[*] Binary protection state of ubiformat
Partial RELRO | No Canary found | NX disabled | No PIE | No RPATH | No RUNPATH | No Symbols
[*] Disassembly of the ubiformat function that calls strcpy
; assembly | /* r2dec pseudo code output */
| /* /logs/firmware/unblob_extracted/firmware_extract/56048-12514271.gzip_extract/gzip.uncompressed_extract/5243916-15068666.gzip_extract/gzip.uncompressed_extract/usr/sbin/ubiformat @ 0x18c58 */
| #include <stdint.h>
|
| #define BIT_MASK(t,v) ((t)(-((v)!= 0)))&(((t)-1)>>((sizeof(t)*CHAR_BIT)-(v)))
|
;-----------------------------------------------------------------------
; fcn.00018c58 -- 32-bit ARM.
; In:    r0 = arg1, a path string (passed to stat64 and open64)
;        r1 = arg2, pointer to an output record filled in by this function
; Out:   r0 = r5: -1 on every failure path, 0 after the final strcpy
; Roles: r6 = path, r4 = output record, r5 = fd once open64 has returned
; Stack: 0x144 bytes of locals; stat buffer at sp+0x38, ioctl result
;        buffer at sp+0x18, helper record at sp+0xa0.
; The output record is zeroed for 0x100 bytes; the two strcpy calls in
; this function write at r4+0x10 and r4+0x51.
; NOTE(review): several r2dec annotations in the right-hand column do not
; match the instructions (cmn r0, 1 shown as "== 1", ioctl request words
; and strcpy sources shown as message strings, and the message strings
; appear offset from the loads they annotate). Read the assembly column
; when judging the strcpy findings.
;-----------------------------------------------------------------------
; (fcn) fcn.00018c58 () | void fcn_00018c58 (char * arg1, int32_t arg2) {
| int32_t var_0h;
| int32_t var_4h;
| int32_t var_8h;
| int32_t var_8h_2;
| int32_t var_10h;
| int32_t var_10h_2;
| int32_t var_18h;
| int32_t var_1ch;
| int32_t var_20h;
| int32_t var_24h;
| int32_t var_28h;
| int32_t var_2ch;
| int32_t var_38h;
| int32_t var_48h;
| int32_t var_58h;
| int32_t var_58h_2;
| int32_t var_a0h;
| char * src;
| int32_t var_144h;
| r0 = arg1;
| r1 = arg2;
0x00018c58 push {r4, r5, r6, r7, r8, sb, lr} |
0x00018c5c sub sp, sp, 0x144 |
0x00018c60 mov r2, 0 | r2 = 0;
0x00018c64 mov r3, 0 | r3 = 0;
0x00018c68 mov r4, r1 | r4 = r1;
0x00018c6c add r1, sp, 0x38 | r1 += var_38h;
0x00018c70 mov r6, r0 | r6 = r0;
; Zero the 64-bit slot at sp+0x10; it is later passed to the second ioctl.
0x00018c74 strd r2, r3, [sp, 0x10] | __asm ("strd r2, r3, [var_10h]");
; stat64(r0 = path, r1 = sp+0x38); a zero result skips the error block.
