[*] Binary protection state of php-fpm
Full RELRO No Canary found NX enabled No PIE No RPATH No RUNPATH No Symbols
[*] Function mmap tear down of php-fpm
; assembly | /* r2dec pseudo code output */
| /* /logs/firmware/unblob_extracted/firmware_extract/1568982-13971496.squashfs_v4_le_extract/usr/bin/php-fpm @ 0x543e50 */
| #include <stdint.h>
|
; (fcn) sym._php_stream_copy_to_stream_ex () | void php_stream_copy_to_stream_ex () {
0x00543e50 lui gp, 0x1d |
0x00543e54 addiu gp, gp, 0x3a00 |
0x00543e58 addu gp, gp, t9 | gp += t9;
0x00543e5c addiu sp, sp, -0x20e0 |
0x00543e60 sw gp, 0x18(sp) | *(arg_18h) = gp;
0x00543e64 sw fp, 0x20d8(sp) | *(arg_20d8h) = fp;
0x00543e68 sw s3, 0x20c4(sp) | *(arg_20c4h) = s3;
0x00543e6c sw s0, 0x20b8(sp) | *(arg_20b8h) = s0;
0x00543e70 sw ra, 0x20dc(sp) | *(arg_20dch) = ra;
0x00543e74 sw s7, 0x20d4(sp) | *(arg_20d4h) = s7;
0x00543e78 sw s6, 0x20d0(sp) | *(arg_20d0h) = s6;
0x00543e7c sw s5, 0x20cc(sp) | *(arg_20cch) = s5;
0x00543e80 sw s4, 0x20c8(sp) | *(arg_20c8h) = s4;
0x00543e84 sw s2, 0x20c0(sp) | *(arg_20c0h) = s2;
0x00543e88 sw s1, 0x20bc(sp) | *(arg_20bch) = s1;
0x00543e8c move s0, a0 | s0 = a0;
0x00543e90 move fp, a1 | fp = a1;
0x00543e94 move s3, a2 | s3 = a2;
| if (a3 != 0) {
0x00543e98 bnez a3, 0x543eb4 | goto label_4;
| }
0x00543e9c addiu s2, sp, 0x20b0 | s2 = sp + 0x20b0;
| if (s3 != 0) {
| do {
0x00543ea0 bnez s3, 0x543ebc | goto label_5;
| }
0x00543ea4 nop |
0x00543ea8 sw zero, (s2) | *(s2) = 0;
| label_2:
0x00543eac move v0, zero | v0 = 0;
0x00543eb0 b 0x543f00 | goto label_0;
| label_4:
0x00543eb4 move s2, a3 | s2 = a3;
0x00543eb8 b 0x543ea0 |
| } while (1);
| label_5:
0x00543ebc addiu v0, zero, -1 | v0 = -1;
0x00543ec0 lw t9, -0x796c(gp) | t9 = sym._php_stream_stat;
| if (s3 == v0) {
0x00543ec4 bne s3, v0, 0x543ecc |
0x00543ec8 move s3, zero | s3 = 0;
| }
0x00543ecc addiu a1, sp, 0x2020 | a1 = sp + 0x2020;
0x00543ed0 move a0, s0 | a0 = s0;
0x00543ed4 bal 0x542860 | sym_php_stream_stat ();
0x00543ed8 lw gp, 0x18(sp) | gp = *(arg_18h);
| if (v0 != 0) {
0x00543edc bnez v0, 0x543f30 | goto label_6;
| }
0x00543ee0 lw v1, 0x2050(sp) | v1 = *(arg_2050h);
0x00543ee4 lw v1, 0x2034(sp) | v1 = *(arg_2034h);
| if (v1 != 0) {
0x00543ee8 bnez v1, 0x543f30 | goto label_6;
| }
0x00543eec ori a0, zero, 0x8000 | a0 = 0x8000;
0x00543ef0 andi v1, v1, 0xf000 | v1 &= 0xf000;
| if (v1 != a0) {
0x00543ef4 bne v1, a0, 0x543f30 | goto label_6;
| }
0x00543ef8 nop |
0x00543efc sw zero, (s2) | *(s2) = 0;
| do {
| label_0:
0x00543f00 lw ra, 0x20dc(sp) | ra = *(arg_20dch);
0x00543f04 lw fp, 0x20d8(sp) | fp = *(arg_20d8h);
0x00543f08 lw s7, 0x20d4(sp) | s7 = *(arg_20d4h);
0x00543f0c lw s6, 0x20d0(sp) | s6 = *(arg_20d0h);
0x00543f10 lw s5, 0x20cc(sp) | s5 = *(arg_20cch);
0x00543f14 lw s4, 0x20c8(sp) | s4 = *(arg_20c8h);
0x00543f18 lw s3, 0x20c4(sp) | s3 = *(arg_20c4h);
