[*] Binary protection state of php-cgi
Full RELRO No Canary found NX enabled No PIE No RPATH No RUNPATH No Symbols
[*] Function mmap tear down of php-cgi
; assembly | /* r2dec pseudo code output */
| /* /logs/firmware/unblob_extracted/firmware_extract/1568982-13971496.squashfs_v4_le_extract/usr/bin/php-cgi @ 0x5449f0 */
| #include <stdint.h>
|
; (fcn) sym._php_stream_copy_to_stream_ex () | void php_stream_copy_to_stream_ex () {
0x005449f0 lui gp, 0x1c |
0x005449f4 addiu gp, gp, -0x2750 |
0x005449f8 addu gp, gp, t9 | gp += t9;
0x005449fc addiu sp, sp, -0x20e0 |
0x00544a00 sw gp, 0x18(sp) | *(arg_18h) = gp;
0x00544a04 sw fp, 0x20d8(sp) | *(arg_20d8h) = fp;
0x00544a08 sw s3, 0x20c4(sp) | *(arg_20c4h) = s3;
0x00544a0c sw s0, 0x20b8(sp) | *(arg_20b8h) = s0;
0x00544a10 sw ra, 0x20dc(sp) | *(arg_20dch) = ra;
0x00544a14 sw s7, 0x20d4(sp) | *(arg_20d4h) = s7;
0x00544a18 sw s6, 0x20d0(sp) | *(arg_20d0h) = s6;
0x00544a1c sw s5, 0x20cc(sp) | *(arg_20cch) = s5;
0x00544a20 sw s4, 0x20c8(sp) | *(arg_20c8h) = s4;
0x00544a24 sw s2, 0x20c0(sp) | *(arg_20c0h) = s2;
0x00544a28 sw s1, 0x20bc(sp) | *(arg_20bch) = s1;
0x00544a2c move s0, a0 | s0 = a0;
0x00544a30 move fp, a1 | fp = a1;
0x00544a34 move s3, a2 | s3 = a2;
| if (a3 != 0) {
0x00544a38 bnez a3, 0x544a54 | goto label_4;
| }
0x00544a3c addiu s2, sp, 0x20b0 | s2 = sp + 0x20b0;
| do {
| if (s3 != 0) {
0x00544a40 bnez s3, 0x544a5c | goto label_5;
| }
0x00544a44 nop |
0x00544a48 sw zero, (s2) | *(s2) = 0;
| label_2:
0x00544a4c move v0, zero | v0 = 0;
0x00544a50 b 0x544aa0 | goto label_0;
| label_4:
0x00544a54 move s2, a3 | s2 = a3;
0x00544a58 b 0x544a40 |
| } while (1);
| label_5:
0x00544a5c addiu v0, zero, -1 | v0 = -1;
0x00544a60 lw t9, -0x7970(gp) | t9 = sym._php_stream_stat;
| if (s3 == v0) {
0x00544a64 bne s3, v0, 0x544a6c |
0x00544a68 move s3, zero | s3 = 0;
| }
0x00544a6c addiu a1, sp, 0x2020 | a1 = sp + 0x2020;
0x00544a70 move a0, s0 | a0 = s0;
0x00544a74 bal 0x543400 | sym_php_stream_stat ();
0x00544a78 lw gp, 0x18(sp) | gp = *(arg_18h);
| if (v0 != 0) {
0x00544a7c bnez v0, 0x544ad0 | goto label_6;
| }
0x00544a80 lw v1, 0x2050(sp) | v1 = *(arg_2050h);
0x00544a84 lw v1, 0x2034(sp) | v1 = *(arg_2034h);
| if (v1 != 0) {
0x00544a88 bnez v1, 0x544ad0 | goto label_6;
| }
0x00544a8c ori a0, zero, 0x8000 | a0 = 0x8000;
0x00544a90 andi v1, v1, 0xf000 | v1 &= 0xf000;
| if (v1 != a0) {
0x00544a94 bne v1, a0, 0x544ad0 | goto label_6;
| }
0x00544a98 nop |
0x00544a9c sw zero, (s2) | *(s2) = 0;
| do {
| label_0:
0x00544aa0 lw ra, 0x20dc(sp) | ra = *(arg_20dch);
0x00544aa4 lw fp, 0x20d8(sp) | fp = *(arg_20d8h);
0x00544aa8 lw s7, 0x20d4(sp) | s7 = *(arg_20d4h);
0x00544aac lw s6, 0x20d0(sp) | s6 = *(arg_20d0h);
0x00544ab0 lw s5, 0x20cc(sp) | s5 = *(arg_20cch);
0x00544ab4 lw s4, 0x20c8(sp) | s4 = *(arg_20c8h);
0x00544ab8 lw s3, 0x20c4(sp) | s3 = *(arg_20c4h);