0x00018c78 bl 0x10bd4 | r0 = stat64 ();
0x00018c7c cmp r0, 0 |
| if (r0 != 0) {
0x00018c80 beq 0x18ce8 |
0x00018c84 bl 0x10d78 | errno_location ();
0x00018c88 ldr r8, [pc, 0x450] |
0x00018c8c mov r3, r6 | r3 = r6;
0x00018c90 ldr r2, [pc, 0x44c] | r2 = stderr;
0x00018c94 ldr r1, [pc, 0x44c] | r1 = "libmtd";
0x00018c98 ldr r7, [r0] | r7 = *(r0);
0x00018c9c mov r5, r0 | r5 = r0;
0x00018ca0 ldr r0, [r8] | r0 = *(0x190dc);
0x00018ca4 bl 0x10c7c | fprintf (r0, "libmtd", r2, r3, r4, r5);
0x00018ca8 mov r0, r7 | r0 = r7;
0x00018cac ldr r8, [r8] | r8 = *(0x190dc);
0x00018cb0 bl 0x10bc8 | strerror (r0);
0x00018cb4 ldr r3, [pc, 0x430] | r3 = "%s: error!: cannot open \"%s\"\n";
0x00018cb8 str r7, [sp] | *(sp) = r7;
0x00018cbc mov r2, 8 | r2 = 8;
0x00018cc0 ldr r1, [pc, 0x428] | r1 = *(0x190ec);
0x00018cc4 str r0, [sp, 4] | var_4h = r0;
0x00018cc8 mov r0, r8 | r0 = r8;
0x00018ccc bl 0x10c7c | fprintf (r0, r1, r2, "%s: error!: cannot open \"%s\"\n");
; r5 still points at errno here; the value 2 is ENOENT.
0x00018cd0 ldr r3, [r5] | r3 = *(r5);
0x00018cd4 cmp r3, 2 |
| if (r3 != 2) {
0x00018cd8 bne 0x18ce8 | goto label_5;
| }
0x00018cdc ldr r1, [pc, 0x400] | r1 = stderr;
0x00018ce0 ldr r0, [pc, 0x40c] | r0 = "_serror__d___s_";
0x00018ce4 bl 0x10bbc | printf ("_serror__d___s_", r1);
| }
; NOTE(review): the stat64 failure path above only prints diagnostics and
; then reaches this check as well, so [sp+0x48] is read from a stat buffer
; that was presumably never filled in. The function does not return early.
| label_5:
; [sp+0x48] is stat buffer + 0x10 (presumably st_mode); masking with 0xf000
; and comparing with 0x2000 is the S_IFMT / S_IFCHR test.
0x00018ce8 ldr r3, [sp, 0x48] | r3 = var_48h;
0x00018cec and r3, r3, 0xf000 | r3 &= 0xf000;
0x00018cf0 cmp r3, 0x2000 |
| if (r3 == 0x2000) {
0x00018cf4 beq 0x18d24 | goto label_6;
| }
; Not a character device: errno = 0x16 (EINVAL), print, fail.
0x00018cf8 bl 0x10d78 | errno_location ();
0x00018cfc mov r3, 0x16 | r3 = 0x16;
0x00018d00 ldr r2, [pc, 0x3dc] | r2 = stderr;
0x00018d04 ldr r1, [pc, 0x3ec] | r1 = "%s: MTD subsystem is old and does not support sysfs, so MTD character device nodes have to exist\n";
0x00018d08 str r3, [r0] | *(r0) = r3;
0x00018d0c ldr r0, [pc, 0x3cc] |
0x00018d10 mov r3, r6 | r3 = r6;
0x00018d14 ldr r0, [r0] | r0 = *(0x190dc);
0x00018d18 bl 0x10c7c | fprintf (r0, "%s: MTD subsystem is old and does not support sysfs, so MTD character device nodes have to exist\n", r2, r3);
| do {
; label_0: shared failure exit, result = -1 (mvn r5, 0).
| label_0:
0x00018d1c mvn r5, 0 | r5 = ~0;
0x00018d20 b 0x18e08 | goto label_4;
| label_6:
; Zero 0x100 bytes of the output record before any field is written.
0x00018d24 mov r2, 0x100 | r2 = 0x100;
0x00018d28 mov r1, 0 | r1 = 0;
0x00018d2c mov r0, r4 | r0 = r4;
0x00018d30 bl 0x10d18 | memset (r0, r1, r2);
; 64-bit device number from sp+0x58 (stat buffer + 0x20, presumably st_rdev)
; is split into major -> [r4+4] and minor -> [r4+8].
