[*] Binary protection state of stclient
Full RELRO Canary found NX disabled PIE enabled No RPATH No RUNPATH No Symbols
[*] Function sprintf tear down of stclient
; assembly | /* r2dec pseudo code output */
| /* /logs/firmware/unblob_extracted/firmware_extract/4325012-58052244.squashfs_v4_le_extract/usr/bin/stclient @ 0x1381c */
| #include <stdint.h>
|
; (fcn) sym.psk_create () | void psk_create () {
0x0001381c lui gp, 2 |
0x00013820 addiu gp, gp, 0x844 |
0x00013824 addu gp, gp, t9 | gp += t9;
0x00013828 addiu sp, sp, -0x158 |
0x0001382c lw a0, -0x7fbc(gp) | a0 = *((gp - 8175));
0x00013830 sw s5, 0x144(sp) | *(var_144h) = s5;
0x00013834 lw s5, -0x7904(gp) | s5 = *((gp - 7745));
0x00013838 sw gp, 0x20(sp) | *(var_20h) = gp;
0x0001383c sw ra, 0x154(sp) | *(var_154h) = ra;
0x00013840 sw fp, 0x150(sp) | *(var_150h) = fp;
0x00013844 sw s7, 0x14c(sp) | *(var_14ch) = s7;
0x00013848 sw s6, 0x148(sp) | *(var_148h) = s6;
0x0001384c sw s4, 0x140(sp) | *(var_140h) = s4;
0x00013850 sw s3, 0x13c(sp) | *(var_13ch) = s3;
0x00013854 sw s2, 0x138(sp) | *(var_138h) = s2;
0x00013858 sw s1, 0x134(sp) | *(var_134h) = s1;
0x0001385c sw s0, 0x130(sp) | *(var_130h) = s0;
0x00013860 lw v0, (s5) | v0 = *(s5);
0x00013864 lw t9, -0x7e60(gp) | t9 = sym.utilscommandsource_read_bootblock_param;
0x00013868 addiu a2, sp, 0x38 | a2 = sp + 0x38;
0x0001386c addiu a1, sp, 0x34 | a1 = sp + 0x34;
| /* str.AXISNSKEY */
0x00013870 addiu a0, a0, -0x5c20 | a0 += -0x5c20;
0x00013874 sw v0, 0x12c(sp) | *(var_12ch) = v0;
0x00013878 sw zero, 0x34(sp) | *(var_34h) = 0;
0x0001387c sw zero, 0x38(sp) | *(var_38h) = 0;
0x00013880 bal 0x12cfc | sym_utilscommandsource_read_bootblock_param ();
0x00013884 nop |
0x00013888 lw gp, 0x20(sp) | gp = *(var_20h);
| if (v0 == 0) {
0x0001388c beqz v0, 0x13b8c | goto label_0;
| }
0x00013890 lw s0, 0x34(sp) | s0 = *(var_34h);
0x00013894 lb a0, (s0) | a0 = *(s0);
0x00013898 move s1, zero | s1 = 0;
| if (a0 == 0) {
0x0001389c beqz a0, 0x138c8 | goto label_1;
| }
0x000138a0 lw t9, -0x79f4(gp) | t9 = sym.imp.g_ascii_tolower;
| do {
0x000138a4 addiu s1, s1, 1 | s1++;
0x000138a8 jalr t9 | t9 ();
0x000138ac lw gp, 0x20(sp) | gp = *(var_20h);
0x000138b0 sb v0, (s0) | *(s0) = v0;
0x000138b4 lw s0, 0x34(sp) | s0 = *(var_34h);
0x000138b8 addu s0, s0, s1 | s0 += s1;
0x000138bc lb a0, (s0) | a0 = *(s0);
0x000138c0 lw t9, -0x79f4(gp) | t9 = sym.imp.g_ascii_tolower;
0x000138c4 bnez a0, 0x138a4 |
| } while (a0 != 0);
| label_1:
0x000138c8 lw s4, -0x7fd8(gp) | s4 = *(gp);
0x000138cc addiu s3, sp, 0xac | s3 = sp + 0xac;
| /* fcn.000137b0 */
0x000138d0 addiu t9, s4, 0x37b0 | t9 = s4 + 0x37b0;
0x000138d4 sw t9, 0x28(sp) | *(var_28h_2) = t9;
0x000138d8 bal 0x137b0 | fcn_000137b0 ();
0x000138dc lw gp, 0x20(sp) | gp = *(var_20h);
