[*] Binary protection state of connmand
Partial RELRO No Canary found NX disabled No PIE No RPATH No RUNPATH No Symbols
[*] Function sprintf tear down of connmand
; assembly | /* r2dec pseudo code output */
| /* /logs/firmware/unblob_extracted/firmware_extract/56048-12514271.gzip_extract/gzip.uncompressed_extract/5243916-15068666.gzip_extract/gzip.uncompressed_extract/usr/sbin/connmand @ 0x25134 */
| #include <stdint.h>
|
; (fcn) fcn.00025134 () | void fcn_00025134 (int32_t arg1, int32_t arg2) {
| int32_t var_0h;
| int32_t var_ch;
| char * var_10h;
| void * var_18h;
| int32_t var_28h;
| void * s;
| int32_t var_30h;
| int32_t var_48h;
| r0 = arg1;
| r1 = arg2;
0x00025134 push {r4, r5, r6, r7, r8, sb, sl, lr} |
0x00025138 subs r5, r0, 0 | r5 = r0 - 0;
0x0002513c sub sp, sp, 0x48 |
0x00025140 bne 0x2514c |
| while (r4 == r0) {
| label_0:
0x00025144 mov r0, 0 | r0 = 0;
0x00025148 b 0x25308 | goto label_3;
0x0002514c mov r0, 0x18 | r0 = 0x18;
0x00025150 mov r8, r3 | r8 = r3;
0x00025154 mov r6, r2 | r6 = r2;
0x00025158 mov r7, r1 | r7 = r1;
0x0002515c bl 0x1bff0 | r0 = g_try_malloc0 ();
0x00025160 subs r4, r0, 0 | r4 = r0 - 0;
0x00025164 beq 0x25144 |
| }
0x00025168 mov r0, r7 | r0 = r7;
0x0002516c bl 0x1c470 | g_strdup ();
0x00025170 mov r2, 0x1c | r2 = 0x1c;
0x00025174 mov r1, 0 | r1 = 0;
0x00025178 strh r6, [r4, 8] | *((r4 + 8)) = r6;
0x0002517c str r8, [r4, 0xc] | *((r4 + 0xc)) = r8;
0x00025180 str r5, [r4] | *(r4) = r5;
0x00025184 str r0, [r4, 4] | *((r4 + 4)) = r0;
0x00025188 add r0, sp, 0x2c | r0 += s;
0x0002518c bl 0x1bb4c | memset (r0, r1, r2);
0x00025190 mov r3, 2 | r3 = 2;
0x00025194 str r3, [sp, 0x30] | var_30h = r3;
0x00025198 ldr r3, [pc, 0x170] | r3 = *(0x2530c);
0x0002519c mov r2, r6 | r2 = r6;
0x000251a0 ldr r1, [pc, 0x16c] | r1 = *(0x25310);
0x000251a4 add r0, sp, 0x10 | r0 += var_10h;
0x000251a8 str r3, [sp, 0x28] | var_28h = r3;
0x000251ac bl 0x1c50c | sprintf (r0, r1, r2)
0x000251b0 add r3, sp, 0xc | r3 += var_ch;
0x000251b4 add r2, sp, 0x28 | r2 += var_28h;
0x000251b8 add r1, sp, 0x10 | r1 += var_10h;
0x000251bc ldr r0, [r4, 4] | r0 = *((r4 + 4));
0x000251c0 bl 0x1c374 | r0 = getaddrinfo ();
0x000251c4 subs sl, r0, 0 | sl = r0 - 0;
| if (sl != r0) {
0x000251c8 bne 0x251f0 | goto label_2;
| }
0x000251cc ldr r3, [sp, 0xc] | r3 = var_ch;
0x000251d0 cmp r3, 0 |
| if (r3 == 0) {
0x000251d4 beq 0x251f0 | goto label_2;
| }
0x000251d8 ldmib r3, {r0, r1, r2} | __asm ("ldmib r3, {r0, r1, r2}");
0x000251dc bl 0x1c1e8 | r0 = socket (r0, r1, r2);
0x000251e0 subs r6, r0, 0 | r6 = r0 - 0;
0x000251e4 bge 0x251fc |
| while (1) {
0x000251e8 ldr r0, [sp, 0xc] | r0 = var_ch;
0x000251ec bl 0x1b708 | freeaddrinfo ();
| label_2:
0x000251f0 mov r0, r4 | r0 = r4;
0x000251f4 bl 0x2434c | fcn_0002434c (r0);