0x00018d34 ldrd r8, sb, [sp, 0x58] | __asm ("ldrd r8, sb, [var_58h]");
0x00018d38 mov r1, sb | r1 = sb;
0x00018d3c mov r0, r8 | r0 = r8;
0x00018d40 bl 0x10c04 | gnu_dev_major ();
0x00018d44 mov r1, sb | r1 = sb;
0x00018d48 mov r5, r0 | r5 = r0;
0x00018d4c str r0, [r4, 4] | *((r4 + 4)) = r0;
0x00018d50 mov r0, r8 | r0 = r8;
0x00018d54 bl 0x10c4c | gnu_dev_minor ();
; Only major 0x5a (90) is accepted; anything else sets EINVAL and fails.
0x00018d58 cmp r5, 0x5a |
0x00018d5c str r0, [r4, 8] | *((r4 + 8)) = r0;
| if (r5 == 0x5a) {
0x00018d60 beq 0x18d9c | goto label_7;
| }
0x00018d64 bl 0x10d78 | errno_location ();
0x00018d68 mov r3, 0x16 | r3 = 0x16;
0x00018d6c ldr r2, [pc, 0x370] | r2 = stderr;
0x00018d70 ldr r1, [pc, 0x384] | r1 = "%s: error!: \"%s\" is not a character device\n";
0x00018d74 str r3, [r0] | *(r0) = r3;
0x00018d78 mov r3, 0x5a | r3 = 0x5a;
0x00018d7c str r3, [sp, 4] | var_4h = r3;
0x00018d80 ldr r0, [pc, 0x358] |
0x00018d84 ldr r3, [r4, 4] | r3 = *((r4 + 4));
0x00018d88 str r3, [sp] | *(sp) = r3;
0x00018d8c mov r3, r6 | r3 = r6;
0x00018d90 ldr r0, [r0] | r0 = *(0x190dc);
0x00018d94 bl 0x10c7c | fprintf (r0, "%s: error!: \"%s\" is not a character device\n", r2, r3);
0x00018d98 b 0x18d1c |
| } while (1);
| label_7:
; [r4] = minor / 2 (signed divide, rounding toward zero); this is the
; number later compared against the helper record at sp+0xa0.
0x00018d9c add r0, r0, r0, lsr 31 | r0 += (r0 >> 31);
0x00018da0 asr r0, r0, 1 | r0 >>= 1;
0x00018da4 str r0, [r4] | *(r4) = r0;
0x00018da8 mov r1, 0 | r1 = 0;
0x00018dac mov r0, r6 | r0 = r6;
; open64(path, 0); r5 keeps the descriptor from here on.
0x00018db0 bl 0x10d30 | r0 = open64 ();
; cmn r0, 1 tests r0 == -1; the "== 1" on the right is a decompiler artefact.
0x00018db4 cmn r0, 1 |
0x00018db8 mov r5, r0 | r5 = r0;
| if (r0 == 1) {
0x00018dbc bne 0x18e14 |
0x00018dc0 bl 0x10d78 | errno_location ();
0x00018dc4 ldr r7, [pc, 0x314] | r7 = *(0x190dc);
0x00018dc8 mov r3, r6 | r3 = r6;
0x00018dcc ldr r2, [pc, 0x310] | r2 = stderr;
0x00018dd0 ldr r1, [pc, 0x310] | r1 = "libmtd";
0x00018dd4 ldr r4, [r0] | r4 = *(r0);
0x00018dd8 ldr r0, [r7] | r0 = *(0x190dc);
0x00018ddc bl 0x10c7c | fprintf (r0, "libmtd", r2, r3, r4);
0x00018de0 mov r0, r4 | r0 = r4;
0x00018de4 ldr r6, [r7] | r6 = *(0x190dc);
0x00018de8 bl 0x10bc8 | strerror (r0);
0x00018dec str r4, [sp] | *(sp) = r4;
0x00018df0 ldr r3, [pc, 0x2f4] | r3 = "%s: error!: cannot open \"%s\"\n";
0x00018df4 mov r2, 8 | r2 = 8;
0x00018df8 ldr r1, [pc, 0x2f0] | r1 = *(0x190ec);
0x00018dfc str r0, [sp, 4] | var_4h = r0;
0x00018e00 mov r0, r6 | r0 = r6;
0x00018e04 bl 0x10c7c | fprintf (r0, r1, r2, "%s: error!: cannot open \"%s\"\n", r4);
; label_4: single epilogue; returns r5 and releases the 0x144-byte frame.