0x00543f1c lw s2, 0x20c0(sp) | s2 = *(arg_20c0h);
0x00543f20 lw s1, 0x20bc(sp) | s1 = *(arg_20bch);
0x00543f24 lw s0, 0x20b8(sp) | s0 = *(arg_20b8h);
0x00543f28 addiu sp, sp, 0x20e0 |
0x00543f2c jr ra | return v0;
| label_6:
0x00543f30 lw v0, 8(s0) | v0 = *((s0 + 2));
0x00543f34 addiu s6, sp, 0x20 | s6 = sp + 0x20;
| if (v0 != 0) {
0x00543f38 bnez v0, 0x543fe4 | goto label_7;
| }
0x00543f3c lw v0, 0x14(s0) | v0 = *((s0 + 5));
0x00543f40 move s1, zero | s1 = 0;
| if (v0 != 0) {
0x00543f44 bnez v0, 0x543fe8 | goto label_1;
| }
0x00543f48 lw t9, -0x7a58(gp) | t9 = sym._php_stream_set_option;
0x00543f4c move a3, zero | a3 = 0;
0x00543f50 move a2, zero | a2 = 0;
0x00543f54 addiu a1, zero, 9 | a1 = 9;
0x00543f58 move a0, s0 | a0 = s0;
0x00543f5c bal 0x5437a0 | sym_php_stream_set_option ();
0x00543f60 lw gp, 0x18(sp) | gp = *(arg_18h);
| if (v0 != 0) {
0x00543f64 bnez v0, 0x543fe4 | goto label_7;
| }
0x00543f68 lw t9, -0x7a24(gp) | t9 = sym._php_stream_tell;
0x00543f6c move a0, s0 | a0 = s0;
0x00543f70 bal 0x543574 | sym_php_stream_tell ();
0x00543f74 lw gp, 0x18(sp) | gp = *(arg_18h);
0x00543f78 sw s6, 0x10(sp) | *(arg_10h) = s6;
0x00543f7c addiu a3, zero, 2 | a3 = 2;
0x00543f80 lw t9, -0x7928(gp) | t9 = sym._php_stream_mmap_range
0x00543f84 move a2, s3 | a2 = s3;
0x00543f88 move a1, v0 | a1 = v0;
0x00543f8c move a0, s0 | a0 = s0;
0x00543f90 bal 0x550c10 | sym_php_stream_mmap_range ()
0x00543f94 lw gp, 0x18(sp) | gp = *(arg_18h);
| if (v0 == 0) {
0x00543f98 beqz v0, 0x543fe4 | goto label_7;
| }
0x00543f9c lw t9, -0x7a60(gp) | t9 = sym._php_stream_write;
0x00543fa0 lw a2, 0x20(sp) | a2 = *(arg_20h);
0x00543fa4 move a1, v0 | a1 = v0;
0x00543fa8 move a0, fp | a0 = fp;
0x00543fac bal 0x543364 | sym_php_stream_write ();
0x00543fb0 lw gp, 0x18(sp) | gp = *(arg_18h);
0x00543fb4 lw a1, 0x20(sp) | a1 = *(arg_20h);
0x00543fb8 move a0, s0 | a0 = s0;
0x00543fbc lw t9, -0x6834(gp) | t9 = sym._php_stream_mmap_unmap_ex
0x00543fc0 move s1, v0 | s1 = v0;
0x00543fc4 bal 0x550cd4 | sym_php_stream_mmap_unmap_ex ()
0x00543fc8 lw v0, 0x20(sp) | v0 = *(arg_20h);
0x00543fcc sw s1, (s2) | *(s2) = s1;
| if (v0 == 0) {
0x00543fd0 beqz v0, 0x544048 | goto label_8;
| }
0x00543fd4 xor v0, v0, s1 | v0 ^= s1;
0x00543fd8 sltu v0, zero, v0 | v0 = (0 < v0) ? 1 : 0;
| label_3:
0x00543fdc negu v0, v0 | __asm ("negu v0, v0");
0x00543fe0 b 0x543f00 |
| } while (1);
| label_7:
0x00543fe4 move s1, zero | s1 = 0;
| label_1:
0x00543fe8 addiu a2, zero, 0x2000 | a2 = 0x2000;
| if (s3 != 0) {
0x00543fec beqz s3, 0x544000 |
0x00543ff0 subu a2, s3, s1 | __asm ("subu a2, s3, s1");
0x00543ff4 sltiu v0, a2, 0x2000 | v0 = (a2 < 0x2000) ? 1 : 0;
0x00543ff8 addiu v1, zero, 0x2000 | v1 = 0x2000;
| if (v0 == 0) {
0x00543ffc movz a2, v1, v0 | a2 = v1;
| goto label_9;
| }
| }
| label_9:
0x00544000 lw t9, -0x7a5c(gp) | t9 = sym._php_stream_read;
