[*] Binary protection state of httpd
Full RELRO Canary found NX enabled PIE enabled No RPATH No RUNPATH No Symbols
[*] Function sprintf tear down of httpd
; assembly | /* r2dec pseudo code output */
| /* /logs/firmware/patool_extraction/rootfs.img_unblob_extracted/rootfs.img_extract/0-80367616.squashfs_v4_le_extract/usr/sbin/httpd @ 0x36e14 */
| #include <stdint.h>
|
; (fcn) sym.ap_error_log2stderr () | void ap_error_log2stderr (int16_t arg1) {
| int16_t var_0h;
| int16_t var_4h;
| r0 = arg1;
0x00036e14 ldr.w ip, [pc, 0x50] |
0x00036e18 movs r2, 0 | r2 = 0;
0x00036e1a ldr r1, [pc, 0x50] | r1 = *(0x36e6e);
0x00036e1c push {r4, lr} |
0x00036e1e mov r4, r0 | r4 = r0;
0x00036e20 add ip, pc | ip = 0x6dc8c;
0x00036e22 ldr r3, [r4] | r3 = *(r4);
0x00036e24 sub sp, 8 |
0x00036e26 ldr.w r1, [ip, r1] |
0x00036e2a mov r0, sp | r0 = sp;
0x00036e2c ldr r1, [r1] | r1 = *(0x6dc8c);
0x00036e2e str r1, [sp, 4] | var_4h = r1;
0x00036e30 mov.w r1, 0 | r1 = 0;
0x00036e34 ldr r1, [r3] | r1 = *(r3);
0x00036e36 str r2, [sp] | *(sp) = r2;
0x00036e38 blx 0x17f90 | apr_pvsprintf ()
0x00036e3c ldr r0, [r4, 0xc] | r0 = *((r4 + 0xc));
| if (r0 != 0) {
0x00036e3e cbz r0, 0x36e4a |
0x00036e40 ldr r3, [r4] | r3 = *(r4);
0x00036e42 ldr r1, [sp] | r1 = *(sp);
0x00036e44 ldr r2, [r3] | r2 = *(r3);
0x00036e46 blx 0x18330 | fcn_00018330 ();
| }
0x00036e4a ldr r2, [pc, 0x24] |
0x00036e4c ldr r3, [pc, 0x1c] | r3 = *(0x36e6c);
0x00036e4e add r2, pc | r2 = 0x6dcc4;
0x00036e50 ldr r3, [r2, r3] | r3 = *(0x6dcc4);
0x00036e52 ldr r2, [r3] | r2 = *(0x6dcc4);
0x00036e54 ldr r3, [sp, 4] | r3 = var_4h;
0x00036e56 eors r2, r3 | r2 ^= r3;
0x00036e58 mov.w r3, 0 | r3 = 0;
| if (r2 == r3) {
0x00036e5c bne 0x36e62 |
0x00036e5e add sp, 8 |
0x00036e60 pop {r4, pc} |
| }
0x00036e62 blx 0x1845c | fcn_0001845c ();
0x00036e66 nop |
0x00036e68 ldrb r0, [r3, 0xc] | r0 = *((r3 + 0xc));
0x00036e6a movs r2, r0 | r2 = r0;
0x00036e6c lsls r0, r5, 0x18 | r0 = r5 << 0x18;
0x00036e6e movs r0, r0 |
0x00036e70 ldrb r2, [r5, 0xb] | r2 = *((r5 + 0xb));
0x00036e72 movs r2, r0 | r2 = r0;
| }
; assembly | /* r2dec pseudo code output */
| /* /logs/firmware/patool_extraction/rootfs.img_unblob_extracted/rootfs.img_extract/0-80367616.squashfs_v4_le_extract/usr/sbin/httpd @ 0x37b98 */
| #include <stdint.h>