| label_4:
0x00018e08 mov r0, r5 | r0 = r5;
0x00018e0c add sp, sp, 0x144 |
0x00018e10 pop {r4, r5, r6, r7, r8, sb, pc} |
| }
; First ioctl(fd, request, sp+0x18): r1 is a request word loaded from the
; literal pool, not the format string shown on the right. Presumably
; MEMGETINFO, going by the message strings in this listing -- TODO confirm.
0x00018e14 add r2, sp, 0x18 | r2 += var_18h;
0x00018e18 ldr r1, [pc, 0x2e0] | r1 = "%s: error!: \"%s\" has major number %d, MTD devices have major %d\n";
0x00018e1c bl 0x10bb0 | r0 = ioctl (r0, "%s: error!: \"%s\" has major number %d, MTD devices have major %d\n");
; r8 = ioctl result; it is 0 on the continuing path and is reused below
; to reset errno.
0x00018e20 subs r8, r0, 0 | r8 = r0 - 0;
| if (r8 == r0) {
0x00018e24 beq 0x18e78 | goto label_8;
| }
0x00018e28 bl 0x10d78 | errno_location ();
0x00018e2c ldr r6, [pc, 0x2ac] |
0x00018e30 ldr r2, [pc, 0x2ac] | r2 = stderr;
0x00018e34 ldr r1, [pc, 0x2c8] | r1 = *(0x19100);
0x00018e38 ldr r4, [r0] | r4 = *(r0);
0x00018e3c ldr r0, [r6] | r0 = *(0x190dc);
0x00018e40 bl 0x10c7c | fprintf (r0, r1, r2, r3, r4, r5, r6);
0x00018e44 mov r0, r4 | r0 = r4;
0x00018e48 ldr r6, [r6] | r6 = *(0x190dc);
0x00018e4c bl 0x10bc8 | strerror (r0);
0x00018e50 ldr r3, [pc, 0x294] | r3 = "%s: error!: cannot open \"%s\"\n";
0x00018e54 ldr r1, [pc, 0x294] | r1 = *(0x190ec);
0x00018e58 mov r2, 8 | r2 = 8;
0x00018e5c str r4, [sp] | *(sp) = r4;
0x00018e60 str r0, [sp, 4] | var_4h = r0;
0x00018e64 mov r0, r6 | r0 = r6;
| do {
; label_1: print with the arguments set up by the jumping site, then fall
; into label_2, which closes the descriptor in r5 and fails via label_0.
| label_1:
0x00018e68 bl 0x10c7c | fprintf (r0, r1, r2, "%s: error!: cannot open \"%s\"\n", r4);
| label_2:
0x00018e6c mov r0, r5 | r0 = r5;
0x00018e70 bl 0x10dcc | close (r0);
0x00018e74 b 0x18d1c | goto label_0;
| label_8:
; Second ioctl(fd, request, sp+0x10) on the 64-bit slot zeroed at entry;
; again r1 is a request word, not the string shown.
0x00018e78 add r2, sp, 0x10 | r2 += var_10h;
0x00018e7c ldr r1, [pc, 0x284] | r1 = "_s:_error_:_MEMGETINFO_ioctl_request_failed";
0x00018e80 mov r0, r5 | r0 = r5;
0x00018e84 bl 0x10bb0 | r0 = ioctl (r0, "_s:_error_:_MEMGETINFO_ioctl_request_failed");
; Result != -1: set mask 2 in the flag byte at r4+0xfc (stored at label_9).