0x000138e0 addiu a1, zero, 0x80 | a1 = 0x80;
0x000138e4 move a0, s3 | a0 = s3;
0x000138e8 lw t9, -0x7958(gp) | t9 = sym.imp.RAND_bytes;
0x000138ec move s0, v0 | s0 = v0;
0x000138f0 jalr t9 | t9 ();
0x000138f4 lw gp, 0x20(sp) | gp = *(var_20h);
0x000138f8 move a0, s0 | a0 = s0;
0x000138fc addiu a2, zero, 0x80 | a2 = 0x80;
0x00013900 lw t9, -0x7d30(gp) | t9 = sym.imp.EVP_DigestUpdate;
0x00013904 move a1, s3 | a1 = s3;
0x00013908 jalr t9 | t9 ();
0x0001390c lw gp, 0x20(sp) | gp = *(var_20h);
0x00013910 addiu v0, sp, 0x40 | v0 = sp + 0x40;
0x00013914 addiu s7, sp, 0x6c | s7 = sp + 0x6c;
0x00013918 lw t9, -0x7c84(gp) | t9 = sym.imp.EVP_DigestFinal;
0x0001391c move a0, s0 | a0 = s0;
0x00013920 move a2, v0 | a2 = v0;
0x00013924 move a1, s7 | a1 = s7;
0x00013928 sw v0, 0x2c(sp) | *(var_2ch_2) = v0;
0x0001392c lw s1, -0x7fbc(gp) | s1 = *((gp - 8175));
0x00013930 sw zero, 0x40(sp) | *(var_40h) = 0;
0x00013934 jalr t9 | t9 ();
0x00013938 lw gp, 0x20(sp) | gp = *(var_20h);
0x0001393c move a0, s0 | a0 = s0;
0x00013940 addiu s6, sp, 0x80 | s6 = sp + 0x80;
0x00013944 lw t9, -0x7c64(gp) | t9 = sym.imp.EVP_MD_CTX_free;
0x00013948 move fp, s7 | fp = s7;
0x0001394c jalr t9 | t9 ();
0x00013950 lw gp, 0x20(sp) | gp = *(var_20h);
0x00013954 move s4, s6 | s4 = s6;
0x00013958 addiu s2, sp, 0xa8 | s2 = sp + 0xa8;
| /* str._02x */
0x0001395c addiu s0, s1, -0x5c0c | s0 = s1 + -0x5c0c;
| do {
0x00013960 lw t9, -0x7a60(gp) | t9 = sym.imp.g_sprintf
0x00013964 lbu a2, (fp) | a2 = *(fp);
0x00013968 move a0, s4 | a0 = s4;
0x0001396c move a1, s0 | a1 = s0;
0x00013970 addiu s4, s4, 2 | s4 += 2;
0x00013974 jalr t9 | t9 ();
0x00013978 addiu fp, fp, 1 | fp++;
0x0001397c lw gp, 0x20(sp) | gp = *(var_20h);
0x00013980 bne s2, s4, 0x13960 |
| } while (s2 != s4);
0x00013984 lw v0, -0x7fbc(gp) | v0 = *((gp - 8175));
0x00013988 lw t9, 0x28(sp) | t9 = *(var_28h_2);
0x0001398c sw zero, 0x3c(sp) | *(var_3ch_2) = 0;
0x00013990 lw v0, -0x5bf0(v0) | v0 = *((v0 - 5884));
0x00013994 lw s0, 0x34(sp) | s0 = *(var_34h);
0x00013998 sw v0, 0xac(sp) | *(var_ach) = v0;
0x0001399c jalr t9 | t9 ();
0x000139a0 lw gp, 0x20(sp) | gp = *(var_20h);
0x000139a4 addiu a2, zero, 4 | a2 = 4;
0x000139a8 move a1, s3 | a1 = s3;
0x000139ac lw t9, -0x7d30(gp) | t9 = sym.imp.EVP_DigestUpdate;
0x000139b0 move a0, v0 | a0 = v0;
0x000139b4 move s2, v0 | s2 = v0;
0x000139b8 jalr t9 | t9 ();
0x000139bc lw gp, 0x20(sp) | gp = *(var_20h);
0x000139c0 move a0, s0 | a0 = s0;
0x000139c4 lw t9, -0x79a4(gp) | t9 = sym.imp.strlen;
| /* str._02x */
0x000139c8 addiu s1, s1, -0x5c0c | s1 += -0x5c0c;
0x000139cc jalr t9 | t9 ();
0x000139d0 lw gp, 0x20(sp) | gp = *(var_20h);
0x000139d4 move a1, s0 | a1 = s0;
0x000139d8 move a0, s2 | a0 = s2;
0x000139dc lw t9, -0x7d30(gp) | t9 = sym.imp.EVP_DigestUpdate;
0x000139e0 move a2, v0 | a2 = v0;