|
; (fcn) sym.ap_replace_stderr_log () | void ap_replace_stderr_log (int16_t arg_300h, int16_t arg_328h, int16_t arg1, int16_t arg2) {
| int16_t var_0h_2;
| int16_t var_4h_2;
| int16_t var_8h_2;
| int16_t var_ch;
| int16_t var_10h_3;
| int16_t var_18h_4;
| int16_t var_1ch;
| r0 = arg1;
| r1 = arg2;
0x00037b98 blmi 0x11ca4b4 | __asm ("blmi aav.0x00026d98");
0x00037b9c push {r4, r5, r6, r7, lr} |
0x00037b9e sub sp, 0x24 |
0x00037ba0 add r2, pc | r2 += pc;
0x00037ba2 ldr r6, [pc, 0x114] |
0x00037ba4 mov r7, r1 | r7 = r1;
0x00037ba6 mov r5, r0 | r5 = r0;
0x00037ba8 ldr r3, [r2, r3] | r3 = *((r2 + r3));
0x00037baa add r6, pc | r6 = 0x6f868;
0x00037bac ldr r3, [r3] | r3 = *(r3);
0x00037bae str r3, [sp, 0x1c] | var_1ch = r3;
0x00037bb0 mov.w r3, 0 | r3 = 0;
0x00037bb4 bl 0x3571c | r0 = ap_server_root_relative ();
0x00037bb8 mov r1, r0 | r1 = r0;
0x00037bba cmp r0, 0 |
| if (r0 == 0) {
0x00037bbc beq 0x37c84 | goto label_2;
| }
0x00037bbe movw r3, 0xfff | r3 = 0xfff;
0x00037bc2 movw r2, 0x400e | r2 = 0x400e;
0x00037bc6 add r0, sp, 0x18 | r0 += var_18h_4;
0x00037bc8 str r5, [sp] | *(sp) = r5;
0x00037bca blx 0x17fa8 | r0 = apr_procattr_error_check_set ();
0x00037bce mov r4, r0 | r4 = r0;
0x00037bd0 cmp r0, 0 |
| if (r0 != 0) {
0x00037bd2 bne 0x37c58 | goto label_3;
| }
0x00037bd4 ldr r3, [pc, 0xe4] |
0x00037bd6 add r3, pc | r3 = 0x6f896;
0x00037bd8 ldr r1, [r3, 0x10] | r1 = *(0x6f8a6);
0x00037bda cmp r1, 0 |
| if (r1 == 0) {
0x00037bdc beq 0x37c52 | goto label_4;
| }
| label_1:
0x00037bde ldr r6, [pc, 0xe0] |
0x00037be0 add r6, pc | r6 = 0x6f8a6;
0x00037be2 adds r0, r6, 4 | r0 = r6 + 4;
0x00037be4 blx 0x17f90 | r0 = apr_pvsprintf ()
0x00037be8 mov r4, r0 | r4 = r0;
0x00037bea cbz r0, 0x37c2c |
| while (r0 != 0) {
0x00037bec ldr r3, [r6, 0x10] | r3 = *((r6 + 0x10));
0x00037bee movs r2, 0 | r2 = 0;
0x00037bf0 ldr r1, [pc, 0xd0] |
0x00037bf2 ldr r0, [pc, 0xd4] |
0x00037bf4 cmp r5, r3 |
0x00037bf6 it eq |
| if (r5 != r3) {
0x00037bf8 moveq r3, 0 | r3 = 0;
| }
0x00037bfa add r1, pc | r1 = 0x6f8c2;
0x00037bfc it eq |
| if (r5 != r3) {
0x00037bfe streq r3, [r6, 0x10] | *((r6 + 0x10)) = r3;
| }
0x00037c00 add r0, pc | r0 = 0x6f8ce;
0x00037c02 str r1, [sp, 8] | var_8h_2 = r1;
0x00037c04 movs r3, 2 | r3 = 2;
0x00037c06 mov.w r1, 0x124 | r1 = 0x124;
