)
jalr t9
lw a0, 0x24(sp)
lw gp, 0x18(sp)
lw t9, -sym.imp.free(gp)
jalr t9
lw a0, (s0)
lw v0, 0x28(sp)
lw gp, 0x18(sp)
sw v0, (s0)
lw v1, 0x2c(sp)
lw v0, (s1)
bne v1, v0, 0x3f708
lw ra, 0x3c(sp)

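[*] Function sprintf used 13 times in ssh-keygen
    Note: in the excerpts shown, all 13 counted references are `lw t9, -sym.xasprintf(gp)` or `lw t9, -sym.xvasprintf(gp)` loads; no `sym.imp.sprintf` (libc sprintf import) appears. The count therefore comes from a substring match on "sprintf", not from calls to sprintf itself. xasprintf/xvasprintf are OpenSSH's allocating wrappers around vasprintf, which size the output buffer themselves, so these hits are not evidence of unbounded sprintf writes. Treat them as likely false positives, and confirm by checking the binary's import table for a direct sprintf/vsprintf import.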