0x000139e4 jalr t9 | t9 ();
0x000139e8 lw gp, 0x20(sp) | gp = *(var_20h);
0x000139ec move a0, s2 | a0 = s2;
0x000139f0 addiu a2, zero, 4 | a2 = 4;
0x000139f4 lw t9, -0x7d30(gp) | t9 = sym.imp.EVP_DigestUpdate;
0x000139f8 addiu a1, sp, 0x3c | a1 = sp + 0x3c;
0x000139fc jalr t9 | t9 ();
0x00013a00 lw gp, 0x20(sp) | gp = *(var_20h);
0x00013a04 lw s4, 0x2c(sp) | s4 = *(var_2ch_2);
0x00013a08 addiu s0, sp, 0x44 | s0 = sp + 0x44;
0x00013a0c lw t9, -0x7c84(gp) | t9 = sym.imp.EVP_DigestFinal;
0x00013a10 move a2, s4 | a2 = s4;
0x00013a14 move a1, s0 | a1 = s0;
0x00013a18 move a0, s2 | a0 = s2;
0x00013a1c sw zero, 0x40(sp) | *(var_40h) = 0;
0x00013a20 jalr t9 | t9 ();
0x00013a24 lw gp, 0x20(sp) | gp = *(var_20h);
0x00013a28 lw t9, -0x7c64(gp) | t9 = sym.imp.EVP_MD_CTX_free;
0x00013a2c move a0, s2 | a0 = s2;
0x00013a30 jalr t9 | t9 ();
0x00013a34 lw t9, 0x28(sp) | t9 = *(var_28h_2);
0x00013a38 jalr t9 | t9 ();
0x00013a3c nop |
0x00013a40 lw gp, 0x20(sp) | gp = *(var_20h);
0x00013a44 move a1, s0 | a1 = s0;
0x00013a48 addiu a2, zero, 0x14 | a2 = 0x14;
0x00013a4c lw t9, -0x7d30(gp) | t9 = sym.imp.EVP_DigestUpdate;
0x00013a50 move a0, v0 | a0 = v0;
0x00013a54 move s2, v0 | s2 = v0;
0x00013a58 jalr t9 | t9 ();
0x00013a5c lw gp, 0x20(sp) | gp = *(var_20h);
0x00013a60 lw t9, -0x79a4(gp) | t9 = sym.imp.strlen;
0x00013a64 move a0, s6 | a0 = s6;
0x00013a68 jalr t9 | t9 ();
0x00013a6c lw gp, 0x20(sp) | gp = *(var_20h);
0x00013a70 move a0, s2 | a0 = s2;
0x00013a74 move a2, v0 | a2 = v0;
0x00013a78 lw t9, -0x7d30(gp) | t9 = sym.imp.EVP_DigestUpdate;
0x00013a7c move a1, s6 | a1 = s6;
0x00013a80 jalr t9 | t9 ();
0x00013a84 lw gp, 0x20(sp) | gp = *(var_20h);
0x00013a88 move a2, s4 | a2 = s4;
0x00013a8c addiu s4, sp, 0x58 | s4 = sp + 0x58;
0x00013a90 lw t9, -0x7c84(gp) | t9 = sym.imp.EVP_DigestFinal;
0x00013a94 move a1, s4 | a1 = s4;
0x00013a98 move a0, s2 | a0 = s2;
0x00013a9c sw zero, 0x40(sp) | *(var_40h) = 0;
0x00013aa0 jalr t9 | t9 ();
0x00013aa4 lw gp, 0x20(sp) | gp = *(var_20h);
0x00013aa8 move a0, s2 | a0 = s2;
0x00013aac lw t9, -0x7c64(gp) | t9 = sym.imp.EVP_MD_CTX_free;
0x00013ab0 move s2, s7 | s2 = s7;
0x00013ab4 jalr t9 | t9 ();
0x00013ab8 lw gp, 0x20(sp) | gp = *(var_20h);
0x00013abc lw t9, -0x7954(gp) | t9 = sym.imp.EVP_sha1;
0x00013ac0 jalr t9 | t9 ();
0x00013ac4 nop |
0x00013ac8 lw gp, 0x20(sp) | gp = *(var_20h);
0x00013acc addiu v1, zero, 0x14 | v1 = 0x14;
0x00013ad0 move a3, s4 | a3 = s4;
0x00013ad4 lw t9, -0x7c90(gp) | t9 = sym.imp.HMAC;
0x00013ad8 move a1, s0 | a1 = s0;
0x00013adc sw zero, 0x18(sp) | *(var_18h_2) = 0;
0x00013ae0 sw s7, 0x14(sp) | *(var_14h) = s7;
0x00013ae4 sw v1, 0x10(sp) | *(var_10h) = v1;
0x00013ae8 addiu a2, zero, 0x14 | a2 = 0x14;
0x00013aec move a0, v0 | a0 = v0;
0x00013af0 jalr t9 | t9 ();