0x00037c0a strd r4, r2, [sp] | __asm ("strd r4, r2, [sp]");
0x00037c0e bl 0x37b38 | ap_log_error_ ();
| label_0:
0x00037c12 ldr r2, [pc, 0xb8] |
0x00037c14 ldr r3, [pc, 0x9c] | r3 = *(0x37cb4);
0x00037c16 add r2, pc | r2 = 0x6f8e8;
0x00037c18 ldr r3, [r2, r3] | r3 = *(0x6f8e8);
0x00037c1a ldr r2, [r3] | r2 = *(0x6f8e8);
0x00037c1c ldr r3, [sp, 0x1c] | r3 = var_1ch;
0x00037c1e eors r2, r3 | r2 ^= r3;
0x00037c20 mov.w r3, 0 | r3 = 0;
| if (r2 != r3) {
0x00037c24 bne 0x37caa | goto label_5;
| }
0x00037c26 mov r0, r4 | r0 = r4;
0x00037c28 add sp, 0x24 |
0x00037c2a pop {r4, r5, r6, r7, pc} |
0x00037c2c ldr r0, [r6, 4] | r0 = *((r6 + 4));
0x00037c2e blx 0x178b0 | fcn_000178b0 ();
0x00037c32 ldr r2, [r6, 0x10] | r2 = *((r6 + 0x10));
0x00037c34 ldr r1, [sp, 0x18] | r1 = var_18h_4;
0x00037c36 ldr r0, [r6, 4] | r0 = *((r6 + 4));
0x00037c38 blx 0x18330 | r0 = fcn_00018330 ();
0x00037c3c mov r4, r0 | r4 = r0;
0x00037c3e cmp r0, 0 |
0x00037c40 bne 0x37bec |
| }
0x00037c42 ldr r0, [sp, 0x18] | r0 = var_18h_4;
0x00037c44 blx 0x188b4 | fcn_000188b4 ();
0x00037c48 ldr r3, [r6, 0x10] | r3 = *((r6 + 0x10));
0x00037c4a cmp r5, r3 |
0x00037c4c it eq |
| if (r5 != r3) {
0x00037c4e streq r4, [r6, 0x10] | *((r6 + 0x10)) = r4;
| }
0x00037c50 b 0x37c12 | goto label_0;
| label_4:
0x00037c52 mov r1, r5 | r1 = r5;
0x00037c54 str r5, [r3, 0x10] | *((r3 + 0x10)) = r5;
0x00037c56 b 0x37bde | goto label_1;
| label_3:
0x00037c58 ldr r1, [pc, 0x74] |
0x00037c5a ldr r2, [pc, 0x78] |
0x00037c5c str r7, [sp, 0x10] | var_10h_3 = r7;
0x00037c5e ldr r1, [r6, r1] | r1 = *((r6 + r1));
0x00037c60 add r2, pc | r2 = 0x6f93a;
0x00037c62 ldr r3, [pc, 0x74] | r3 = *(0x37cda);
0x00037c64 str r2, [sp, 8] | var_8h_2 = r2;
0x00037c66 ldr r2, [r1] | r2 = *(0x37cd0);
0x00037c68 ldr r0, [pc, 0x70] |
0x00037c6a str r2, [sp, 0xc] | var_ch = r2;
0x00037c6c movs r2, 0 | r2 = 0;
0x00037c6e ldr r1, [r6, r3] | r1 = *((r6 + r3));
0x00037c70 add r0, pc | r0 = 0x6f950;
0x00037c72 str r4, [sp] | *(sp) = r4;
0x00037c74 movs r3, 0x40 | r3 = 0x40;
0x00037c76 ldr r1, [r1] | r1 = *(0x37cd0);
0x00037c78 str r1, [sp, 4] | var_4h_2 = r1;
0x00037c7a movw r1, 0x103 | r1 = 0x103;
0x00037c7e bl 0x37b38 | ap_log_error_ ();
0x00037c82 b 0x37c12 | goto label_0;
| label_2:
0x00037c84 ldr r0, [pc, 0x58] |
