[*] Binary protection state of lighttpd-angel
Partial RELRO | No Canary found | NX disabled | No PIE | No RPATH | No RUNPATH | No Symbols
[*] Function printf tear down of lighttpd-angel
; assembly | /* r2dec pseudo code output */
| /* /logs/firmware/unblob_extracted/firmware_extract/56048-12514271.gzip_extract/gzip.uncompressed_extract/5243916-15068666.gzip_extract/gzip.uncompressed_extract/usr/sbin/lighttpd-angel @ 0x10598 */
| #include <stdint.h>
|
; ---------------------------------------------------------------------
; main() of lighttpd-angel: a small supervisor loop. It sets signal
; dispositions with sigaction(), then fork()s and execvp()s a child,
; waits for it with waitpid(), reports how it ended through fprintf(),
; and loops back to fork again on the label_3 path.
;
; Reading notes (left column = disassembly, right column = r2dec):
;  * Trust the left column. Several r2dec conditions do not match the
;    instructions (cmn/ands cases are marked where they occur).
;  * NOTE(review): literal-pool annotations look shifted by one slot.
;    In ARM state pc reads as instruction+8, so the first ldr
;    (0x10598, imm 0x1c8) loads from 0x10768, while r2dec prints
;    0x10764, which is the address of the final branch instruction.
;    The same -4 offset would explain why r5 carries a string label
;    although the code stores a pid and a flag through it. Confirm the
;    string and stderr labels in the disassembler before relying on them.
;  * Both fprintf() call sites take their format pointer (r1) from the
;    literal pool, so no caller-controlled format string is visible in
;    this function. Only two of the three printf-family uses reported
;    for the binary appear here.
;  * The protection summary printed above this listing (no canary, NX
;    disabled, no PIE, partial RELRO) describes this supervisor binary;
;    the exec'd child needs its own check.
; ---------------------------------------------------------------------
; (fcn) main () | int32_t main (int32_t arg2) {
| int32_t var_8h;
| int32_t var_ch;
| void * s;
| int32_t var_18h;
| int32_t var_24h;
| r1 = arg2;
| /* [10] -r-x section size 972 named .text */
; r1 is main's second argument (argv). The word loaded into r3 is stored
; to argv[0] at 0x105ac, so the later execvp() target comes from the
; binary's literal pool rather than from the caller's argv[0].
0x00010598 ldr r3, [pc, 0x1c8] | r3 = *(0x10764);
0x0001059c push {r4, r5, r6, r7, r8, sb, lr} |
; r5 is used below as a two-word state block: [r5] = child pid,
; [r5+4] = "start a child" flag. The string label is presumably misplaced.
0x000105a0 ldr r5, [pc, 0x1c4] | r5 = "_usr_sbin_lighttpd";
0x000105a4 sub sp, sp, 0x24 |
0x000105a8 mov r2, 0x10 | r2 = 0x10;
0x000105ac str r3, [r1] | *(r1) = r3;
0x000105b0 add r0, sp, r2 | r0 = sp + r2;
; r7 keeps the argv pointer for the execvp() call in the child.
0x000105b4 mov r7, r1 | r7 = r1;
0x000105b8 mov r1, 0 | r1 = 0;
; Zeroes 0x10 bytes starting at sp+0x10.
0x000105bc bl 0x1055c | memset (r0, r1, r2);
; Every sigaction() call passes r0 = signal number, r1 = sp+0xc and
; r2 = 0; read "r1 += var_ch" as r1 = sp + 0xc.
; First two calls: the word at sp+0xc is 1. On Linux a handler value of
; 1 is SIG_IGN and signals 0xd / 0xa are SIGPIPE / SIGUSR1 -- presumably
; both are being ignored here; confirm against the target libc headers.
0x000105c0 mov r4, 1 | r4 = 1;
0x000105c4 mov r2, 0 | r2 = 0;
0x000105c8 add r1, sp, 0xc | r1 += var_ch;
0x000105cc mov r0, 0xd | r0 = 0xd;
0x000105d0 str r4, [sp, 0xc] | var_ch = r4;
0x000105d4 bl 0x10544 | sigaction ();
0x000105d8 mov r2, 0 | r2 = 0;
0x000105dc add r1, sp, 0xc | r1 += var_ch;
0x000105e0 mov r0, 0xa | r0 = 0xa;
0x000105e4 bl 0x10544 | sigaction ();
; From here the word at sp+0xc is replaced by a pointer from the literal
; pool (a handler address, presumably), sigemptyset() runs on sp+0x18 and
; 4 is stored at sp+0x10. r2dec names that slot "s"; it is likely
; sa_flags with 4 = SA_SIGINFO -- TODO confirm the struct layout.