0x00018e88 cmn r0, 1 |
| if (r0 == 1) {
0x00018e8c ldrbne r3, [r4, 0xfc] | r3 = *((r4 + 0xfc));
| }
| if (r0 == 1) {
0x00018e90 orrne r3, r3, 2 | r3 |= 2;
| }
| if (r0 != 1) {
0x00018e94 bne 0x18ef0 | goto label_9;
| }
; Result == -1: errno 0x5f (EOPNOTSUPP) is tolerated -- errno is reset to
; r8 (0) and mask 2 is cleared. Any other errno is reported and is fatal.
0x00018e98 bl 0x10d78 | r0 = errno_location ();
0x00018e9c ldr r7, [r0] | r7 = *(r0);
0x00018ea0 cmp r7, 0x5f |
| if (r7 != 0x5f) {
0x00018ea4 streq r8, [r0] | *(r0) = r8;
| }
| if (r7 != 0x5f) {
0x00018ea8 ldrbeq r3, [r4, 0xfc] | r3 = *((r4 + 0xfc));
| }
0x00018eac biceq r3, r3, 2 | __asm ("biceq r3, r3, 2");
| if (r7 == 0x5f) {
0x00018eb0 beq 0x18ef0 | goto label_9;
| }
0x00018eb4 ldr r4, [pc, 0x224] |
0x00018eb8 ldr r2, [pc, 0x224] | r2 = stderr;
0x00018ebc ldr r1, [pc, 0x248] | r1 = *(0x19108);
0x00018ec0 ldr r0, [r4] | r0 = *(0x190dc);
0x00018ec4 bl 0x10c7c | fprintf (r0, r1, r2, r3, r4);
0x00018ec8 mov r0, r7 | r0 = r7;
0x00018ecc ldr r4, [r4] | r4 = *(0x190dc);
0x00018ed0 bl 0x10bc8 | strerror (r0);
0x00018ed4 str r7, [sp] | *(sp) = r7;
0x00018ed8 ldr r3, [pc, 0x20c] | r3 = "%s: error!: cannot open \"%s\"\n";
0x00018edc mov r2, 8 | r2 = 8;
0x00018ee0 ldr r1, [pc, 0x208] | r1 = *(0x190ec);
0x00018ee4 str r0, [sp, 4] | var_4h = r0;
0x00018ee8 mov r0, r4 | r0 = r4;
0x00018eec b 0x18e68 |
| } while (1);
| label_9:
; Copy fields of the first ioctl's result buffer (sp+0x18 .. sp+0x2c) into
; the record: type byte -> [r4+0xc], [sp+0x20] zero-extended to 64 bits ->
; [r4+0xd8], [sp+0x24] -> [r4+0xe4], [sp+0x28] -> [r4+0xe8],
; [sp+0x2c] -> [r4+0xf0]. The values are validated after being stored.
0x00018ef0 strb r3, [r4, 0xfc] | *((r4 + 0xfc)) = r3;
0x00018ef4 ldr r3, [sp, 0x28] | r3 = var_28h;
0x00018ef8 ldrb r7, [sp, 0x18] | r7 = var_18h;
0x00018efc ldr r0, [sp, 0x20] | r0 = var_20h;
0x00018f00 ldr r2, [sp, 0x24] | r2 = var_24h;
0x00018f04 ldr ip, [sp, 0x2c] | ip = var_2ch;
0x00018f08 mov r1, 0 | r1 = 0;
0x00018f0c cmp r3, 0 |
0x00018f10 str r7, [r4, 0xc] | *((r4 + 0xc)) = r7;
0x00018f14 strd r0, r1, [r4, 0xd8] | __asm ("strd r0, r1, [r4, 0xd8]");
0x00018f18 str r2, [r4, 0xe4] | *((r4 + 0xe4)) = r2;
0x00018f1c str r3, [r4, 0xe8] | *((r4 + 0xe8)) = r3;
0x00018f20 str ip, [r4, 0xf0] | *((r4 + 0xf0)) = ip;
; Sanity check 1: [sp+0x28] must be > 0 (signed).
