[*] Binary protection state of kmod
Full RELRO Canary found NX enabled PIE enabled No RPATH No RUNPATH No Symbols
[*] Function strcpy tear down of kmod
; assembly | /* r2dec pseudo code output */
| /* /logs/firmware/patool_extraction/rootfs.img_unblob_extracted/rootfs.img_extract/0-80367616.squashfs_v4_le_extract/usr/bin/kmod @ 0xedd0 */
| #include <stdint.h>
|
; (fcn) fcn.0000edd0 () | void fcn_0000edd0 (int16_t arg_2000h, int16_t arg_4000h, char * dest) {
| int16_t var_4h_2;
| int16_t var_14h;
| int16_t var_0h;
| int16_t var_4h;
| int16_t var_0h_2;
| char * src;
| int16_t var_40h;
| int32_t var_40h_2;
| int16_t var_7ch;
| int16_t var_80h;
| r0 = dest;
0x0000edd0 ldr r2, [pc, 0x70] |
0x0000edd2 ldr r3, [pc, 0x74] | r3 = *(0xee4a);
0x0000edd4 push {r4, lr} |
0x0000edd6 sub sp, 0x80 |
0x0000edd8 add r2, pc | r2 = 0x1dc20;
0x0000edda add r1, sp, 0x10 | r1 += src;
0x0000eddc mov r4, r0 | r4 = r0;
0x0000edde ldr r3, [r2, r3] |
0x0000ede0 ldr r0, [r0, 8] | r0 = *((r0 + 8));
0x0000ede2 ldr r3, [r3] | r3 = *(0x1dc20);
0x0000ede4 str r3, [sp, 0x7c] | var_7ch = r3;
0x0000ede6 mov.w r3, 0 | r3 = 0;
0x0000edea blx 0x1dcc | r0 = strcpy (r0, r1)
0x0000edee cmp r0, 0 |
| if (r0 < 0) {
0x0000edf0 blt 0xee36 | goto label_3;
| }
0x0000edf2 ldr r0, [r4, 8] | r0 = *((r4 + 8));
0x0000edf4 movs r3, 2 | r3 = 2;
0x0000edf6 ldrd r1, r2, [sp, 0x40] | __asm ("ldrd r1, r2, [var_40h]");
0x0000edf8 asrs r0, r2, 8 | r0 = r2 >> 8;
0x0000edfa vmov.i32 d16, 0 | __asm ("vmov.i32 d16, 0");
0x0000edfe strd r1, r2, [r4, 0x10] | __asm ("strd r1, r2, [r4, 0x10]");
0x0000ee02 movs r2, 1 | r2 = 1;
0x0000ee04 str r0, [sp] | *(sp) = r0;
0x0000ee06 movs r0, 0 | r0 = 0;
0x0000ee08 vstr d16, [sp, 8] | __asm ("vstr d16, [sp, 8]");
0x0000ee0c blx 0x1ecc | fcn_00001ecc ();
0x0000ee10 str r0, [r4, 0x18] | *((r4 + 0x18)) = r0;
0x0000ee12 adds r0, 1 | r0++;
0x0000ee14 ittt ne |
| if (r0 == 1) {
0x0000ee16 movne r3, 1 | r3 = 1;
| }
| if (r0 == 1) {
0x0000ee18 movne r0, 0 | r0 = 0;
| }
| if (r0 == 1) {
0x0000ee1a strbne r3, [r4, 0xc] | *((r4 + 0xc)) = r3;
| }
0x0000ee1c beq 0xee36 |
| while (1) {
0x0000ee1e ldr r2, [pc, 0x2c] |
0x0000ee20 ldr r3, [pc, 0x24] | r3 = *(0xee48);
0x0000ee22 add r2, pc | r2 = 0x1dc74;
0x0000ee24 ldr r3, [r2, r3] | r3 = *(0x1dc74);