0x000105e8 ldr r3, [pc, 0x180] | r3 = *(0x1076c);
0x000105ec add r0, sp, 0x18 | r0 += var_18h;
0x000105f0 str r3, [sp, 0xc] | var_ch = r3;
0x000105f4 bl 0x104d8 | sigemptyset ();
0x000105f8 mov r3, 4 | r3 = 4;
0x000105fc mov r2, 0 | r2 = 0;
0x00010600 add r1, sp, 0xc | r1 += var_ch;
0x00010604 mov r0, 2 | r0 = 2;
0x00010608 str r3, [sp, 0x10] | s = r3;
; The same structure is installed for signals 2, 0xf, 0xa, 1 (r4), 0xe
; and 0x11. Signal 0xa is set a second time, replacing the earlier call.
0x0001060c bl 0x10544 | sigaction ();
0x00010610 mov r2, 0 | r2 = 0;
0x00010614 add r1, sp, 0xc | r1 += var_ch;
0x00010618 mov r0, 0xf | r0 = 0xf;
0x0001061c bl 0x10544 | sigaction ();
0x00010620 mov r2, 0 | r2 = 0;
0x00010624 add r1, sp, 0xc | r1 += var_ch;
0x00010628 mov r0, 0xa | r0 = 0xa;
0x0001062c bl 0x10544 | sigaction ();
0x00010630 mov r2, 0 | r2 = 0;
0x00010634 add r1, sp, 0xc | r1 += var_ch;
0x00010638 mov r0, r4 | r0 = r4;
0x0001063c bl 0x10544 | sigaction ();
0x00010640 mov r2, 0 | r2 = 0;
0x00010644 add r1, sp, 0xc | r1 += var_ch;
0x00010648 mov r0, 0xe | r0 = 0xe;
0x0001064c bl 0x10544 | sigaction ();
0x00010650 mov r2, 0 | r2 = 0;
0x00010654 add r1, sp, 0xc | r1 += var_ch;
0x00010658 mov r0, 0x11 | r0 = 0x11;
0x0001065c bl 0x10544 | sigaction ();
; r8 = mask applied to the wait status at label_3 (value not shown here).
0x00010660 ldr r8, [pc, 0x10c] | r8 = *(0x10770);
; r6 aliases r5: both point at the pid/flag state block.
0x00010664 mov r6, r5 | r6 = r5;
| do {
| label_0:
; Loop top: clear the wait-status slot at sp+8 and fork only when the
; flag at [r5+4] is non-zero.
0x00010668 ldr r3, [r5, 4] | r3 = *((r5 + 4));
0x0001066c mov sb, 0 | sb = 0;
0x00010670 cmp r3, sb |
0x00010674 str sb, [sp, 8] | var_8h = sb;
| if (r3 != sb) {
0x00010678 beq 0x106b4 |
0x0001067c bl 0x10538 | fork ();
0x00010680 str r0, [r5] | *(r5) = r0;
0x00010684 ldr r3, [r5] | r3 = *(r5);
0x00010688 cmp r3, 0 |
| if (r3 == 0) {
0x0001068c bne 0x106a4 |
; Child: execvp(argv[0], argv) with argv[0] as overwritten at 0x105ac and
; the remaining arguments passed through unchanged. exit(1) is reached
; only if execvp() returns.
0x00010690 mov r1, r7 | r1 = r7;
0x00010694 ldr r0, [r7] | r0 = *(r7);
0x00010698 bl 0x10580 | execvp ();
0x0001069c mov r0, 1 | r0 = 1;
0x000106a0 bl 0x10574 | exit (r0);
| }
; cmn r4, 1 sets flags for r4 + 1, so the branch is taken when the pid
; is -1 (fork failed); the "r4 == 1" rendering drops the sign. main then
; returns -1 through label_1.
0x000106a4 ldr r4, [r5] | r4 = *(r5);
0x000106a8 cmn r4, 1 |
| if (r4 == 1) {
0x000106ac beq 0x106e8 | goto label_1;
| }
; Fork succeeded: clear the start flag so the next pass only waits.
0x000106b0 str sb, [r5, 4] | *((r5 + 4)) = sb;
| }
; waitpid(pid at [r6], &status at sp+8, 0).
0x000106b4 ldr r0, [r6] | r0 = *(r6);
0x000106b8 mov r2, 0 | r2 = 0;
0x000106bc add r1, sp, 8 | r1 += var_8h;
0x000106c0 bl 0x104cc | r0 = waitpid ();
; Same cmn idiom: the branch to label_2 is taken when waitpid() did not
; return -1.