0x00013af4 lw gp, 0x20(sp) | gp = *(var_20h);
0x00013af8 move s0, s3 | s0 = s3;
0x00013afc addiu s4, sp, 0xd4 | s4 = sp + 0xd4;
| do {
0x00013b00 lw t9, -0x7a60(gp) | t9 = sym.imp.g_sprintf
0x00013b04 lbu a2, (s2) | a2 = *(s2);
0x00013b08 move a0, s0 | a0 = s0;
0x00013b0c move a1, s1 | a1 = s1;
0x00013b10 addiu s0, s0, 2 | s0 += 2;
0x00013b14 jalr t9 | t9 ();
0x00013b18 addiu s2, s2, 1 | s2++;
0x00013b1c lw gp, 0x20(sp) | gp = *(var_20h);
0x00013b20 bne s4, s0, 0x13b00 |
| } while (s4 != s0);
0x00013b24 lw t9, -0x7b00(gp) | t9 = sym.imp.g_free;
0x00013b28 lw a0, 0x34(sp) | a0 = *(var_34h);
0x00013b2c jalr t9 | t9 ();
0x00013b30 lw gp, 0x20(sp) | gp = *(var_20h);
0x00013b34 move a2, s3 | a2 = s3;
0x00013b38 move a1, s6 | a1 = s6;
0x00013b3c lw a0, -0x7fbc(gp) | a0 = *((gp - 8175));
0x00013b40 lw t9, -0x79fc(gp) | t9 = sym.imp.g_strdup_printf;
| /* str.nonce_spsk_s */
0x00013b44 addiu a0, a0, -0x5c04 | a0 += -0x5c04;
0x00013b48 jalr t9 | t9 ();
0x00013b4c lw gp, 0x20(sp) | gp = *(var_20h);
| do {
0x00013b50 lw a0, 0x12c(sp) | a0 = *(var_12ch);
0x00013b54 lw v1, (s5) | v1 = *(s5);
0x00013b58 lw ra, 0x154(sp) | ra = *(var_154h);
| if (a0 != v1) {
0x00013b5c bne a0, v1, 0x13bd4 | goto label_2;
| }
0x00013b60 lw fp, 0x150(sp) | fp = *(var_150h);
0x00013b64 lw s7, 0x14c(sp) | s7 = *(var_14ch);
0x00013b68 lw s6, 0x148(sp) | s6 = *(var_148h);
0x00013b6c lw s5, 0x144(sp) | s5 = *(var_144h);
0x00013b70 lw s4, 0x140(sp) | s4 = *(var_140h);
0x00013b74 lw s3, 0x13c(sp) | s3 = *(var_13ch);
0x00013b78 lw s2, 0x138(sp) | s2 = *(var_138h);
0x00013b7c lw s1, 0x134(sp) | s1 = *(var_134h);
0x00013b80 lw s0, 0x130(sp) | s0 = *(var_130h);
0x00013b84 addiu sp, sp, 0x158 |
0x00013b88 jr ra | return v0;
| label_0:
0x00013b8c lw v0, 0x38(sp) | v0 = *(var_38h);
0x00013b90 lw a3, -0x7fd8(gp) | a3 = *(gp);
0x00013b94 lw a1, -0x7fbc(gp) | a1 = *((gp - 8175));
0x00013b98 lw v0, 8(v0) | v0 = *((v0 + 2));
0x00013b9c lw t9, -0x7f68(gp) | t9 = sym.logsyslog;
0x00013ba0 sw v0, 0x10(sp) | *(var_10h) = v0;
| /* str.Failed_to_read_bootblock_parameter:__s */
0x00013ba4 addiu a3, a3, 0x7f34 | a3 += 0x7f34;
0x00013ba8 addiu a2, zero, 0x82 | a2 = 0x82;
| /* str.psk.c */
0x00013bac addiu a1, a1, -0x5c14 | a1 += -0x5c14;
0x00013bb0 addiu a0, zero, 3 | a0 = 3;
0x00013bb4 bal 0x13be0 | sym_logsyslog ();
0x00013bb8 lw gp, 0x20(sp) | gp = *(var_20h);
0x00013bbc lw t9, -0x78dc(gp) | t9 = sym.imp.g_error_free;
0x00013bc0 lw a0, 0x38(sp) | a0 = *(var_38h);
0x00013bc4 jalr t9 | t9 ();
0x00013bc8 lw gp, 0x20(sp) | gp = *(var_20h);
0x00013bcc move v0, zero | v0 = 0;
0x00013bd0 b 0x13b50 |
| } while (1);
| label_2:
0x00013bd4 lw t9, -0x7ae4(gp) | t9 = sym.imp.__stack_chk_fail;
0x00013bd8 jalr t9 | t9 ();
0x00013bdc nop |
| }
[*] Function sprintf used 3 times stclient
