[*] Binary protection state of busybox.suid
Full RELRO Canary found NX disabled PIE enabled No RPATH No RUNPATH No Symbols
[*] Function sprintf tear down of busybox.suid
; assembly | /* r2dec pseudo code output */
| /* /logs/firmware/unblob_extracted/firmware_extract/4325012-58052244.squashfs_v4_le_extract/usr/bin/busybox.suid @ 0x1630 */
| #include <stdint.h>
|
; (fcn) fcn.00001630 () | void fcn_00001630 () {
0x00001630 lui gp, 2 |
0x00001634 addiu gp, gp, -0x5630 |
0x00001638 addu gp, gp, t9 | gp += t9;
0x0000163c addiu sp, sp, -0xb0 |
0x00001640 lw v0, -0x7e6c(gp) | v0 = *((gp - 8091));
0x00001644 lw a3, -0x7f84(gp) | a3 = *((gp - 8161));
0x00001648 sw gp, 0x18(sp) | *(var_18h) = gp;
0x0000164c sw ra, 0xac(sp) | *(var_ach) = ra;
0x00001650 sw fp, 0xa8(sp) | *(var_a8h) = fp;
0x00001654 sw s7, 0xa4(sp) | *(var_a4h) = s7;
0x00001658 sw s6, 0xa0(sp) | *(var_a0h) = s6;
0x0000165c sw s5, 0x9c(sp) | *(var_9ch) = s5;
0x00001660 sw s4, 0x98(sp) | *(var_98h) = s4;
0x00001664 sw s3, 0x94(sp) | *(var_94h) = s3;
0x00001668 sw s2, 0x90(sp) | *(var_90h) = s2;
0x0000166c sw s1, 0x8c(sp) | *(var_8ch) = s1;
0x00001670 sw s0, 0x88(sp) | *(var_88h) = s0;
0x00001674 lw v1, (v0) | v1 = *(v0);
0x00001678 sw v0, 0x20(sp) | *(var_20h) = v0;
0x0000167c lb v0, (a3) | v0 = *(a3);
0x00001680 sw a3, 0x2c(sp) | *(var_2ch) = a3;
0x00001684 sw v1, 0x84(sp) | *(var_84h) = v1;
0x00001688 move s0, a0 | s0 = a0;
| if (v0 == 0) {
0x0000168c beqz v0, 0x18a8 | goto label_1;
| }
0x00001690 move fp, a1 | fp = a1;
0x00001694 move s4, a2 | s4 = a2;
| if (a0 == 0) {
0x00001698 bnez a0, 0x16a4 |
0x0000169c lw s0, -0x7fd0(gp) | s0 = *((gp - 8180));
0x000016a0 addiu s0, s0, 0x2f04 | s0 += 0x2f04;
| }
0x000016a4 move s3, zero | s3 = 0;
| if (s4 != 0) {
0x000016a8 beqz s4, 0x16c0 |
0x000016ac lw t9, -0x7eb4(gp) | t9 = sym.imp.strlen;
0x000016b0 move a0, s4 | a0 = s4;
0x000016b4 jalr t9 | t9 ();
0x000016b8 lw gp, 0x18(sp) | gp = *(var_18h);
0x000016bc move s3, v0 | s3 = v0;
| }
0x000016c0 lw v0, -0x7fbc(gp) | v0 = *((gp - 8175));
0x000016c4 lw s1, -0x7f80(gp) | s1 = *((gp - 8160));
0x000016c8 lw t9, -0x7eb4(gp) | t9 = sym.imp.strlen;
0x000016cc lw a0, (v0) | a0 = *(v0);
0x000016d0 sw v0, 0x24(sp) | *(var_24h) = v0;
0x000016d4 sw s1, 0x28(sp) | *(var_28h) = s1;
0x000016d8 jalr t9 | t9 ();
0x000016dc lw gp, 0x18(sp) | gp = *(var_18h);
0x000016e0 lw a0, (s1) | a0 = *(s1);
0x000016e4 addiu s2, v0, 2 | s2 = v0 + 2;
0x000016e8 lw t9, -0x7eb4(gp) | t9 = sym.imp.strlen;
0x000016ec move s6, v0 | s6 = v0;
0x000016f0 jalr t9 | t9 ();
0x000016f4 addiu a1, zero, 0x50 | a1 = 0x50;
0x000016f8 subu a1, a1, s2 | __asm ("subu a1, a1, s2");
0x000016fc lw gp, 0x18(sp) | gp = *(var_18h);
0x00001700 move s5, v0 | s5 = v0;
| if (a1 > 0) {
0x00001704 blez a1, 0x1750 |
0x00001708 lw t9, -0x7ee0(gp) | t9 = sym.imp.__vsnprintf_chk;
0x0000170c addiu s1, sp, 0x34 | s1 = sp + 0x34;