0x00544abc lw s2, 0x20c0(sp) | s2 = *(arg_20c0h);
0x00544ac0 lw s1, 0x20bc(sp) | s1 = *(arg_20bch);
0x00544ac4 lw s0, 0x20b8(sp) | s0 = *(arg_20b8h);
0x00544ac8 addiu sp, sp, 0x20e0 |
0x00544acc jr ra | return v0;
| label_6:
0x00544ad0 lw v0, 8(s0) | v0 = *((s0 + 2));
0x00544ad4 addiu s6, sp, 0x20 | s6 = sp + 0x20;
| if (v0 != 0) {
0x00544ad8 bnez v0, 0x544b84 | goto label_7;
| }
0x00544adc lw v0, 0x14(s0) | v0 = *((s0 + 5));
0x00544ae0 move s1, zero | s1 = 0;
| if (v0 != 0) {
0x00544ae4 bnez v0, 0x544b88 | goto label_1;
| }
0x00544ae8 lw t9, -0x7a5c(gp) | t9 = sym._php_stream_set_option;
0x00544aec move a3, zero | a3 = 0;
0x00544af0 move a2, zero | a2 = 0;
0x00544af4 addiu a1, zero, 9 | a1 = 9;
0x00544af8 move a0, s0 | a0 = s0;
0x00544afc bal 0x544340 | sym_php_stream_set_option ();
0x00544b00 lw gp, 0x18(sp) | gp = *(arg_18h);
| if (v0 != 0) {
0x00544b04 bnez v0, 0x544b84 | goto label_7;
| }
0x00544b08 lw t9, -0x7a28(gp) | t9 = sym._php_stream_tell;
0x00544b0c move a0, s0 | a0 = s0;
0x00544b10 bal 0x544114 | sym_php_stream_tell ();
0x00544b14 lw gp, 0x18(sp) | gp = *(arg_18h);
0x00544b18 sw s6, 0x10(sp) | *(arg_10h) = s6;
0x00544b1c addiu a3, zero, 2 | a3 = 2;
0x00544b20 lw t9, -0x792c(gp) | t9 = sym._php_stream_mmap_range
0x00544b24 move a2, s3 | a2 = s3;
0x00544b28 move a1, v0 | a1 = v0;
0x00544b2c move a0, s0 | a0 = s0;
0x00544b30 bal 0x5517b0 | sym_php_stream_mmap_range ()
0x00544b34 lw gp, 0x18(sp) | gp = *(arg_18h);
| if (v0 == 0) {
0x00544b38 beqz v0, 0x544b84 | goto label_7;
| }
0x00544b3c lw t9, -0x7a64(gp) | t9 = sym._php_stream_write;
0x00544b40 lw a2, 0x20(sp) | a2 = *(arg_20h);
0x00544b44 move a1, v0 | a1 = v0;
0x00544b48 move a0, fp | a0 = fp;
0x00544b4c bal 0x543f04 | sym_php_stream_write ();
0x00544b50 lw gp, 0x18(sp) | gp = *(arg_18h);
0x00544b54 lw a1, 0x20(sp) | a1 = *(arg_20h);
0x00544b58 move a0, s0 | a0 = s0;
0x00544b5c lw t9, -0x685c(gp) | t9 = sym._php_stream_mmap_unmap_ex
0x00544b60 move s1, v0 | s1 = v0;
0x00544b64 bal 0x551874 | sym_php_stream_mmap_unmap_ex ()
0x00544b68 lw v0, 0x20(sp) | v0 = *(arg_20h);
0x00544b6c sw s1, (s2) | *(s2) = s1;
| if (v0 == 0) {
0x00544b70 beqz v0, 0x544be8 | goto label_8;
| }
0x00544b74 xor v0, v0, s1 | v0 ^= s1;
0x00544b78 sltu v0, zero, v0 | v0 = (0 < v0) ? 1 : 0;
| label_3:
0x00544b7c negu v0, v0 | __asm ("negu v0, v0");
0x00544b80 b 0x544aa0 |
| } while (1);
| label_7:
0x00544b84 move s1, zero | s1 = 0;
| label_1:
0x00544b88 addiu a2, zero, 0x2000 | a2 = 0x2000;
| if (s3 != 0) {
0x00544b8c beqz s3, 0x544ba0 |
0x00544b90 subu a2, s3, s1 | __asm ("subu a2, s3, s1");
0x00544b94 sltiu v0, a2, 0x2000 | v0 = (a2 < 0x2000) ? 1 : 0;
0x00544b98 addiu v1, zero, 0x2000 | v1 = 0x2000;
| if (v0 == 0) {
0x00544b9c movz a2, v1, v0 | a2 = v1;
| goto label_9;
| }
| }
| label_9:
0x00544ba0 lw t9, -0x7a60(gp) | t9 = sym._php_stream_read;
