[*] Binary protection state of scp.openssh
Full RELRO Canary found NX enabled PIE enabled No RPATH No RUNPATH No Symbols
[*] Function sprintf tear down of scp.openssh
addiu s4, sp, 0x54
addiu v0, v0, 0x42d0
addiu fp, sp, 0x5c
b 0x63c0
sw v0, 0x40(sp)
lw a0, 0x54(sp)
beqz a0, 0x6268
lw t9, -sym.okname(gp)
bal sym.okname
nop
beqz v0, 0x6650
lw gp, 0x20(sp)
lw v0, 0x58(sp)
beqz v0, 0x6670
lw v0, -obj.throughlocal(gp)
lw v0, (v0)
beqz v0, 0x643c
lw v0, 0x74(sp)
lw v0, 0x5c(sp)
addiu a0, zero, 0x2d
lb a1, (v0)
beq a1, a0, 0x6298
lw a3, 0x48(sp)
lw a3, 0x3c(sp)
lw a1, -0x7fd4(gp)
lw t9, -sym.xasprintf(gp)
lw a2, -obj.cmd(gp)
addiu s6, sp, 0x60
addiu a1, a1, 0x29dc
move a0, s6
lw s3, -obj.remout(gp)
lw s2, -obj.remin(gp)
bal sym.xasprintf
sw v0, 0x10(sp)
lw gp, 0x20(sp)
lw a3, 0x60(sp)
lw a2, 0x70(sp)
lw t9, -sym.do_cmd(gp)
lw a1, 0x54(sp)
lw a0, 0x58(sp)
sw s3, 0x14(sp)
bal sym.do_cmd
sw s2, 0x10(sp)
bltz v0, 0x68b0
lw gp, 0x20(sp)
lw t9, -sym.imp.free(gp)
jalr t9
lw a0, 0x60(sp)
lw v0, 0x6c(sp)
addiu a0, zero, 0x2d
lb a1, (v0)
beq a1, a0, 0x676c
lw gp, 0x20(sp)
lw a3, 0x3c(sp)
lw v1, 0x44(sp)
lw t9, -sym.xasprintf(gp)
lw a2, -obj.cmd(gp)
addiu a1, v1, 0x29e8
move a0, s6
bal sym.xasprintf
sw v0, 0x10(sp)
lw gp, 0x20(sp)
lw t4, (s3)
lw v0, (s2)
lw t9, -sym.do_cmd2(gp)
lw a3, 0x60(sp)
lw a2, 0x74(sp)
lw a1, 0x64(sp)
lw a0, 0x68(sp)
sw t4, 0x14(sp)
bal sym.do_cmd2
sw v0, 0x10(sp)
bltz v0, 0x68b0
lw gp, 0x20(sp)
lw t9, -sym.imp.free(gp)
jalr t9
--
beqz v0, 0x639c
lw gp, 0x20(sp)
lw v0, -obj.errs(gp)
addiu a0, zero, 1
b 0x639c
sw a0, (v0)
lw s2, -obj.errs(gp)
lw t9, -0x7f7c(gp)
addiu a1, zero, 1
bal 0x1d880
lw a0, (s2)
lw gp, 0x20(sp)
b 0x639c
sw v0, (s2)
lw s2, -obj.remin(gp)
addiu v0, zero, -1
lw a0, (s2)
bne a0, v0, 0x6708
lw v0, 0x6c(sp)
addiu a0, zero, 0x2d
lb a1, (v0)
beq a1, a0, 0x6698
lw a3, 0x48(sp)
lw a3, 0x3c(sp)
lw v1, 0x44(sp)
lw t9, -sym.xasprintf(gp)
lw a2, -obj.cmd(gp)
addiu a1, v1, 0x29e8
addiu a0, sp, 0x60
bal sym.xasprintf
sw v0, 0x10(sp)
lw gp, 0x20(sp)
lw a3, 0x60(sp)
lw a2, 0x74(sp)
lw v0, -obj.remout(gp)
lw t9, -sym.do_cmd(gp)
lw a1, 0x64(sp)
lw a0, 0x68(sp)
sw v0, 0x14(sp)
bal sym.do_cmd
sw s2, 0x10(sp)
bltz v0, 0x68b0
lw gp, 0x20(sp)
lw t9, -sym.response(gp)
bal sym.response
nop
--
sw a0, 0x38(sp)
sw v1, 0x28(sp)
move a0, zero
addiu s7, sp, 0x54
addiu s6, sp, 0x48
addiu s5, sp, 0x50
addiu fp, sp, 0x4c
b 0x8854
sw v0, 0x3c(sp)
lw a0, 0x50(sp)
beqz a0, 0x8794
lw t9, -sym.okname(gp)
bal sym.okname
nop
beqz v0, 0x89b0
lw gp, 0x18(sp)
lw v0, 0x48(sp)
beqz v0, 0x88d0
lw v0, 0x4c(sp)
addiu v1, zero, 0x2d
lb a0, (v0)
beq a0, v1, 0x87b4
lw a3, 0x30(sp)
lw a3, 0x2c(sp)
lw v1, 0x24(sp)
lw t9, -sym.xasprintf(gp)
lw a2, -obj.cmd(gp)
addiu a1, v1, 0x29dc
addiu a0, sp, 0x44
lw s2, -obj.remout(gp)
lw s1, -obj.remin(gp)
bal sym.xasprintf
sw v0, 0x10(sp)
lw gp, 0x18(sp)
lw a3, 0x44(sp)
lw a2, 0x54(sp)