0x00037c86 movw r4, 0x4e38 | r4 = 0x4e38;
0x00037c8a ldr r3, [pc, 0x4c] | r3 = *(0x37cda);
0x00037c8c mov r2, r1 | r2 = r1;
0x00037c8e str r7, [sp, 0xc] | var_ch = r7;
0x00037c90 movs r1, 0xfb | r1 = 0xfb;
0x00037c92 add r0, pc |
0x00037c94 str r0, [sp, 8] | var_8h_2 = r0;
0x00037c96 ldr r0, [r6, r3] | r0 = *((r6 + r3));
0x00037c98 movs r3, 0x42 | r3 = 0x42;
0x00037c9a str r4, [sp] | *(sp) = r4;
0x00037c9c ldr r0, [r0] | r0 = *(0x6f976);
0x00037c9e str r0, [sp, 4] | var_4h_2 = r0;
0x00037ca0 ldr r0, [pc, 0x40] |
0x00037ca2 add r0, pc | r0 = 0x6f98a;
0x00037ca4 bl 0x37b38 | ap_log_error_ ();
0x00037ca8 b 0x37c12 | goto label_0;
| label_5:
0x00037caa blx 0x1845c | fcn_0001845c ();
0x00037cae nop |
0x00037cb0 ldr r0, [r3, 0x58] | r0 = *((r3 + 0x58));
0x00037cb2 movs r2, r0 | r2 = r0;
0x00037cb4 lsls r0, r5, 0x18 | r0 = r5 << 0x18;
0x00037cb6 movs r0, r0 |
0x00037cb8 ldr r6, [r1, 0x58] | r6 = *((r1 + 0x58));
0x00037cba movs r2, r0 | r2 = r0;
0x00037cbc add r0, sp, 0x328 | r0 += arg_328h;
0x00037cbe movs r2, r0 | r2 = r0;
0x00037cc0 add r0, sp, 0x300 | r0 += arg_300h;
0x00037cc2 movs r2, r0 | r2 = r0;
0x00037cc4 stm r4!, {r1, r2, r3, r6, r7} | *(r4!) = r1;
| *((r4! + 4)) = r2;
| *((r4! + 8)) = r3;
| *((r4! + 12)) = r6;
| *((r4! + 16)) = r7;
0x00037cc6 movs r1, r0 | r1 = r0;
0x00037cc8 stm r4!, {r6} | *(r4!) = r6;
0x00037cca movs r1, r0 | r1 = r0;
0x00037ccc ldr r2, [r4, 0x50] | r2 = *((r4 + 0x50));
0x00037cce movs r2, r0 | r2 = r0;
0x00037cd0 lsls r4, r4, 0x1a | r4 <<= 0x1a;
0x00037cd2 movs r0, r0 |
0x00037cd4 stm r4!, {r3, r4, r5} | *(r4!) = r3;
| *((r4! + 4)) = r4;
| *((r4! + 8)) = r5;
0x00037cd6 movs r1, r0 | r1 = r0;
0x00037cd8 lsls r4, r2, 0x1a | r4 = r2 << 0x1a;
0x00037cda movs r0, r0 |
0x00037cdc stm r3!, {r4, r6, r7} | *(r3!) = r4;
| *((r3! + 4)) = r6;
| *((r3! + 8)) = r7;
0x00037cde movs r1, r0 | r1 = r0;
0x00037ce0 stm r3!, {r1, r2, r3, r4, r6, r7} | *(r3!) = r1;
| *((r3! + 4)) = r2;
| *((r3! + 8)) = r3;
| *((r3! + 12)) = r4;
| *((r3! + 16)) = r6;
| *((r3! + 20)) = r7;
0x00037ce2 movs r1, r0 | r1 = r0;
0x00037ce4 stm r3!, {r1, r2, r3, r4, r7} | *(r3!) = r1;
| *((r3! + 4)) = r2;
| *((r3! + 8)) = r3;
| *((r3! + 12)) = r4;
| *((r3! + 16)) = r7;
0x00037ce6 movs r1, r0 | r1 = r0;
| }
[*] Function sprintf used 3 times httpd