0x00544ba4 move a1, s6 | a1 = s6;
0x00544ba8 move a0, s0 | a0 = s0;
0x00544bac bal 0x5431dc | sym_php_stream_read ();
0x00544bb0 move s5, v0 | s5 = v0;
0x00544bb4 lw gp, 0x18(sp) | gp = *(arg_18h);
| if (v0 == 0) {
0x00544bb8 beqz v0, 0x544c08 | goto label_10;
| }
0x00544bbc move s4, v0 | s4 = v0;
0x00544bc0 move s7, s6 | s7 = s6;
| do {
0x00544bc4 lw t9, -0x7a64(gp) | t9 = sym._php_stream_write;
0x00544bc8 move a2, s4 | a2 = s4;
0x00544bcc move a1, s7 | a1 = s7;
0x00544bd0 move a0, fp | a0 = fp;
0x00544bd4 bal 0x543f04 | sym_php_stream_write ();
0x00544bd8 lw gp, 0x18(sp) | gp = *(arg_18h);
| if (v0 == 0) {
0x00544bdc bnez v0, 0x544bf0 |
0x00544be0 addu s1, s1, s4 | s1 += s4;
0x00544be4 sw s1, (s2) | *(s2) = s1;
| label_8:
0x00544be8 addiu v0, zero, -1 | v0 = -1;
0x00544bec b 0x544aa0 | goto label_0;
| }
0x00544bf0 subu s4, s4, v0 | __asm ("subu s4, s4, v0");
0x00544bf4 addu s7, s7, v0 | s7 += v0;
0x00544bf8 bnez s4, 0x544bc4 |
| } while (s4 != 0);
0x00544bfc addu s1, s1, s5 | s1 += s5;
| if (s3 != s1) {
0x00544c00 bne s3, s1, 0x544b88 | goto label_1;
| }
0x00544c04 nop |
| label_10:
0x00544c08 sw s1, (s2) | *(s2) = s1;
| if (s1 != 0) {
0x00544c0c bnez s1, 0x544a4c | goto label_2;
| }
0x00544c10 lbu v0, 0x38(s0) | v0 = *((s0 + 56));
0x00544c14 xori v0, v0, 8 | v0 ^= 8;
0x00544c18 ext v0, v0, 3, 1 | __asm ("ext v0, v0, 3, 1");
0x00544c1c b 0x544b7c | goto label_3;
| }
; assembly | /* r2dec pseudo code output */
| /* /logs/firmware/unblob_extracted/firmware_extract/1568982-13971496.squashfs_v4_le_extract/usr/bin/php-cgi @ 0x5444c8 */
| #include <stdint.h>
|
; (fcn) sym._php_stream_passthru () | void php_stream_passthru () {
0x005444c8 lui gp, 0x1c |
0x005444cc addiu gp, gp, -0x2228 |
0x005444d0 addu gp, gp, t9 | gp += t9;
0x005444d4 addiu sp, sp, -0x2038 |
0x005444d8 lw v0, 8(a0) | v0 = *((a0 + 2));
0x005444dc sw gp, 0x18(sp) | *(arg_18h) = gp;
0x005444e0 sw s3, 0x202c(sp) | *(arg_202ch) = s3;
0x005444e4 sw s1, 0x2024(sp) | *(arg_2024h) = s1;
0x005444e8 sw ra, 0x2034(sp) | *(arg_2034h) = ra;
0x005444ec sw s4, 0x2030(sp) | *(arg_2030h) = s4;
0x005444f0 sw s2, 0x2028(sp) | *(arg_2028h) = s2;
0x005444f4 sw s0, 0x2020(sp) | *(arg_2020h) = s0;
0x005444f8 move s1, a0 | s1 = a0;
0x005444fc addiu s3, sp, 0x20 | s3 = sp + 0x20;
| if (v0 != 0) {
0x00544500 bnez v0, 0x5445dc | goto label_1;
| }
0x00544504 lw v0, 0x14(a0) | v0 = *((a0 + 5));
0x00544508 lw t9, -0x7a5c(gp) | t9 = sym._php_stream_set_option;
| if (v0 != 0) {
0x0054450c bnez v0, 0x5445dc | goto label_1;
| }
0x00544510 move a3, zero | a3 = 0;
0x00544514 move a2, zero | a2 = 0;
0x00544518 addiu a1, zero, 9 | a1 = 9;
0x0054451c bal 0x544340 | sym_php_stream_set_option ();
0x00544520 lw gp, 0x18(sp) | gp = *(arg_18h);
| if (v0 != 0) {
0x00544524 bnez v0, 0x5445dc | goto label_1;
| }
0x00544528 lw t9, -0x7a28(gp) | t9 = sym._php_stream_tell;