0x00544004 move a1, s6 | a1 = s6;
0x00544008 move a0, s0 | a0 = s0;
0x0054400c bal 0x54263c | sym_php_stream_read ();
0x00544010 move s5, v0 | s5 = v0;
0x00544014 lw gp, 0x18(sp) | gp = *(arg_18h);
| if (v0 == 0) {
0x00544018 beqz v0, 0x544068 | goto label_10;
| }
0x0054401c move s4, v0 | s4 = v0;
0x00544020 move s7, s6 | s7 = s6;
| do {
0x00544024 lw t9, -0x7a60(gp) | t9 = sym._php_stream_write;
0x00544028 move a2, s4 | a2 = s4;
0x0054402c move a1, s7 | a1 = s7;
0x00544030 move a0, fp | a0 = fp;
0x00544034 bal 0x543364 | sym_php_stream_write ();
0x00544038 lw gp, 0x18(sp) | gp = *(arg_18h);
| if (v0 == 0) {
0x0054403c bnez v0, 0x544050 |
0x00544040 addu s1, s1, s4 | s1 += s4;
0x00544044 sw s1, (s2) | *(s2) = s1;
| label_8:
0x00544048 addiu v0, zero, -1 | v0 = -1;
0x0054404c b 0x543f00 | goto label_0;
| }
0x00544050 subu s4, s4, v0 | __asm ("subu s4, s4, v0");
0x00544054 addu s7, s7, v0 | s7 += v0;
0x00544058 bnez s4, 0x544024 |
| } while (s4 != 0);
0x0054405c addu s1, s1, s5 | s1 += s5;
| if (s3 != s1) {
0x00544060 bne s3, s1, 0x543fe8 | goto label_1;
| }
0x00544064 nop |
| label_10:
0x00544068 sw s1, (s2) | *(s2) = s1;
| if (s1 != 0) {
0x0054406c bnez s1, 0x543eac | goto label_2;
| }
0x00544070 lbu v0, 0x38(s0) | v0 = *((s0 + 56));
0x00544074 xori v0, v0, 8 | v0 ^= 8;
0x00544078 ext v0, v0, 3, 1 | __asm ("ext v0, v0, 3, 1");
0x0054407c b 0x543fdc | goto label_3;
| }
; assembly | /* r2dec pseudo code output */
| /* /logs/firmware/unblob_extracted/firmware_extract/1568982-13971496.squashfs_v4_le_extract/usr/bin/php-fpm @ 0x543928 */
| #include <stdint.h>
|
; (fcn) sym._php_stream_passthru () | void php_stream_passthru () {
0x00543928 lui gp, 0x1d |
0x0054392c addiu gp, gp, 0x3f28 |
0x00543930 addu gp, gp, t9 | gp += t9;
0x00543934 addiu sp, sp, -0x2038 |
0x00543938 lw v0, 8(a0) | v0 = *((a0 + 2));
0x0054393c sw gp, 0x18(sp) | *(arg_18h) = gp;
0x00543940 sw s3, 0x202c(sp) | *(arg_202ch) = s3;
0x00543944 sw s1, 0x2024(sp) | *(arg_2024h) = s1;
0x00543948 sw ra, 0x2034(sp) | *(arg_2034h) = ra;
0x0054394c sw s4, 0x2030(sp) | *(arg_2030h) = s4;
0x00543950 sw s2, 0x2028(sp) | *(arg_2028h) = s2;
0x00543954 sw s0, 0x2020(sp) | *(arg_2020h) = s0;
0x00543958 move s1, a0 | s1 = a0;
0x0054395c addiu s3, sp, 0x20 | s3 = sp + 0x20;
| if (v0 != 0) {
0x00543960 bnez v0, 0x543a3c | goto label_1;
| }
0x00543964 lw v0, 0x14(a0) | v0 = *((a0 + 5));
0x00543968 lw t9, -0x7a58(gp) | t9 = sym._php_stream_set_option;
| if (v0 != 0) {
0x0054396c bnez v0, 0x543a3c | goto label_1;
| }
0x00543970 move a3, zero | a3 = 0;
0x00543974 move a2, zero | a2 = 0;
0x00543978 addiu a1, zero, 9 | a1 = 9;
0x0054397c bal 0x5437a0 | sym_php_stream_set_option ();
0x00543980 lw gp, 0x18(sp) | gp = *(arg_18h);
| if (v0 != 0) {
0x00543984 bnez v0, 0x543a3c | goto label_1;
| }
0x00543988 lw t9, -0x7a24(gp) | t9 = sym._php_stream_tell;