0x0000ee26 ldr r2, [r3] | r2 = *(0x1dc74);
0x0000ee28 ldr r3, [sp, 0x7c] | r3 = var_7ch;
0x0000ee2a eors r2, r3 | r2 ^= r3;
0x0000ee2c mov.w r3, 0 | r3 = 0;
| if (r2 != r3) {
0x0000ee30 bne 0xee40 | goto label_4;
| }
0x0000ee32 add sp, 0x80 |
0x0000ee34 pop {r4, pc} |
| label_3:
0x0000ee36 blx 0x207c | r0 = fcn_0000207c ();
0x0000ee3a ldr r0, [r0] | r0 = *(r0);
0x0000ee3c rsbs r0, r0, 0 | r0 -= ;
0x0000ee3e b 0xee1e |
| }
| label_4:
0x0000ee40 blx 0x1ed8 | fcn_00001ed8 ();
0x0000ee44 str r0, [sp, 0x80] | var_80h = r0;
0x0000ee46 movs r0, r0 |
0x0000ee48 lsls r4, r4, 7 | r4 <<= 7;
0x0000ee4a movs r0, r0 |
0x0000ee4c ldrh r6, [r2, 0x3e] | r6 = *((r2 + 0x3e));
0x0000ee4e movs r0, r0 |
0x0000ee50 ldr r2, [pc, 0xe8] |
0x0000ee52 ldr r3, [pc, 0xec] | r3 = *(0xef42);
0x0000ee54 push.w {r4, r5, r6, r7, r8, sb, sl, fp, lr} |
0x0000ee58 sub sp, 0xc |
0x0000ee5a add r2, pc | r2 = 0x1dd9a;
0x0000ee5c mov r8, r0 | r8 = r0;
0x0000ee5e movs r4, 0 | r4 = 0;
0x0000ee60 ldr r3, [r2, r3] |
0x0000ee62 ldr r3, [r3] | r3 = *(0x1dd9a);
0x0000ee64 str r3, [sp, 4] | var_4h = r3;
0x0000ee66 mov.w r3, 0 | r3 = 0;
0x0000ee68 lsls r0, r0, 0xc | r0 <<= 0xc;
0x0000ee6a blx 0x207c | fcn_0000207c ();
0x0000ee6e ldr r1, [pc, 0xd4] |
0x0000ee70 mov sl, r0 | sl = r0;
0x0000ee72 str r4, [r0] | *(r0) = r4;
0x0000ee74 ldr.w r0, [r8, 8] | r0 = *((r8 + 8));
0x0000ee78 add r1, pc | r1 = 0x1ddc2;
0x0000ee7a blx 0x1d50 | fcn_00001d50 ();
0x0000ee7e str.w r0, [r8, 4] | __asm ("str.w r0, [r8, 4]");
0x0000ee82 cmp r0, 0 |
| if (r0 == 0) {
0x0000ee84 beq 0xef26 | goto label_5;
| }
0x0000ee86 mov.w r3, -1 | r3 = -1;
0x0000ee8a mov r7, r4 | r7 = r4;
0x0000ee8c mov r6, r4 | r6 = r4;
0x0000ee8e mov sb, r4 | sb = r4;
0x0000ee90 mov r5, r4 | r5 = r4;
0x0000ee92 mov fp, r4 |
0x0000ee94 str.w r3, [r8, 8] | __asm ("str.w r3, [r8, 8]");
0x0000ee98 b 0xeeb2 |
| while (fp != sb) {
| label_0:
0x0000ee9a ldr.w r0, [r8, 4] | r0 = *((r8 + 4));
0x0000ee9e subs r2, r6, r5 | r2 = r6 - r5;
0x0000eea0 adds r1, r7, r5 | r1 = r7 + r5;
0x0000eea2 blx 0x1f94 | r0 = putc (r0, r1);
0x0000eea6 subs r4, r0, 0 | r4 = r0 - 0;
| if (r4 == r0) {
0x0000eea8 beq 0xeed6 | goto label_6;
| }
| if (r4 < r0) {
0x0000eeaa blt 0xef06 | goto label_7;
| }
