//Function: echo_handler ->0x4199222 7 perm->5 // bad sp value at call has been detected, the output may be wrong! int __cdecl echo_handler(int sock) { char buffer[256]; // [rsp+10h] [rbp-100h] BYREF memset(buffer, 0, sizeof(buffer)); if ( recv(sock, &buffer[8], 0x400uLL, 0) <= 0 ) return 0; printf("Message from client: %s\n", buffer); if ( send(sock, "Hello from server\n", 0x12uLL, 0) <= 0 ) return 0; puts("Hello message sent"); return 1; } //Function: main ->0x4199683 7 perm->5 // bad sp value at call has been detected, the output may be wrong! int __fastcall main(int argc, const char **argv, const char **envp) { uint16_t v3; // ax char client_addr_str[24]; // [rsp+0h] [rbp-40h] BYREF int addrlen; // [rsp+18h] [rbp-28h] BYREF int opt; // [rsp+1Ch] [rbp-24h] BYREF sockaddr_in address; // [rsp+20h] [rbp-20h] BYREF int new_socket; // [rsp+38h] [rbp-8h] int server_fd; // [rsp+3Ch] [rbp-4h] opt = 1; addrlen = 16; server_fd = socket(2, 1, 0); if ( !server_fd ) { perror("socket failed"); exit(1); } if ( setsockopt(server_fd, 1, 15, &opt, 4u) ) { perror("setsockopt"); exit(1); } address.sin_family = 2; address.sin_addr.s_addr = 0; address.sin_port = htons(0x2AFFu); if ( bind(server_fd, (const struct sockaddr *)&address, 0x10u) < 0 ) { perror("bind failed"); exit(1); } if ( listen(server_fd, 3) < 0 ) { perror("listen"); exit(1); } printf("TCP server listening on port %d\n", 11007); new_socket = accept(server_fd, (struct sockaddr *)&address, (socklen_t *)&addrlen); if ( new_socket < 0 ) { perror("accept"); exit(1); } inet_ntop(2, &address.sin_addr, client_addr_str, 0x10u); v3 = ntohs(address.sin_port); printf("Accept %s:%d\n", client_addr_str, v3); while ( echo_handler(new_socket) ) ; close(new_socket); return 0; } //Function: backdoor ->0x4200139 7 perm->5 // bad sp value at call has been detected, the output may be wrong! 
/*
 * backdoor: no caller is visible in this listing (main() never references
 * it) and its address, 0x4200139, lies outside the 0x4199xxx range of the
 * two service functions. It points stdin, stdout and stderr at descriptor 4
 * and then replaces the process image with /bin/sh, i.e. a shell attached to
 * whatever descriptor 4 is. In main() the accepted connection is the second
 * descriptor opened after the listening socket, so 4 is presumably the
 * client socket - confirm against the binary.
 *
 * new_argv and new_envp are never written before execve() reads them: either
 * the decompiler dropped the stores (see the "bad sp value" warning on the
 * function header) or the call genuinely depends on stale stack contents.
 * A dup2()-onto-a-socket sequence followed by execve("/bin/sh") inside a
 * network service is a finding in its own right, whether or not a call site
 * is visible.
 */
int __cdecl backdoor()
{
  char *new_envp[2]; // [rsp+0h] [rbp-20h] BYREF
  char *new_argv[2]; // [rsp+10h] [rbp-10h] BYREF

  dup2(4, 0); // descriptor 4 becomes stdin
  dup2(4, 1); // descriptor 4 becomes stdout
  dup2(4, 2); // descriptor 4 becomes stderr
  /* Replaces the server process; only returns if the exec fails. */
  execve("/bin/sh", new_argv, new_envp);
  return 0;
}