0x0054452c move a0, s1 | a0 = s1;
0x00544530 bal 0x544114 | sym_php_stream_tell ();
0x00544534 lw gp, 0x18(sp) | gp = *(arg_18h);
0x00544538 sw s3, 0x10(sp) | *(arg_10h) = s3;
0x0054453c addiu a3, zero, 2 | a3 = 2;
0x00544540 lw t9, -0x792c(gp) | t9 = sym._php_stream_mmap_range
0x00544544 move a2, zero | a2 = 0;
0x00544548 move a1, v0 | a1 = v0;
0x0054454c move a0, s1 | a0 = s1;
0x00544550 bal 0x5517b0 | sym_php_stream_mmap_range ()
0x00544554 move s4, v0 | s4 = v0;
0x00544558 lw gp, 0x18(sp) | gp = *(arg_18h);
| if (v0 == 0) {
0x0054455c beqz v0, 0x5445dc | goto label_1;
| }
0x00544560 lui s2, 0x7fff | s2 = 0x7fff0000;
0x00544564 move s0, zero | s0 = 0;
0x00544568 ori s2, s2, 0xffff | s2 |= 0xffff;
0x0054456c lui s3, 0x8000 | s3 = 0x80000000;
0x00544570 lw v0, 0x20(sp) | v0 = *(arg_20h);
| do {
0x00544574 lw t9, -0x7980(gp) | t9 = sym.php_output_write;
0x00544578 subu v0, v0, s0 | __asm ("subu v0, v0, s0");
0x0054457c sltu a1, v0, s3 | a1 = (v0 < s3) ? 1 : 0;
| if (a1 != 0) {
0x00544580 movz v0, s2, a1 | v0 = s2;
| }
0x00544584 move a1, v0 | a1 = v0;
0x00544588 addu a0, s4, s0 | a0 = s4 + s0;
0x0054458c bal 0x540638 | sym_php_output_write ();
0x00544590 lw gp, 0x18(sp) | gp = *(arg_18h);
0x00544594 lw a1, 0x20(sp) | a1 = *(arg_20h);
| if (v0 == 0) {
0x00544598 beqz v0, 0x5445ac | goto label_2;
| }
0x0054459c addu s0, s0, v0 | s0 += v0;
0x005445a0 sltu v0, s0, a1 | v0 = (s0 < a1) ? 1 : 0;
0x005445a4 lw v0, 0x20(sp) | v0 = *(arg_20h);
0x005445a8 bnez v0, 0x544574 |
| } while (v0 != 0);
| label_2:
0x005445ac lw t9, -0x685c(gp) | t9 = sym._php_stream_mmap_unmap_ex
0x005445b0 move a0, s1 | a0 = s1;
0x005445b4 bal 0x551874 | sym_php_stream_mmap_unmap_ex ()
| do {
0x005445b8 lw ra, 0x2034(sp) | ra = *(arg_2034h);
0x005445bc move v0, s0 | v0 = s0;
0x005445c0 lw s4, 0x2030(sp) | s4 = *(arg_2030h);
0x005445c4 lw s3, 0x202c(sp) | s3 = *(arg_202ch);
0x005445c8 lw s2, 0x2028(sp) | s2 = *(arg_2028h);
0x005445cc lw s1, 0x2024(sp) | s1 = *(arg_2024h);
0x005445d0 lw s0, 0x2020(sp) | s0 = *(arg_2020h);
0x005445d4 addiu sp, sp, 0x2038 |
0x005445d8 jr ra | return v0;
| label_1:
0x005445dc move s0, zero | s0 = 0;
| label_0:
0x005445e0 lw t9, -0x7a60(gp) | t9 = sym._php_stream_read;
0x005445e4 addiu a2, zero, 0x2000 | a2 = 0x2000;
0x005445e8 move a1, s3 | a1 = s3;
0x005445ec move a0, s1 | a0 = s1;
0x005445f0 bal 0x5431dc | sym_php_stream_read ();
0x005445f4 move s2, v0 | s2 = v0;
0x005445f8 lw gp, 0x18(sp) | gp = *(arg_18h);
0x005445fc beqz v0, 0x5445b8 |
| } while (v0 == 0);
0x00544600 lw t9, -0x7980(gp) | t9 = sym.php_output_write;
0x00544604 move a1, s2 | a1 = s2;
0x00544608 move a0, s3 | a0 = s3;
0x0054460c bal 0x540638 | sym_php_output_write ();
0x00544610 addu s0, s0, s2 | s0 += s2;
0x00544614 lw gp, 0x18(sp) | gp = *(arg_18h);
0x00544618 b 0x5445e0 | goto label_0;
| }
[*] Function mmap used 9 times php-cgi