0x0000eeac adds r5, r4, r5 | r5 = r4 + r5;
0x0000eeae adc.w fp, fp, r4, asr 31 | __asm ("adc.w fp, fp, r4, asr 31");
0x0000eeb2 cmp fp, sb |
0x0000eeb4 it eq |
| if (fp == sb) {
0x0000eeb6 cmpeq r5, r6 | __asm ("cmpeq r5, r6");
| }
0x0000eeb8 bne 0xee9a |
| }
0x0000eeba add.w r4, r6, 0x400000 | r4 = r6 + 0x400000;
0x0000eebe mov r0, r7 | r0 = r7;
0x0000eec0 mov r1, r4 | r1 = r4;
0x0000eec2 blx 0x200c | r0 = lzma_stream_decoder ();
| if (r0 == 0) {
0x0000eec6 cbz r0, 0xef30 | goto label_8;
| }
0x0000eec8 adds.w r6, r6, 0x400000 | r6 += 0x400000;
0x0000eecc mov r7, r0 | r7 = r0;
0x0000eece mov r6, r4 | r6 = r4;
0x0000eed0 adc sb, sb, 0 | __asm ("adc sb, sb, 0");
0x0000eed4 b 0xee9a | goto label_0;
| label_6:
0x0000eed6 str.w r7, [r8, 0x18] | __asm ("str.w r7, [r8, 0x18]");
0x0000eeda mov r7, r4 | r7 = r4;
0x0000eedc str.w r5, [r8, 0x10] | __asm ("str.w r5, [r8, 0x10]");
0x0000eee0 str.w fp, [r8, 0x14] | __asm ("str.w fp, [r8, 0x14]");
| do {
| label_1:
0x0000eee4 mov r0, r7 | r0 = r7;
0x0000eee6 blx 0x1cb0 | fcn_00001cb0 ();
0x0000eeea ldr r2, [pc, 0x5c] |
0x0000eeec ldr r3, [pc, 0x50] | r3 = *(0xef40);
0x0000eeee add r2, pc | r2 = 0x1de3c;
0x0000eef0 ldr r3, [r2, r3] | r3 = *(0x1de3c);
0x0000eef2 ldr r2, [r3] | r2 = *(0x1de3c);
0x0000eef4 ldr r3, [sp, 4] | r3 = var_4h;
0x0000eef6 eors r2, r3 | r2 ^= r3;
0x0000eef8 mov.w r3, 0 | r3 = 0;
| if (r2 != r3) {
0x0000eefc bne 0xef38 | goto label_9;
| }
0x0000eefe mov r0, r4 | r0 = r4;
0x0000ef00 add sp, 0xc |
0x0000ef02 pop.w {r4, r5, r6, r7, r8, sb, sl, fp, pc} |
| label_7:
0x0000ef06 ldr.w r0, [r8, 4] | r0 = *((r8 + 4));
0x0000ef0a mov r1, sp | r1 = sp;
0x0000ef0c blx 0x1e6c | fcn_00001e6c ();
0x0000ef10 ldr r3, [sp] | r3 = *(sp);
0x0000ef12 adds r3, 1 | r3++;
0x0000ef14 it ne |
| if (r3 == 1) {
0x0000ef16 mvnne r4, 0x15 | r4 = ~0x15;
| }
| if (r3 == 1) {
0x0000ef1a beq 0xef30 | goto label_8;
| }
| label_2:
0x0000ef1c ldr.w r0, [r8, 4] | r0 = *((r8 + 4));
0x0000ef20 blx 0x1bdc | fcn_00001bdc ();
0x0000ef24 b 0xeee4 |
| } while (1);
| label_5:
0x0000ef26 ldr.w r4, [sl] | r4 = *(sl);
0x0000ef2a mov r7, r0 | r7 = r0;
0x0000ef2c rsbs r4, r4, 0 | r4 -= ;
0x0000ef2e b 0xeee4 | goto label_1;
| label_8:
0x0000ef30 ldr.w r4, [sl] | r4 = *(sl);