0x000251f8 b 0x25144 | goto label_0;
0x000251fc ldr r3, [r4] | r3 = *(r4);
0x00025200 ldr sb, [r3, 0x14] | sb = *((r3 + 0x14));
0x00025204 cmp sb, 0 |
| if (sb <= 0) {
0x00025208 ble 0x25278 | goto label_4;
| }
0x0002520c mov r2, 9 | r2 = 9;
0x00025210 ldr r1, [pc, 0x100] | r1 = "_d";
0x00025214 ldr r0, [r4, 4] | r0 = *((r4 + 4));
0x00025218 bl 0x1b6e4 | r0 = strncmp (r0, "_d", r2);
0x0002521c cmp r0, 0 |
| if (r0 == 0) {
0x00025220 beq 0x25278 | goto label_4;
| }
0x00025224 mov r8, 0x10 | r8 = 0x10;
0x00025228 mov r2, r8 | r2 = r8;
0x0002522c mov r1, sl | r1 = sl;
0x00025230 add r0, sp, 0x18 | r0 += var_18h;
0x00025234 bl 0x1bb4c | memset (r0, r1, r2);
0x00025238 add r1, sp, 0x18 | r1 += var_18h;
0x0002523c mov r0, sb | r0 = sb;
0x00025240 bl 0x1b978 | r0 = if_indextoname ();
0x00025244 cmp r0, 0 |
| if (r0 == 0) {
0x00025248 beq 0x25278 | goto label_4;
| }
0x0002524c str r8, [sp] | *(sp) = r8;
0x00025250 add r3, sp, 0x18 | r3 += var_18h;
0x00025254 mov r2, 0x19 | r2 = 0x19;
0x00025258 mov r1, 1 | r1 = 1;
0x0002525c mov r0, r6 | r0 = r6;
0x00025260 bl 0x1bdd4 | r0 = setsockopt ();
0x00025264 cmp r0, 0 |
| if (r0 >= 0) {
0x00025268 bge 0x25278 | goto label_4;
| }
| label_1:
0x0002526c mov r0, r6 | r0 = r6;
0x00025270 bl 0x1b66c | close (r0);
0x00025274 b 0x251e8 |
| }
| label_4:
0x00025278 ldr r3, [sp, 0xc] | r3 = var_ch;
0x0002527c mov r0, r6 | r0 = r6;
0x00025280 ldr r2, [r3, 0x10] | r2 = *((r3 + 0x10));
0x00025284 ldr r1, [r3, 0x14] | r1 = *((r3 + 0x14));
0x00025288 bl 0x1c578 | r0 = connect (r0, r1, r2);
0x0002528c cmp r0, 0 |
| if (r0 < 0) {
0x00025290 blt 0x2526c | goto label_1;
| }
0x00025294 ldr r0, [sp, 0xc] | r0 = var_ch;
0x00025298 bl 0x1b708 | freeaddrinfo ();
0x0002529c mov r0, r6 | r0 = r6;
0x000252a0 bl 0x1be10 | r0 = g_io_channel_unix_new ();
0x000252a4 cmp r0, 0 |
0x000252a8 str r0, [r4, 0x10] | *((r4 + 0x10)) = r0;
| if (r0 == 0) {
0x000252ac bne 0x252bc |
0x000252b0 mov r0, r6 | r0 = r6;
0x000252b4 bl 0x1b66c | close (r0);
0x000252b8 b 0x251f0 | goto label_2;
| }
0x000252bc mov r1, 1 | r1 = 1;
0x000252c0 bl 0x1bcc0 | g_io_channel_set_close_on_unref ();
0x000252c4 mov r3, r4 | r3 = r4;
0x000252c8 ldr r2, [pc, 0x4c] | r2 = "_27.0.0.1";
0x000252cc mov r1, 0x39 | r1 = 0x39;
0x000252d0 ldr r0, [r4, 0x10] | r0 = *((r4 + 0x10));
0x000252d4 bl 0x1c194 | g_io_add_watch ();
0x000252d8 mov r1, r4 | r1 = r4;
0x000252dc str r0, [r4, 0x14] | *((r4 + 0x14)) = r0;
0x000252e0 ldr r0, [r5, 0x18] | r0 = *((r5 + 0x18));
0x000252e4 bl 0x1b48c | g_list_append ();
0x000252e8 ldr r3, [pc, 0x30] | r3 = *(0x2531c);
0x000252ec ldr r2, [pc, 0x30] | r2 = "setting_nameserver__s";
0x000252f0 ldr r1, [pc, 0x30] | r1 = "g_resolv_add_nameserver";
0x000252f4 str r0, [r5, 0x18] | *((r5 + 0x18)) = r0;