| if (r3 > 0) {
0x00018f24 bgt 0x18f48 | goto label_10;
| }
0x00018f28 str r3, [sp, 4] | var_4h = r3;
0x00018f2c str r6, [sp] | *(sp) = r6;
0x00018f30 ldr r2, [pc, 0x1ac] | r2 = stderr;
0x00018f34 ldr r3, [r4] | r3 = *(r4);
0x00018f38 ldr r1, [pc, 0x1d0] | r1 = "%s: error!: MEMGETBADBLOCK ioctl failed\n";
| do {
0x00018f3c ldr r0, [pc, 0x19c] |
0x00018f40 ldr r0, [r0] | r0 = *(0x190dc);
0x00018f44 b 0x18e68 | goto label_1;
| label_10:
; Sanity check 2: the cmp / cmpge pair passes only when r2 >= r3 and
; r2 > 0 (signed); "r2 > r3" on the right is an approximation.
0x00018f48 cmp r2, r3 |
0x00018f4c cmpge r2, 0 | __asm ("cmpge r2, 0");
| if (r2 > r3) {
0x00018f50 bgt 0x18f6c | goto label_11;
| }
0x00018f54 str r2, [sp, 4] | var_4h = r2;
0x00018f58 str r6, [sp] | *(sp) = r6;
0x00018f5c ldr r2, [pc, 0x180] | r2 = stderr;
0x00018f60 ldr r3, [r4] | r3 = *(r4);
0x00018f64 ldr r1, [pc, 0x1a8] | r1 = "_s:_error_:_mtd_d___s__has_insane_min._I_O_unit_size__d";
0x00018f68 b 0x18f3c |
| } while (1);
| label_11:
; Sanity check 3: the 64-bit value r1:r0 must be non-zero and, as a signed
; 64-bit compare, >= the sign-extended r2.
0x00018f6c orrs r3, r0, r1 | r3 = r0 | r1;
| if (r3 != r0) {
0x00018f70 beq 0x18f84 |
0x00018f74 asr r3, r2, 0x1f | r3 = r2 >> 0x1f;
0x00018f78 cmp r0, r2 |
0x00018f7c sbcs ip, r1, r3 | __asm ("sbcs ip, r1, r3");
| if (r0 >= r2) {
0x00018f80 bge 0x18fa8 | goto label_12;
| }
| }
0x00018f84 strd r0, r1, [sp, 8] | __asm ("strd r0, r1, [var_8h]");
0x00018f88 ldr r0, [pc, 0x150] |
0x00018f8c str r6, [sp] | *(sp) = r6;
0x00018f90 ldr r2, [pc, 0x14c] | r2 = stderr;
0x00018f94 ldr r3, [r4] | r3 = *(r4);
0x00018f98 ldr r1, [pc, 0x178] | r1 = "%s: error!: mtd%d (%s) has insane eraseblock size %d\n";
0x00018f9c ldr r0, [r0] | r0 = *(0x190dc);
0x00018fa0 bl 0x10c7c | fprintf (r0, "%s: error!: mtd%d (%s) has insane eraseblock size %d\n", r2, r3, r4, r5, r6);
0x00018fa4 b 0x18e6c | goto label_2;
| label_12:
0x00018fa8 bl 0x19ad0 | fcn_00019ad0 (r0);
0x00018fac str r0, [r4, 0xe0] | *((r4 + 0xe0)) = r0;
; Dispatch on the type byte r7: values 0..8 jump through the table at
; 0x18fbc (the table words 0x18fbc-0x18fdf are not printed in this
; listing); larger values fall to label_2 (close, fail).