0x0000ef34 rsbs r4, r4, 0 | r4 -= ;
0x0000ef36 b 0xef1c | goto label_2;
| label_9:
0x0000ef38 blx 0x1ed8 | fcn_00001ed8 ();
0x0000ef3c ldrh r6, [r3, 0x3c] | r6 = *((r3 + 0x3c));
0x0000ef3e movs r0, r0 |
0x0000ef40 lsls r4, r4, 7 | r4 <<= 7;
0x0000ef42 movs r0, r0 |
0x0000ef44 ldr r4, [r4, 0x18] | r4 = *((r4 + 0x18));
0x0000ef46 movs r0, r0 |
0x0000ef48 ldrh r2, [r1, 0x38] | r2 = *((r1 + 0x38));
0x0000ef4a movs r0, r0 |
| }
; assembly | /* r2dec pseudo code output */
| /* /logs/firmware/patool_extraction/rootfs.img_unblob_extracted/rootfs.img_extract/0-80367616.squashfs_v4_le_extract/usr/bin/kmod @ 0x11588 */
| #include <stdint.h>
|
; (fcn) fcn.00011588 () | void fcn_00011588 (int16_t arg1) {
| int16_t var_0h;
| char * src;
| int16_t var_80h;
| int16_t var_1060h;
| r0 = arg1;
0x00011588 blmi 0xe63e70 | __asm ("blmi aav.0x00006866");
0x0001158c push {r4, r5, r6, lr} |
0x0001158e sub.w sp, sp, 0x1080 |
0x00011592 add r2, pc | r2 += pc;
0x00011594 add.w r1, sp, 0x1060 | r1 += var_1060h;
0x00011598 adds r1, 0x1c | r1 += 0x1c;
0x0001159a mov r5, r0 | r5 = r0;
0x0001159c ldr r3, [r2, r3] | r3 = *((r2 + r3));
0x0001159e ldr r3, [r3] | r3 = *(r3);
0x000115a0 str r3, [r1] | *(r1) = r3;
0x000115a2 mov.w r3, 0 | r3 = 0;
0x000115a6 bl 0xa158 | r0 = fcn_0000a158 (r0);
0x000115aa mov r4, r0 | r4 = r0;
0x000115ac blx 0x1d74 | r0 = fcn_00001d74 ();
0x000115b0 add.w r3, r0, 0x19 | r3 = r0 + 0x19;
0x000115b4 cmp.w r3, 0x1000 |
| if (r3 >= 0x1000) {
0x000115b8 bhs 0x11638 | goto label_1;
| }
0x000115ba ldr r3, [pc, 0xb8] |
0x000115bc add r6, sp, 0x80 | r6 += var_80h;
0x000115be ldr r1, [pc, 0xb8] |
0x000115c0 movs r2, 1 | r2 = 1;
0x000115c2 add r3, pc | r3 = 0x22c3c;
0x000115c4 strd r4, r3, [sp, 4] | __asm ("strd r4, r3, [sp, 4]");
0x000115c8 add r1, pc | r1 = 0x22c46;
0x000115ca mov.w r3, 0x1000 | r3 = 0x1000;
0x000115ce subs r4, r6, 4 | r4 = r6 - 4;
0x000115d0 mov r0, r4 | r0 = r4;
0x000115d2 str r1, [sp] | *(sp) = r1;
0x000115d4 mov r1, r3 | r1 = r3;
0x000115d6 blx 0x1e24 | fcn_00001e24 ();
0x000115da mov r0, r4 | r0 = r4;
0x000115dc mov.w r1, 0x80000 | r1 = 0x80000;
0x000115e0 blx 0x1df0 | r0 = raise (r0);
0x000115e4 subs r4, r0, 0 | r4 = r0 - 0;
| if (r4 < r0) {
0x000115e6 blt 0x1165a | goto label_2;
| }
