[*] Binary protection state of htpasswd

  
  	Full RELRO     Canary found      NX disabled  PIE enabled  No RPATH     No RUNPATH   No Symbols


[*] Disassembly around each reference to "sprintf" in htpasswd (excerpts; a "--" line marks a gap between non-adjacent regions)

; Excerpt 1 (MIPS, PIC: callees are loaded into t9 from the GOT through gp).
; The instruction after every branch or jump sits in its delay slot and
; executes before control transfers, so read each pair together.
; The start of this routine lies before the excerpt; presumably it is the
; routine at 0x1f70 that a later excerpt calls with `bal 0x1f70` - confirm.
;
; Encoding loop: a source byte is shifted in and ORed into the accumulator v1
; (v0 tracks the bit count, +8 per byte), then the low 6 bits of v1 index the
; table at a3 and the table byte is stored through a0. The loop repeats until
; a0 reaches t0. Together with the "random bytes" error string below this
; looks like salt generation into a 64-character alphabet - TODO confirm.
lbu a1, -0x24(a1)
sllv a1, a1, v0
or v1, v1, a1
addiu v0, v0, 8
andi a1, v1, 0x3f
addu a1, a3, a1
addiu a0, a0, 1
lbu a1, (a1)
srl v1, v1, 6
sb a1, -1(a0)
bne a0, t0, 0x1fe8
; delay slot: 6 bits were consumed from the accumulator
addiu v0, v0, -6
; NUL-terminate the output at offset 8 and set the return value to 0.
sb zero, 8(s0)
move v0, zero
; Stack-protector check: the word saved at sp+0x3c is compared with the word
; s1 points at; a mismatch goes to 0x2088 (presumably the __stack_chk_fail
; call further down). This matches "Canary found" in the protection summary.
; NOTE(review): with NX reported as disabled for this binary, this check is
; the main mitigation visible here for the saved return address.
lw a0, 0x3c(sp)
lw v1, (s1)
bne a0, v1, 0x2088
; Epilogue: restore ra and s0-s3, return, and release the 0x58-byte frame in
; the delay slot of `jr ra`.
lw ra, 0x54(sp)
lw s3, 0x50(sp)
lw s2, 0x4c(sp)
lw s1, 0x48(sp)
lw s0, 0x44(sp)
jr ra
addiu sp, sp, 0x58
; Error path: apr_psprintf(a0 = s3, a1 = fixed string in the binary,
; a2 = sp+0x18). The format comes from the binary's own string data, not from
; input; the `__pm` suffix of the string flag suggests a %pm conversion that
; takes the pointer in a2 - TODO confirm. The result is stored through s2.
lw a1, -0x7fd8(gp)
lw t9, -sym.imp.apr_psprintf(gp)
addiu a2, sp, 0x18
addiu a1, a1, str.Unable_to_generate_random_bytes:__pm
jalr t9
move a0, s3
lw gp, 0x10(sp)
sw v0, (s2)
; Jump to 0x2038 with return code 8 set in the delay slot.
b 0x2038
addiu v0, zero, 8
; Canary mismatch handler: call __stack_chk_fail.
lw t9, -sym.imp.__stack_chk_fail(gp)
jalr t9
nop
; A new routine starts here: gp is derived from t9, a 0x28-byte frame is
; allocated and s0-s2 and gp are saved. Its body continues past the excerpt.
lui gp, 2
addiu gp, gp, -0x6084
addu gp, gp, t9
addiu sp, sp, -0x28
sw s1, 0x1c(sp)
lw s1, -0x7fd8(gp)
sw s2, 0x20(sp)
sw s0, 0x18(sp)
sw gp, 0x10(sp)
--
; Excerpt 2. Starts and ends mid-routine; the prompt and error strings suggest
; this is the password-reading routine (sym.get_password is called from a
; later excerpt) - TODO confirm. Branch and jump delay slots execute before
; control transfers.
move a0, s3
bnez v0, 0x243c
lw gp, 0x10(sp)
; Stack-protector check before returning: the word at sp+0x124 is compared
; with the word s1 points at; a mismatch goes to 0x2478.
lw a0, 0x124(sp)
lw v1, (s1)
bne a0, v1, 0x2478
; Epilogue: restore ra and s0-s4, return, release the 0x140-byte frame.
lw ra, 0x13c(sp)
lw s4, 0x138(sp)
lw s3, 0x134(sp)
lw s2, 0x130(sp)
lw s1, 0x12c(sp)
lw s0, 0x128(sp)
jr ra
addiu sp, sp, 0x140
; Prompt call: a0 = "Enter password: " string, a1 = s2 = sp+0x20 (buffer),
; a2 = sp+0x1c (address of a size word). The delay slot stores 0x101 into that
; size word. The callee in t9 is loaded outside this excerpt.
; NOTE(review): the buffer starts at sp+0x20 and the canary slot is at
; sp+0x124, i.e. 0x104 bytes later, so the declared size 0x101 fits below the
; canary - assuming the buffer occupies that whole span; confirm.
lw a0, -0x7fd8(gp)
addiu v0, zero, 0x101
addiu s2, sp, 0x20
addiu a2, sp, 0x1c
move a1, s2
addiu a0, a0, str.Enter_password:_
jalr t9
sw v0, 0x1c(sp)
; Zero return continues at 0x2408; a non-zero return falls through to the
; "password too long" error below.
beqz v0, 0x2408
lw gp, 0x10(sp)
; Error path: apr_psprintf(a0 = word at (s0), a1 = fixed string from the
; binary, a2 = 0x100). The result is stored at 4(s0) and the routine leaves
; through 0x22cc with return code 5 set in the delay slot.
lw a1, -0x7fd8(gp)
lw t9, -sym.imp.apr_psprintf(gp)
lw a0, (s0)
addiu a2, zero, 0x100
jalr t9
addiu a1, a1, str.password_too_long____u_
lw gp, 0x10(sp)
sw v0, 4(s0)
b 0x22cc
addiu v0, zero, 5
; Alternative input path: apr_file_open_stdin(a0 = sp+0x18, a1 = word at
; (s0)); a non-zero return goes to 0x2428.
lw t9, -sym.imp.apr_file_open_stdin(gp)
lw a1, (s0)
jalr t9
addiu a0, sp, 0x18
bnez v0, 0x2428
lw gp, 0x10(sp)
; apr_file_read_full with a0 = handle stored at sp+0x18, a2 = 0x100 and
; a3 = sp+0x1c. s2 is set to the buffer at sp+0x20, but the a1 assignment and
; the delay slot of this jalr fall outside the excerpt. The 0x100 read bound
; is below the 0x104 bytes between the buffer start and the canary slot.
lw t9, -sym.imp.apr_file_read_full(gp)
addiu s2, sp, 0x20
lw a0, 0x18(sp)
addiu a3, sp, 0x1c
addiu a2, zero, 0x100
jalr t9
--
; Excerpt 3. Starts and ends mid-routine; this looks like the hashing
; dispatcher that picks an algorithm and reports failures - TODO confirm.
; Several paths share one shape: strlen(s1), then a branch to 0x25e0 with the
; result code held in s2. Delay slots execute before control transfers.
lw t9, -sym.imp.strlen(gp)
jalr t9
move a0, s1
b 0x25e0
lw gp, 0x18(sp)
; Local call to 0x1f70 with a0 = s4 = sp+0x24, a1 = s0+4, a2 = word at (s0).
; t9 is set to the callee address first so the callee can derive gp from it.
; The return value is kept in s2; non-zero branches to 0x2680.
lw t9, -0x7fd8(gp)
addiu s4, sp, 0x24
lw a2, (s0)
addiu a1, s0, 4
addiu t9, t9, 0x1f70
bal 0x1f70
move a0, s4
move s2, v0
bnez v0, 0x2680
lw gp, 0x18(sp)
; apr_md5_encode(a0 = s1, a1 = s4, a2 = word at 8(s0), a3 = word at 0xc(s0)).
; Presumably password, salt, output buffer and output size - confirm. The
; status is stored at sp+0x20; zero branches to 0x2680, non-zero falls through
; to the error formatting below.
lw t9, -sym.imp.apr_md5_encode(gp)
lw a3, 0xc(s0)
lw a2, 8(s0)
move a1, s4
jalr t9
move a0, s1
sw v0, 0x20(sp)
beqz v0, 0x2680
lw gp, 0x18(sp)
; Error path: apr_psprintf(a0 = word at (s0), a1 = fixed string from the
; binary, a2 = sp+0x20, the slot that holds the status). The result is stored
; at 4(s0), then strlen(s1) runs with s2 = 9 set in the delay slot.
lw a1, -0x7fd8(gp)
lw t9, -sym.imp.apr_psprintf(gp)
lw a0, (s0)
addiu a2, sp, 0x20
jalr t9
addiu a1, a1, str.could_not_encode_password:__pm
lw gp, 0x18(sp)
sw v0, 4(s0)
move a0, s1
lw t9, -sym.imp.strlen(gp)
jalr t9
addiu s2, zero, 9
b 0x25e0
lw gp, 0x18(sp)
; Call sym.get_password with a0 = s0. A non-zero return goes to 0x25f8;
; otherwise continue at 0x2590 with s1 reloaded from 0x10(s0).
bal sym.get_password
move a0, s0
move s2, v0
bnez v0, 0x25f8
lw gp, 0x18(sp)
b 0x2590
lw s1, 0x10(s0)
; Error path with the same shape as above: fixed format string, a2 = sp+0x20,
; result stored at 4(s0), s2 = 8.
lw a1, -0x7fd8(gp)
lw t9, -sym.imp.apr_psprintf(gp)
lw a0, (s0)
addiu a2, sp, 0x20
jalr t9
addiu a1, a1, str.Unable_to_generate_random_bytes:__pm
lw gp, 0x18(sp)
sw v0, 4(s0)
move a0, s1
lw t9, -sym.imp.strlen(gp)
jalr t9
addiu s2, zero, 8
b 0x25e0
lw gp, 0x18(sp)
; crypt(a0 = s1, a1 = s4). A zero (NULL) return branches to 0x2830; otherwise
; arguments for apr_cpystrn are being loaded when the excerpt ends.
; The warning string in a later excerpt states that this algorithm keeps only
; the first 8 characters of the password.
lw t9, -sym.imp.crypt(gp)
move a1, s4
jalr t9
move a0, s1
beqz v0, 0x2830
lw gp, 0x18(sp)
lw a2, 0xc(s0)
lw t9, -sym.imp.apr_cpystrn(gp)
--
; Excerpt 4. Starts and ends mid-routine. Delay slots execute before control
; transfers.
; strcmp(a0 = s0, a1 = return value of a call made before this excerpt);
; equal strings branch to 0x28b4.
lw gp, 0x18(sp)
move a1, v0
lw t9, -sym.imp.strcmp(gp)
jalr t9
move a0, s0
beqz v0, 0x28b4
lw gp, 0x18(sp)
; Zero a buffer: memset(a0 = s5, a1 = 0, a2 = strlen(s1)). The call is present
; in the compiled code, so the wipe was not optimized away.
; NOTE(review): the length is taken from s1 while the destination is s5; the
; excerpt does not show that the s5 buffer is at least that long - confirm.
lw t9, -sym.imp.strlen(gp)
jalr t9
move a0, s1
lw gp, 0x18(sp)
move a2, v0
move a1, zero
lw t9, -sym.imp.memset(gp)
jalr t9
move a0, s5
b 0x25d0
lw gp, 0x18(sp)
; crypt() failure path: read errno through __errno_location (s2 = 3 is set in
; the delay slot), store the value at sp+0x20 in the delay slot of the
; apr_psprintf call, and pass a2 = sp+0x20 with a fixed format string from the
; binary. The formatted message is stored at 4(s0).
lw t9, -sym.imp.__errno_location(gp)
jalr t9
addiu s2, zero, 3
lw gp, 0x18(sp)
lw v0, (v0)
lw a0, (s0)
lw a1, -0x7fd8(gp)
lw t9, -sym.imp.apr_psprintf(gp)
addiu a2, sp, 0x20
addiu a1, a1, str.crypt___failed:__pm
jalr t9
sw v0, 0x20(sp)
lw gp, 0x18(sp)
sw v0, 4(s0)
lw t9, -sym.imp.strlen(gp)
jalr t9
move a0, s1
b 0x25e0
lw gp, 0x18(sp)
; bcrypt failure path: same shape, fixed format string, a2 = sp+0x20, result
; stored at 4(s0), s2 = 3.
lw a1, -0x7fd8(gp)
lw t9, -sym.imp.apr_psprintf(gp)
lw a0, (s0)
addiu a2, sp, 0x20
jalr t9
addiu a1, a1, str.Unable_to_encode_with_bcrypt:__pm
lw gp, 0x18(sp)
sw v0, 4(s0)
move a0, s1
lw t9, -sym.imp.strlen(gp)
jalr t9
addiu s2, zero, 3
b 0x25e0
lw gp, 0x18(sp)
; Truncation warning: apr_file_printf(a0 = word read through the GOT entry at
; loc._edata, a1 = fixed warning string), then continue at 0x2804. Per the
; string, the CRYPT algorithm uses only the first 8 characters of the
; password, so longer passwords gain nothing on that path.
lw v0, -loc._edata(gp)
lw a1, -0x7fd8(gp)
lw t9, -sym.imp.apr_file_printf(gp)
lw a0, (v0)
jalr t9
addiu a1, a1, str.Warning:_Password_truncated_to_8_characters_by_CRYPT_algorithm._n
b 0x2804
lw gp, 0x18(sp)

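[*] Function sprintf used 6 times in htpasswd (all six matches in the listing above are references to the import apr_psprintf, which contains "sprintf" as a substring; no direct call to libc sprintf appears in these excerpts)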