[*] Binary protection state of stclient
Full RELRO Canary found NX enabled PIE enabled No RPATH No RUNPATH No Symbols
[*] Function system tear down of stclient
; assembly | /* r2dec pseudo code output */
| /* /logs/firmware/patool_extraction/rootfs.img_unblob_extracted/rootfs.img_extract/0-80367616.squashfs_v4_le_extract/usr/bin/stclient @ 0xab34 */
| #include <stdint.h>
|
; -----------------------------------------------------------------------
; Review notes for the listing at 0xab34 (Thumb-2, offsets are file-relative).
;  * Two functions are merged into this one listing: the first returns at
;    0xaba6, the second starts with its own prologue at 0xabc8 and returns at
;    0xac1a.
;  * The "instructions" at 0xabac-0xabc6 and 0xac28-0xac34 are the literal
;    pools read by the `ldr rX, [pc, imm]` loads, decoded as if they were code.
;  * Both functions store a guard word on entry and XOR it with a fresh load
;    before returning (stack-protector pattern). The mismatch path calls
;    0x3f18, which r2dec labels SSL_CTX_new. That label does not fit a call
;    with no argument setup that is followed directly by pool data; it is
;    presumably __stack_chk_fail, mis-resolved because the binary has no
;    symbols. Verify against the relocation entries.
;  * The absolute addresses in the pseudo-code column are pc + literal-pool
;    ADDRESS (e.g. 0xab46 + 0xabac = 0x156f2), not pc + pool CONTENTS, so they
;    do not identify the real globals. Reading the pool halfwords at 0xabac
;    and 0xabb4 as data (0x6fde, 0x6fd6) would put both bases at 0x11b24;
;    confirm against the raw bytes.
;  * The int16_t types are r2dec placeholders; the code stores full 32-bit
;    registers.
;  * No call in this listing is labelled system.
;
; Function 0xab34 (arg1=r0, arg2=r1, arg3=r2): fills a record at sp+4 and, when
; a global pointer is non-NULL, calls 0x3a30(pointer, 6, sp+4).
;   [sp+0x04] = r5 (loaded through the PC-relative table)
;   [sp+0x08] = arg1            [sp+0x0c] = arg2
;   [sp+0x10] = sp+0x20 (address of a word initialised to 0)
;   [sp+0x14] = PC-relative address
;   [sp+0x18] = 1               [sp+0x1c] = arg3
;   [sp+0x24] = stack guard
; Returns the word at sp+0x18 after the call, or 1 when the call is skipped.
; -----------------------------------------------------------------------
; (fcn) fcn.0000ab34 () | void fcn_0000ab34 (int16_t arg1, int16_t arg2, int16_t arg3) {
| int16_t var_4h_4;
| int16_t var_ch_4;
| int16_t var_10h_6;
| int16_t var_14h_6;
| int16_t var_18h;
| int16_t var_1ch_2;
| int16_t var_20h;
| int16_t var_24h;
| int16_t var_0h;
| int16_t var_8h;
| r0 = arg1;
| r1 = arg2;
| r2 = arg3;
0x0000ab34 push {r4, r5, lr} |
0x0000ab36 sub sp, 0x2c |
0x0000ab38 ldr.w lr, [pc, 0x70] |
0x0000ab3c movs r4, 0 | r4 = 0;
0x0000ab3e ldr.w ip, [pc, 0x70] | ip = *(0xabb2);
0x0000ab42 add lr, pc | lr = 0x156f2;
0x0000ab44 ldr r3, [pc, 0x6c] |
0x0000ab46 ldr.w ip, [lr, ip] |
0x0000ab4a add r3, pc | r3 = 0x15702;
0x0000ab4c ldr.w ip, [ip] | ip = *(0x156f2);
; Guard word saved at sp+0x24; ip is zeroed on the next line before reuse.
0x0000ab50 str.w ip, [sp, 0x24] | __asm ("str.w ip, [var_24h]");
0x0000ab54 mov.w ip, 0 |
0x0000ab58 ldr.w ip, [pc, 0x5c] | ip = *(0xabb8);
0x0000ab5c str r4, [sp, 0x20] | var_20h = r4;
0x0000ab5e ldr.w r5, [r3, ip] | r5 = *(0x15702);
0x0000ab62 ldr r3, [pc, 0x58] |
0x0000ab64 ldr.w ip, [pc, 0x58] |
0x0000ab68 str r2, [sp, 0x1c] | var_1ch_2 = r2;
; The instruction is r2 = sp + 0x20 (an address); the pseudo-code "+=" is wrong.