0x000106c4 cmn r0, 1 |
| if (r0 != 1) {
0x000106c8 bne 0x106f4 | goto label_2;
| }
; waitpid() failed: any errno other than 0xa (ECHILD on Linux,
; presumably) goes back to the loop top.
0x000106cc bl 0x10568 | r0 = errno_location ();
0x000106d0 ldr r3, [r0] | r3 = *(r0);
0x000106d4 cmp r3, 0xa |
0x000106d8 bne 0x10668 |
| } while (r3 != 0xa);
; errno == 0xa: keep looping if the start flag is set, otherwise fall
; through and return the flag value, which is 0 here.
0x000106dc ldr r4, [r6, 4] | r4 = *((r6 + 4));
0x000106e0 cmp r4, 0 |
| if (r4 != 0) {
0x000106e4 bne 0x10668 | goto label_0;
| }
| do {
| label_1:
; Common exit: return r4 and restore the registers pushed on entry.
0x000106e8 mov r0, r4 | r0 = r4;
0x000106ec add sp, sp, 0x24 |
0x000106f0 pop {r4, r5, r6, r7, r8, sb, pc} |
| label_2:
; r4 = status & 0x7f. ands sets the flags from that result, so bne goes
; to label_3 when the low seven bits are non-zero; the "r4 != r3"
; rendering does not reflect the instruction.
0x000106f4 ldr r3, [sp, 8] | r3 = var_8h;
0x000106f8 ands r4, r3, 0x7f | r4 = r3 & 0x7f;
| if (r4 != r3) {
0x000106fc bne 0x1072c | goto label_3;
| }
; Low seven bits are zero: report pid ([r6]) and (status >> 8) & 0xff as
; the two stacked arguments, with r3 = 0x94. Register order is r0 =
; stream, r1 = format, r2, r3; the labels printed against r1/r2 are
; presumably one slot off, see the note at the top of the function.
0x00010700 ldr r2, [r6] | r2 = *(r6);
0x00010704 ldr r0, [pc, 0x6c] |
0x00010708 asr r3, r3, 8 | r3 >>= 8;
0x0001070c and r3, r3, 0xff | r3 &= 0xff;
0x00010710 stm sp, {r2, r3} | *(sp) = r2;
| *((sp + 4)) = r3;
0x00010714 ldr r1, [pc, 0x60] | r1 = stderr;
0x00010718 mov r3, 0x94 | r3 = 0x94;
0x0001071c ldr r2, [pc, 0x5c] | r2 = "_s._d:_child__pid_d__exited_normally_with_exitcode:__d";
0x00010720 ldr r0, [r0] | r0 = *(0x10774);
0x00010724 bl 0x10508 | fprintf (r0, r1, r2, r3)
; Returns through label_1 with r4 == 0: main reports 0, not the child's
; exit code, and the child is not started again.
0x00010728 b 0x106e8 |
| } while (1);
| label_3:
; (status & r8) - 1 must be <= 0xfe (unsigned) to continue; any other
; status goes back to the loop top without a message.
0x0001072c and r3, r3, r8 | r3 &= r8;
0x00010730 sub r3, r3, 1 | r3--;
0x00010734 cmp r3, 0xfe |
| if (r3 > 0xfe) {
0x00010738 bhi 0x10668 | goto label_0;
| }
; Report pid ([r6]) and r4 = status & 0x7f (the terminating signal,
; presumably) with r3 = 0x9c. r1 is loaded from a different literal slot
; than at 0x10714 while r2 uses the same slot as at 0x1071c, so this call
; most likely uses a second format string that the listing does not
; show; the "exited normally" label here is suspect.
0x0001073c ldr r3, [r6] | r3 = *(r6);
0x00010740 ldr r0, [pc, 0x30] |
0x00010744 stm sp, {r3, r4} | *(sp) = r3;
| *((sp + 4)) = r4;
0x00010748 ldr r2, [pc, 0x30] | r2 = "_s._d:_child__pid_d__exited_normally_with_exitcode:__d";
0x0001074c mov r3, 0x9c | r3 = 0x9c;
0x00010750 ldr r1, [pc, 0x2c] | r1 = "lighttpd-angel.c";
0x00010754 ldr r0, [r0] | r0 = *(0x10774);
0x00010758 bl 0x10508 | fprintf (r0, "lighttpd-angel.c", "_s._d:_child__pid_d__exited_normally_with_exitcode:__d", r3)
; Set the start flag and loop: the child is forked again at once. No
; delay or retry limit is visible in this function, so repeated messages
; from this call site are worth alerting on.
0x0001075c mov r3, 1 | r3 = 1;
0x00010760 str r3, [r6, 4] | *((r6 + 4)) = r3;
0x00010764 b 0x10668 | goto label_0;
| }
[*] Function printf used 3 times lighttpd-angel