lw t9, -sym.do_cmd(gp)
lw a1, 0x50(sp)
lw a0, 0x48(sp)
sw s2, 0x14(sp)
bal sym.do_cmd
sw s1, 0x10(sp)
bltz v0, 0x8a48
lw gp, 0x18(sp)
lw t9, -sym.imp.free(gp)
jalr t9
--
addiu sp, sp, 0x30
lw v0, -0x7fd4(gp)
lw a1, -0x7fd4(gp)
addiu v0, v0, 0x3484
lw a0, -0x7fd4(gp)
sw v0, 0x18(sp)
lw t9, -sym.sshfatal(gp)
addiu v0, zero, 1
sw zero, 0x14(sp)
sw v0, 0x10(sp)
move a3, zero
addiu a2, zero, 0x69
addiu a1, a1, 0x34b0
bal sym.sshfatal
addiu a0, a0, 0x3354
lui gp, 3
addiu gp, gp, 0x2854
addu gp, gp, t9
addiu sp, sp, -0x28
addiu v0, sp, 0x30
sw s0, 0x20(sp)
lw s0, -0x7bfc(gp)
sw gp, 0x10(sp)
sw ra, 0x24(sp)
lw v1, (s0)
lw t9, -sym.xvasprintf(gp)
sw a2, 0x30(sp)
sw v1, 0x1c(sp)
sw a3, 0x34(sp)
sw v0, 0x18(sp)
bal sym.xvasprintf
move a2, v0
lw a0, 0x1c(sp)
lw v1, (s0)
bne a0, v1, 0xb880
lw gp, 0x10(sp)
lw ra, 0x24(sp)
lw s0, 0x20(sp)
jr ra
addiu sp, sp, 0x28
lw t9, -sym.imp.__stack_chk_fail(gp)
jalr t9
nop
nop
lui gp, 3
addiu gp, gp, 0x27e0
--
lw t9, -sym.imp.strlen(gp)
jalr t9
move a0, s3
bnez v0, 0xef40
lw gp, 0x20(sp)
lw a3, -0x7fd4(gp)
addiu a3, a3, 0x35a8
b 0xeeb4
addiu s0, s1, 1
lw t9, -sym.imp.getpwuid(gp)
jalr t9
move a0, s3
beqz v0, 0xefa8
lw gp, 0x20(sp)
lw s3, 0x14(v0)
lw t9, -sym.imp.strlen(gp)
jalr t9
move a0, s3
bnez v0, 0xef20
lw gp, 0x20(sp)
lw a3, -0x7fd4(gp)
addiu a3, a3, 0x35a8
bnel s1, zero, 0xeeb4
addiu s0, s1, 1
lw a1, -0x7fd4(gp)
lw t9, -sym.xasprintf(gp)
sw s0, 0x10(sp)
move a2, s3
addiu a1, a1, 0x2cac
bal sym.xasprintf
addiu a0, sp, 0x28
slti v0, v0, 0x1000
beqz v0, 0xef70
lw gp, 0x20(sp)
lw v0, 0x28(sp)
lw a0, 0xac(sp)
lw v1, (s2)
bne a0, v1, 0xef64
lw ra, 0xc4(sp)
lw s4, 0xc0(sp)
lw s3, 0xbc(sp)
lw s2, 0xb8(sp)
lw s1, 0xb4(sp)
lw s0, 0xb0(sp)
jr ra
addiu sp, sp, 0xc8
--
jr ra
addiu sp, sp, 0x48
lw a0, -0x7fd4(gp)
lw t9, -sym.xstrdup(gp)
bal sym.xstrdup
addiu a0, a0, 0x3c04
move s4, v0
b 0xf4e8
lw gp, 0x18(sp)
lw t9, -sym.imp.__stack_chk_fail(gp)
jalr t9
nop
lui gp, 3
addiu gp, gp, -0x14d8
addu gp, gp, t9
addiu sp, sp, -0x40
move v1, a2
sw s1, 0x34(sp)
lw s1, -0x7bfc(gp)
sw gp, 0x18(sp)
sw s2, 0x38(sp)
sw s0, 0x30(sp)
sw ra, 0x3c(sp)
lw v0, (s1)
addiu a2, sp, 0x4c
lw t9, -sym.xvasprintf(gp)
move s0, a0
sw a2, 0x20(sp)
move s2, a1
sw a3, 0x4c(sp)
move a1, v1
addiu a0, sp, 0x24
sw v0, 0x2c(sp)
bal sym.xvasprintf
nop
lw a2, (s0)
beqz a2, 0xf634
lw gp, 0x18(sp)
lb v0, (a2)
beqz v0, 0xf638
lw t9, -sym.imp.free(gp)
beql s2, zero, 0xf650
lw s2, -0x7fd4(gp)
lw a1, -0x7fd4(gp)
lw v0, 0x24(sp)
lw t9, -sym.xasprintf(gp)
move a3, s2
addiu a1, a1, 0x2cac
addiu a0, sp, 0x28
bal sym.xasprintf
sw v0, 0x10(sp)
lw gp, 0x18(sp)
lw t9, -sym.imp.free(gp)
jalr t9
lw a0, 0x24(sp)
lw gp, 0x18(sp)
lw t9, -sym.imp.free(gp)
jalr t9
lw a0, (s0)
lw v0, 0x28(sp)
lw gp, 0x18(sp)
sw v0, (s0)
lw v1, 0x2c(sp)
lw v0, (s1)
bne v1, v0, 0xf658
lw ra, 0x3c(sp)
[*] Function sprintf used 8 times scp.openssh
