[*] Binary protection state of sshd
Full RELRO Canary found NX enabled PIE enabled No RPATH No RUNPATH No Symbols
[*] Function sprintf tear down of sshd
; assembly | /* r2dec pseudo code output */
| /* /logs/firmware/patool_extraction/rootfs.img_unblob_extracted/rootfs.img_extract/0-80367616.squashfs_v4_le_extract/usr/sbin/sshd @ 0x453b0 */
| #include <stdint.h>
|
; (fcn) fcn.000453b0 () | void fcn_000453b0 (int16_t arg1, int16_t arg2) {
| int16_t var_0h;
| int16_t var_4h;
| r0 = arg1;
| r1 = arg2;
0x000453b0 push.w {r4, r5, r6, r7, r8, sb, sl, fp, lr} |
0x000453b4 sub sp, 0xc |
0x000453b6 mov fp, r1 |
0x000453b8 mov r5, r0 | r5 = r0;
0x000453ba blx 0x56e8 | readlink ();
0x000453be blx 0x567c | r0 = DSA_SIG_free ();
0x000453c2 cmp.w r0, 0x196 |
| if (r0 != 0x196) {
0x000453c6 bne.w 0x4557c | goto label_1;
| }
0x000453ca mov r1, fp | r1 = fp;
0x000453cc mov r0, r5 | r0 = r5;
0x000453ce blx 0x5968 | r0 = fcn_00005968 ();
0x000453d2 mov sb, r0 | sb = r0;
0x000453d4 cmp r0, 0 |
| if (r0 != 0) {
0x000453d6 bne.w 0x4557c | goto label_1;
| }
0x000453da blx 0x6238 | r0 = fcn_00006238 ();
0x000453de mov r6, r0 | r6 = r0;
0x000453e0 cmp r0, 0 |
| if (r0 == 0) {
0x000453e2 beq.w 0x455a4 | goto label_2;
| }
0x000453e6 blx 0x6238 | r0 = fcn_00006238 ();
0x000453ea mov r7, r0 | r7 = r0;
0x000453ec cmp r0, 0 |
| if (r0 == 0) {
0x000453ee beq.w 0x455b2 | goto label_3;
| }
0x000453f2 blx 0x6238 | r0 = fcn_00006238 ();
0x000453f6 mov r4, r0 | r4 = r0;
0x000453f8 cmp r0, 0 |
| if (r0 == 0) {
0x000453fa beq.w 0x455be | goto label_4;
| }
0x000453fe blx 0x6238 | r0 = fcn_00006238 ();
0x00045402 mov r8, r0 | r8 = r0;
0x00045404 cmp r0, 0 |
| if (r0 == 0) {
0x00045406 beq.w 0x455c8 | goto label_5;
| }
0x0004540a mov r2, sb | r2 = sb;
0x0004540c mov r1, r4 | r1 = r4;
0x0004540e mov r0, r5 | r0 = r5;
0x00045410 blx 0x54f4 | r0 = fcn_000054f4 ();
0x00045412 ldrd r2, r8, [r0], -4 | __asm ("ldrd r2, r8, [r0], -4");
| if (r0 != 0) {
0x00045416 bne.w 0x45572 | goto label_6;
| }
0x0004541a mov r3, r7 | r3 = r7;
0x0004541c mov r2, r6 | r2 = r6;
0x0004541e mov r1, fp | r1 = fp;
0x00045420 mov r0, r5 | r0 = r5;
0x00045422 str.w sb, [sp] | __asm ("str.w sb, [sp]");
0x00045426 blx 0x56f4 | r0 = prctl ();
0x0004542a cmp r0, 1 |
| if (r0 != 1) {
0x0004542c bne.w 0x45572 | goto label_6;
| }
0x00045430 mov r0, r6 | r0 = r6;
0x00045432 blx 0x6074 | r0 = fcn_00006074 ();
0x00045436 mov sl, r0 | sl = r0;
0x00045438 mov r0, r4 | r0 = r4;
0x0004543a blx 0x6074 | r0 = fcn_00006074 ();
0x0004543e add.w r0, r0, r0, lsr 31 | r0 += (r0 >> 31);
0x00045442 cmp.w sl, r0, asr 1 |
| if (sl <= r0) {
0x00045446 ble.w 0x4559a | goto label_7;
| }
0x0004544a mov r0, r7 | r0 = r7;
0x0004544c blx 0x6074 | r0 = fcn_00006074 ();
0x00045450 mov sl, r0 | sl = r0;
0x00045452 mov r0, r4 | r0 = r4;
0x00045454 blx 0x6074 | r0 = fcn_00006074 ();