0x00001710 addu a0, s1, s2 | a0 = s1 + s2;
0x00001714 sw fp, 0x14(sp) | *(var_14h) = fp;
0x00001718 sw s0, 0x10(sp) | *(var_10h) = s0;
0x0000171c addiu a3, zero, -1 | a3 = -1;
0x00001720 addiu a2, zero, 1 | a2 = 1;
0x00001724 jalr t9 | t9 ();
0x00001728 addiu a0, zero, 0x4d | a0 = 0x4d;
0x0000172c subu a0, a0, s5 | __asm ("subu a0, a0, s5");
0x00001730 addu s7, s2, v0 | s7 = s2 + v0;
0x00001734 subu a0, a0, s3 | __asm ("subu a0, a0, s3");
0x00001738 slt a0, s7, a0 | a0 = (s7 < a0) ? 1 : 0;
0x0000173c lw gp, 0x18(sp) | gp = *(var_18h);
0x00001740 sw s1, 0x30(sp) | *(var_30h) = s1;
| if (a0 != 0) {
0x00001744 beqz a0, 0x1750 |
0x00001748 move a0, s1 | a0 = s1;
0x0000174c b 0x17bc |
| }
| } else {
0x00001750 lw t9, -0x7ec8(gp) | t9 = sym.imp.__vasprintf_chk
0x00001754 move a3, fp | a3 = fp;
0x00001758 move a2, s0 | a2 = s0;
0x0000175c addiu a1, zero, 1 | a1 = 1;
0x00001760 addiu a0, sp, 0x30 | a0 = sp + 0x30;
0x00001764 jalr t9 | t9 ();
0x00001768 move s1, v0 | s1 = v0;
0x0000176c lw gp, 0x18(sp) | gp = *(var_18h);
| if (v0 < 0) {
0x00001770 bltz v0, 0x18a8 | goto label_1;
| }
0x00001774 addu s7, s2, v0 | s7 = s2 + v0;
0x00001778 addu a1, s7, s3 | a1 = s7 + s3;
0x0000177c lw t9, -0x7e94(gp) | t9 = sym.imp.realloc;
0x00001780 addu a1, a1, s5 | a1 += s5;
0x00001784 lw a0, 0x30(sp) | a0 = *(var_30h);
0x00001788 addiu a1, a1, 3 | a1 += 3;
0x0000178c jalr t9 | t9 ();
0x00001790 lw gp, 0x18(sp) | gp = *(var_18h);
| if (v0 == 0) {
0x00001794 beqz v0, 0x18f4 | goto label_2;
| }
0x00001798 lw t9, -0x7e5c(gp) | t9 = sym.imp.memmove;
0x0000179c move a2, s1 | a2 = s1;
0x000017a0 addu a0, v0, s2 | a0 = v0 + s2;
0x000017a4 move a1, v0 | a1 = v0;
0x000017a8 sw v0, 0x30(sp) | *(var_30h) = v0;
0x000017ac jalr t9 | t9 ();
0x000017b0 lw gp, 0x18(sp) | gp = *(var_18h);
0x000017b4 lw a0, 0x30(sp) | a0 = *(var_30h);
0x000017b8 addiu s1, sp, 0x34 | s1 = sp + 0x34;
| }
0x000017bc lw v0, 0x24(sp) | v0 = *(var_24h);
0x000017c0 lw t9, -0x7e88(gp) | t9 = sym.imp.strcpy;
0x000017c4 lw a1, (v0) | a1 = *(v0);
0x000017c8 jalr t9 | t9 ();
0x000017cc lw v0, 0x30(sp) | v0 = *(var_30h);
0x000017d0 addiu a2, zero, 0x3a | a2 = 0x3a;
0x000017d4 addu v0, v0, s6 | v0 += s6;
0x000017d8 lw gp, 0x18(sp) | gp = *(var_18h);
0x000017dc sb a2, (v0) | *(v0) = a2;
0x000017e0 lw v0, 0x30(sp) | v0 = *(var_30h);
0x000017e4 addiu a1, zero, 0x20 | a1 = 0x20;
0x000017e8 addu s6, v0, s6 | s6 = v0 + s6;
0x000017ec sb a1, 1(s6) | *((s6 + 1)) = a1;
| if (s4 != 0) {
0x000017f0 beqz s4, 0x1838 |
0x000017f4 lw a0, 0x30(sp) | a0 = *(var_30h);
0x000017f8 lbu v0, (s0) | v0 = *(s0);
0x000017fc addu a0, a0, s7 | a0 += s7;
| if (v0 != 0) {
0x00001800 beqz v0, 0x1824 |
0x00001804 sb a2, (a0) | *(a0) = a2;
0x00001808 lw v0, 0x30(sp) | v0 = *(var_30h);
0x0000180c addiu a0, s7, 1 | a0 = s7 + 1;
0x00001810 addu v0, v0, a0 | v0 += a0;
0x00001814 addiu s7, s7, 2 | s7 += 2;
0x00001818 sb a1, (v0) | *(v0) = a1;