0x00018fb0 cmp r7, 8 |
| if (r7 > 8) {
| /* switch table (9 cases) at 0x18fbc */
0x00018fb4 ldrls pc, [pc, r7, lsl 2] | offset_0 = r7 << 2;
| pc = *((pc + offset_0));
| }
0x00018fb8 b 0x18e6c | goto label_2;
; 0x18fe0: presumably one switch target -- prints an error and fails.
0x00018fe0 ldr r0, [pc, 0xf8] |
0x00018fe4 str r6, [sp] | *(sp) = r6;
0x00018fe8 ldr r2, [pc, 0xf4] | r2 = stderr;
0x00018fec ldr r3, [r4] | r3 = *(r4);
0x00018ff0 ldr r1, [pc, 0x124] | r1 = "%s: error!: mtd%d (%s) has insane size %lld\n";
0x00018ff4 ldr r0, [r0] | r0 = *(0x190dc);
0x00018ff8 bl 0x10c7c | fprintf (r0, "%s: error!: mtd%d (%s) has insane size %lld\n", r2, r3, r4, r5, r6);
0x00018ffc b 0x18e6c | goto label_2;
0x00019000 ldr r1, [pc, 0x118] | r1 = "_s:_error_:_mtd_d___s__is_removable_and_is_not_present";
; strcpy #1: dest = r4+0x10. Every visible path into label_3 (fall-through
; from 0x19000, branches from 0x19094 .. 0x190bc) has just loaded r1 from
; the literal pool, so the source looks like a constant string chosen by
; the switch ("nand", "mlc_nand", "dataflash", ... per the annotations),
; not external input. The error-message text printed as the source on the
; right is presumably a mislabel.
; Room before the next field this function writes (r4+0x51): 0x41 bytes.
| label_3:
0x00019004 add r0, r4, 0x10 | r0 = r4 + 0x10;
0x00019008 bl 0x10ba4 | strcpy (r0, "_s:_error_:_mtd_d___s__is_removable_and_is_not_present")
; tst + ne-conditional ops: when bit 0x400 of [sp+0x1c] is SET, the flag
; byte at r4+0xfc gets mask 1. The "== 0" conditions on the right are
; inverted.
0x0001900c ldr r3, [sp, 0x1c] | r3 = var_1ch;
0x00019010 mov r0, r5 | r0 = r5;
0x00019014 tst r3, 0x400 |
| if ((r3 & 0x400) == 0) {
0x00019018 ldrbne r3, [r4, 0xfc] | r3 = *((r4 + 0xfc));
| }
| if ((r3 & 0x400) == 0) {
0x0001901c orrne r3, r3, 1 | r3 |= 1;
| }
| if ((r3 & 0x400) == 0) {
0x00019020 strbne r3, [r4, 0xfc] | *((r4 + 0xfc)) = r3;
| }
0x00019024 ldr r3, [r4, 0xe8] | r3 = *((r4 + 0xe8));
0x00019028 str r3, [r4, 0xec] | *((r4 + 0xec)) = r3;
; Descriptor is closed here; the rest of the function works from the path.
0x0001902c bl 0x10dcc | close (r0);
0x00019030 mov r0, r6 | r0 = r6;
0x00019034 bl 0x18a8c | r0 = fcn_00018a8c (r0);
; bic r0, r0, r0 asr 31 clamps a negative result to 0; the BIT_MASK
; rendering on the right is a decompiler artefact.
0x00019038 bic r0, r0, r0, asr 31 | r0 = BIT_MASK (r0, r0);
0x0001903c str r0, [r4, 0xf4] | *((r4 + 0xf4)) = r0;
; fcn_000187b0(sp+0xa0): non-zero result fails via label_0; a zero result
; leaves r5 = 0, which becomes the success return value.