0x00045458 add.w r0, r0, r0, lsr 31 | r0 += (r0 >> 31);
0x0004545c cmp.w sl, r0, asr 1 |
| if (sl <= r0) {
0x00045460 ble.w 0x4559a | goto label_7;
| }
0x00045464 mov r0, r5 | r0 = r5;
0x00045466 blx 0x56dc | r0 = EC_POINT_get_affine_coordinates_GFp ();
0x0004546a mov sl, r0 | sl = r0;
0x0004546c cmp r0, 0 |
| if (r0 == 0) {
0x0004546e beq.w 0x455d0 | goto label_8;
| }
0x00045472 movs r2, 0 | r2 = 0;
0x00045474 mov r1, r0 | r1 = r0;
0x00045476 mov r3, fp | r3 = fp;
0x00045478 mov r0, r5 | r0 = r5;
0x0004547a str r4, [sp] | *(sp) = r4;
0x0004547c str r2, [sp, 4] | var_4h = r2;
0x0004547e blx 0x5cdc | r0 = asprintf_chk ()
0x00045482 cmp r0, 1 |
| if (r0 != 1) {
0x00045484 bne.w 0x4558e | goto label_9;
| }
0x00045488 mov r0, r5 | r0 = r5;
0x0004548a mov r1, sl | r1 = sl;
0x0004548c blx 0x5968 | r0 = fcn_00005968 ();
0x00045490 cmp r0, 1 |
| if (r0 != 1) {
0x00045492 bne 0x45594 | goto label_10;
| }
0x00045494 blx 0x52d8 | fcn_000052d8 ();
0x00045498 mov r1, r4 | r1 = r4;
0x0004549a mov r2, r0 | r2 = r0;
0x0004549c mov r0, r8 | r0 = r8;
0x0004549e blx 0x53fc | r0 = fcn_000053fc ();
0x000454a2 cmp r0, 0 |
| if (r0 == 0) {
0x000454a4 beq 0x4558e | goto label_9;
| }
0x000454a6 mov r1, r8 | r1 = r8;
0x000454a8 mov r0, r6 | r0 = r6;
0x000454aa blx 0x5d00 | r0 = EVP_chacha20 ();
0x000454ae cmp r0, 0 |
| if (r0 >= 0) {
0x000454b0 bge 0x45594 | goto label_10;
| }
0x000454b2 mov r1, r8 | r1 = r8;
0x000454b4 mov r0, r7 | r0 = r7;
0x000454b6 blx 0x5d00 | r0 = EVP_chacha20 ();
0x000454ba cmp r0, 0 |
| if (r0 >= 0) {
0x000454bc bge 0x45594 | goto label_10;
| }
| do {
| label_0:
0x000454be mov r0, r6 | r0 = r6;
0x000454c0 blx 0x5bb0 | setgid ();
0x000454c4 mov r0, r7 | r0 = r7;
0x000454c6 blx 0x5bb0 | setgid ();
0x000454ca mov r0, r4 | r0 = r4;
0x000454cc blx 0x5bb0 | setgid ();
0x000454d0 mov r0, r8 | r0 = r8;
0x000454d2 blx 0x5bb0 | setgid ();
0x000454d6 mov r0, sl | r0 = sl;
0x000454d8 blx 0x53e4 | fcn_000053e4 ();
0x000454dc mov r0, sb | r0 = sb;
0x000454de add sp, 0xc |
0x000454e0 movs r1, 0 | r1 = 0;
0x000454e2 movs r2, 0 | r2 = 0;
0x000454e4 movs r3, 0 | r3 = 0;
0x000454e6 mov.w ip, 0 |
0x000454e8 lsrs r0, r0, 0x10 | r0 >>= 0x10;
0x000454ea mov.w lr, 0 | lr = 0;
0x000454ec lsrs r0, r0, 0x18 | r0 >>= 0x18;
0x000454ee vldr s0, [pc, 0xe8] | __asm ("vldr s0, [fcn.000455dc]");
0x000454f2 vldr s1, [pc, 0xe4] | __asm ("vldr s1, [fcn.000455dc]");
0x000454f6 vldr s2, [pc, 0xe0] | __asm ("vldr s2, [fcn.000455dc]");
0x000454fa vldr s3, [pc, 0xdc] | __asm ("vldr s3, [fcn.000455dc]");
0x000454fe vldr s4, [pc, 0xd8] | __asm ("vldr s4, [fcn.000455dc]");
0x00045502 vldr s5, [pc, 0xd4] | __asm ("vldr s5, [fcn.000455dc]");
0x00045506 vldr s6, [pc, 0xd0] | __asm ("vldr s6, [fcn.000455dc]");
0x0004550a vldr s7, [pc, 0xcc] | __asm ("vldr s7, [fcn.000455dc]");
0x0004550e vldr s8, [pc, 0xc8] | __asm ("vldr s8, [fcn.000455dc]");