0x0000ab6a add r2, sp, 0x20 | r2 += var_20h;
0x0000ab6c add r3, pc | r3 = 0x1572e;
0x0000ab6e strd r5, r0, [sp, 4] | __asm ("strd r5, r0, [sp, 4]");
0x0000ab72 ldr r4, [r3] | r4 = *(0x1572e);
0x0000ab74 add ip, pc | ip = 0x15738;
0x0000ab76 movs r0, 1 | r0 = 1;
0x0000ab78 str.w ip, [sp, 0x14] | __asm ("str.w ip, [var_14h_6]");
0x0000ab7c str r1, [sp, 0xc] | var_ch_4 = r1;
0x0000ab7e str r2, [sp, 0x10] | var_10h_6 = r2;
0x0000ab80 str r0, [sp, 0x18] | var_18h = r0;
; r4 is the global pointer loaded at 0xab72; the call is skipped when it is NULL.
| if (r4 != 0) {
0x0000ab82 cbz r4, 0xab90 |
; As above: r2 = sp + 4, the address of the record, not an addition.
0x0000ab84 add r2, sp, 4 | r2 += var_4h_4;
0x0000ab86 movs r1, 6 | r1 = 6;
0x0000ab88 mov r0, r4 | r0 = r4;
0x0000ab8a blx 0x3a30 | fcn_00003a30 ();
; Return value is re-read from the record, so the callee can change it.
0x0000ab8e ldr r0, [sp, 0x18] | r0 = var_18h;
| }
; Guard check: reload the reference word and XOR it with the saved copy.
0x0000ab90 ldr r2, [pc, 0x30] |
0x0000ab92 ldr r3, [pc, 0x1c] | r3 = *(0xabb2);
0x0000ab94 add r2, pc | r2 = 0x1575c;
0x0000ab96 ldr r3, [r2, r3] | r3 = *(0x1575c);
0x0000ab98 ldr r2, [r3] | r2 = *(0x1575c);
0x0000ab9a ldr r3, [sp, 0x24] | r3 = var_24h;
0x0000ab9c eors r2, r3 | r2 ^= r3;
0x0000ab9e mov.w r3, 0 | r3 = 0;
| if (r2 == r3) {
0x0000aba2 bne 0xaba8 |
0x0000aba4 add sp, 0x2c |
0x0000aba6 pop {r4, r5, pc} |
| }
; Guard-mismatch path only. NOTE(review): the SSL_CTX_new label is presumably a
; mis-resolved import; nothing after this call is code of this function.
0x0000aba8 blx 0x3f18 | SSL_CTX_new ();
; 0xabac-0xabc6: literal pool for the function above (data, not instructions).
0x0000abac ldr r6, [r3, 0x7c] | r6 = *((r3 + 0x7c));
0x0000abae movs r0, r0 |
0x0000abb0 lsls r0, r1, 0x12 | r0 = r1 << 0x12;
0x0000abb2 movs r0, r0 |
0x0000abb4 ldr r6, [r2, 0x7c] | r6 = *((r2 + 0x7c));
0x0000abb6 movs r0, r0 |
0x0000abb8 lsls r0, r7, 0x12 | r0 = r7 << 0x12;
0x0000abba movs r0, r0 |
0x0000abbc strb r0, [r7, 0x18] | *((r7 + 0x18)) = r0;
0x0000abbe movs r0, r0 |
0x0000abc0 adds r0, r7, r7 | r0 = r7 + r7;
0x0000abc2 movs r0, r0 |
0x0000abc4 ldr r4, [r1, 0x78] | r4 = *((r1 + 0x78));
0x0000abc6 movs r0, r0 |
; -----------------------------------------------------------------------
; Second function, entry 0xabc8 (one argument in r0). Record built at sp:
;   [sp+0x00] = PC-relative address   [sp+0x04] = argument
;   [sp+0x08] = 1                     [sp+0x0c] = stack guard
; When the global pointer loaded at 0xabf2 is non-NULL it calls
; 0x3a30(pointer, 7, sp) and returns the word at sp+8; otherwise it returns 1.
; -----------------------------------------------------------------------
0x0000abc8 push {lr} |
0x0000abca sub sp, 0x14 |
0x0000abcc ldr.w lr, [pc, 0x58] |
0x0000abd0 movs r3, 1 | r3 = 1;
0x0000abd2 ldr.w ip, [pc, 0x58] | ip = *(0xac2e);
0x0000abd6 add lr, pc | lr = 0x15802;
0x0000abd8 ldr r1, [pc, 0x54] |
0x0000abda ldr r2, [pc, 0x58] |
0x0000abdc ldr.w ip, [lr, ip] |
0x0000abe0 add r1, pc | r1 = 0x15814;
0x0000abe2 add r2, pc | r2 = 0x1581c;
0x0000abe4 ldr.w ip, [ip] | ip = *(0x15802);
; Guard word saved at sp+0xc.