0x000115e8 add r1, sp, 0x10 | r1 += src;
0x000115ea blx 0x1dcc | r0 = strcpy (r0, r1)
0x000115ee cmp r0, 0 |
| if (r0 < 0) {
0x000115f0 blt 0x11646 | goto label_3;
| }
0x000115f2 movs r0, 0x30 | r0 = 0x30;
0x000115f4 blx 0x1ec0 | r0 = fcn_00001ec0 ();
| if (r0 == 0) {
0x000115f8 cbz r0, 0x11668 | goto label_4;
| }
0x000115fa ldr r2, [r6, -0x40] | r2 = *((r6 - 0x40));
0x000115fe movs r3, 0 | r3 = 0;
0x00011600 vmov.i32 q8, 0 | __asm ("vmov.i32 q8, 0");
0x00011604 strd r5, r4, [r0] | __asm ("strd r5, r4, [r0]");
0x00011608 str r3, [r0, 0x20] | *((r0 + 0x20)) = r3;
0x0001160a str r2, [r0, 8] | *((r0 + 8)) = r2;
0x0001160c vstr d16, [r0, 0x10] | __asm ("vstr d16, [r0, 0x10]");
0x00011610 vstr d17, [r0, 0x18] | __asm ("vstr d17, [r0, 0x18]");
0x00011614 strd r3, r3, [r0, 0x24] | __asm ("strd r3, r3, [r0, 0x24]");
| do {
0x00011618 ldr r2, [pc, 0x60] |
0x0001161a add.w r1, sp, 0x1060 | r1 += var_1060h;
0x0001161e ldr r3, [pc, 0x50] | r3 = *(0x11672);
0x00011620 adds r1, 0x1c | r1 += 0x1c;
0x00011622 add r2, pc | r2 = 0x22ca2;
0x00011624 ldr r3, [r2, r3] | r3 = *(0x22ca2);
0x00011626 ldr r2, [r3] | r2 = *(0x22ca2);
0x00011628 ldr r3, [r1] | r3 = *(r1);
0x0001162a eors r2, r3 | r2 ^= r3;
0x0001162c mov.w r3, 0 | r3 = 0;
| if (r2 != r3) {
0x00011630 bne 0x11664 | goto label_5;
| }
0x00011632 add.w sp, sp, 0x1080 |
0x00011636 pop {r4, r5, r6, pc} |
| label_1:
0x00011638 blx 0x207c | fcn_0000207c ();
0x0001163c movs r5, 0x24 | r5 = 0x24;
0x0001163e mov r3, r0 | r3 = r0;
| label_0:
0x00011640 movs r0, 0 | r0 = 0;
0x00011642 str r5, [r3] | *(r3) = r5;
0x00011644 b 0x11618 |
| } while (1);
| label_3:
0x00011646 blx 0x207c | r0 = fcn_0000207c ();
0x0001164a ldr r5, [r0] | r5 = *(r0);
| do {
0x0001164c mov r0, r4 | r0 = r4;
0x0001164e blx 0x1e60 | fcn_00001e60 ();
0x00011652 blx 0x207c | r0 = fcn_0000207c ();
0x00011656 mov r3, r0 | r3 = r0;
0x00011658 b 0x11640 | goto label_0;
| label_2:
0x0001165a blx 0x207c | r0 = fcn_0000207c ();
0x0001165e ldr r5, [r0] | r5 = *(r0);
0x00011660 mov r3, r0 | r3 = r0;
0x00011662 b 0x11640 | goto label_0;
| label_5:
0x00011664 blx 0x1ed8 | fcn_00001ed8 ();
| label_4:
0x00011668 movs r5, 0xc | r5 = 0xc;
0x0001166a b 0x1164c |
| } while (1);
| }
[*] Function strcpy used 3 times kmod