0x00045512 vldr s9, [pc, 0xc4] | __asm ("vldr s9, [fcn.000455dc]");
0x00045516 vldr s10, [pc, 0xc0] | __asm ("vldr s10, [fcn.000455dc]");
0x0004551a vldr s11, [pc, 0xbc] | __asm ("vldr s11, [fcn.000455dc]");
0x0004551e vldr s12, [pc, 0xb8] | __asm ("vldr s12, [fcn.000455dc]");
0x00045522 vldr s13, [pc, 0xb4] | __asm ("vldr s13, [fcn.000455dc]");
0x00045526 vldr s14, [pc, 0xb0] | __asm ("vldr s14, [fcn.000455dc]");
0x0004552a vldr s15, [pc, 0xac] | __asm ("vldr s15, [fcn.000455dc]");
0x0004552e vmov.i32 d16, 0 | __asm ("vmov.i32 d16, 0");
0x00045532 vmov.i32 d17, 0 | __asm ("vmov.i32 d17, 0");
0x00045536 vmov.i32 d18, 0 | __asm ("vmov.i32 d18, 0");
0x0004553a vmov.i32 d19, 0 | __asm ("vmov.i32 d19, 0");
0x0004553e vmov.i32 d20, 0 | __asm ("vmov.i32 d20, 0");
0x00045542 vmov.i32 d21, 0 | __asm ("vmov.i32 d21, 0");
0x00045546 vmov.i32 d22, 0 | __asm ("vmov.i32 d22, 0");
0x0004554a vmov.i32 d23, 0 | __asm ("vmov.i32 d23, 0");
0x0004554e vmov.i32 d24, 0 | __asm ("vmov.i32 d24, 0");
0x00045552 vmov.i32 d25, 0 | __asm ("vmov.i32 d25, 0");
0x00045556 vmov.i32 d26, 0 | __asm ("vmov.i32 d26, 0");
0x0004555a vmov.i32 d27, 0 | __asm ("vmov.i32 d27, 0");
0x0004555e vmov.i32 d28, 0 | __asm ("vmov.i32 d28, 0");
0x00045562 vmov.i32 d29, 0 | __asm ("vmov.i32 d29, 0");
0x00045566 vmov.i32 d30, 0 | __asm ("vmov.i32 d30, 0");
0x0004556a vmov.i32 d31, 0 | __asm ("vmov.i32 d31, 0");
0x0004556e pop.w {r4, r5, r6, r7, r8, sb, sl, fp, pc} |
| label_6:
0x00045572 mvn sb, 0x15 | sb = ~0x15;
0x00045576 mov.w sl, 0 | sl = 0;
0x0004557a b 0x454be |
| } while (1);
| label_1:
0x0004557c mov.w r8, 0 | r8 = 0;
0x00045580 mvn sb, 0x13 | sb = ~0x13;
0x00045584 mov r7, r8 | r7 = r8;
0x00045586 mov r6, r8 | r6 = r8;
0x00045588 mov r4, r8 | r4 = r8;
0x0004558a mov sl, r8 | sl = r8;
0x0004558c b 0x454be | goto label_0;
| label_9:
0x0004558e mvn sb, 0x15 | sb = ~0x15;
0x00045592 b 0x454be | goto label_0;
| label_10:
0x00045594 mvn sb, 0x13 | sb = ~0x13;
0x00045598 b 0x454be | goto label_0;
| label_7:
0x0004559a mvn sb, 0x13 | sb = ~0x13;
0x0004559e mov.w sl, 0 | sl = 0;
0x000455a2 b 0x454be | goto label_0;
| label_2:
0x000455a4 mov r8, r0 | r8 = r0;
0x000455a6 mov r7, r0 | r7 = r0;
0x000455a8 mov r4, r0 | r4 = r0;
0x000455aa mov sl, r0 | sl = r0;
0x000455ac mvn sb, 1 | sb = ~1;
0x000455b0 b 0x454be | goto label_0;
| label_3:
0x000455b2 mov r8, r0 | r8 = r0;
0x000455b4 mov r4, r0 | r4 = r0;
0x000455b6 mov sl, r0 | sl = r0;
0x000455b8 mvn sb, 1 | sb = ~1;
0x000455bc b 0x454be | goto label_0;
| label_4:
0x000455be mov r8, r0 | r8 = r0;
0x000455c0 mov sl, r0 | sl = r0;
0x000455c2 mvn sb, 1 | sb = ~1;
0x000455c6 b 0x454be | goto label_0;
| label_5:
0x000455c8 mov sl, r0 | sl = r0;
0x000455ca mvn sb, 1 | sb = ~1;
0x000455ce b 0x454be | goto label_0;
| label_8:
0x000455d0 mvn sb, 1 | sb = ~1;
0x000455d4 b 0x454be | goto label_0;
| }
[*] Function sprintf used 2 times sshd