0x000252f8 mov r0, r5 | r0 = r5;
0x000252fc str r7, [sp] | *(sp) = r7;
0x00025300 bl 0x24598 | fcn_00024598 (r0, r1, r2);
0x00025304 mov r0, 1 | r0 = 1;
| label_3:
0x00025308 add sp, sp, 0x48 |
0x0002530c pop {r4, r5, r6, r7, r8, sb, sl, pc} |
| }
; assembly | /* r2dec pseudo code output */
| /* /logs/firmware/unblob_extracted/firmware_extract/56048-12514271.gzip_extract/gzip.uncompressed_extract/5243916-15068666.gzip_extract/gzip.uncompressed_extract/usr/sbin/connmand @ 0x4811c */
| #include <stdint.h>
|
; (fcn) sym.connman_inet_create_tunnel () | void connman_inet_create_tunnel (int32_t arg1) {
| char * s;
| int32_t var_10h;
| int32_t var_20h;
| r0 = arg1;
0x0004811c push {r4, r5, r6, r7, r8, lr} |
0x00048120 ldr r1, [pc, 0xbc] | r1 = *(0x481e0);
0x00048124 sub sp, sp, 0x20 |
0x00048128 mov r6, r0 | r6 = r0;
0x0004812c ldr r0, [pc, 0xb4] | r0 = "___add__s";
0x00048130 bl 0x1ba2c | r0 = open64 ();
0x00048134 subs r4, r0, 0 | r4 = r0 - 0;
| if (r4 < r0) {
0x00048138 bge 0x48164 |
0x0004813c bl 0x1c770 | r0 = errno_location ();
0x00048140 ldr r0, [r0] | r0 = *(r0);
0x00048144 rsb r4, r0, 0 | r4 = r0 - ;
0x00048148 bl 0x1b798 | r0 = strerror (r0);
0x0004814c mov r1, r0 | r1 = r0;
0x00048150 ldr r0, [pc, 0x94] | r0 = "_dev_net_tun";
0x00048154 bl 0x2ac70 | connman_error ();
| label_0:
0x00048158 mov r0, r4 | r0 = r4;
0x0004815c add sp, sp, 0x20 |
0x00048160 pop {r4, r5, r6, r7, r8, pc} |
| }
0x00048164 mov r2, 0x20 | r2 = 0x20;
0x00048168 mov r1, 0 | r1 = 0;
0x0004816c mov r0, sp | r0 = sp;
0x00048170 bl 0x1bb4c | memset (r0, r1, r2);
0x00048174 ldr r7, [pc, 0x74] | r7 = "Failed to open /dev/net/tun: %s";
0x00048178 ldr r3, [pc, 0x74] | r3 = "tun%d";
0x0004817c ldr r8, [pc, 0x74] | r8 = *(0x481f4);
0x00048180 mov r5, 0 | r5 = 0;
0x00048184 strh r3, [sp, 0x10] | var_10h = r3;
| do {
0x00048188 mov r2, r5 | r2 = r5;
0x0004818c mov r1, r7 | r1 = r7;
0x00048190 mov r0, sp | r0 = sp;
0x00048194 bl 0x1c50c | sprintf (r0, r1, r2)
0x00048198 mov r2, sp | r2 = sp;
0x0004819c mov r1, r8 | r1 = r8;
0x000481a0 mov r0, r4 | r0 = r4;
0x000481a4 bl 0x1c35c | r0 = ioctl (r0, r1);
0x000481a8 cmp r0, 0 |
| if (r0 == 0) {
0x000481ac beq 0x481d4 | goto label_1;
| }
0x000481b0 add r5, r5, 1 | r5++;
0x000481b4 cmp r5, 0x100 |
0x000481b8 bne 0x48188 |
| } while (r5 != 0x100);
0x000481bc ldr r0, [pc, 0x38] | r0 = *(0x481f8);
0x000481c0 bl 0x2ac70 | connman_error ();
0x000481c4 mov r0, r4 | r0 = r4;
0x000481c8 bl 0x1b66c | close (r0);
0x000481cc mvn r4, 0x12 | r4 = ~0x12;
0x000481d0 b 0x48158 | goto label_0;
| label_1:
0x000481d4 mov r0, sp | r0 = sp;
0x000481d8 bl 0x1c470 | g_strdup ();
0x000481dc str r0, [r6] | *(r6) = r0;
0x000481e0 b 0x48158 | goto label_0;
| }
[*] Function sprintf used 3 times connmand