0x0054398c move a0, s1 | a0 = s1;
0x00543990 bal 0x543574 | sym_php_stream_tell ();
0x00543994 lw gp, 0x18(sp) | gp = *(arg_18h);
0x00543998 sw s3, 0x10(sp) | *(arg_10h) = s3;
0x0054399c addiu a3, zero, 2 | a3 = 2;
0x005439a0 lw t9, -0x7928(gp) | t9 = sym._php_stream_mmap_range
0x005439a4 move a2, zero | a2 = 0;
0x005439a8 move a1, v0 | a1 = v0;
0x005439ac move a0, s1 | a0 = s1;
0x005439b0 bal 0x550c10 | sym_php_stream_mmap_range ()
0x005439b4 move s4, v0 | s4 = v0;
0x005439b8 lw gp, 0x18(sp) | gp = *(arg_18h);
| if (v0 == 0) {
0x005439bc beqz v0, 0x543a3c | goto label_1;
| }
0x005439c0 lui s2, 0x7fff | s2 = 0x7fff0000;
0x005439c4 move s0, zero | s0 = 0;
0x005439c8 ori s2, s2, 0xffff | s2 |= 0xffff;
0x005439cc lui s3, 0x8000 | s3 = 0x80000000;
0x005439d0 lw v0, 0x20(sp) | v0 = *(arg_20h);
| do {
0x005439d4 lw t9, -0x797c(gp) | t9 = sym.php_output_write;
0x005439d8 subu v0, v0, s0 | __asm ("subu v0, v0, s0");
0x005439dc sltu a1, v0, s3 | a1 = (v0 < s3) ? 1 : 0;
| if (a1 != 0) {
0x005439e0 movz v0, s2, a1 | v0 = s2;
| }
0x005439e4 move a1, v0 | a1 = v0;
0x005439e8 addu a0, s4, s0 | a0 = s4 + s0;
0x005439ec bal 0x53fa98 | sym_php_output_write ();
0x005439f0 lw gp, 0x18(sp) | gp = *(arg_18h);
0x005439f4 lw a1, 0x20(sp) | a1 = *(arg_20h);
| if (v0 == 0) {
0x005439f8 beqz v0, 0x543a0c | goto label_2;
| }
0x005439fc addu s0, s0, v0 | s0 += v0;
0x00543a00 sltu v0, s0, a1 | v0 = (s0 < a1) ? 1 : 0;
0x00543a04 lw v0, 0x20(sp) | v0 = *(arg_20h);
0x00543a08 bnez v0, 0x5439d4 |
| } while (v0 != 0);
| label_2:
0x00543a0c lw t9, -0x6834(gp) | t9 = sym._php_stream_mmap_unmap_ex
0x00543a10 move a0, s1 | a0 = s1;
0x00543a14 bal 0x550cd4 | sym_php_stream_mmap_unmap_ex ()
| do {
0x00543a18 lw ra, 0x2034(sp) | ra = *(arg_2034h);
0x00543a1c move v0, s0 | v0 = s0;
0x00543a20 lw s4, 0x2030(sp) | s4 = *(arg_2030h);
0x00543a24 lw s3, 0x202c(sp) | s3 = *(arg_202ch);
0x00543a28 lw s2, 0x2028(sp) | s2 = *(arg_2028h);
0x00543a2c lw s1, 0x2024(sp) | s1 = *(arg_2024h);
0x00543a30 lw s0, 0x2020(sp) | s0 = *(arg_2020h);
0x00543a34 addiu sp, sp, 0x2038 |
0x00543a38 jr ra | return v0;
| label_1:
0x00543a3c move s0, zero | s0 = 0;
| label_0:
0x00543a40 lw t9, -0x7a5c(gp) | t9 = sym._php_stream_read;
0x00543a44 addiu a2, zero, 0x2000 | a2 = 0x2000;
0x00543a48 move a1, s3 | a1 = s3;
0x00543a4c move a0, s1 | a0 = s1;
0x00543a50 bal 0x54263c | sym_php_stream_read ();
0x00543a54 move s2, v0 | s2 = v0;
0x00543a58 lw gp, 0x18(sp) | gp = *(arg_18h);
0x00543a5c beqz v0, 0x543a18 |
| } while (v0 == 0);
0x00543a60 lw t9, -0x797c(gp) | t9 = sym.php_output_write;
0x00543a64 move a1, s2 | a1 = s2;
0x00543a68 move a0, s3 | a0 = s3;
0x00543a6c bal 0x53fa98 | sym_php_output_write ();
0x00543a70 addu s0, s0, s2 | s0 += s2;
0x00543a74 lw gp, 0x18(sp) | gp = *(arg_18h);
0x00543a78 b 0x543a40 | goto label_0;
| }
[*] Function mmap used 9 times php-fpm