0x0000abe8 str.w ip, [sp, 0xc] | __asm ("str.w ip, [sp, 0xc]");
0x0000abec mov.w ip, 0 |
0x0000abf0 str r0, [sp, 4] | *((sp + 4)) = r0;
0x0000abf2 ldr r0, [r1] | r0 = *(0x15814);
0x0000abf4 str r2, [sp] | *(sp) = r2;
0x0000abf6 str r3, [sp, 8] | var_8h = r3;
| if (r0 == 0) {
0x0000abf8 cbz r0, 0xac1e | goto label_0;
| }
0x0000abfa mov r2, sp | r2 = sp;
0x0000abfc movs r1, 7 | r1 = 7;
0x0000abfe blx 0x3a30 | fcn_00003a30 ();
0x0000ac02 ldr r0, [sp, 8] | r0 = var_8h;
; Not a real loop: r2dec emits do/while because label_0 branches back to 0xac04.
| do {
0x0000ac04 ldr r2, [pc, 0x30] |
0x0000ac06 ldr r3, [pc, 0x24] | r3 = *(0xac2e);
0x0000ac08 add r2, pc | r2 = 0x15844;
0x0000ac0a ldr r3, [r2, r3] | r3 = *(0x15844);
0x0000ac0c ldr r2, [r3] | r2 = *(0x15844);
0x0000ac0e ldr r3, [sp, 0xc] | r3 = *((sp + 0xc));
0x0000ac10 eors r2, r3 | r2 ^= r3;
0x0000ac12 mov.w r3, 0 | r3 = 0;
| if (r2 != r3) {
0x0000ac16 bne 0xac22 | goto label_1;
| }
0x0000ac18 add sp, 0x14 |
0x0000ac1a ldr pc, [sp], 4 | pc = *(sp);
| sp += 4;
| label_0:
; NULL-pointer path: r3 still holds 1 from 0xabd0, so the function returns 1.
0x0000ac1e mov r0, r3 | r0 = r3;
0x0000ac20 b 0xac04 |
| } while (1);
| label_1:
; Guard-mismatch path; same presumably mis-resolved label as at 0xaba8.
0x0000ac22 blx 0x3f18 | SSL_CTX_new ();
; 0xac26 pads to the literal pool at 0xac28; the words from there on are data,
; which is why r2 reports "invalid" at 0xac34.
0x0000ac26 nop |
0x0000ac28 ldr r2, [r1, 0x74] | r2 = *((r1 + 0x74));
0x0000ac2a movs r0, r0 |
0x0000ac2c lsls r0, r1, 0x12 | r0 = r1 << 0x12;
0x0000ac2e movs r0, r0 |
0x0000ac30 strb r4, [r0, 0x17] | *((r0 + 0x17)) = r4;
0x0000ac32 movs r0, r0 |
0x0000ac34 invalid |
| }
; assembly | /* r2dec pseudo code output */
| /* /logs/firmware/patool_extraction/rootfs.img_unblob_extracted/rootfs.img_extract/0-80367616.squashfs_v4_le_extract/usr/bin/stclient @ 0xaccc */
| #include <stdint.h>
|
; -----------------------------------------------------------------------
; Review notes for the listing at 0xaccc (offsets are file-relative).
;  * The first word is decoded in ARM mode (`addlt fp, r5, r0, lsl 10`) while
;    the rest is Thumb. Read as Thumb, the same four bytes are `push {lr}`
;    followed by `sub sp, 0x14`, which matches the epilogue at 0xad28/0xad2a.
;    The `if (? >= ?)` line is an artefact of that mis-decoding.
;  * The import labels do not fit their call sites. 0x3f00 ("stack_chk_fail")
;    is called with r0=3, r1=1 and two more arguments, and execution continues
;    after it. 0x3f18 ("SSL_CTX_new") is reached only when the stack-guard
;    comparison fails. The names are presumably mis-resolved because the binary
;    has no symbols; 0x3f00 looks like a logging-style call (assumption). Check
;    both against the relocation entries before relying on any name here.
;  * No call in this listing is labelled system.
;  * 0xad38-0xad4a is the literal pool read by the `ldr rX, [pc, imm]` loads,
;    decoded as if it were code.
;  * The absolute addresses in the pseudo-code column are r2dec estimates and
;    should be treated as unverified.
;
; Flow, with r0 on entry passed through as the first argument:
;   rc = fcn_0000a9a8(r0, sp+4, sp+8)      ; both words pre-set to 0
;   if rc == 0:
;       r3 = [sp+8] ? *([sp+8] + 8) : <PC-relative constant>
;       call 0x3f00(3, 1, <PC-relative constant>, r3)
;       call 0x39c4([sp+8])
;   return [sp+4]
; -----------------------------------------------------------------------
; (fcn) fcn.0000accc () | void fcn_0000accc () {
| int16_t var_4h;
| int16_t var_8h;
| int16_t var_ch;
| if (? >= ?) {
; Mis-decoded prologue (see notes above); not a conditional add.