0x00019040 add r0, sp, 0xa0 | r0 += var_a0h;
0x00019044 bl 0x187b0 | fcn_000187b0 (r0);
0x00019048 subs r5, r0, 0 | r5 -= var_a0h;
| if (r5 != var_a0h) {
0x0001904c bne 0x18d1c | goto label_0;
| }
; Loop: fcn_0001864c(sp+0xa0) is called until the word at sp+0xa0 equals
; [r4]. A zero return ends the search: print, errno = 2 (ENOENT), fail.
| do {
0x00019050 add r0, sp, 0xa0 | r0 += var_a0h;
0x00019054 bl 0x1864c | r0 = fcn_0001864c (r0);
0x00019058 cmp r0, 0 |
| if (r0 == 0) {
0x0001905c bne 0x190c0 |
0x00019060 ldr r3, [pc, 0xbc] | r3 = "ram";
0x00019064 ldr r0, [pc, 0x74] |
0x00019068 str r3, [sp] | *(sp) = r3;
0x0001906c ldr r2, [pc, 0x70] | r2 = stderr;
0x00019070 ldr r3, [r4] | r3 = *(r4);
0x00019074 ldr r1, [pc, 0xac] | r1 = "_proc_mtd";
0x00019078 ldr r0, [r0] | r0 = *(0x190dc);
0x0001907c bl 0x10c7c | r0 = fprintf (r0, "_proc_mtd", r2, "ram");
0x00019080 bl 0x10d78 | errno_location ();
0x00019084 mov r3, 2 | r3 = 2;
0x00019088 str r3, [r0] | *(r0) = r3;
0x0001908c b 0x18d1c | goto label_0;
; 0x19090 - 0x190bc: not reachable by fall-through (preceded by an
; unconditional branch); presumably the remaining switch targets, each
; loading a literal-pool pointer as the source for strcpy #1.
0x00019090 ldr r1, [pc, 0x94] | r1 = "_s:_error_:_mtd_d_not_found_in___s_";
0x00019094 b 0x19004 | goto label_3;
0x00019098 ldr r1, [pc, 0x90] | r1 = *(0x1912c);
0x0001909c b 0x19004 | goto label_3;
0x000190a0 ldr r1, [pc, 0x8c] | r1 = *(0x19130);
0x000190a4 b 0x19004 | goto label_3;
0x000190a8 ldr r1, [pc, 0x88] | r1 = "nand";
0x000190ac b 0x19004 | goto label_3;
0x000190b0 ldr r1, [pc, 0x84] | r1 = "mlc_nand";
0x000190b4 b 0x19004 | goto label_3;
0x000190b8 ldr r1, [pc, 0x80] | r1 = "dataflash";
0x000190bc b 0x19004 | goto label_3;
| }
0x000190c0 ldr r3, [r4] | r3 = *(r4);
0x000190c4 ldr r2, [sp, 0xa0] | r2 = var_a0h;
0x000190c8 cmp r2, r3 |
0x000190cc bne 0x19050 |
| } while (r2 != r3);
; strcpy #2: dest = r4+0x51, src = sp+0xb0, i.e. 0x10 bytes into the record
; at sp+0xa0 that fcn_0001864c filled in. Unlike strcpy #1 the source is
; produced at run time (the "_proc_mtd" string suggests it is parsed from
; /proc/mtd -- TODO confirm in fcn_0001864c).
; NOTE(review): nothing in this function bounds the copy. 0x87 bytes lie
; between r4+0x51 and the 64-bit field at r4+0xd8 stored earlier, so the
; copy is only safe if fcn_0001864c guarantees a NUL-terminated string of
; at most 0x86 characters. Check that helper before closing the strcpy
; finding; the report header lists no stack canary and NX disabled for
; this binary. A length-checked copy would remove the dependency.
0x000190d0 add r1, sp, 0xb0 | r1 += src;
0x000190d4 add r0, r4, 0x51 | r0 = r4 + 0x51;
0x000190d8 bl 0x10ba4 | strcpy (r0, r1)
0x000190dc b 0x18e08 | goto label_4;
| }
[*] Function strcpy is used 3 times in ubiformat