0x0000181c lw a0, 0x30(sp) | a0 = *(var_30h);
0x00001820 addu a0, a0, s7 | a0 += s7;
| }
0x00001824 lw t9, -0x7e88(gp) | t9 = sym.imp.strcpy;
0x00001828 move a1, s4 | a1 = s4;
0x0000182c jalr t9 | t9 ();
0x00001830 lw gp, 0x18(sp) | gp = *(var_18h);
0x00001834 addu s7, s7, s3 | s7 += s3;
| }
0x00001838 lw v0, 0x28(sp) | v0 = *(var_28h);
0x0000183c lw a0, 0x30(sp) | a0 = *(var_30h);
0x00001840 lw t9, -0x7e88(gp) | t9 = sym.imp.strcpy;
0x00001844 lw a1, (v0) | a1 = *(v0);
0x00001848 addu a0, a0, s7 | a0 += s7;
0x0000184c jalr t9 | t9 ();
0x00001850 lw v0, 0x2c(sp) | v0 = *(var_2ch);
0x00001854 addu s5, s7, s5 | s5 = s7 + s5;
0x00001858 lbu v0, (v0) | v0 = *(v0);
0x0000185c andi v0, v0, 1 | v0 &= 1;
0x00001860 lw gp, 0x18(sp) | gp = *(var_18h);
| if (v0 == 0) {
0x00001864 beqz v0, 0x1890 | goto label_3;
| }
0x00001868 lw t9, -0x7f7c(gp) | t9 = *(gp);
| label_0:
0x0000186c bal 0x1e74 | fcn_00001e74 ();
0x00001870 nop |
0x00001874 lw gp, 0x18(sp) | gp = *(var_18h);
0x00001878 lw a1, 0x30(sp) | a1 = *(var_30h);
0x0000187c move a2, s5 | a2 = s5;
0x00001880 lw t9, -0x7f78(gp) | t9 = *(gp);
0x00001884 addiu a0, zero, 2 | a0 = 2;
0x00001888 bal 0x1ee0 | fcn_00001ee0 ();
0x0000188c lw gp, 0x18(sp) | gp = *(var_18h);
| do {
| label_3:
0x00001890 lw a0, 0x30(sp) | a0 = *(var_30h);
0x00001894 lw t9, -0x7e60(gp) | t9 = sym.imp.free;
| if (a0 != s1) {
0x00001898 beq a0, s1, 0x18a8 |
0x0000189c jalr t9 | t9 ();
0x000018a0 nop |
0x000018a4 lw gp, 0x18(sp) | gp = *(var_18h);
| }
| label_1:
0x000018a8 lw v0, 0x20(sp) | v0 = *(var_20h);
0x000018ac lw v1, 0x84(sp) | v1 = *(var_84h);
0x000018b0 lw v0, (v0) | v0 = *(v0);
0x000018b4 lw ra, 0xac(sp) | ra = *(var_ach);
| if (v1 == v0) {
0x000018b8 bne v1, v0, 0x18e8 |
0x000018bc lw fp, 0xa8(sp) | fp = *(var_a8h);
0x000018c0 lw s7, 0xa4(sp) | s7 = *(var_a4h);
0x000018c4 lw s6, 0xa0(sp) | s6 = *(var_a0h);
0x000018c8 lw s5, 0x9c(sp) | s5 = *(var_9ch);
0x000018cc lw s4, 0x98(sp) | s4 = *(var_98h);
0x000018d0 lw s3, 0x94(sp) | s3 = *(var_94h);
0x000018d4 lw s2, 0x90(sp) | s2 = *(var_90h);
0x000018d8 lw s1, 0x8c(sp) | s1 = *(var_8ch);
0x000018dc lw s0, 0x88(sp) | s0 = *(var_88h);
0x000018e0 addiu sp, sp, 0xb0 |
0x000018e4 jr ra | return v0;
| }
0x000018e8 lw t9, -0x7e78(gp) | t9 = sym.imp.__stack_chk_fail;
0x000018ec jalr t9 | t9 ();
0x000018f0 nop |
| label_2:
0x000018f4 lw v0, 0x30(sp) | v0 = *(var_30h);
0x000018f8 addiu v1, zero, 0xa | v1 = 0xa;
0x000018fc addu v0, v0, s1 | v0 += s1;
0x00001900 addiu s5, s1, 1 | s5 = s1 + 1;
0x00001904 sb v1, (v0) | *(v0) = v1;
0x00001908 lw v0, 0x2c(sp) | v0 = *(var_2ch);
0x0000190c lbu v0, (v0) | v0 = *(v0);
0x00001910 andi v0, v0, 1 | v0 &= 1;
0x00001914 addiu s1, sp, 0x34 | s1 = sp + 0x34;
0x00001918 beqz v0, 0x1890 |
| } while (v0 == 0);
0x0000191c lw t9, -0x7f7c(gp) | t9 = *(gp);
0x00001920 b 0x186c | goto label_0;
| }
[*] Function sprintf used 2 times busybox.suid