0x0000accc addlt fp, r5, r0, lsl 10 |
| }
0x0000acd0 ldr.w lr, [pc, 0x64] |
0x0000acd4 movs r3, 0 | r3 = 0;
; r2 = sp + 8 and r1 = sp + 4 are addresses of output words; "+=" is wrong.
0x0000acd6 add r2, sp, 8 | r2 += var_8h;
0x0000acd8 add r1, sp, 4 | r1 += var_4h;
0x0000acda ldr.w ip, [pc, 0x60] | ip = *(0xad3e);
0x0000acde add lr, pc | lr = 0x15a1a;
0x0000ace0 ldr.w ip, [lr, ip] |
0x0000ace4 ldr.w ip, [ip] | ip = *(0x15a1a);
; Guard word saved at sp+0xc.
0x0000ace8 str.w ip, [sp, 0xc] | __asm ("str.w ip, [var_ch]");
0x0000acec mov.w ip, 0 |
; Zeroes both output words, [sp+4] and [sp+8], before the call.
0x0000acf0 strd r3, r3, [sp, 4] | __asm ("strd r3, r3, [var_8h]");
0x0000acf4 bl 0xa9a8 | r0 = fcn_0000a9a8 (r0, r1, r2);
; A non-zero result skips the two calls below and goes straight to the return path.
| if (r0 != 0) {
0x0000acf8 cbnz r0, 0xad12 | goto label_0;
| }
0x0000acfa ldr r3, [sp, 8] | r3 = var_8h;
| if (r3 == 0) {
0x0000acfc cbz r3, 0xad2e | goto label_1;
| }
; The pointer was NULL-checked just above; this reads the field at offset 8.
0x0000acfe ldr r3, [r3, 8] | r3 = *((r3 + 8));
; Not a real loop: r2dec emits do/while because label_1 branches back to 0xad00.
| do {
0x0000ad00 ldr r2, [pc, 0x3c] |
0x0000ad02 movs r0, 3 | r0 = 3;
0x0000ad04 movs r1, 1 | r1 = 1;
0x0000ad06 add r2, pc | r2 = 0x15a4a;
; NOTE(review): four-argument call that returns, so the label is presumably wrong.
0x0000ad08 blx 0x3f00 | stack_chk_fail ();
; 0x39c4 also receives [sp+8] on the NULL path (label_1 rejoins at 0xad00).
; Whether that is safe depends on what 0x39c4 is, which is unresolved here.
0x0000ad0c ldr r0, [sp, 8] | r0 = var_8h;
0x0000ad0e blx 0x39c4 | fcn_000039c4 ();
| label_0:
; Common exit: r0 = [sp+4] is the return value, followed by the guard check.
0x0000ad12 ldr r2, [pc, 0x30] |
0x0000ad14 ldr r3, [pc, 0x24] | r3 = *(0xad3c);
0x0000ad16 ldr r0, [sp, 4] | r0 = var_4h;
0x0000ad18 add r2, pc | r2 = 0x15a62;
0x0000ad1a ldr r3, [r2, r3] | r3 = *(0x15a62);
0x0000ad1c ldr r2, [r3] | r2 = *(0x15a62);
0x0000ad1e ldr r3, [sp, 0xc] | r3 = var_ch;
0x0000ad20 eors r2, r3 | r2 ^= r3;
0x0000ad22 mov.w r3, 0 | r3 = 0;
| if (r2 != r3) {
0x0000ad26 bne 0xad34 | goto label_2;
| }
0x0000ad28 add sp, 0x14 |
0x0000ad2a ldr pc, [sp], 4 | pc = *(sp);
| sp += 4;
| label_1:
; [sp+8] was NULL: use a PC-relative constant as the fourth argument instead.
0x0000ad2e ldr r3, [pc, 0x18] |
0x0000ad30 add r3, pc | r3 = 0x15a7e;
0x0000ad32 b 0xad00 |
| } while (1);
| label_2:
; Guard-mismatch path only; presumably __stack_chk_fail rather than SSL_CTX_new.
0x0000ad34 blx 0x3f18 | SSL_CTX_new ();
; 0xad38-0xad4a: literal pool (data, not instructions).
0x0000ad38 ldr r2, [r0, 0x64] | r2 = *((r0 + 0x64));
0x0000ad3a movs r0, r0 |
0x0000ad3c lsls r0, r1, 0x12 | r0 = r1 << 0x12;
0x0000ad3e movs r0, r0 |
0x0000ad40 cmp r6, r0 |
0x0000ad42 movs r0, r0 |
0x0000ad44 ldr r0, [r1, 0x60] | r0 = *((r1 + 0x60));
0x0000ad46 movs r0, r0 |
0x0000ad48 add ip, r6 |
0x0000ad4a movs r0, r0 |
| }
[*] Function system used 1 times stclient