September 04, 2014

Hacklog #5: Hacking the rootkit

A first look at su(1)

So I now have access to the full filesystem mounted under /system on the phone. As I stated in the very first post, I have a special interest in /system/xbin/su. Based on the file's name and permissions, I have a strong expectation it can be used to acquire superuser privileges.

I extracted the file using PYaffs and proceeded to inspect it.

517-mboyer@marylou:~/Hacks/Nam-Phone_G40C [master:I±R=]$ stat su
  File: ‘su’
  Size: 9820            Blocks: 24         IO Block: 4096   regular file
Device: fe01h/65025d    Inode: 1070451     Links: 1
Access: (0644/-rw-r--r--)  Uid: ( 1000/  mboyer)   Gid: ( 1000/  mboyer)
Access: 2014-08-16 11:27:56.659942421 +0100
Modify: 2014-08-02 10:23:16.973937402 +0100
Change: 2014-08-02 10:23:16.973937402 +0100
 Birth: -

503-mboyer@marylou:~/Hacks/Nam-Phone_G40C [master:I±R=]$ file su
su: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), dynamically linked (uses shared libs), stripped

That's par for the course; there's nothing in the output of file(1) here I'd call surprising.

Building binutils for ARM

I've spent some time poking around ELF binaries in my day and so my first port of call was to build the excellent GNU Binutils package for the target architecture:

./configure --prefix=$HOME/Hacks/Nam-Phone_G40C/binutils_ARM/ --disable-nls --target=arm-none-elf && make
make install

A closer look

Since I aim to find out what exactly this su does, the first order of business was to find out more about the dynamic symbols it references. It's a fairly small file, weighing in at 9820 bytes, so it makes sense that much of what it does is factored out into external libraries. If these symbols refer to well-known API calls, that would allow me to make inferences regarding the behaviour and function of the program.

Time to break out my ARM build of nm(1)!

578-mboyer@marylou:~/Hacks/Nam-Phone_G40C [master:I±R=]$ export PATH="$PWD/binutils_ARM/arm-none-elf/bin:${PATH}"

581-mboyer@marylou:~/Hacks/Nam-Phone_G40C [master:I±R=]$ nm -CD ~/Hacks/Nam-Phone_G40C/su
             U accept
             U __aeabi_unwind_cpp_pr0
             U atexit
             U atoi
             U bind
             U bsd_signal
    0000b200 A __bss_end__
    0000b200 A _bss_end__
    0000a1dc A __bss_start
    0000a1dc A __bss_start__
    0000a1d0 D __data_start
    0000a1e0 B __dso_handle
    0000a1dc A _edata
    0000b200 A _end
    0000b200 A __end__
             U __errno
             U execlp
             U execvp
    00009ce8 A __exidx_end
    00009c8d A __exidx_start
             U exit
    0000a010 T __FINI_ARRAY__
             U free
             U getppid
    0000a008 T __INIT_ARRAY__
             U __libc_init
             U listen
             U malloc
             U memcpy
             U memset
             U mkdir
             U mktemp
             U property_get
             U putchar
             U puts
             U read
             U select
             U setgid
             U setuid
             U snprintf
             U socket
             U sprintf
    00080000 A _stack
             U __stack_chk_fail
             U __stack_chk_guard
             U stat
             U strcmp
             U strcpy
             U unlink
             U android::defaultServiceManager()
    00008ed0 W android::sp<android::IBinder>::~sp()
             U android::Parcel::writeInt32(int)
             U android::Parcel::writeString16(unsigned short const*, unsigned int)
             U android::Parcel::writeString16(android::String16 const&)
             U android::Parcel::writeStrongBinder(android::sp<android::IBinder> const&)
             U android::Parcel::writeInterfaceToken(android::String16 const&)
             U android::Parcel::Parcel()
             U android::Parcel::~Parcel()
             U android::String16::String16(char const*)
             U android::String16::~String16()
             U android::Parcel::dataPosition() const
             U android::Parcel::setDataPosition(unsigned int) const
             U android::RefBase::decStrong(void const*) const

There are some C++ symbols in there that look like they belong to some sort of Android API. The rest look like fairly common C standard library stuff. What's of particular interest here is the presence of socket(3) and bind(3), together with listen(3) and accept(3) further down the list: a strong indication that this program does sockety stuff, specifically that it creates a socket and waits for connections on it.
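As an added example (my own code, not the post's and not from any project it mentions), here is a small Python scan that reads the same .dynsym/.dynstr structures that nm -D walks, lists the undefined symbols, and buckets them by the behaviour they hint at. The capability buckets are my own grouping, and the minimal ELF32/ARM image built inline is constructed test input, not the real su; triage_file() runs the identical scan over a real binary.

```python
import struct
from typing import Dict, List

# Which imported symbols hint at which behaviour. These buckets are my own
# grouping for this example; the names are ordinary bionic/libc functions.
CAPABILITIES = {
    "network":    {"socket", "bind", "listen", "accept", "connect", "select"},
    "privilege":  {"setuid", "setgid", "setresuid", "setresgid", "seteuid", "setegid"},
    "exec":       {"execvp", "execlp", "execve", "execv", "system", "popen"},
    "filesystem": {"mkdir", "unlink", "mktemp", "stat", "chmod", "chown"},
}

SHT_STRTAB, SHT_DYNSYM, SHN_UNDEF = 3, 11, 0
EHDR = struct.Struct("<16sHHIIIIIHHHHHH")  # Elf32_Ehdr, little-endian
SHDR = struct.Struct("<IIIIIIIIII")        # Elf32_Shdr
SYM = struct.Struct("<IIIBBH")             # Elf32_Sym: name, value, size, info, other, shndx


def _cstr(blob: bytes, off: int) -> str:
    """Read a NUL-terminated string out of a string table."""
    return blob[off:blob.index(b"\0", off)].decode("ascii", "replace")


def undefined_dynsyms(elf: bytes) -> List[str]:
    """Names of the undefined (imported) symbols in .dynsym of a little-endian ELF32.

    This is the information nm -D prints with a leading 'U'.
    """
    if elf[:4] != b"\x7fELF" or elf[4] != 1 or elf[5] != 1:
        raise ValueError("not a little-endian ELF32 image")
    hdr = EHDR.unpack_from(elf, 0)
    shoff, shentsize, shnum = hdr[6], hdr[11], hdr[12]
    shdrs = [SHDR.unpack_from(elf, shoff + i * shentsize) for i in range(shnum)]
    imports: List[str] = []
    for sh in shdrs:
        _, sh_type, _, _, sh_off, sh_size, sh_link, _, _, sh_entsize = sh
        if sh_type != SHT_DYNSYM:
            continue
        strtab = shdrs[sh_link]                      # sh_link of .dynsym points at .dynstr
        strblob = elf[strtab[4]:strtab[4] + strtab[5]]
        entsize = sh_entsize or SYM.size
        for i in range(sh_size // entsize):
            st_name, _, _, _, _, st_shndx = SYM.unpack_from(elf, sh_off + i * entsize)
            if st_shndx == SHN_UNDEF and st_name != 0:  # skip the mandatory null symbol
                imports.append(_cstr(strblob, st_name))
    return imports


def triage(imports: List[str]) -> Dict[str, List[str]]:
    """Group the imports by the capability they hint at; empty buckets are dropped."""
    present = set(imports)
    return {cap: sorted(present & names)
            for cap, names in CAPABILITIES.items() if present & names}


def build_sample_elf(import_names: List[str]) -> bytes:
    """Construct a minimal ELF32/ARM image carrying only .dynsym, .dynstr and .shstrtab.

    Constructed test input for this example: it is not loadable (no program headers),
    but it contains exactly the structures the import scan above reads.
    """
    dynstr = b"\0" + b"".join(n.encode() + b"\0" for n in import_names)
    dynsym = SYM.pack(0, 0, 0, 0, 0, 0)           # null symbol at index 0
    name_off = 1
    for n in import_names:
        dynsym += SYM.pack(name_off, 0, 0, 0x12, 0, SHN_UNDEF)  # STB_GLOBAL|STT_FUNC, undefined
        name_off += len(n) + 1
    shstrtab = b"\0.dynsym\0.dynstr\0.shstrtab\0"
    dynstr_off = EHDR.size
    dynsym_off = dynstr_off + len(dynstr)
    shstr_off = dynsym_off + len(dynsym)
    shoff = shstr_off + len(shstrtab)
    shdrs = SHDR.pack(*[0] * 10)                                                          # [0] NULL
    shdrs += SHDR.pack(1, SHT_DYNSYM, 2, 0, dynsym_off, len(dynsym), 2, 1, 4, SYM.size)  # [1] .dynsym, link -> [2]
    shdrs += SHDR.pack(9, SHT_STRTAB, 2, 0, dynstr_off, len(dynstr), 0, 0, 1, 0)         # [2] .dynstr
    shdrs += SHDR.pack(17, SHT_STRTAB, 0, 0, shstr_off, len(shstrtab), 0, 0, 1, 0)       # [3] .shstrtab
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\0" * 8       # ELFCLASS32, LSB, version 1, SysV
    ehdr = EHDR.pack(ident, 2, 40, 1, 0, 0, shoff, 0x5000000,  # EXEC, EM_ARM, EABI5 flags
                     EHDR.size, 0, 0, SHDR.size, 4, 3)
    return ehdr + dynstr + dynsym + shstrtab + shdrs


def triage_file(path: str) -> Dict[str, List[str]]:
    """Run the same scan over a real binary, e.g. the extracted su."""
    with open(path, "rb") as f:
        return triage(undefined_dynsyms(f.read()))


if __name__ == "__main__":
    # Constructed sample carrying the imports that stood out in the nm listing.
    sample = build_sample_elf(["__libc_init", "socket", "bind", "listen", "accept",
                               "setuid", "setgid", "execvp", "execlp", "mktemp", "puts"])
    for cap, hits in triage(undefined_dynsyms(sample)).items():
        print(f"{cap:11s} {', '.join(hits)}")
```

The scan walks the section headers rather than trusting section names, and follows sh_link from .dynsym to its string table, which is what readelf does too. Its obvious blind spot is worth knowing when you use it for triage: it only sees symbols resolved by the dynamic linker, so a binary that resolves functions at run time or carries its own statically linked copies shows nothing in these buckets.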

Deconstructing the binary

Come feel the ARMs around you

As shown in the output of file(1) above, my su is compiled for the ARM CPU in my phone. I've dealt with x86, SPARC, m68k and even Z80 assembly at various points in the past, but this is the first time I'm going to have to wade through ARM code.

Or Thumb-2 code, rather:

ELF Header:
  Magic:   7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00 
  Class:                             ELF32
  Data:                              2's complement, little endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              EXEC (Executable file)
  Machine:                           ARM
  Version:                           0x1
  Entry point address:               0x8ea0
  Start of program headers:          52 (bytes into file)
  Start of section headers:          8940 (bytes into file)
  Flags:                             0x5000000, Version5 EABI
  Size of this header:               52 (bytes)
  Size of program headers:           32 (bytes)
  Number of program headers:         7
  Size of section headers:           40 (bytes)
  Number of section headers:         22
  Section header string table index: 21

Section Headers:
  [Nr] Name              Type            Addr     Off    Size   ES Flg Lk Inf Al
  [ 0]                   NULL            00000000 000000 000000 00      0   0  0
  [ 1] .interp           PROGBITS        00008114 000114 000013 00   A  0   0  1
  [ 2] .hash             HASH            00008128 000128 00019c 04   A  3   0  4
  [ 3] .dynsym           DYNSYM          000082c4 0002c4 000400 10   A  4   0  4
  [ 4] .dynstr           STRTAB          000086c4 0006c4 00041f 00   A  0   0  1
  [ 5] .rel.plt          REL             00008ae4 000ae4 000170 08   A  3   2  4
  [ 6] .rel.dyn          REL             00008c54 000c54 000008 08   A  3   2  4
  [ 7] .plt              PROGBITS        00008c5c 000c5c 00023c 00  AX  0   0  4
  [ 8] .text             PROGBITS        00008ea0 000ea0 000b84 00  AX  0   0 16
  [ 9] .rodata           PROGBITS        00009a24 001a24 000269 01 AMS  0   0  1
  [10] .ARM.exidx        ARM_EXIDX       00009c90 001c90 000058 08   A  8   0  4
  [11] .preinit_array    PREINIT_ARRAY   0000a000 002000 000008 00  WA  0   0  1
  [12] .init_array       INIT_ARRAY      0000a008 002008 000008 00  WA  0   0  1
  [13] .fini_array       FINI_ARRAY      0000a010 002010 000008 00  WA  0   0  1
  [14] .ctors            PROGBITS        0000a018 002018 000008 00  WA  0   0  1
  [15] .dynamic          DYNAMIC         0000a020 002020 0000e8 08  WA  4   0  4
  [16] .got              PROGBITS        0000a108 002108 0000c8 00  WA  0   0  4
  [17] .data             PROGBITS        0000a1d0 0021d0 00000c 00  WA  0   0  4
  [18] .bss              NOBITS          0000a1e0 0021e0 001020 00  WA  0   0 16
  [19] .note.gnu.gold-ve NOTE            00000000 0021e0 000018 00      0   0  4
  [20] .ARM.attributes   ARM_ATTRIBUTES  00000000 0021f8 000032 00      0   0  1
  [21] .shstrtab         STRTAB          00000000 00222a 0000c2 00      0   0  1
Key to Flags:
  W (write), A (alloc), X (execute), M (merge), S (strings)
  I (info), L (link order), G (group), T (TLS), E (exclude), x (unknown)
  O (extra OS processing required) o (OS specific), p (processor specific)

There are no section groups in this file.

Program Headers:
  Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
  PHDR           0x000034 0x00008034 0x00008034 0x000e0 0x000e0 R   0x4
  INTERP         0x000114 0x00008114 0x00008114 0x00013 0x00013 R   0x1
      [Requesting program interpreter: /system/bin/linker]
  LOAD           0x000000 0x00008000 0x00008000 0x01ce8 0x01ce8 R E 0x1000
  LOAD           0x002000 0x0000a000 0x0000a000 0x001dc 0x01200 RW  0x1000
  DYNAMIC        0x002020 0x0000a020 0x0000a020 0x000e8 0x000e8 RW  0x4
  GNU_STACK      0x000000 0x00000000 0x00000000 0x00000 0x00000 RW  0
  EXIDX          0x001c90 0x00009c90 0x00009c90 0x00058 0x00058 R   0x4

 Section to Segment mapping:
  Segment Sections...
   00     
   01     .interp 
   02     .interp .hash .dynsym .dynstr .rel.plt .rel.dyn .plt .text .rodata .ARM.exidx 
   03     .preinit_array .init_array .fini_array .ctors .dynamic .got .data .bss 
   04     .dynamic 
   05     
   06     .ARM.exidx 

Dynamic section at offset 0x2020 contains 29 entries:
  Tag        Type                         Name/Value
 0x00000003 (PLTGOT)                     0xa10c
 0x00000002 (PLTRELSZ)                   368 (bytes)
 0x00000017 (JMPREL)                     0x8ae4
 0x00000014 (PLTREL)                     REL
 0x00000011 (REL)                        0x8c54
 0x00000012 (RELSZ)                      8 (bytes)
 0x00000013 (RELENT)                     8 (bytes)
 0x00000015 (DEBUG)                      0x0
 0x00000006 (SYMTAB)                     0x82c4
 0x0000000b (SYMENT)                     16 (bytes)
 0x00000005 (STRTAB)                     0x86c4
 0x0000000a (STRSZ)                      1055 (bytes)
 0x00000004 (HASH)                       0x8128
 0x00000001 (NEEDED)                     Shared library: [liblog.so]
 0x00000001 (NEEDED)                     Shared library: [libsqlite.so]
 0x00000001 (NEEDED)                     Shared library: [libcutils.so]
 0x00000001 (NEEDED)                     Shared library: [libbinder.so]
 0x00000001 (NEEDED)                     Shared library: [libutils.so]
 0x00000001 (NEEDED)                     Shared library: [libc.so]
 0x00000001 (NEEDED)                     Shared library: [libstdc++.so]
 0x00000001 (NEEDED)                     Shared library: [libm.so]
 0x00000020 (PREINIT_ARRAY)              0xa000
 0x00000021 (PREINIT_ARRAYSZ)            0x8
 0x00000019 (INIT_ARRAY)                 0xa008
 0x0000001b (INIT_ARRAYSZ)               8 (bytes)
 0x0000001a (FINI_ARRAY)                 0xa010
 0x0000001c (FINI_ARRAYSZ)               8 (bytes)
 0x0000001e (FLAGS)                      
 0x00000000 (NULL)                       0x0

Relocation section '.rel.plt' at offset 0xae4 contains 46 entries:
 Offset     Info    Type            Sym.Value  Sym. Name
0000a118  00003416 R_ARM_JUMP_SLOT   00000000   __libc_init
0000a11c  00002516 R_ARM_JUMP_SLOT   00000000   _ZNK7android7RefBase9d
0000a120  00001a16 R_ARM_JUMP_SLOT   00000000   memset
0000a124  00001f16 R_ARM_JUMP_SLOT   00000000   property_get
0000a128  00001b16 R_ARM_JUMP_SLOT   00000000   atoi
0000a12c  00003116 R_ARM_JUMP_SLOT   00000000   _ZN7android21defaultSe
0000a130  00002f16 R_ARM_JUMP_SLOT   00000000   _ZN7android8String16C1
0000a134  00002616 R_ARM_JUMP_SLOT   00000000   _ZN7android8String16D1
0000a138  00002a16 R_ARM_JUMP_SLOT   00000000   _ZN7android6ParcelC1Ev
0000a13c  00002d16 R_ARM_JUMP_SLOT   00000000   _ZN7android6Parcel19wr
0000a140  00002e16 R_ARM_JUMP_SLOT   00000000   _ZN7android6Parcel17wr
0000a144  00002716 R_ARM_JUMP_SLOT   00000000   _ZN7android6Parcel13wr
0000a148  00002916 R_ARM_JUMP_SLOT   00000000   _ZN7android6Parcel10wr
0000a14c  00003216 R_ARM_JUMP_SLOT   00000000   _ZN7android6Parcel13wr
0000a150  00003016 R_ARM_JUMP_SLOT   00000000   _ZNK7android6Parcel12d
0000a154  00002816 R_ARM_JUMP_SLOT   00000000   _ZNK7android6Parcel15s
0000a158  00002b16 R_ARM_JUMP_SLOT   00000000   _ZN7android6ParcelD1Ev
0000a15c  00000216 R_ARM_JUMP_SLOT   00000000   __stack_chk_fail
0000a160  00003e16 R_ARM_JUMP_SLOT   00000000   puts
0000a164  00003d16 R_ARM_JUMP_SLOT   00000000   putchar
0000a168  00003516 R_ARM_JUMP_SLOT   00000000   exit
0000a16c  00002016 R_ARM_JUMP_SLOT   00000000   socket
0000a170  00000a16 R_ARM_JUMP_SLOT   00000000   strcpy
0000a174  00003c16 R_ARM_JUMP_SLOT   00000000   mktemp
0000a178  00000516 R_ARM_JUMP_SLOT   00000000   snprintf
0000a17c  00001d16 R_ARM_JUMP_SLOT   00000000   unlink
0000a180  00002116 R_ARM_JUMP_SLOT   00000000   bind
0000a184  00000416 R_ARM_JUMP_SLOT   00000000   __errno
0000a188  00002216 R_ARM_JUMP_SLOT   00000000   listen
0000a18c  00002416 R_ARM_JUMP_SLOT   00000000   select
0000a190  00002316 R_ARM_JUMP_SLOT   00000000   accept
0000a194  00000616 R_ARM_JUMP_SLOT   00000000   strcmp
0000a198  00003816 R_ARM_JUMP_SLOT   00000000   execvp
0000a19c  00003916 R_ARM_JUMP_SLOT   00000000   execlp
0000a1a0  00000816 R_ARM_JUMP_SLOT   00000000   free
0000a1a4  00001c16 R_ARM_JUMP_SLOT   00000000   read
0000a1a8  00000b16 R_ARM_JUMP_SLOT   00000000   malloc
0000a1ac  00000716 R_ARM_JUMP_SLOT   00000000   memcpy
0000a1b0  00003716 R_ARM_JUMP_SLOT   00000000   setgid
0000a1b4  00003616 R_ARM_JUMP_SLOT   00000000   getppid
0000a1b8  00000916 R_ARM_JUMP_SLOT   00000000   sprintf
0000a1bc  00001e16 R_ARM_JUMP_SLOT   00000000   stat
0000a1c0  00003316 R_ARM_JUMP_SLOT   00000000   mkdir
0000a1c4  00003a16 R_ARM_JUMP_SLOT   00000000   setuid
0000a1c8  00003b16 R_ARM_JUMP_SLOT   00000000   bsd_signal
0000a1cc  00003f16 R_ARM_JUMP_SLOT   00000000   atexit

Relocation section '.rel.dyn' at offset 0xc54 contains 1 entries:
 Offset     Info    Type            Sym.Value  Sym. Name
0000a108  00000315 R_ARM_GLOB_DAT    00000000   __stack_chk_guard

Unwind table index '.ARM.exidx' at offset 0x1c90 contains 11 entries:

0x9a1c: 0x1 [cantunwind]

0x8ed0: 0x80a8b0b0
  Compact model index: 0
  0xa8      pop {r4, r14}
  0xb0      finish
  0xb0      finish

0x8eec: 0x80b0b0b0
  Compact model index: 0
  0xb0      finish
  0xb0      finish
  0xb0      finish

0x8ef4: 0x803eafb0
  Compact model index: 0
  0x3e      vsp = vsp + 252
  0xaf      pop {r4, r5, r6, r7, r8, r9, r10, r11, r14}
  0xb0      finish

0x9534: 0x80a8b0b0
  Compact model index: 0
  0xa8      pop {r4, r14}
  0xb0      finish
  0xb0      finish

0x958c: 0x801eafb0
  Compact model index: 0
  0x1e      vsp = vsp + 124
  0xaf      pop {r4, r5, r6, r7, r8, r9, r10, r11, r14}
  0xb0      finish

0x966c: 0x8023aab0
  Compact model index: 0
  0x23      vsp = vsp + 144
  0xaa      pop {r4, r5, r6, r14}
  0xb0      finish

0x96d0: 0x80aab0b0
  Compact model index: 0
  0xaa      pop {r4, r5, r6, r14}
  0xb0      finish
  0xb0      finish

0x9754: 0x80a8b0b0
  Compact model index: 0
  0xa8      pop {r4, r14}
  0xb0      finish
  0xb0      finish

0x97ac: 0x80aab0b0
  Compact model index: 0
  0xaa      pop {r4, r5, r6, r14}
  0xb0      finish
  0xb0      finish

0x97d8: 0x802c3fab
  Compact model index: 0
  0x2c      vsp = vsp + 180
  0x3f      vsp = vsp + 256
  0xab      pop {r4, r5, r6, r7, r14}


Symbol table '.dynsym' contains 64 entries:
   Num:    Value  Size Type    Bind   Vis      Ndx Name
     0: 00000000     0 NOTYPE  LOCAL  DEFAULT  UND 
     1: 00000000     0 FUNC    GLOBAL DEFAULT  UND __aeabi_unwind_cpp_pr0
     2: 00000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail
     3: 00000000     0 OBJECT  GLOBAL DEFAULT  UND __stack_chk_guard
     4: 00000000     0 FUNC    GLOBAL DEFAULT  UND __errno
     5: 00000000     0 FUNC    GLOBAL DEFAULT  UND snprintf
     6: 00000000     0 FUNC    GLOBAL DEFAULT  UND strcmp
     7: 00000000     0 FUNC    GLOBAL DEFAULT  UND memcpy
     8: 00000000     0 FUNC    GLOBAL DEFAULT  UND free
     9: 00000000     0 FUNC    GLOBAL DEFAULT  UND sprintf
    10: 00000000     0 FUNC    GLOBAL DEFAULT  UND strcpy
    11: 00000000     0 FUNC    GLOBAL DEFAULT  UND malloc
    12: 0000a1e0     0 NOTYPE  GLOBAL DEFAULT   18 __dso_handle
    13: 0000a008     0 NOTYPE  GLOBAL DEFAULT   12 __INIT_ARRAY__
    14: 0000a010     0 NOTYPE  GLOBAL DEFAULT   13 __FINI_ARRAY__
    15: 00009c8d     0 NOTYPE  GLOBAL DEFAULT  ABS __exidx_start
    16: 00009ce8     0 NOTYPE  GLOBAL DEFAULT  ABS __exidx_end
    17: 0000a1d0     0 NOTYPE  GLOBAL DEFAULT   17 __data_start
    18: 0000a1dc     0 NOTYPE  GLOBAL DEFAULT  ABS _edata
    19: 0000a1dc     0 NOTYPE  GLOBAL DEFAULT  ABS __bss_start
    20: 0000a1dc     0 NOTYPE  GLOBAL DEFAULT  ABS __bss_start__
    21: 0000b200     0 NOTYPE  GLOBAL DEFAULT  ABS _bss_end__
    22: 0000b200     0 NOTYPE  GLOBAL DEFAULT  ABS __bss_end__
    23: 0000b200     0 NOTYPE  GLOBAL DEFAULT  ABS __end__
    24: 0000b200     0 NOTYPE  GLOBAL DEFAULT  ABS _end
    25: 00080000     0 NOTYPE  GLOBAL DEFAULT  ABS _stack
    26: 00000000     0 FUNC    GLOBAL DEFAULT  UND memset
    27: 00000000     0 FUNC    GLOBAL DEFAULT  UND atoi
    28: 00000000     0 FUNC    GLOBAL DEFAULT  UND read
    29: 00000000     0 FUNC    GLOBAL DEFAULT  UND unlink
    30: 00000000     0 FUNC    GLOBAL DEFAULT  UND stat
    31: 00000000     0 FUNC    GLOBAL DEFAULT  UND property_get
    32: 00000000     0 FUNC    GLOBAL DEFAULT  UND socket
    33: 00000000     0 FUNC    GLOBAL DEFAULT  UND bind
    34: 00000000     0 FUNC    GLOBAL DEFAULT  UND listen
    35: 00000000     0 FUNC    GLOBAL DEFAULT  UND accept
    36: 00000000     0 FUNC    GLOBAL DEFAULT  UND select
    37: 00000000     0 FUNC    GLOBAL DEFAULT  UND _ZNK7android7RefBase9decS
    38: 00000000     0 FUNC    GLOBAL DEFAULT  UND _ZN7android8String16D1Ev
    39: 00000000     0 FUNC    GLOBAL DEFAULT  UND _ZN7android6Parcel13write
    40: 00000000     0 FUNC    GLOBAL DEFAULT  UND _ZNK7android6Parcel15setD
    41: 00000000     0 FUNC    GLOBAL DEFAULT  UND _ZN7android6Parcel10write
    42: 00000000     0 FUNC    GLOBAL DEFAULT  UND _ZN7android6ParcelC1Ev
    43: 00000000     0 FUNC    GLOBAL DEFAULT  UND _ZN7android6ParcelD1Ev
    44: 00008ed1    26 FUNC    WEAK   DEFAULT    8 _ZN7android2spINS_7IBinde
    45: 00000000     0 FUNC    GLOBAL DEFAULT  UND _ZN7android6Parcel19write
    46: 00000000     0 FUNC    GLOBAL DEFAULT  UND _ZN7android6Parcel17write
    47: 00000000     0 FUNC    GLOBAL DEFAULT  UND _ZN7android8String16C1EPK
    48: 00000000     0 FUNC    GLOBAL DEFAULT  UND _ZNK7android6Parcel12data
    49: 00000000     0 FUNC    GLOBAL DEFAULT  UND _ZN7android21defaultServi
    50: 00000000     0 FUNC    GLOBAL DEFAULT  UND _ZN7android6Parcel13write
    51: 00000000     0 FUNC    GLOBAL DEFAULT  UND mkdir
    52: 00000000     0 FUNC    GLOBAL DEFAULT  UND __libc_init
    53: 00000000     0 FUNC    GLOBAL DEFAULT  UND exit
    54: 00000000     0 FUNC    GLOBAL DEFAULT  UND getppid
    55: 00000000     0 FUNC    GLOBAL DEFAULT  UND setgid
    56: 00000000     0 FUNC    GLOBAL DEFAULT  UND execvp
    57: 00000000     0 FUNC    GLOBAL DEFAULT  UND execlp
    58: 00000000     0 FUNC    GLOBAL DEFAULT  UND setuid
    59: 00000000     0 FUNC    GLOBAL DEFAULT  UND bsd_signal
    60: 00000000     0 FUNC    GLOBAL DEFAULT  UND mktemp
    61: 00000000     0 FUNC    GLOBAL DEFAULT  UND putchar
    62: 00000000     0 FUNC    GLOBAL DEFAULT  UND puts
    63: 00000000     0 FUNC    GLOBAL DEFAULT  UND atexit

Histogram for bucket list length (total of 37 buckets):
 Length  Number     % of total  Coverage
      0  6          ( 16.2%)
      1  13         ( 35.1%)     20.6%
      2  8          ( 21.6%)     46.0%
      3  6          ( 16.2%)     74.6%
      4  4          ( 10.8%)    100.0%

No version information found in this file.

Displaying notes found at file offset 0x000021e0 with length 0x00000018:
  Owner                 Data size   Description
  GNU                  0x00000008   NT_GNU_GOLD_VERSION (gold version)
Attribute Section: aeabi
File Attributes
  Tag_CPU_name: "ARM v7"
  Tag_CPU_arch: v7
  Tag_CPU_arch_profile: Application
  Tag_ARM_ISA_use: Yes
  Tag_THUMB_ISA_use: Thumb-2
  Tag_FP_arch: VFPv3
  Tag_Advanced_SIMD_arch: NEONv1
  Tag_ABI_PCS_wchar_t: 4
  Tag_ABI_FP_denormal: Needed
  Tag_ABI_FP_exceptions: Needed
  Tag_ABI_FP_number_model: IEEE 754
  Tag_ABI_align_needed: 8-byte
  Tag_ABI_enum_size: int
  Tag_ABI_HardFP_use: SP and DP

The thing about assembly is that it's a lot easier to read than it is to write. It's even easier when one focuses on reverse-engineering a small body of code! For that sort of job, the only thing one really needs is a passing familiarity with basic instructions (shifting values between registers, basic arithmetic and comparisons), memory access (reading and writing to memory, as opposed to the registers) and knowledge of how argument and return value passing work. The ARM documentation is pretty good for all of that and it's quite readable as well.

One thing I learned the hard way is that when an instruction references the program counter register pc, its value is that of the next instruction's offset, i.e. the current instruction plus an offset of 2 bytes if running in Thumb mode or 4 bytes if running in ARM mode.

Disassembly

This is where the fun really begins. I want to get superuser privileges out of this binary. Just running su from an unprivileged interactive shell does not yield this result, so I'm assuming that I need to do something else, possibly by means of a socket, to trigger privilege escalation.

$ id
id
uid=2000(shell) gid=2000(shell) groups=1003(graphics),1004(input),1007(log),1009(mount),1011(adb),10
15(sdcard_rw),3001(net_bt_admin),3002(net_bt),3003(inet)

$ su
su

$ id
id
uid=2000(shell) gid=2000(shell) groups=1003(graphics),1004(input),1007(log),1009(mount),1011(adb),10
15(sdcard_rw),3001(net_bt_admin),3002(net_bt),3003(inet)

$ su -h
su -h
Usage: su [options]
Options:
  -c,--command cmd  run cmd.
  -h,--help         help

Author:huyanwei
Email:srclib@hotmail.com

$

I used objdump -Csd to dump all sections of the su executable and disassemble the .text section into human-readable ARM assembly in one go:

./su:     file format elf32-littlearm

Contents of section .interp:
 8114 2f737973 74656d2f 62696e2f 6c696e6b  /system/bin/link
 8124 657200                               er.             
Contents of section .hash:
 8128 25000000 40000000 17000000 32000000  %...@.......2...
 8138 31000000 33000000 01000000 00000000  1...3...........
 8148 28000000 2d000000 2b000000 3b000000  (...-...+...;...
 8158 3a000000 03000000 36000000 00000000  :.......6.......
 8168 15000000 37000000 00000000 26000000  ....7.......&...
 8178 3e000000 3f000000 2e000000 1c000000  >...?...........
 8188 34000000 2c000000 2f000000 00000000  4...,.../.......
 8198 00000000 3c000000 3d000000 35000000  ....<...=...5...
 81a8 02000000 18000000 1a000000 00000000  ................
 81b8 2a000000 39000000 0c000000 00000000  *...9...........
 81c8 00000000 00000000 00000000 00000000  ................
 81d8 00000000 00000000 00000000 00000000  ................
 81e8 00000000 00000000 00000000 00000000  ................
 81f8 00000000 00000000 00000000 0b000000  ................
 8208 00000000 00000000 00000000 08000000  ................
 8218 00000000 14000000 11000000 16000000  ................
 8228 07000000 00000000 04000000 0a000000  ................
 8238 13000000 12000000 00000000 00000000  ................
 8248 10000000 00000000 00000000 05000000  ................
 8258 1d000000 00000000 22000000 00000000  ........".......
 8268 0d000000 27000000 00000000 21000000  ....'.......!...
 8278 00000000 23000000 0f000000 24000000  ....#.......$...
 8288 19000000 06000000 00000000 1b000000  ................
 8298 30000000 0e000000 00000000 20000000  0........... ...
 82a8 25000000 38000000 00000000 29000000  %...8.......)...
 82b8 1f000000 1e000000 09000000           ............    
Contents of section .dynsym:
 82c4 00000000 00000000 00000000 00000000  ................
 82d4 01000000 00000000 00000000 12000000  ................
 82e4 18000000 00000000 00000000 12000000  ................
 82f4 29000000 00000000 00000000 11000000  )...............
 8304 3b000000 00000000 00000000 12000000  ;...............
 8314 43000000 00000000 00000000 12000000  C...............
 8324 4c000000 00000000 00000000 12000000  L...............
 8334 53000000 00000000 00000000 12000000  S...............
 8344 5a000000 00000000 00000000 12000000  Z...............
 8354 5f000000 00000000 00000000 12000000  _...............
 8364 67000000 00000000 00000000 12000000  g...............
 8374 6e000000 00000000 00000000 12000000  n...............
 8384 75000000 e0a10000 00000000 10001200  u...............
 8394 82000000 08a00000 00000000 10000c00  ................
 83a4 91000000 10a00000 00000000 10000d00  ................
 83b4 a0000000 8d9c0000 00000000 1000f1ff  ................
 83c4 ae000000 e89c0000 00000000 1000f1ff  ................
 83d4 ba000000 d0a10000 00000000 10001100  ................
 83e4 c7000000 dca10000 00000000 1000f1ff  ................
 83f4 ce000000 dca10000 00000000 1000f1ff  ................
 8404 da000000 dca10000 00000000 1000f1ff  ................
 8414 e8000000 00b20000 00000000 1000f1ff  ................
 8424 f3000000 00b20000 00000000 1000f1ff  ................
 8434 ff000000 00b20000 00000000 1000f1ff  ................
 8444 07010000 00b20000 00000000 1000f1ff  ................
 8454 0c010000 00000800 00000000 1000f1ff  ................
 8464 13010000 00000000 00000000 12000000  ................
 8474 1a010000 00000000 00000000 12000000  ................
 8484 1f010000 00000000 00000000 12000000  ................
 8494 24010000 00000000 00000000 12000000  $...............
 84a4 2b010000 00000000 00000000 12000000  +...............
 84b4 30010000 00000000 00000000 12000000  0...............
 84c4 3d010000 00000000 00000000 12000000  =...............
 84d4 44010000 00000000 00000000 12000000  D...............
 84e4 49010000 00000000 00000000 12000000  I...............
 84f4 50010000 00000000 00000000 12000000  P...............
 8504 57010000 00000000 00000000 12000000  W...............
 8514 5e010000 00000000 00000000 12000000  ^...............
 8524 81010000 00000000 00000000 12000000  ................
 8534 9a010000 00000000 00000000 12000000  ................
 8544 cc010000 00000000 00000000 12000000  ................
 8554 f3010000 00000000 00000000 12000000  ................
 8564 14020000 00000000 00000000 12000000  ................
 8574 2b020000 00000000 00000000 12000000  +...............
 8584 42020000 d18e0000 1a000000 22000800  B..........."...
 8594 63020000 00000000 00000000 12000000  c...............
 85a4 9b020000 00000000 00000000 12000000  ................
 85b4 d9020000 00000000 00000000 12000000  ................
 85c4 f4020000 00000000 00000000 12000000  ................
 85d4 18030000 00000000 00000000 12000000  ................
 85e4 3d030000 00000000 00000000 12000000  =...............
 85f4 64030000 00000000 00000000 12000000  d...............
 8604 6a030000 00000000 00000000 12000000  j...............
 8614 76030000 00000000 00000000 12000000  v...............
 8624 7b030000 00000000 00000000 12000000  {...............
 8634 83030000 00000000 00000000 12000000  ................
 8644 8a030000 00000000 00000000 12000000  ................
 8654 91030000 00000000 00000000 12000000  ................
 8664 98030000 00000000 00000000 12000000  ................
 8674 9f030000 00000000 00000000 12000000  ................
 8684 aa030000 00000000 00000000 12000000  ................
 8694 b1030000 00000000 00000000 12000000  ................
 86a4 b9030000 00000000 00000000 12000000  ................
 86b4 be030000 00000000 00000000 12000000  ................
Contents of section .dynstr:
 86c4 005f5f61 65616269 5f756e77 696e645f  .__aeabi_unwind_
 86d4 6370705f 70723000 5f5f7374 61636b5f  cpp_pr0.__stack_
 86e4 63686b5f 6661696c 005f5f73 7461636b  chk_fail.__stack
 86f4 5f63686b 5f677561 7264005f 5f657272  _chk_guard.__err
 8704 6e6f0073 6e707269 6e746600 73747263  no.snprintf.strc
 8714 6d70006d 656d6370 79006672 65650073  mp.memcpy.free.s
 8724 7072696e 74660073 74726370 79006d61  printf.strcpy.ma
 8734 6c6c6f63 005f5f64 736f5f68 616e646c  lloc.__dso_handl
 8744 65005f5f 494e4954 5f415252 41595f5f  e.__INIT_ARRAY__
 8754 005f5f46 494e495f 41525241 595f5f00  .__FINI_ARRAY__.
 8764 5f5f6578 6964785f 73746172 74005f5f  __exidx_start.__
 8774 65786964 785f656e 64005f5f 64617461  exidx_end.__data
 8784 5f737461 7274005f 65646174 61005f5f  _start._edata.__
 8794 6273735f 73746172 74005f5f 6273735f  bss_start.__bss_
 87a4 73746172 745f5f00 5f627373 5f656e64  start__._bss_end
 87b4 5f5f005f 5f627373 5f656e64 5f5f005f  __.__bss_end__._
 87c4 5f656e64 5f5f005f 656e6400 5f737461  _end__._end._sta
 87d4 636b006d 656d7365 74006174 6f690072  ck.memset.atoi.r
 87e4 65616400 756e6c69 6e6b0073 74617400  ead.unlink.stat.
 87f4 70726f70 65727479 5f676574 00736f63  property_get.soc
 8804 6b657400 62696e64 006c6973 74656e00  ket.bind.listen.
 8814 61636365 70740073 656c6563 74005f5a  accept.select._Z
 8824 4e4b3761 6e64726f 69643752 65664261  NK7android7RefBa
 8834 73653964 65635374 726f6e67 45504b76  se9decStrongEPKv
 8844 005f5a4e 37616e64 726f6964 38537472  ._ZN7android8Str
 8854 696e6731 36443145 76005f5a 4e37616e  ing16D1Ev._ZN7an
 8864 64726f69 64365061 7263656c 31337772  droid6Parcel13wr
 8874 69746553 7472696e 67313645 524b4e53  iteString16ERKNS
 8884 5f385374 72696e67 31364500 5f5a4e4b  _8String16E._ZNK
 8894 37616e64 726f6964 36506172 63656c31  7android6Parcel1
 88a4 35736574 44617461 506f7369 74696f6e  5setDataPosition
 88b4 456a005f 5a4e3761 6e64726f 69643650  Ej._ZN7android6P
 88c4 61726365 6c313077 72697465 496e7433  arcel10writeInt3
 88d4 32456900 5f5a4e37 616e6472 6f696436  2Ei._ZN7android6
 88e4 50617263 656c4331 4576005f 5a4e3761  ParcelC1Ev._ZN7a
 88f4 6e64726f 69643650 61726365 6c443145  ndroid6ParcelD1E
 8904 76005f5a 4e37616e 64726f69 64327370  v._ZN7android2sp
 8914 494e535f 37494269 6e646572 45454431  INS_7IBinderEED1
 8924 4576005f 5a4e3761 6e64726f 69643650  Ev._ZN7android6P
 8934 61726365 6c313977 72697465 496e7465  arcel19writeInte
 8944 72666163 65546f6b 656e4552 4b4e535f  rfaceTokenERKNS_
 8954 38537472 696e6731 3645005f 5a4e3761  8String16E._ZN7a
 8964 6e64726f 69643650 61726365 6c313777  ndroid6Parcel17w
 8974 72697465 5374726f 6e674269 6e646572  riteStrongBinder
 8984 45524b4e 535f3273 70494e53 5f374942  ERKNS_2spINS_7IB
 8994 696e6465 72454545 005f5a4e 37616e64  inderEEE._ZN7and
 89a4 726f6964 38537472 696e6731 36433145  roid8String16C1E
 89b4 504b6300 5f5a4e4b 37616e64 726f6964  PKc._ZNK7android
 89c4 36506172 63656c31 32646174 61506f73  6Parcel12dataPos
 89d4 6974696f 6e457600 5f5a4e37 616e6472  itionEv._ZN7andr
 89e4 6f696432 31646566 61756c74 53657276  oid21defaultServ
 89f4 6963654d 616e6167 65724576 005f5a4e  iceManagerEv._ZN
 8a04 37616e64 726f6964 36506172 63656c31  7android6Parcel1
 8a14 33777269 74655374 72696e67 31364550  3writeString16EP
 8a24 4b746a00 6d6b6469 72005f5f 6c696263  Ktj.mkdir.__libc
 8a34 5f696e69 74006578 69740067 65747070  _init.exit.getpp
 8a44 69640073 65746769 64006578 65637670  id.setgid.execvp
 8a54 00657865 636c7000 73657475 69640062  .execlp.setuid.b
 8a64 73645f73 69676e61 6c006d6b 74656d70  sd_signal.mktemp
 8a74 00707574 63686172 00707574 73006174  .putchar.puts.at
 8a84 65786974 006c6962 6c6f672e 736f006c  exit.liblog.so.l
 8a94 69627371 6c697465 2e736f00 6c696263  ibsqlite.so.libc
 8aa4 7574696c 732e736f 006c6962 62696e64  utils.so.libbind
 8ab4 65722e73 6f006c69 62757469 6c732e73  er.so.libutils.s
 8ac4 6f006c69 62632e73 6f006c69 62737464  o.libc.so.libstd
 8ad4 632b2b2e 736f006c 69626d2e 736f00    c++.so.libm.so. 
Contents of section .rel.plt:
 8ae4 18a10000 16340000 1ca10000 16250000  .....4.......%..
 8af4 20a10000 161a0000 24a10000 161f0000   .......$.......
 8b04 28a10000 161b0000 2ca10000 16310000  (.......,....1..
 8b14 30a10000 162f0000 34a10000 16260000  0..../..4....&..
 8b24 38a10000 162a0000 3ca10000 162d0000  8....*..<....-..
 8b34 40a10000 162e0000 44a10000 16270000  @.......D....'..
 8b44 48a10000 16290000 4ca10000 16320000  H....)..L....2..
 8b54 50a10000 16300000 54a10000 16280000  P....0..T....(..
 8b64 58a10000 162b0000 5ca10000 16020000  X....+..\.......
 8b74 60a10000 163e0000 64a10000 163d0000  `....>..d....=..
 8b84 68a10000 16350000 6ca10000 16200000  h....5..l.... ..
 8b94 70a10000 160a0000 74a10000 163c0000  p.......t....<..
 8ba4 78a10000 16050000 7ca10000 161d0000  x.......|.......
 8bb4 80a10000 16210000 84a10000 16040000  .....!..........
 8bc4 88a10000 16220000 8ca10000 16240000  .....".......$..
 8bd4 90a10000 16230000 94a10000 16060000  .....#..........
 8be4 98a10000 16380000 9ca10000 16390000  .....8.......9..
 8bf4 a0a10000 16080000 a4a10000 161c0000  ................
 8c04 a8a10000 160b0000 aca10000 16070000  ................
 8c14 b0a10000 16370000 b4a10000 16360000  .....7.......6..
 8c24 b8a10000 16090000 bca10000 161e0000  ................
 8c34 c0a10000 16330000 c4a10000 163a0000  .....3.......:..
 8c44 c8a10000 163b0000 cca10000 163f0000  .....;.......?..
Contents of section .rel.dyn:
 8c54 08a10000 15030000                    ........        
Contents of section .rodata:
 9a24 726f2e62 75696c64 2e766572 73696f6e  ro.build.version
 9a34 2e73646b 00300061 63746976 69747900  .sdk.0.activity.
 9a44 616e6472 6f69642e 6170702e 49416374  android.app.IAct
 9a54 69766974 794d616e 61676572 00737263  ivityManager.src
 9a64 6c69622e 68757961 6e776569 2e706572  lib.huyanwei.per
 9a74 6d697373 696f6e67 72616e74 2e726571  missiongrant.req
 9a84 75657374 00736f63 6b65745f 61646472  uest.socket_addr
 9a94 00756964 00706964 00737263 6c69622e  .uid.pid.srclib.
 9aa4 68757961 6e776569 2e706572 6d697373  huyanwei.permiss
 9ab4 696f6e67 72616e74 2e62726f 61646361  iongrant.broadca
 9ac4 73740073 72636c69 622e6875 79616e77  st.srclib.huyanw
 9ad4 65692e70 65726d69 7373696f 6e677261  ei.permissiongra
 9ae4 6e742e72 6573706f 6e736500 6772616e  nt.response.gran
 9af4 745f7265 73756c74 00557361 67653a20  t_result.Usage: 
 9b04 7375205b 6f707469 6f6e735d 004f7074  su [options].Opt
 9b14 696f6e73 3a002020 2d632c2d 2d636f6d  ions:.  -c,--com
 9b24 6d616e64 20636d64 20207275 6e20636d  mand cmd  run cm
 9b34 642e0020 202d682c 2d2d6865 6c702020  d..  -h,--help  
 9b44 20202020 20202068 656c7000 41757468         help.Auth
 9b54 6f723a68 7579616e 77656900 456d6169  or:huyanwei.Emai
 9b64 6c3a7372 636c6962 40686f74 6d61696c  l:srclib@hotmail
 9b74 2e636f6d 002f6461 74612f64 6174612f  .com./data/data/
 9b84 7372636c 69622e68 7579616e 7765692e  srclib.huyanwei.
 9b94 7065726d 69737369 6f6e6772 616e742f  permissiongrant/
 9ba4 2e736f63 6b65742e 7372636c 69622e58  .socket.srclib.X
 9bb4 58585858 58002573 002d6300 2d2d636f  XXXXX.%s.-c.--co
 9bc4 6d6d616e 64007375 202d6320 636f6d6d  mmand.su -c comm
 9bd4 616e6420 6572726f 722e0d00 2f737973  and error.../sys
 9be4 74656d2f 62696e2f 73680073 68002d68  tem/bin/sh.sh.-h
 9bf4 002d2d68 656c7000 2a236875 79616e77  .--help.*#huyanw
 9c04 6569232a 00687579 616e7765 69206772  ei#*.huyanwei gr
 9c14 616e7420 73756363 65737366 756c202e  ant successful .
 9c24 2e2e0d00 2f70726f 632f2564 002f6461  ..../proc/%d./da
 9c34 74612f64 6174612f 7372636c 69622e68  ta/data/srclib.h
 9c44 7579616e 7765692e 7065726d 69737369  uyanwei.permissi
 9c54 6f6e6772 616e742f 00737520 73776974  ongrant/.su swit
 9c64 63682065 72726f72 2e0d0073 7520636f  ch error...su co
 9c74 6d6d616e 64206572 726f722e 0d004445  mmand error...DE
 9c84 4e590041 4c4c4f57 00                 NY.ALLOW.       
Contents of section .ARM.exidx:
 9c90 8cfdff7f 01000000 38f2ff7f b0b0a880  ........8.......
 9ca0 4cf2ff7f b0b0b080 4cf2ff7f b0af3e80  L.......L.....>.
 9cb0 84f8ff7f b0b0a880 d4f8ff7f b0af1e80  ................
 9cc0 acf9ff7f b0aa2380 08faff7f b0b0aa80  ......#.........
 9cd0 84faff7f b0b0a880 d4faff7f b0b0aa80  ................
 9ce0 f8faff7f ab3f2c80                    .....?,.        
Contents of section .preinit_array:
 a000 ffffffff 00000000                    ........        
Contents of section .init_array:
 a008 ffffffff 00000000                    ........        
Contents of section .fini_array:
 a010 ffffffff 00000000                    ........        
Contents of section .ctors:
 a018 ffffffff 00000000                    ........        
Contents of section .dynamic:
 a020 03000000 0ca10000 02000000 70010000  ............p...
 a030 17000000 e48a0000 14000000 11000000  ................
 a040 11000000 548c0000 12000000 08000000  ....T...........
 a050 13000000 08000000 15000000 00000000  ................
 a060 06000000 c4820000 0b000000 10000000  ................
 a070 05000000 c4860000 0a000000 1f040000  ................
 a080 04000000 28810000 01000000 c5030000  ....(...........
 a090 01000000 cf030000 01000000 dc030000  ................
 a0a0 01000000 e9030000 01000000 f6030000  ................
 a0b0 01000000 02040000 01000000 0a040000  ................
 a0c0 01000000 17040000 20000000 00a00000  ........ .......
 a0d0 21000000 08000000 19000000 08a00000  !...............
 a0e0 1b000000 08000000 1a000000 10a00000  ................
 a0f0 1c000000 08000000 1e000000 00000000  ................
 a100 00000000 00000000                    ........        
Contents of section .got:
 a108 00000000 00000000 00000000 00000000  ................
 a118 5c8c0000 5c8c0000 5c8c0000 5c8c0000  \...\...\...\...
 a128 5c8c0000 5c8c0000 5c8c0000 5c8c0000  \...\...\...\...
 a138 5c8c0000 5c8c0000 5c8c0000 5c8c0000  \...\...\...\...
 a148 5c8c0000 5c8c0000 5c8c0000 5c8c0000  \...\...\...\...
 a158 5c8c0000 5c8c0000 5c8c0000 5c8c0000  \...\...\...\...
 a168 5c8c0000 5c8c0000 5c8c0000 5c8c0000  \...\...\...\...
 a178 5c8c0000 5c8c0000 5c8c0000 5c8c0000  \...\...\...\...
 a188 5c8c0000 5c8c0000 5c8c0000 5c8c0000  \...\...\...\...
 a198 5c8c0000 5c8c0000 5c8c0000 5c8c0000  \...\...\...\...
 a1a8 5c8c0000 5c8c0000 5c8c0000 5c8c0000  \...\...\...\...
 a1b8 5c8c0000 5c8c0000 5c8c0000 5c8c0000  \...\...\...\...
 a1c8 5c8c0000 5c8c0000                    \...\...        
Contents of section .data:
 a1d0 ffffffff ffffffff ffffffff           ............    
Contents of section .note.gnu.gold-version:
 0000 04000000 08000000 04000000 474e5500  ............GNU.
 0010 676f6c64 20312e39                    gold 1.9        
Contents of section .ARM.attributes:
 0000 41310000 00616561 62690001 27000000  A1...aeabi..'...
 0010 0541524d 20763700 060a0741 08010902  .ARM v7....A....
 0020 0a030c01 12041401 15011703 18011a02  ................
 0030 1b03                                 ..              

Disassembly of section .plt:

00008c5c <__libc_init@plt-0x14>:
    8c5c:   e52de004    push    {lr}        ; (str lr, [sp, #-4]!)
    8c60:   e59fe004    ldr lr, [pc, #4]    ; 8c6c <__libc_init@plt-0x4>
    8c64:   e08fe00e    add lr, pc, lr
    8c68:   e5bef008    ldr pc, [lr, #8]!
    8c6c:   000014a0    andeq   r1, r0, r0, lsr #9

00008c70 <__libc_init@plt>:
    8c70:   e28fc600    add ip, pc, #0, 12
    8c74:   e28cca01    add ip, ip, #4096   ; 0x1000
    8c78:   e5bcf4a0    ldr pc, [ip, #1184]!    ; 0x4a0

00008c7c <android::RefBase::decStrong(void const*) const@plt>:
    8c7c:   e28fc600    add ip, pc, #0, 12
    8c80:   e28cca01    add ip, ip, #4096   ; 0x1000
    8c84:   e5bcf498    ldr pc, [ip, #1176]!    ; 0x498

00008c88 <memset@plt>:
    8c88:   e28fc600    add ip, pc, #0, 12
    8c8c:   e28cca01    add ip, ip, #4096   ; 0x1000
    8c90:   e5bcf490    ldr pc, [ip, #1168]!    ; 0x490

00008c94 <property_get@plt>:
    8c94:   e28fc600    add ip, pc, #0, 12
    8c98:   e28cca01    add ip, ip, #4096   ; 0x1000
    8c9c:   e5bcf488    ldr pc, [ip, #1160]!    ; 0x488

00008ca0 <atoi@plt>:
    8ca0:   e28fc600    add ip, pc, #0, 12
    8ca4:   e28cca01    add ip, ip, #4096   ; 0x1000
    8ca8:   e5bcf480    ldr pc, [ip, #1152]!    ; 0x480

00008cac <android::defaultServiceManager()@plt>:
    8cac:   e28fc600    add ip, pc, #0, 12
    8cb0:   e28cca01    add ip, ip, #4096   ; 0x1000
    8cb4:   e5bcf478    ldr pc, [ip, #1144]!    ; 0x478

00008cb8 <android::String16::String16(char const*)@plt>:
    8cb8:   e28fc600    add ip, pc, #0, 12
    8cbc:   e28cca01    add ip, ip, #4096   ; 0x1000
    8cc0:   e5bcf470    ldr pc, [ip, #1136]!    ; 0x470

00008cc4 <android::String16::~String16()@plt>:
    8cc4:   e28fc600    add ip, pc, #0, 12
    8cc8:   e28cca01    add ip, ip, #4096   ; 0x1000
    8ccc:   e5bcf468    ldr pc, [ip, #1128]!    ; 0x468

00008cd0 <android::Parcel::Parcel()@plt>:
    8cd0:   e28fc600    add ip, pc, #0, 12
    8cd4:   e28cca01    add ip, ip, #4096   ; 0x1000
    8cd8:   e5bcf460    ldr pc, [ip, #1120]!    ; 0x460

00008cdc <android::Parcel::writeInterfaceToken(android::String16 const&)@plt>:
    8cdc:   e28fc600    add ip, pc, #0, 12
    8ce0:   e28cca01    add ip, ip, #4096   ; 0x1000
    8ce4:   e5bcf458    ldr pc, [ip, #1112]!    ; 0x458

00008ce8 <android::Parcel::writeStrongBinder(android::sp<android::IBinder> const&)@plt>:
    8ce8:   e28fc600    add ip, pc, #0, 12
    8cec:   e28cca01    add ip, ip, #4096   ; 0x1000
    8cf0:   e5bcf450    ldr pc, [ip, #1104]!    ; 0x450

00008cf4 <android::Parcel::writeString16(android::String16 const&)@plt>:
    8cf4:   e28fc600    add ip, pc, #0, 12
    8cf8:   e28cca01    add ip, ip, #4096   ; 0x1000
    8cfc:   e5bcf448    ldr pc, [ip, #1096]!    ; 0x448

00008d00 <android::Parcel::writeInt32(int)@plt>:
    8d00:   e28fc600    add ip, pc, #0, 12
    8d04:   e28cca01    add ip, ip, #4096   ; 0x1000
    8d08:   e5bcf440    ldr pc, [ip, #1088]!    ; 0x440

00008d0c <android::Parcel::writeString16(unsigned short const*, unsigned int)@plt>:
    8d0c:   e28fc600    add ip, pc, #0, 12
    8d10:   e28cca01    add ip, ip, #4096   ; 0x1000
    8d14:   e5bcf438    ldr pc, [ip, #1080]!    ; 0x438

00008d18 <android::Parcel::dataPosition() const@plt>:
    8d18:   e28fc600    add ip, pc, #0, 12
    8d1c:   e28cca01    add ip, ip, #4096   ; 0x1000
    8d20:   e5bcf430    ldr pc, [ip, #1072]!    ; 0x430

00008d24 <android::Parcel::setDataPosition(unsigned int) const@plt>:
    8d24:   e28fc600    add ip, pc, #0, 12
    8d28:   e28cca01    add ip, ip, #4096   ; 0x1000
    8d2c:   e5bcf428    ldr pc, [ip, #1064]!    ; 0x428

00008d30 <android::Parcel::~Parcel()@plt>:
    8d30:   e28fc600    add ip, pc, #0, 12
    8d34:   e28cca01    add ip, ip, #4096   ; 0x1000
    8d38:   e5bcf420    ldr pc, [ip, #1056]!    ; 0x420

00008d3c <__stack_chk_fail@plt>:
    8d3c:   e28fc600    add ip, pc, #0, 12
    8d40:   e28cca01    add ip, ip, #4096   ; 0x1000
    8d44:   e5bcf418    ldr pc, [ip, #1048]!    ; 0x418

00008d48 <puts@plt>:
    8d48:   e28fc600    add ip, pc, #0, 12
    8d4c:   e28cca01    add ip, ip, #4096   ; 0x1000
    8d50:   e5bcf410    ldr pc, [ip, #1040]!    ; 0x410

00008d54 <putchar@plt>:
    8d54:   e28fc600    add ip, pc, #0, 12
    8d58:   e28cca01    add ip, ip, #4096   ; 0x1000
    8d5c:   e5bcf408    ldr pc, [ip, #1032]!    ; 0x408

00008d60 <exit@plt>:
    8d60:   e28fc600    add ip, pc, #0, 12
    8d64:   e28cca01    add ip, ip, #4096   ; 0x1000
    8d68:   e5bcf400    ldr pc, [ip, #1024]!    ; 0x400

00008d6c <socket@plt>:
    8d6c:   e28fc600    add ip, pc, #0, 12
    8d70:   e28cca01    add ip, ip, #4096   ; 0x1000
    8d74:   e5bcf3f8    ldr pc, [ip, #1016]!    ; 0x3f8

00008d78 <strcpy@plt>:
    8d78:   e28fc600    add ip, pc, #0, 12
    8d7c:   e28cca01    add ip, ip, #4096   ; 0x1000
    8d80:   e5bcf3f0    ldr pc, [ip, #1008]!    ; 0x3f0

00008d84 <mktemp@plt>:
    8d84:   e28fc600    add ip, pc, #0, 12
    8d88:   e28cca01    add ip, ip, #4096   ; 0x1000
    8d8c:   e5bcf3e8    ldr pc, [ip, #1000]!    ; 0x3e8

00008d90 <snprintf@plt>:
    8d90:   e28fc600    add ip, pc, #0, 12
    8d94:   e28cca01    add ip, ip, #4096   ; 0x1000
    8d98:   e5bcf3e0    ldr pc, [ip, #992]! ; 0x3e0

00008d9c <unlink@plt>:
    8d9c:   e28fc600    add ip, pc, #0, 12
    8da0:   e28cca01    add ip, ip, #4096   ; 0x1000
    8da4:   e5bcf3d8    ldr pc, [ip, #984]! ; 0x3d8

00008da8 <bind@plt>:
    8da8:   e28fc600    add ip, pc, #0, 12
    8dac:   e28cca01    add ip, ip, #4096   ; 0x1000
    8db0:   e5bcf3d0    ldr pc, [ip, #976]! ; 0x3d0

00008db4 <__errno@plt>:
    8db4:   e28fc600    add ip, pc, #0, 12
    8db8:   e28cca01    add ip, ip, #4096   ; 0x1000
    8dbc:   e5bcf3c8    ldr pc, [ip, #968]! ; 0x3c8

00008dc0 <listen@plt>:
    8dc0:   e28fc600    add ip, pc, #0, 12
    8dc4:   e28cca01    add ip, ip, #4096   ; 0x1000
    8dc8:   e5bcf3c0    ldr pc, [ip, #960]! ; 0x3c0

00008dcc <select@plt>:
    8dcc:   e28fc600    add ip, pc, #0, 12
    8dd0:   e28cca01    add ip, ip, #4096   ; 0x1000
    8dd4:   e5bcf3b8    ldr pc, [ip, #952]! ; 0x3b8

00008dd8 <accept@plt>:
    8dd8:   e28fc600    add ip, pc, #0, 12
    8ddc:   e28cca01    add ip, ip, #4096   ; 0x1000
    8de0:   e5bcf3b0    ldr pc, [ip, #944]! ; 0x3b0

00008de4 <strcmp@plt>:
    8de4:   e28fc600    add ip, pc, #0, 12
    8de8:   e28cca01    add ip, ip, #4096   ; 0x1000
    8dec:   e5bcf3a8    ldr pc, [ip, #936]! ; 0x3a8

00008df0 <execvp@plt>:
    8df0:   e28fc600    add ip, pc, #0, 12
    8df4:   e28cca01    add ip, ip, #4096   ; 0x1000
    8df8:   e5bcf3a0    ldr pc, [ip, #928]! ; 0x3a0

00008dfc <execlp@plt>:
    8dfc:   e28fc600    add ip, pc, #0, 12
    8e00:   e28cca01    add ip, ip, #4096   ; 0x1000
    8e04:   e5bcf398    ldr pc, [ip, #920]! ; 0x398

00008e08 <free@plt>:
    8e08:   e28fc600    add ip, pc, #0, 12
    8e0c:   e28cca01    add ip, ip, #4096   ; 0x1000
    8e10:   e5bcf390    ldr pc, [ip, #912]! ; 0x390

00008e14 <read@plt>:
    8e14:   e28fc600    add ip, pc, #0, 12
    8e18:   e28cca01    add ip, ip, #4096   ; 0x1000
    8e1c:   e5bcf388    ldr pc, [ip, #904]! ; 0x388

00008e20 <malloc@plt>:
    8e20:   e28fc600    add ip, pc, #0, 12
    8e24:   e28cca01    add ip, ip, #4096   ; 0x1000
    8e28:   e5bcf380    ldr pc, [ip, #896]! ; 0x380

00008e2c <memcpy@plt>:
    8e2c:   e28fc600    add ip, pc, #0, 12
    8e30:   e28cca01    add ip, ip, #4096   ; 0x1000
    8e34:   e5bcf378    ldr pc, [ip, #888]! ; 0x378

00008e38 <setgid@plt>:
    8e38:   e28fc600    add ip, pc, #0, 12
    8e3c:   e28cca01    add ip, ip, #4096   ; 0x1000
    8e40:   e5bcf370    ldr pc, [ip, #880]! ; 0x370

00008e44 <getppid@plt>:
    8e44:   e28fc600    add ip, pc, #0, 12
    8e48:   e28cca01    add ip, ip, #4096   ; 0x1000
    8e4c:   e5bcf368    ldr pc, [ip, #872]! ; 0x368

00008e50 <sprintf@plt>:
    8e50:   e28fc600    add ip, pc, #0, 12
    8e54:   e28cca01    add ip, ip, #4096   ; 0x1000
    8e58:   e5bcf360    ldr pc, [ip, #864]! ; 0x360

00008e5c <stat@plt>:
    8e5c:   e28fc600    add ip, pc, #0, 12
    8e60:   e28cca01    add ip, ip, #4096   ; 0x1000
    8e64:   e5bcf358    ldr pc, [ip, #856]! ; 0x358

00008e68 <mkdir@plt>:
    8e68:   e28fc600    add ip, pc, #0, 12
    8e6c:   e28cca01    add ip, ip, #4096   ; 0x1000
    8e70:   e5bcf350    ldr pc, [ip, #848]! ; 0x350

00008e74 <setuid@plt>:
    8e74:   e28fc600    add ip, pc, #0, 12
    8e78:   e28cca01    add ip, ip, #4096   ; 0x1000
    8e7c:   e5bcf348    ldr pc, [ip, #840]! ; 0x348

00008e80 <bsd_signal@plt>:
    8e80:   e28fc600    add ip, pc, #0, 12
    8e84:   e28cca01    add ip, ip, #4096   ; 0x1000
    8e88:   e5bcf340    ldr pc, [ip, #832]! ; 0x340

00008e8c <atexit@plt>:
    8e8c:   e28fc600    add ip, pc, #0, 12
    8e90:   e28cca01    add ip, ip, #4096   ; 0x1000
    8e94:   e5bcf338    ldr pc, [ip, #824]! ; 0x338

Disassembly of section .text:

00008ea0 <android::sp<android::IBinder>::~sp()-0x30>:
    8ea0:   e1a0000d    mov r0, sp
    8ea4:   e3a01000    mov r1, #0
    8ea8:   e28f2004    add r2, pc, #4
    8eac:   e28f3004    add r3, pc, #4
    8eb0:   eaffff6e    b   8c70 <__libc_init@plt>
    8eb4:   ea0002d8    b   9a1c <android::sp<android::IBinder>::~sp()+0xb4c>
    8eb8:   0000a000    andeq   sl, r0, r0
    8ebc:   0000a008    andeq   sl, r0, r8
    8ec0:   0000a010    andeq   sl, r0, r0, lsl r0
    8ec4:   0000a018    andeq   sl, r0, r8, lsl r0
    8ec8:   e1a00000    nop         ; (mov r0, r0)
    8ecc:   e1a00000    nop         ; (mov r0, r0)

00008ed0 <android::sp<android::IBinder>::~sp()>:
    8ed0:   b510        push    {r4, lr}
    8ed2:   4604        mov r4, r0
    8ed4:   6803        ldr r3, [r0, #0]
    8ed6:   b133        cbz r3, 8ee6 <android::sp<android::IBinder>::~sp()+0x16>
    8ed8:   681a        ldr r2, [r3, #0]
    8eda:   4621        mov r1, r4
    8edc:   f852 0c0c   ldr.w   r0, [r2, #-12]
    8ee0:   1818        adds    r0, r3, r0
    8ee2:   f7ff eecc   blx 8c7c <android::RefBase::decStrong(void const*) const@plt>
    8ee6:   4620        mov r0, r4
    8ee8:   bd10        pop {r4, pc}
    8eea:   bf00        nop
    8eec:   2300        movs    r3, #0
    8eee:   6003        str r3, [r0, #0]
    8ef0:   4770        bx  lr
    8ef2:   bf00        nop
    8ef4:   e92d 4ff0   stmdb   sp!, {r4, r5, r6, r7, r8, r9, sl, fp, lr}
    8ef8:   f8df 92f0   ldr.w   r9, [pc, #752]  ; 91ec <android::sp<android::IBinder>::~sp()+0x31c>
    8efc:   b0bf        sub sp, #252    ; 0xfc
    8efe:   4dbc        ldr r5, [pc, #752]  ; (91f0 <android::sp<android::IBinder>::~sp()+0x320>)
    8f00:   4680        mov r8, r0
    8f02:   447d        add r5, pc
    8f04:   460f        mov r7, r1
    8f06:   f855 6009   ldr.w   r6, [r5, r9]
    8f0a:   2130        movs    r1, #48 ; 0x30
    8f0c:   4692        mov sl, r2
    8f0e:   9126        str r1, [sp, #152]  ; 0x98
    8f10:   6832        ldr r2, [r6, #0]
    8f12:   2100        movs    r1, #0
    8f14:   923d        str r2, [sp, #244]  ; 0xf4
    8f16:   a827        add r0, sp, #156    ; 0x9c
    8f18:   2258        movs    r2, #88 ; 0x58
    8f1a:   f7ff eeb6   blx 8c88 <memset@plt>
    8f1e:   ac26        add r4, sp, #152    ; 0x98
    8f20:   48b4        ldr r0, [pc, #720]  ; (91f4 <android::sp<android::IBinder>::~sp()+0x324>)
    8f22:   4621        mov r1, r4
    8f24:   4478        add r0, pc
    8f26:   4ab4        ldr r2, [pc, #720]  ; (91f8 <android::sp<android::IBinder>::~sp()+0x328>)
    8f28:   447a        add r2, pc
    8f2a:   ae23        add r6, sp, #140    ; 0x8c
    8f2c:   f7ff eeb2   blx 8c94 <property_get@plt>
    8f30:   4620        mov r0, r4
    8f32:   f7ff eeb6   blx 8ca0 <atoi@plt>
    8f36:   4604        mov r4, r0
    8f38:   a825        add r0, sp, #148    ; 0x94
    8f3a:   f7ff eeb8   blx 8cac <android::defaultServiceManager()@plt>
    8f3e:   f8dd b094   ldr.w   fp, [sp, #148]  ; 0x94
    8f42:   49ae        ldr r1, [pc, #696]  ; (91fc <android::sp<android::IBinder>::~sp()+0x32c>)
    8f44:   f8db 0000   ldr.w   r0, [fp]
    8f48:   4479        add r1, pc
    8f4a:   f8d0 9014   ldr.w   r9, [r0, #20]
    8f4e:   4630        mov r0, r6
    8f50:   f7ff eeb2   blx 8cb8 <android::String16::String16(char const*)@plt>
    8f54:   a824        add r0, sp, #144    ; 0x90
    8f56:   4659        mov r1, fp
    8f58:   4632        mov r2, r6
    8f5a:   47c8        blx r9
    8f5c:   4630        mov r0, r6
    8f5e:   f7ff eeb2   blx 8cc4 <android::String16::~String16()@plt>
    8f62:   9b24        ldr r3, [sp, #144]  ; 0x90
    8f64:   b913        cbnz    r3, 8f6c <android::sp<android::IBinder>::~sp()+0x9c>
    8f66:   f04f 37ff   mov.w   r7, #4294967295 ; 0xffffffff
    8f6a:   e122        b.n 91b2 <android::sp<android::IBinder>::~sp()+0x2e2>
    8f6c:   ae0e        add r6, sp, #56 ; 0x38
    8f6e:   4630        mov r0, r6
    8f70:   f7ff eeae   blx 8cd0 <android::Parcel::Parcel()@plt>
    8f74:   a802        add r0, sp, #8
    8f76:   f7ff eeac   blx 8cd0 <android::Parcel::Parcel()@plt>
    8f7a:   f10d 0988   add.w   r9, sp, #136    ; 0x88
    8f7e:   49a0        ldr r1, [pc, #640]  ; (9200 <android::sp<android::IBinder>::~sp()+0x330>)
    8f80:   4648        mov r0, r9
    8f82:   4479        add r1, pc
    8f84:   f7ff ee98   blx 8cb8 <android::String16::String16(char const*)@plt>
    8f88:   4649        mov r1, r9
    8f8a:   4630        mov r0, r6
    8f8c:   f7ff eea6   blx 8cdc <android::Parcel::writeInterfaceToken(android::String16 const&)@plt>
    8f90:   4648        mov r0, r9
    8f92:   f7ff ee98   blx 8cc4 <android::String16::~String16()@plt>
    8f96:   f10d 0984   add.w   r9, sp, #132    ; 0x84
    8f9a:   4648        mov r0, r9
    8f9c:   f7ff ffa6   bl  8eec <android::sp<android::IBinder>::~sp()+0x1c>
    8fa0:   4649        mov r1, r9
    8fa2:   4630        mov r0, r6
    8fa4:   f7ff eea0   blx 8ce8 <android::Parcel::writeStrongBinder(android::sp<android::IBinder> const&)@plt>
    8fa8:   4648        mov r0, r9
    8faa:   f7ff ff91   bl  8ed0 <android::sp<android::IBinder>::~sp()>
    8fae:   f10d 0980   add.w   r9, sp, #128    ; 0x80
    8fb2:   4994        ldr r1, [pc, #592]  ; (9204 <android::sp<android::IBinder>::~sp()+0x334>)
    8fb4:   4648        mov r0, r9
    8fb6:   4479        add r1, pc
    8fb8:   f7ff ee7e   blx 8cb8 <android::String16::String16(char const*)@plt>
    8fbc:   4649        mov r1, r9
    8fbe:   4630        mov r0, r6
    8fc0:   f7ff ee98   blx 8cf4 <android::Parcel::writeString16(android::String16 const&)@plt>
    8fc4:   4648        mov r0, r9
    8fc6:   f7ff ee7e   blx 8cc4 <android::String16::~String16()@plt>
    8fca:   2100        movs    r1, #0
    8fcc:   4630        mov r0, r6
    8fce:   f7ff ee98   blx 8d00 <android::Parcel::writeInt32(int)@plt>
    8fd2:   2100        movs    r1, #0
    8fd4:   4630        mov r0, r6
    8fd6:   460a        mov r2, r1
    8fd8:   f7ff ee98   blx 8d0c <android::Parcel::writeString16(unsigned short const*, unsigned int)@plt>
    8fdc:   2100        movs    r1, #0
    8fde:   4630        mov r0, r6
    8fe0:   f7ff ee8e   blx 8d00 <android::Parcel::writeInt32(int)@plt>
    8fe4:   2c03        cmp r4, #3
    8fe6:   dd04        ble.n   8ff2 <android::sp<android::IBinder>::~sp()+0x122>
    8fe8:   2100        movs    r1, #0
    8fea:   4630        mov r0, r6
    8fec:   460a        mov r2, r1
    8fee:   f7ff ee8e   blx 8d0c <android::Parcel::writeString16(unsigned short const*, unsigned int)@plt>
    8ff2:   2100        movs    r1, #0
    8ff4:   ae0e        add r6, sp, #56 ; 0x38
    8ff6:   460a        mov r2, r1
    8ff8:   4630        mov r0, r6
    8ffa:   f7ff ee88   blx 8d0c <android::Parcel::writeString16(unsigned short const*, unsigned int)@plt>
    8ffe:   2100        movs    r1, #0
    9000:   4630        mov r0, r6
    9002:   f7ff ee7e   blx 8d00 <android::Parcel::writeInt32(int)@plt>
    9006:   2c06        cmp r4, #6
    9008:   dd09        ble.n   901e <android::sp<android::IBinder>::~sp()+0x14e>
    900a:   2100        movs    r1, #0
    900c:   4630        mov r0, r6
    900e:   f7ff ee78   blx 8d00 <android::Parcel::writeInt32(int)@plt>
    9012:   2c0e        cmp r4, #14
    9014:   dd03        ble.n   901e <android::sp<android::IBinder>::~sp()+0x14e>
    9016:   4630        mov r0, r6
    9018:   2100        movs    r1, #0
    901a:   f7ff ee72   blx 8d00 <android::Parcel::writeInt32(int)@plt>
    901e:   ac0e        add r4, sp, #56 ; 0x38
    9020:   f04f 31ff   mov.w   r1, #4294967295 ; 0xffffffff
    9024:   4620        mov r0, r4
    9026:   ae1f        add r6, sp, #124    ; 0x7c
    9028:   f7ff ee6a   blx 8d00 <android::Parcel::writeInt32(int)@plt>
    902c:   4620        mov r0, r4
    902e:   f7ff ee74   blx 8d18 <android::Parcel::dataPosition() const@plt>
    9032:   496d        ldr r1, [pc, #436]  ; (91e8 <android::sp<android::IBinder>::~sp()+0x318>)
    9034:   4681        mov r9, r0
    9036:   4620        mov r0, r4
    9038:   f7ff ee62   blx 8d00 <android::Parcel::writeInt32(int)@plt>
    903c:   2107        movs    r1, #7
    903e:   4620        mov r0, r4
    9040:   f7ff ee5e   blx 8d00 <android::Parcel::writeInt32(int)@plt>
    9044:   2100        movs    r1, #0
    9046:   4620        mov r0, r4
    9048:   f7ff ee5a   blx 8d00 <android::Parcel::writeInt32(int)@plt>
    904c:   4630        mov r0, r6
    904e:   496e        ldr r1, [pc, #440]  ; (9208 <android::sp<android::IBinder>::~sp()+0x338>)
    9050:   4479        add r1, pc
    9052:   f7ff ee32   blx 8cb8 <android::String16::String16(char const*)@plt>
    9056:   4631        mov r1, r6
    9058:   4620        mov r0, r4
    905a:   f7ff ee4c   blx 8cf4 <android::Parcel::writeString16(android::String16 const&)@plt>
    905e:   4630        mov r0, r6
    9060:   f7ff ee30   blx 8cc4 <android::String16::~String16()@plt>
    9064:   2100        movs    r1, #0
    9066:   4620        mov r0, r4
    9068:   ae1e        add r6, sp, #120    ; 0x78
    906a:   f7ff ee4a   blx 8d00 <android::Parcel::writeInt32(int)@plt>
    906e:   4630        mov r0, r6
    9070:   4641        mov r1, r8
    9072:   f7ff ee22   blx 8cb8 <android::String16::String16(char const*)@plt>
    9076:   4631        mov r1, r6
    9078:   4620        mov r0, r4
    907a:   f7ff ee3c   blx 8cf4 <android::Parcel::writeString16(android::String16 const&)@plt>
    907e:   4630        mov r0, r6
    9080:   f7ff ee20   blx 8cc4 <android::String16::~String16()@plt>
    9084:   2100        movs    r1, #0
    9086:   4620        mov r0, r4
    9088:   ae1d        add r6, sp, #116    ; 0x74
    908a:   f7ff ee3a   blx 8d00 <android::Parcel::writeInt32(int)@plt>
    908e:   4630        mov r0, r6
    9090:   495e        ldr r1, [pc, #376]  ; (920c <android::sp<android::IBinder>::~sp()+0x33c>)
    9092:   4479        add r1, pc
    9094:   f7ff ee10   blx 8cb8 <android::String16::String16(char const*)@plt>
    9098:   4631        mov r1, r6
    909a:   4620        mov r0, r4
    909c:   f7ff ee2a   blx 8cf4 <android::Parcel::writeString16(android::String16 const&)@plt>
    90a0:   4630        mov r0, r6
    90a2:   f7ff ee10   blx 8cc4 <android::String16::~String16()@plt>
    90a6:   2101        movs    r1, #1
    90a8:   4620        mov r0, r4
    90aa:   f7ff ee2a   blx 8d00 <android::Parcel::writeInt32(int)@plt>
    90ae:   4639        mov r1, r7
    90b0:   4620        mov r0, r4
    90b2:   af1c        add r7, sp, #112    ; 0x70
    90b4:   f7ff ee24   blx 8d00 <android::Parcel::writeInt32(int)@plt>
    90b8:   2100        movs    r1, #0
    90ba:   4620        mov r0, r4
    90bc:   f7ff ee20   blx 8d00 <android::Parcel::writeInt32(int)@plt>
    90c0:   4638        mov r0, r7
    90c2:   4953        ldr r1, [pc, #332]  ; (9210 <android::sp<android::IBinder>::~sp()+0x340>)
    90c4:   4479        add r1, pc
    90c6:   f7ff edf8   blx 8cb8 <android::String16::String16(char const*)@plt>
    90ca:   4639        mov r1, r7
    90cc:   4620        mov r0, r4
    90ce:   f7ff ee12   blx 8cf4 <android::Parcel::writeString16(android::String16 const&)@plt>
    90d2:   4638        mov r0, r7
    90d4:   f7ff edf6   blx 8cc4 <android::String16::~String16()@plt>
    90d8:   2101        movs    r1, #1
    90da:   4620        mov r0, r4
    90dc:   af1b        add r7, sp, #108    ; 0x6c
    90de:   f7ff ee10   blx 8d00 <android::Parcel::writeInt32(int)@plt>
    90e2:   4651        mov r1, sl
    90e4:   4620        mov r0, r4
    90e6:   f7ff ee0c   blx 8d00 <android::Parcel::writeInt32(int)@plt>
    90ea:   4620        mov r0, r4
    90ec:   f7ff ee14   blx 8d18 <android::Parcel::dataPosition() const@plt>
    90f0:   f1a9 0104   sub.w   r1, r9, #4
    90f4:   4606        mov r6, r0
    90f6:   4620        mov r0, r4
    90f8:   f7ff ee14   blx 8d24 <android::Parcel::setDataPosition(unsigned int) const@plt>
    90fc:   ebc9 0106   rsb r1, r9, r6
    9100:   4620        mov r0, r4
    9102:   f7ff edfe   blx 8d00 <android::Parcel::writeInt32(int)@plt>
    9106:   4631        mov r1, r6
    9108:   4620        mov r0, r4
    910a:   ae1a        add r6, sp, #104    ; 0x68
    910c:   f7ff ee0a   blx 8d24 <android::Parcel::setDataPosition(unsigned int) const@plt>
    9110:   2100        movs    r1, #0
    9112:   4620        mov r0, r4
    9114:   460a        mov r2, r1
    9116:   f7ff edfa   blx 8d0c <android::Parcel::writeString16(unsigned short const*, unsigned int)@plt>
    911a:   f04f 31ff   mov.w   r1, #4294967295 ; 0xffffffff
    911e:   4620        mov r0, r4
    9120:   f7ff edee   blx 8d00 <android::Parcel::writeInt32(int)@plt>
    9124:   4638        mov r0, r7
    9126:   f7ff fee1   bl  8eec <android::sp<android::IBinder>::~sp()+0x1c>
    912a:   4639        mov r1, r7
    912c:   4620        mov r0, r4
    912e:   f7ff eddc   blx 8ce8 <android::Parcel::writeStrongBinder(android::sp<android::IBinder> const&)@plt>
    9132:   4638        mov r0, r7
    9134:   f7ff fecc   bl  8ed0 <android::sp<android::IBinder>::~sp()>
    9138:   f04f 31ff   mov.w   r1, #4294967295 ; 0xffffffff
    913c:   4620        mov r0, r4
    913e:   f7ff ede0   blx 8d00 <android::Parcel::writeInt32(int)@plt>
    9142:   2100        movs    r1, #0
    9144:   4620        mov r0, r4
    9146:   460a        mov r2, r1
    9148:   f7ff ede0   blx 8d0c <android::Parcel::writeString16(unsigned short const*, unsigned int)@plt>
    914c:   f04f 31ff   mov.w   r1, #4294967295 ; 0xffffffff
    9150:   4620        mov r0, r4
    9152:   f7ff edd6   blx 8d00 <android::Parcel::writeInt32(int)@plt>
    9156:   4630        mov r0, r6
    9158:   492e        ldr r1, [pc, #184]  ; (9214 <android::sp<android::IBinder>::~sp()+0x344>)
    915a:   4479        add r1, pc
    915c:   f7ff edac   blx 8cb8 <android::String16::String16(char const*)@plt>
    9160:   4631        mov r1, r6
    9162:   4620        mov r0, r4
    9164:   f7ff edc6   blx 8cf4 <android::Parcel::writeString16(android::String16 const&)@plt>
    9168:   4630        mov r0, r6
    916a:   f7ff edac   blx 8cc4 <android::String16::~String16()@plt>
    916e:   2100        movs    r1, #0
    9170:   4620        mov r0, r4
    9172:   ae02        add r6, sp, #8
    9174:   f7ff edc4   blx 8d00 <android::Parcel::writeInt32(int)@plt>
    9178:   2100        movs    r1, #0
    917a:   4620        mov r0, r4
    917c:   f7ff edc0   blx 8d00 <android::Parcel::writeInt32(int)@plt>
    9180:   f04f 31ff   mov.w   r1, #4294967295 ; 0xffffffff
    9184:   4620        mov r0, r4
    9186:   f7ff edbc   blx 8d00 <android::Parcel::writeInt32(int)@plt>
    918a:   9824        ldr r0, [sp, #144]  ; 0x90
    918c:   2100        movs    r1, #0
    918e:   6803        ldr r3, [r0, #0]
    9190:   4622        mov r2, r4
    9192:   9100        str r1, [sp, #0]
    9194:   210e        movs    r1, #14
    9196:   695f        ldr r7, [r3, #20]
    9198:   4633        mov r3, r6
    919a:   47b8        blx r7
    919c:   2800        cmp r0, #0
    919e:   bfb4        ite lt
    91a0:   f04f 37ff   movlt.w r7, #4294967295 ; 0xffffffff
    91a4:   2700        movge   r7, #0
    91a6:   4630        mov r0, r6
    91a8:   f7ff edc2   blx 8d30 <android::Parcel::~Parcel()@plt>
    91ac:   4620        mov r0, r4
    91ae:   f7ff edc0   blx 8d30 <android::Parcel::~Parcel()@plt>
    91b2:   a824        add r0, sp, #144    ; 0x90
    91b4:   f7ff fe8c   bl  8ed0 <android::sp<android::IBinder>::~sp()>
    91b8:   9b25        ldr r3, [sp, #148]  ; 0x94
    91ba:   b133        cbz r3, 91ca <android::sp<android::IBinder>::~sp()+0x2fa>
    91bc:   681a        ldr r2, [r3, #0]
    91be:   a925        add r1, sp, #148    ; 0x94
    91c0:   f852 0c0c   ldr.w   r0, [r2, #-12]
    91c4:   1818        adds    r0, r3, r0
    91c6:   f7ff ed5a   blx 8c7c <android::RefBase::decStrong(void const*) const@plt>
    91ca:   993d        ldr r1, [sp, #244]  ; 0xf4
    91cc:   f8df c01c   ldr.w   ip, [pc, #28]   ; 91ec <android::sp<android::IBinder>::~sp()+0x31c>
    91d0:   4638        mov r0, r7
    91d2:   f855 200c   ldr.w   r2, [r5, ip]
    91d6:   6813        ldr r3, [r2, #0]
    91d8:   4299        cmp r1, r3
    91da:   d001        beq.n   91e0 <android::sp<android::IBinder>::~sp()+0x310>
    91dc:   f7ff edae   blx 8d3c <__stack_chk_fail@plt>
    91e0:   b03f        add sp, #252    ; 0xfc
    91e2:   e8bd 8ff0   ldmia.w sp!, {r4, r5, r6, r7, r8, r9, sl, fp, pc}
    91e6:   bf00        nop
    91e8:   4e42        ldr r6, [pc, #264]  ; (92f4 <android::sp<android::IBinder>::~sp()+0x424>)
    91ea:   4c44        ldr r4, [pc, #272]  ; (92fc <android::sp<android::IBinder>::~sp()+0x42c>)
    91ec:   fffc ffff           ; <UNDEFINED> instruction: 0xfffcffff
    91f0:   1206        asrs    r6, r0, #8
    91f2:   0000        movs    r0, r0
    91f4:   0afc        lsrs    r4, r7, #11
    91f6:   0000        movs    r0, r0
    91f8:   0b0d        lsrs    r5, r1, #12
    91fa:   0000        movs    r0, r0
    91fc:   0aef        lsrs    r7, r5, #11
    91fe:   0000        movs    r0, r0
    9200:   0abe        lsrs    r6, r7, #10
    9202:   0000        movs    r0, r0
    9204:   0aa7        lsrs    r7, r4, #10
    9206:   0000        movs    r0, r0
    9208:   0a35        lsrs    r5, r6, #8
    920a:   0000        movs    r0, r0
    920c:   09ff        lsrs    r7, r7, #7
    920e:   0000        movs    r0, r0
    9210:   09d1        lsrs    r1, r2, #7
    9212:   0000        movs    r0, r0
    9214:   093f        lsrs    r7, r7, #4
    9216:   0000        movs    r0, r0
    9218:   e92d 4ff0   stmdb   sp!, {r4, r5, r6, r7, r8, r9, sl, fp, lr}
    921c:   f8df 92e8   ldr.w   r9, [pc, #744]  ; 9508 <android::sp<android::IBinder>::~sp()+0x638>
    9220:   b0bf        sub sp, #252    ; 0xfc
    9222:   4dba        ldr r5, [pc, #744]  ; (950c <android::sp<android::IBinder>::~sp()+0x63c>)
    9224:   4680        mov r8, r0
    9226:   447d        add r5, pc
    9228:   460f        mov r7, r1
    922a:   f855 6009   ldr.w   r6, [r5, r9]
    922e:   2130        movs    r1, #48 ; 0x30
    9230:   4692        mov sl, r2
    9232:   9126        str r1, [sp, #152]  ; 0x98
    9234:   6832        ldr r2, [r6, #0]
    9236:   2100        movs    r1, #0
    9238:   923d        str r2, [sp, #244]  ; 0xf4
    923a:   a827        add r0, sp, #156    ; 0x9c
    923c:   2258        movs    r2, #88 ; 0x58
    923e:   f7ff ed24   blx 8c88 <memset@plt>
    9242:   ac26        add r4, sp, #152    ; 0x98
    9244:   48b2        ldr r0, [pc, #712]  ; (9510 <android::sp<android::IBinder>::~sp()+0x640>)
    9246:   4621        mov r1, r4
    9248:   4478        add r0, pc
    924a:   4ab2        ldr r2, [pc, #712]  ; (9514 <android::sp<android::IBinder>::~sp()+0x644>)
    924c:   447a        add r2, pc
    924e:   ae23        add r6, sp, #140    ; 0x8c
    9250:   f7ff ed20   blx 8c94 <property_get@plt>
    9254:   4620        mov r0, r4
    9256:   f7ff ed24   blx 8ca0 <atoi@plt>
    925a:   4604        mov r4, r0
    925c:   a825        add r0, sp, #148    ; 0x94
    925e:   f7ff ed26   blx 8cac <android::defaultServiceManager()@plt>
    9262:   f8dd b094   ldr.w   fp, [sp, #148]  ; 0x94
    9266:   49ac        ldr r1, [pc, #688]  ; (9518 <android::sp<android::IBinder>::~sp()+0x648>)
    9268:   f8db 0000   ldr.w   r0, [fp]
    926c:   4479        add r1, pc
    926e:   f8d0 9014   ldr.w   r9, [r0, #20]
    9272:   4630        mov r0, r6
    9274:   f7ff ed20   blx 8cb8 <android::String16::String16(char const*)@plt>
    9278:   a824        add r0, sp, #144    ; 0x90
    927a:   4659        mov r1, fp
    927c:   4632        mov r2, r6
    927e:   47c8        blx r9
    9280:   4630        mov r0, r6
    9282:   f7ff ed20   blx 8cc4 <android::String16::~String16()@plt>
    9286:   9b24        ldr r3, [sp, #144]  ; 0x90
    9288:   b913        cbnz    r3, 9290 <android::sp<android::IBinder>::~sp()+0x3c0>
    928a:   f04f 37ff   mov.w   r7, #4294967295 ; 0xffffffff
    928e:   e11f        b.n 94d0 <android::sp<android::IBinder>::~sp()+0x600>
    9290:   ae0f        add r6, sp, #60 ; 0x3c
    9292:   4630        mov r0, r6
    9294:   f7ff ed1c   blx 8cd0 <android::Parcel::Parcel()@plt>
    9298:   a803        add r0, sp, #12
    929a:   f7ff ed1a   blx 8cd0 <android::Parcel::Parcel()@plt>
    929e:   f10d 0988   add.w   r9, sp, #136    ; 0x88
    92a2:   499e        ldr r1, [pc, #632]  ; (951c <android::sp<android::IBinder>::~sp()+0x64c>)
    92a4:   4648        mov r0, r9
    92a6:   4479        add r1, pc
    92a8:   f7ff ed06   blx 8cb8 <android::String16::String16(char const*)@plt>
    92ac:   4649        mov r1, r9
    92ae:   4630        mov r0, r6
    92b0:   f7ff ed14   blx 8cdc <android::Parcel::writeInterfaceToken(android::String16 const&)@plt>
    92b4:   4648        mov r0, r9
    92b6:   f7ff ed06   blx 8cc4 <android::String16::~String16()@plt>
    92ba:   f10d 0984   add.w   r9, sp, #132    ; 0x84
    92be:   4648        mov r0, r9
    92c0:   f7ff fe14   bl  8eec <android::sp<android::IBinder>::~sp()+0x1c>
    92c4:   4649        mov r1, r9
    92c6:   4630        mov r0, r6
    92c8:   f7ff ed0e   blx 8ce8 <android::Parcel::writeStrongBinder(android::sp<android::IBinder> const&)@plt>
    92cc:   4648        mov r0, r9
    92ce:   f7ff fdff   bl  8ed0 <android::sp<android::IBinder>::~sp()>
    92d2:   f10d 0980   add.w   r9, sp, #128    ; 0x80
    92d6:   4992        ldr r1, [pc, #584]  ; (9520 <android::sp<android::IBinder>::~sp()+0x650>)
    92d8:   4648        mov r0, r9
    92da:   4479        add r1, pc
    92dc:   f7ff ecec   blx 8cb8 <android::String16::String16(char const*)@plt>
    92e0:   4649        mov r1, r9
    92e2:   4630        mov r0, r6
    92e4:   f7ff ed06   blx 8cf4 <android::Parcel::writeString16(android::String16 const&)@plt>
    92e8:   4648        mov r0, r9
    92ea:   f7ff ecec   blx 8cc4 <android::String16::~String16()@plt>
    92ee:   2100        movs    r1, #0
    92f0:   4630        mov r0, r6
    92f2:   f7ff ed06   blx 8d00 <android::Parcel::writeInt32(int)@plt>
    92f6:   2100        movs    r1, #0
    92f8:   4630        mov r0, r6
    92fa:   460a        mov r2, r1
    92fc:   f7ff ed06   blx 8d0c <android::Parcel::writeString16(unsigned short const*, unsigned int)@plt>
    9300:   2100        movs    r1, #0
    9302:   4630        mov r0, r6
    9304:   f7ff ecfc   blx 8d00 <android::Parcel::writeInt32(int)@plt>
    9308:   2c03        cmp r4, #3
    930a:   dd04        ble.n   9316 <android::sp<android::IBinder>::~sp()+0x446>
    930c:   2100        movs    r1, #0
    930e:   4630        mov r0, r6
    9310:   460a        mov r2, r1
    9312:   f7ff ecfc   blx 8d0c <android::Parcel::writeString16(unsigned short const*, unsigned int)@plt>
    9316:   2100        movs    r1, #0
    9318:   ae0f        add r6, sp, #60 ; 0x3c
    931a:   460a        mov r2, r1
    931c:   4630        mov r0, r6
    931e:   f7ff ecf6   blx 8d0c <android::Parcel::writeString16(unsigned short const*, unsigned int)@plt>
    9322:   2100        movs    r1, #0
    9324:   4630        mov r0, r6
    9326:   f7ff ecec   blx 8d00 <android::Parcel::writeInt32(int)@plt>
    932a:   2c06        cmp r4, #6
    932c:   dd09        ble.n   9342 <android::sp<android::IBinder>::~sp()+0x472>
    932e:   2100        movs    r1, #0
    9330:   4630        mov r0, r6
    9332:   f7ff ece6   blx 8d00 <android::Parcel::writeInt32(int)@plt>
    9336:   2c0e        cmp r4, #14
    9338:   dd03        ble.n   9342 <android::sp<android::IBinder>::~sp()+0x472>
    933a:   4630        mov r0, r6
    933c:   2100        movs    r1, #0
    933e:   f7ff ece0   blx 8d00 <android::Parcel::writeInt32(int)@plt>
    9342:   ac0f        add r4, sp, #60 ; 0x3c
    9344:   f04f 31ff   mov.w   r1, #4294967295 ; 0xffffffff
    9348:   4620        mov r0, r4
    934a:   ae1f        add r6, sp, #124    ; 0x7c
    934c:   f7ff ecd8   blx 8d00 <android::Parcel::writeInt32(int)@plt>
    9350:   4620        mov r0, r4
    9352:   f7ff ece2   blx 8d18 <android::Parcel::dataPosition() const@plt>
    9356:   496b        ldr r1, [pc, #428]  ; (9504 <android::sp<android::IBinder>::~sp()+0x634>)
    9358:   4681        mov r9, r0
    935a:   4620        mov r0, r4
    935c:   f7ff ecd0   blx 8d00 <android::Parcel::writeInt32(int)@plt>
    9360:   2107        movs    r1, #7
    9362:   4620        mov r0, r4
    9364:   f7ff eccc   blx 8d00 <android::Parcel::writeInt32(int)@plt>
    9368:   2100        movs    r1, #0
    936a:   4620        mov r0, r4
    936c:   f7ff ecc8   blx 8d00 <android::Parcel::writeInt32(int)@plt>
    9370:   4630        mov r0, r6
    9372:   496c        ldr r1, [pc, #432]  ; (9524 <android::sp<android::IBinder>::~sp()+0x654>)
    9374:   4479        add r1, pc
    9376:   f7ff eca0   blx 8cb8 <android::String16::String16(char const*)@plt>
    937a:   4631        mov r1, r6
    937c:   4620        mov r0, r4
    937e:   f7ff ecba   blx 8cf4 <android::Parcel::writeString16(android::String16 const&)@plt>
    9382:   4630        mov r0, r6
    9384:   f7ff ec9e   blx 8cc4 <android::String16::~String16()@plt>
    9388:   2101        movs    r1, #1
    938a:   4620        mov r0, r4
    938c:   ae1e        add r6, sp, #120    ; 0x78
    938e:   f7ff ecb8   blx 8d00 <android::Parcel::writeInt32(int)@plt>
    9392:   4641        mov r1, r8
    9394:   4620        mov r0, r4
    9396:   f7ff ecb4   blx 8d00 <android::Parcel::writeInt32(int)@plt>
    939a:   2100        movs    r1, #0
    939c:   4620        mov r0, r4
    939e:   f7ff ecb0   blx 8d00 <android::Parcel::writeInt32(int)@plt>
    93a2:   4630        mov r0, r6
    93a4:   4960        ldr r1, [pc, #384]  ; (9528 <android::sp<android::IBinder>::~sp()+0x658>)
    93a6:   4479        add r1, pc
    93a8:   f7ff ec86   blx 8cb8 <android::String16::String16(char const*)@plt>
    93ac:   4631        mov r1, r6
    93ae:   4620        mov r0, r4
    93b0:   f7ff eca0   blx 8cf4 <android::Parcel::writeString16(android::String16 const&)@plt>
    93b4:   4630        mov r0, r6
    93b6:   f7ff ec86   blx 8cc4 <android::String16::~String16()@plt>
    93ba:   2101        movs    r1, #1
    93bc:   4620        mov r0, r4
    93be:   f7ff eca0   blx 8d00 <android::Parcel::writeInt32(int)@plt>
    93c2:   4639        mov r1, r7
    93c4:   4620        mov r0, r4
    93c6:   af1d        add r7, sp, #116    ; 0x74
    93c8:   f7ff ec9a   blx 8d00 <android::Parcel::writeInt32(int)@plt>
    93cc:   2100        movs    r1, #0
    93ce:   4620        mov r0, r4
    93d0:   f7ff ec96   blx 8d00 <android::Parcel::writeInt32(int)@plt>
    93d4:   4638        mov r0, r7
    93d6:   4955        ldr r1, [pc, #340]  ; (952c <android::sp<android::IBinder>::~sp()+0x65c>)
    93d8:   4479        add r1, pc
    93da:   f7ff ec6e   blx 8cb8 <android::String16::String16(char const*)@plt>
    93de:   4639        mov r1, r7
    93e0:   4620        mov r0, r4
    93e2:   f7ff ec88   blx 8cf4 <android::Parcel::writeString16(android::String16 const&)@plt>
    93e6:   4638        mov r0, r7
    93e8:   f7ff ec6c   blx 8cc4 <android::String16::~String16()@plt>
    93ec:   2101        movs    r1, #1
    93ee:   4620        mov r0, r4
    93f0:   af1c        add r7, sp, #112    ; 0x70
    93f2:   f7ff ec86   blx 8d00 <android::Parcel::writeInt32(int)@plt>
    93f6:   4651        mov r1, sl
    93f8:   4620        mov r0, r4
    93fa:   f7ff ec82   blx 8d00 <android::Parcel::writeInt32(int)@plt>
    93fe:   4620        mov r0, r4
    9400:   f7ff ec8a   blx 8d18 <android::Parcel::dataPosition() const@plt>
    9404:   f1a9 0104   sub.w   r1, r9, #4
    9408:   4606        mov r6, r0
    940a:   4620        mov r0, r4
    940c:   f7ff ec8a   blx 8d24 <android::Parcel::setDataPosition(unsigned int) const@plt>
    9410:   ebc9 0106   rsb r1, r9, r6
    9414:   4620        mov r0, r4
    9416:   f7ff ec74   blx 8d00 <android::Parcel::writeInt32(int)@plt>
    941a:   4631        mov r1, r6
    941c:   4620        mov r0, r4
    941e:   ae1b        add r6, sp, #108    ; 0x6c
    9420:   f7ff ec80   blx 8d24 <android::Parcel::setDataPosition(unsigned int) const@plt>
    9424:   2100        movs    r1, #0
    9426:   4620        mov r0, r4
    9428:   460a        mov r2, r1
    942a:   f7ff ec70   blx 8d0c <android::Parcel::writeString16(unsigned short const*, unsigned int)@plt>
    942e:   f04f 31ff   mov.w   r1, #4294967295 ; 0xffffffff
    9432:   4620        mov r0, r4
    9434:   f7ff ec64   blx 8d00 <android::Parcel::writeInt32(int)@plt>
    9438:   4638        mov r0, r7
    943a:   f7ff fd57   bl  8eec <android::sp<android::IBinder>::~sp()+0x1c>
    943e:   4639        mov r1, r7
    9440:   4620        mov r0, r4
    9442:   f7ff ec52   blx 8ce8 <android::Parcel::writeStrongBinder(android::sp<android::IBinder> const&)@plt>
    9446:   4638        mov r0, r7
    9448:   f7ff fd42   bl  8ed0 <android::sp<android::IBinder>::~sp()>
    944c:   f04f 31ff   mov.w   r1, #4294967295 ; 0xffffffff
    9450:   4620        mov r0, r4
    9452:   f7ff ec56   blx 8d00 <android::Parcel::writeInt32(int)@plt>
    9456:   2100        movs    r1, #0
    9458:   4620        mov r0, r4
    945a:   460a        mov r2, r1
    945c:   f7ff ec56   blx 8d0c <android::Parcel::writeString16(unsigned short const*, unsigned int)@plt>
    9460:   f04f 31ff   mov.w   r1, #4294967295 ; 0xffffffff
    9464:   4620        mov r0, r4
    9466:   f7ff ec4c   blx 8d00 <android::Parcel::writeInt32(int)@plt>
    946a:   4630        mov r0, r6
    946c:   4930        ldr r1, [pc, #192]  ; (9530 <android::sp<android::IBinder>::~sp()+0x660>)
    946e:   4479        add r1, pc
    9470:   f7ff ec22   blx 8cb8 <android::String16::String16(char const*)@plt>
    9474:   4631        mov r1, r6
    9476:   4620        mov r0, r4
    9478:   f7ff ec3c   blx 8cf4 <android::Parcel::writeString16(android::String16 const&)@plt>
    947c:   4630        mov r0, r6
    947e:   f7ff ec22   blx 8cc4 <android::String16::~String16()@plt>
    9482:   2100        movs    r1, #0
    9484:   4620        mov r0, r4
    9486:   460a        mov r2, r1
    9488:   f7ff ec40   blx 8d0c <android::Parcel::writeString16(unsigned short const*, unsigned int)@plt>
    948c:   2100        movs    r1, #0
    948e:   4620        mov r0, r4
    9490:   ae03        add r6, sp, #12
    9492:   f7ff ec36   blx 8d00 <android::Parcel::writeInt32(int)@plt>
    9496:   2100        movs    r1, #0
    9498:   4620        mov r0, r4
    949a:   f7ff ec32   blx 8d00 <android::Parcel::writeInt32(int)@plt>
    949e:   f04f 31ff   mov.w   r1, #4294967295 ; 0xffffffff
    94a2:   4620        mov r0, r4
    94a4:   f7ff ec2c   blx 8d00 <android::Parcel::writeInt32(int)@plt>
    94a8:   9824        ldr r0, [sp, #144]  ; 0x90
    94aa:   2100        movs    r1, #0
    94ac:   6803        ldr r3, [r0, #0]
    94ae:   4622        mov r2, r4
    94b0:   9100        str r1, [sp, #0]
    94b2:   210e        movs    r1, #14
    94b4:   695f        ldr r7, [r3, #20]
    94b6:   4633        mov r3, r6
    94b8:   47b8        blx r7
    94ba:   2800        cmp r0, #0
    94bc:   bfb4        ite lt
    94be:   f04f 37ff   movlt.w r7, #4294967295 ; 0xffffffff
    94c2:   2700        movge   r7, #0
    94c4:   4630        mov r0, r6
    94c6:   f7ff ec34   blx 8d30 <android::Parcel::~Parcel()@plt>
    94ca:   4620        mov r0, r4
    94cc:   f7ff ec30   blx 8d30 <android::Parcel::~Parcel()@plt>
    94d0:   a824        add r0, sp, #144    ; 0x90
    94d2:   f7ff fcfd   bl  8ed0 <android::sp<android::IBinder>::~sp()>
    94d6:   9b25        ldr r3, [sp, #148]  ; 0x94
    94d8:   b133        cbz r3, 94e8 <android::sp<android::IBinder>::~sp()+0x618>
    94da:   681a        ldr r2, [r3, #0]
    94dc:   a925        add r1, sp, #148    ; 0x94
    94de:   f852 0c0c   ldr.w   r0, [r2, #-12]
    94e2:   1818        adds    r0, r3, r0
    94e4:   f7ff ebca   blx 8c7c <android::RefBase::decStrong(void const*) const@plt>
    94e8:   993d        ldr r1, [sp, #244]  ; 0xf4
    94ea:   f8df c01c   ldr.w   ip, [pc, #28]   ; 9508 <android::sp<android::IBinder>::~sp()+0x638>
    94ee:   4638        mov r0, r7
    94f0:   f855 200c   ldr.w   r2, [r5, ip]
    94f4:   6813        ldr r3, [r2, #0]
    94f6:   4299        cmp r1, r3
    94f8:   d001        beq.n   94fe <android::sp<android::IBinder>::~sp()+0x62e>
    94fa:   f7ff ec20   blx 8d3c <__stack_chk_fail@plt>
    94fe:   b03f        add sp, #252    ; 0xfc
    9500:   e8bd 8ff0   ldmia.w sp!, {r4, r5, r6, r7, r8, r9, sl, fp, pc}
    9504:   4e42        ldr r6, [pc, #264]  ; (9610 <android::sp<android::IBinder>::~sp()+0x740>)
    9506:   4c44        ldr r4, [pc, #272]  ; (9618 <android::sp<android::IBinder>::~sp()+0x748>)
    9508:   fffc ffff           ; <UNDEFINED> instruction: 0xfffcffff
    950c:   0ee2        lsrs    r2, r4, #27
    950e:   0000        movs    r0, r0
    9510:   07d8        lsls    r0, r3, #31
    9512:   0000        movs    r0, r0
    9514:   07e9        lsls    r1, r5, #31
    9516:   0000        movs    r0, r0
    9518:   07cb        lsls    r3, r1, #31
    951a:   0000        movs    r0, r0
    951c:   079a        lsls    r2, r3, #30
    951e:   0000        movs    r0, r0
    9520:   07e9        lsls    r1, r5, #31
    9522:   0000        movs    r0, r0
    9524:   0778        lsls    r0, r7, #29
    9526:   0000        movs    r0, r0
    9528:   06eb        lsls    r3, r5, #27
    952a:   0000        movs    r0, r0
    952c:   06bd        lsls    r5, r7, #26
    952e:   0000        movs    r0, r0
    9530:   062b        lsls    r3, r5, #24
    9532:   0000        movs    r0, r0
    9534:   b510        push    {r4, lr}
    9536:   480f        ldr r0, [pc, #60]   ; (9574 <android::sp<android::IBinder>::~sp()+0x6a4>)
    9538:   4478        add r0, pc
    953a:   f7ff ec06   blx 8d48 <puts@plt>
    953e:   480e        ldr r0, [pc, #56]   ; (9578 <android::sp<android::IBinder>::~sp()+0x6a8>)
    9540:   4478        add r0, pc
    9542:   f7ff ec02   blx 8d48 <puts@plt>
    9546:   480d        ldr r0, [pc, #52]   ; (957c <android::sp<android::IBinder>::~sp()+0x6ac>)
    9548:   4478        add r0, pc
    954a:   f7ff ebfe   blx 8d48 <puts@plt>
    954e:   480c        ldr r0, [pc, #48]   ; (9580 <android::sp<android::IBinder>::~sp()+0x6b0>)
    9550:   4478        add r0, pc
    9552:   f7ff ebfa   blx 8d48 <puts@plt>
    9556:   200a        movs    r0, #10
    9558:   f7ff ebfc   blx 8d54 <putchar@plt>
    955c:   4809        ldr r0, [pc, #36]   ; (9584 <android::sp<android::IBinder>::~sp()+0x6b4>)
    955e:   4478        add r0, pc
    9560:   f7ff ebf2   blx 8d48 <puts@plt>
    9564:   4808        ldr r0, [pc, #32]   ; (9588 <android::sp<android::IBinder>::~sp()+0x6b8>)
    9566:   4478        add r0, pc
    9568:   f7ff ebee   blx 8d48 <puts@plt>
    956c:   2000        movs    r0, #0
    956e:   f7ff ebf8   blx 8d60 <exit@plt>
    9572:   bf00        nop
    9574:   05c1        lsls    r1, r0, #23
    9576:   0000        movs    r0, r0
    9578:   05cd        lsls    r5, r1, #23
    957a:   0000        movs    r0, r0
    957c:   05ce        lsls    r6, r1, #23
    957e:   0000        movs    r0, r0
    9580:   05e3        lsls    r3, r4, #23
    9582:   0000        movs    r0, r0
    9584:   05ee        lsls    r6, r5, #23
    9586:   0000        movs    r0, r0
    9588:   05f6        lsls    r6, r6, #23
    958a:   0000        movs    r0, r0
    958c:   e92d 4ff0   stmdb   sp!, {r4, r5, r6, r7, r8, r9, sl, fp, lr}
    9590:   4930        ldr r1, [pc, #192]  ; (9654 <android::sp<android::IBinder>::~sp()+0x784>)
    9592:   b09f        sub sp, #124    ; 0x7c
    9594:   2200        movs    r2, #0
    9596:   4d30        ldr r5, [pc, #192]  ; (9658 <android::sp<android::IBinder>::~sp()+0x788>)
    9598:   447d        add r5, pc
    959a:   5868        ldr r0, [r5, r1]
    959c:   6803        ldr r3, [r0, #0]
    959e:   2001        movs    r0, #1
    95a0:   4601        mov r1, r0
    95a2:   931d        str r3, [sp, #116]  ; 0x74
    95a4:   f7ff ebe2   blx 8d6c <socket@plt>
    95a8:   4604        mov r4, r0
    95aa:   2800        cmp r0, #0
    95ac:   bfb8        it  lt
    95ae:   f04f 34ff   movlt.w r4, #4294967295 ; 0xffffffff
    95b2:   db40        blt.n   9636 <android::sp<android::IBinder>::~sp()+0x766>
    95b4:   f10d 0904   add.w   r9, sp, #4
    95b8:   4f28        ldr r7, [pc, #160]  ; (965c <android::sp<android::IBinder>::~sp()+0x78c>)
    95ba:   f8df 80a4   ldr.w   r8, [pc, #164]  ; 9660 <android::sp<android::IBinder>::~sp()+0x790>
    95be:   4e29        ldr r6, [pc, #164]  ; (9664 <android::sp<android::IBinder>::~sp()+0x794>)
    95c0:   f8df a0a4   ldr.w   sl, [pc, #164]  ; 9668 <android::sp<android::IBinder>::~sp()+0x798>
    95c4:   447f        add r7, pc
    95c6:   44f8        add r8, pc
    95c8:   447e        add r6, pc
    95ca:   f109 0b02   add.w   fp, r9, #2
    95ce:   44fa        add sl, pc
    95d0:   2100        movs    r1, #0
    95d2:   226e        movs    r2, #110    ; 0x6e
    95d4:   4648        mov r0, r9
    95d6:   f7ff eb58   blx 8c88 <memset@plt>
    95da:   4641        mov r1, r8
    95dc:   4638        mov r0, r7
    95de:   f04f 0201   mov.w   r2, #1
    95e2:   f8ad 2004   strh.w  r2, [sp, #4]
    95e6:   f7ff ebc8   blx 8d78 <strcpy@plt>
    95ea:   4638        mov r0, r7
    95ec:   f7ff ebca   blx 8d84 <mktemp@plt>
    95f0:   216c        movs    r1, #108    ; 0x6c
    95f2:   4603        mov r3, r0
    95f4:   4652        mov r2, sl
    95f6:   f846 0cf8   str.w   r0, [r6, #-248]
    95fa:   4658        mov r0, fp
    95fc:   f7ff ebc8   blx 8d90 <snprintf@plt>
    9600:   f856 0cf8   ldr.w   r0, [r6, #-248]
    9604:   f7ff ebca   blx 8d9c <unlink@plt>
    9608:   226e        movs    r2, #110    ; 0x6e
    960a:   4620        mov r0, r4
    960c:   4649        mov r1, r9
    960e:   f7ff ebcc   blx 8da8 <bind@plt>
    9612:   2800        cmp r0, #0
    9614:   da07        bge.n   9626 <android::sp<android::IBinder>::~sp()+0x756>
    9616:   f7ff ebce   blx 8db4 <__errno@plt>
    961a:   6803        ldr r3, [r0, #0]
    961c:   2b62        cmp r3, #98 ; 0x62
    961e:   d0d7        beq.n   95d0 <android::sp<android::IBinder>::~sp()+0x700>
    9620:   f06f 0401   mvn.w   r4, #1
    9624:   e007        b.n 9636 <android::sp<android::IBinder>::~sp()+0x766>
    9626:   4620        mov r0, r4
    9628:   2101        movs    r1, #1
    962a:   f7ff ebca   blx 8dc0 <listen@plt>
    962e:   2800        cmp r0, #0
    9630:   bfb8        it  lt
    9632:   f06f 0402   mvnlt.w r4, #2
    9636:   991d        ldr r1, [sp, #116]  ; 0x74
    9638:   f8df c018   ldr.w   ip, [pc, #24]   ; 9654 <android::sp<android::IBinder>::~sp()+0x784>
    963c:   4620        mov r0, r4
    963e:   f855 300c   ldr.w   r3, [r5, ip]
    9642:   681a        ldr r2, [r3, #0]
    9644:   4291        cmp r1, r2
    9646:   d001        beq.n   964c <android::sp<android::IBinder>::~sp()+0x77c>
    9648:   f7ff eb78   blx 8d3c <__stack_chk_fail@plt>
    964c:   b01f        add sp, #124    ; 0x7c
    964e:   e8bd 8ff0   ldmia.w sp!, {r4, r5, r6, r7, r8, r9, sl, fp, pc}
    9652:   bf00        nop
    9654:   fffc ffff           ; <UNDEFINED> instruction: 0xfffcffff
    9658:   0b70        lsrs    r0, r6, #13
    965a:   0000        movs    r0, r0
    965c:   0c28        lsrs    r0, r5, #16
    965e:   0000        movs    r0, r0
    9660:   05af        lsls    r7, r5, #22
    9662:   0000        movs    r0, r0
    9664:   1d1c        adds    r4, r3, #4
    9666:   0000        movs    r0, r0
    9668:   05e8        lsls    r0, r5, #23
    966a:   0000        movs    r0, r0
    966c:   b570        push    {r4, r5, r6, lr}
    966e:   2280        movs    r2, #128    ; 0x80
    9670:   b0a4        sub sp, #144    ; 0x90
    9672:   4605        mov r5, r0
    9674:   241e        movs    r4, #30
    9676:   ae02        add r6, sp, #8
    9678:   9422        str r4, [sp, #136]  ; 0x88
    967a:   4630        mov r0, r6
    967c:   2400        movs    r4, #0
    967e:   4621        mov r1, r4
    9680:   9423        str r4, [sp, #140]  ; 0x8c
    9682:   f7ff eb02   blx 8c88 <memset@plt>
    9686:   116b        asrs    r3, r5, #5
    9688:   2101        movs    r1, #1
    968a:   f10d 0c90   add.w   ip, sp, #144    ; 0x90
    968e:   f005 021f   and.w   r2, r5, #31
    9692:   eb0c 0083   add.w   r0, ip, r3, lsl #2
    9696:   fa11 f202   lsls.w  r2, r1, r2
    969a:   ab22        add r3, sp, #136    ; 0x88
    969c:   f850 1c88   ldr.w   r1, [r0, #-136]
    96a0:   430a        orrs    r2, r1
    96a2:   4631        mov r1, r6
    96a4:   f840 2c88   str.w   r2, [r0, #-136]
    96a8:   1c68        adds    r0, r5, #1
    96aa:   9300        str r3, [sp, #0]
    96ac:   4622        mov r2, r4
    96ae:   4623        mov r3, r4
    96b0:   f7ff eb8c   blx 8dcc <select@plt>
    96b4:   42a0        cmp r0, r4
    96b6:   dd06        ble.n   96c6 <android::sp<android::IBinder>::~sp()+0x7f6>
    96b8:   4628        mov r0, r5
    96ba:   4621        mov r1, r4
    96bc:   4622        mov r2, r4
    96be:   f7ff eb8c   blx 8dd8 <accept@plt>
    96c2:   42a0        cmp r0, r4
    96c4:   da01        bge.n   96ca <android::sp<android::IBinder>::~sp()+0x7fa>
    96c6:   f04f 30ff   mov.w   r0, #4294967295 ; 0xffffffff
    96ca:   b024        add sp, #144    ; 0x90
    96cc:   bd70        pop {r4, r5, r6, pc}
    96ce:   bf00        nop
    96d0:   b570        push    {r4, r5, r6, lr}
    96d2:   2000        movs    r0, #0
    96d4:   4b18        ldr r3, [pc, #96]   ; (9738 <android::sp<android::IBinder>::~sp()+0x868>)
    96d6:   447b        add r3, pc
    96d8:   685a        ldr r2, [r3, #4]
    96da:   6819        ldr r1, [r3, #0]
    96dc:   f7ff fd9c   bl  9218 <android::sp<android::IBinder>::~sp()+0x348>
    96e0:   4b16        ldr r3, [pc, #88]   ; (973c <android::sp<android::IBinder>::~sp()+0x86c>)
    96e2:   447b        add r3, pc
    96e4:   f853 2cf4   ldr.w   r2, [r3, #-244]
    96e8:   2a02        cmp r2, #2
    96ea:   dd1b        ble.n   9724 <android::sp<android::IBinder>::~sp()+0x854>
    96ec:   f853 4cf0   ldr.w   r4, [r3, #-240]
    96f0:   4913        ldr r1, [pc, #76]   ; (9740 <android::sp<android::IBinder>::~sp()+0x870>)
    96f2:   6865        ldr r5, [r4, #4]
    96f4:   4479        add r1, pc
    96f6:   4628        mov r0, r5
    96f8:   f7ff eb74   blx 8de4 <strcmp@plt>
    96fc:   b128        cbz r0, 970a <android::sp<android::IBinder>::~sp()+0x83a>
    96fe:   4911        ldr r1, [pc, #68]   ; (9744 <android::sp<android::IBinder>::~sp()+0x874>)
    9700:   4628        mov r0, r5
    9702:   4479        add r1, pc
    9704:   f7ff eb6e   blx 8de4 <strcmp@plt>
    9708:   b960        cbnz    r0, 9724 <android::sp<android::IBinder>::~sp()+0x854>
    970a:   f104 0108   add.w   r1, r4, #8
    970e:   68a0        ldr r0, [r4, #8]
    9710:   f7ff eb6e   blx 8df0 <execvp@plt>
    9714:   2800        cmp r0, #0
    9716:   da0c        bge.n   9732 <android::sp<android::IBinder>::~sp()+0x862>
    9718:   480b        ldr r0, [pc, #44]   ; (9748 <android::sp<android::IBinder>::~sp()+0x878>)
    971a:   4478        add r0, pc
    971c:   f7ff eb14   blx 8d48 <puts@plt>
    9720:   2001        movs    r0, #1
    9722:   e007        b.n 9734 <android::sp<android::IBinder>::~sp()+0x864>
    9724:   4809        ldr r0, [pc, #36]   ; (974c <android::sp<android::IBinder>::~sp()+0x87c>)
    9726:   490a        ldr r1, [pc, #40]   ; (9750 <android::sp<android::IBinder>::~sp()+0x880>)
    9728:   4478        add r0, pc
    972a:   4479        add r1, pc
    972c:   2200        movs    r2, #0
    972e:   f7ff eb66   blx 8dfc <execlp@plt>
    9732:   2000        movs    r0, #0
    9734:   bd70        pop {r4, r5, r6, pc}
    9736:   bf00        nop
    9738:   0af6        lsrs    r6, r6, #11
    973a:   0000        movs    r0, r0
    973c:   1c02        adds    r2, r0, #0
    973e:   0000        movs    r0, r0
    9740:   04c5        lsls    r5, r0, #19
    9742:   0000        movs    r0, r0
    9744:   04ba        lsls    r2, r7, #18
    9746:   0000        movs    r0, r0
    9748:   04ac        lsls    r4, r5, #18
    974a:   0000        movs    r0, r0
    974c:   04b4        lsls    r4, r6, #18
    974e:   0000        movs    r0, r0
    9750:   04c1        lsls    r1, r0, #19
    9752:   0000        movs    r0, r0
    9754:   b510        push    {r4, lr}
    9756:   4b05        ldr r3, [pc, #20]   ; (976c <android::sp<android::IBinder>::~sp()+0x89c>)
    9758:   f04f 30ff   mov.w   r0, #4294967295 ; 0xffffffff
    975c:   447b        add r3, pc
    975e:   6819        ldr r1, [r3, #0]
    9760:   685a        ldr r2, [r3, #4]
    9762:   f7ff fd59   bl  9218 <android::sp<android::IBinder>::~sp()+0x348>
    9766:   2001        movs    r0, #1
    9768:   bd10        pop {r4, pc}
    976a:   bf00        nop
    976c:   0a70        lsrs    r0, r6, #9
    976e:   0000        movs    r0, r0
    9770:   b510        push    {r4, lr}
    9772:   4c07        ldr r4, [pc, #28]   ; (9790 <android::sp<android::IBinder>::~sp()+0x8c0>)
    9774:   447c        add r4, pc
    9776:   f854 0cf8   ldr.w   r0, [r4, #-248]
    977a:   f7ff eb10   blx 8d9c <unlink@plt>
    977e:   f854 0cf0   ldr.w   r0, [r4, #-240]
    9782:   b120        cbz r0, 978e <android::sp<android::IBinder>::~sp()+0x8be>
    9784:   f7ff eb40   blx 8e08 <free@plt>
    9788:   2300        movs    r3, #0
    978a:   f844 3cf0   str.w   r3, [r4, #-240]
    978e:   bd10        pop {r4, pc}
    9790:   1b70        subs    r0, r6, r5
    9792:   0000        movs    r0, r0
    9794:   b510        push    {r4, lr}
    9796:   f7ff ffeb   bl  9770 <android::sp<android::IBinder>::~sp()+0x8a0>
    979a:   bd10        pop {r4, pc}
    979c:   b510        push    {r4, lr}
    979e:   4604        mov r4, r0
    97a0:   f7ff ffe6   bl  9770 <android::sp<android::IBinder>::~sp()+0x8a0>
    97a4:   4620        mov r0, r4
    97a6:   f7ff eadc   blx 8d60 <exit@plt>
    97aa:   bf00        nop
    97ac:   b570        push    {r4, r5, r6, lr}
    97ae:   4605        mov r5, r0
    97b0:   460c        mov r4, r1
    97b2:   4628        mov r0, r5
    97b4:   f7ff ff5a   bl  966c <android::sp<android::IBinder>::~sp()+0x79c>
    97b8:   2800        cmp r0, #0
    97ba:   db0a        blt.n   97d2 <android::sp<android::IBinder>::~sp()+0x902>
    97bc:   223f        movs    r2, #63 ; 0x3f
    97be:   4621        mov r1, r4
    97c0:   f7ff eb28   blx 8e14 <read@plt>
    97c4:   2800        cmp r0, #0
    97c6:   db04        blt.n   97d2 <android::sp<android::IBinder>::~sp()+0x902>
    97c8:   d0f3        beq.n   97b2 <android::sp<android::IBinder>::~sp()+0x8e2>
    97ca:   2300        movs    r3, #0
    97cc:   5423        strb    r3, [r4, r0]
    97ce:   4618        mov r0, r3
    97d0:   e001        b.n 97d6 <android::sp<android::IBinder>::~sp()+0x906>
    97d2:   f04f 30ff   mov.w   r0, #4294967295 ; 0xffffffff
    97d6:   bd70        pop {r4, r5, r6, pc}
    97d8:   b5f0        push    {r4, r5, r6, r7, lr}
    97da:   4606        mov r6, r0
    97dc:   b0ed        sub sp, #436    ; 0x1b4
    97de:   4d7a        ldr r5, [pc, #488]  ; (99c8 <android::sp<android::IBinder>::~sp()+0xaf8>)
    97e0:   460f        mov r7, r1
    97e2:   447d        add r5, pc
    97e4:   4979        ldr r1, [pc, #484]  ; (99cc <android::sp<android::IBinder>::~sp()+0xafc>)
    97e6:   5868        ldr r0, [r5, r1]
    97e8:   2e02        cmp r6, #2
    97ea:   6803        ldr r3, [r0, #0]
    97ec:   936b        str r3, [sp, #428]  ; 0x1ac
    97ee:   d10e        bne.n   980e <android::sp<android::IBinder>::~sp()+0x93e>
    97f0:   687c        ldr r4, [r7, #4]
    97f2:   4977        ldr r1, [pc, #476]  ; (99d0 <android::sp<android::IBinder>::~sp()+0xb00>)
    97f4:   4620        mov r0, r4
    97f6:   4479        add r1, pc
    97f8:   f7ff eaf4   blx 8de4 <strcmp@plt>
    97fc:   b128        cbz r0, 980a <android::sp<android::IBinder>::~sp()+0x93a>
    97fe:   4975        ldr r1, [pc, #468]  ; (99d4 <android::sp<android::IBinder>::~sp()+0xb04>)
    9800:   4620        mov r0, r4
    9802:   4479        add r1, pc
    9804:   f7ff eaee   blx 8de4 <strcmp@plt>
    9808:   b908        cbnz    r0, 980e <android::sp<android::IBinder>::~sp()+0x93e>
    980a:   f7ff fe93   bl  9534 <android::sp<android::IBinder>::~sp()+0x664>
    980e:   1c72        adds    r2, r6, #1
    9810:   4c71        ldr r4, [pc, #452]  ; (99d8 <android::sp<android::IBinder>::~sp()+0xb08>)
    9812:   0090        lsls    r0, r2, #2
    9814:   447c        add r4, pc
    9816:   f844 6cf4   str.w   r6, [r4, #-244]
    981a:   f7ff eb02   blx 8e20 <malloc@plt>
    981e:   f844 0cf0   str.w   r0, [r4, #-240]
    9822:   b188        cbz r0, 9848 <android::sp<android::IBinder>::~sp()+0x978>
    9824:   f854 2cf4   ldr.w   r2, [r4, #-244]
    9828:   1c51        adds    r1, r2, #1
    982a:   008a        lsls    r2, r1, #2
    982c:   2100        movs    r1, #0
    982e:   f7ff ea2c   blx 8c88 <memset@plt>
    9832:   f854 3cf4   ldr.w   r3, [r4, #-244]
    9836:   f854 0cf0   ldr.w   r0, [r4, #-240]
    983a:   009a        lsls    r2, r3, #2
    983c:   4639        mov r1, r7
    983e:   f7ff eaf6   blx 8e2c <memcpy@plt>
    9842:   2e01        cmp r6, #1
    9844:   dc03        bgt.n   984e <android::sp<android::IBinder>::~sp()+0x97e>
    9846:   e012        b.n 986e <android::sp<android::IBinder>::~sp()+0x99e>
    9848:   f844 0cf4   str.w   r0, [r4, #-244]
    984c:   e0ab        b.n 99a6 <android::sp<android::IBinder>::~sp()+0xad6>
    984e:   4963        ldr r1, [pc, #396]  ; (99dc <android::sp<android::IBinder>::~sp()+0xb0c>)
    9850:   6878        ldr r0, [r7, #4]
    9852:   4479        add r1, pc
    9854:   f7ff eac6   blx 8de4 <strcmp@plt>
    9858:   4606        mov r6, r0
    985a:   b940        cbnz    r0, 986e <android::sp<android::IBinder>::~sp()+0x99e>
    985c:   4860        ldr r0, [pc, #384]  ; (99e0 <android::sp<android::IBinder>::~sp()+0xb10>)
    985e:   4478        add r0, pc
    9860:   f7ff ea72   blx 8d48 <puts@plt>
    9864:   4630        mov r0, r6
    9866:   f7ff eae8   blx 8e38 <setgid@plt>
    986a:   b358        cbz r0, 98c4 <android::sp<android::IBinder>::~sp()+0x9f4>
    986c:   e02d        b.n 98ca <android::sp<android::IBinder>::~sp()+0x9fa>
    986e:   f7ff eaea   blx 8e44 <getppid@plt>
    9872:   ae1b        add r6, sp, #108    ; 0x6c
    9874:   2100        movs    r1, #0
    9876:   f44f 7280   mov.w   r2, #256    ; 0x100
    987a:   4c5a        ldr r4, [pc, #360]  ; (99e4 <android::sp<android::IBinder>::~sp()+0xb14>)
    987c:   447c        add r4, pc
    987e:   6060        str r0, [r4, #4]
    9880:   4630        mov r0, r6
    9882:   f7ff ea02   blx 8c88 <memset@plt>
    9886:   6862        ldr r2, [r4, #4]
    9888:   4630        mov r0, r6
    988a:   4957        ldr r1, [pc, #348]  ; (99e8 <android::sp<android::IBinder>::~sp()+0xb18>)
    988c:   4479        add r1, pc
    988e:   466f        mov r7, sp
    9890:   f7ff eade   blx 8e50 <sprintf@plt>
    9894:   4630        mov r0, r6
    9896:   4669        mov r1, sp
    9898:   f7ff eae0   blx 8e5c <stat@plt>
    989c:   2240        movs    r2, #64 ; 0x40
    989e:   9e06        ldr r6, [sp, #24]
    98a0:   2100        movs    r1, #0
    98a2:   6026        str r6, [r4, #0]
    98a4:   ae5b        add r6, sp, #364    ; 0x16c
    98a6:   4630        mov r0, r6
    98a8:   f7ff e9ee   blx 8c88 <memset@plt>
    98ac:   f44f 71fc   mov.w   r1, #504    ; 0x1f8
    98b0:   484e        ldr r0, [pc, #312]  ; (99ec <android::sp<android::IBinder>::~sp()+0xb1c>)
    98b2:   4478        add r0, pc
    98b4:   f7ff ead8   blx 8e68 <mkdir@plt>
    98b8:   f7ff fe68   bl  958c <android::sp<android::IBinder>::~sp()+0x6bc>
    98bc:   60a0        str r0, [r4, #8]
    98be:   2800        cmp r0, #0
    98c0:   da33        bge.n   992a <android::sp<android::IBinder>::~sp()+0xa5a>
    98c2:   e02d        b.n 9920 <android::sp<android::IBinder>::~sp()+0xa50>
    98c4:   f7ff ead6   blx 8e74 <setuid@plt>
    98c8:   b110        cbz r0, 98d0 <android::sp<android::IBinder>::~sp()+0xa00>
    98ca:   4849        ldr r0, [pc, #292]  ; (99f0 <android::sp<android::IBinder>::~sp()+0xb20>)
    98cc:   4478        add r0, pc
    98ce:   e01b        b.n 9908 <android::sp<android::IBinder>::~sp()+0xa38>
    98d0:   f854 0cf4   ldr.w   r0, [r4, #-244]
    98d4:   2803        cmp r0, #3
    98d6:   dd1a        ble.n   990e <android::sp<android::IBinder>::~sp()+0xa3e>
    98d8:   f854 4cf0   ldr.w   r4, [r4, #-240]
    98dc:   4945        ldr r1, [pc, #276]  ; (99f4 <android::sp<android::IBinder>::~sp()+0xb24>)
    98de:   68a6        ldr r6, [r4, #8]
    98e0:   4479        add r1, pc
    98e2:   4630        mov r0, r6
    98e4:   f7ff ea7e   blx 8de4 <strcmp@plt>
    98e8:   b128        cbz r0, 98f6 <android::sp<android::IBinder>::~sp()+0xa26>
    98ea:   4943        ldr r1, [pc, #268]  ; (99f8 <android::sp<android::IBinder>::~sp()+0xb28>)
    98ec:   4630        mov r0, r6
    98ee:   4479        add r1, pc
    98f0:   f7ff ea78   blx 8de4 <strcmp@plt>
    98f4:   b958        cbnz    r0, 990e <android::sp<android::IBinder>::~sp()+0xa3e>
    98f6:   f104 010c   add.w   r1, r4, #12
    98fa:   68e0        ldr r0, [r4, #12]
    98fc:   f7ff ea78   blx 8df0 <execvp@plt>
    9900:   2800        cmp r0, #0
    9902:   da53        bge.n   99ac <android::sp<android::IBinder>::~sp()+0xadc>
    9904:   483d        ldr r0, [pc, #244]  ; (99fc <android::sp<android::IBinder>::~sp()+0xb2c>)
    9906:   4478        add r0, pc
    9908:   f7ff ea1e   blx 8d48 <puts@plt>
    990c:   e006        b.n 991c <android::sp<android::IBinder>::~sp()+0xa4c>
    990e:   483c        ldr r0, [pc, #240]  ; (9a00 <android::sp<android::IBinder>::~sp()+0xb30>)
    9910:   493c        ldr r1, [pc, #240]  ; (9a04 <android::sp<android::IBinder>::~sp()+0xb34>)
    9912:   4478        add r0, pc
    9914:   4479        add r1, pc
    9916:   2200        movs    r2, #0
    9918:   f7ff ea70   blx 8dfc <execlp@plt>
    991c:   2001        movs    r0, #1
    991e:   e046        b.n 99ae <android::sp<android::IBinder>::~sp()+0xade>
    9920:   f7ff ff18   bl  9754 <android::sp<android::IBinder>::~sp()+0x884>
    9924:   f04f 30ff   mov.w   r0, #4294967295 ; 0xffffffff
    9928:   e041        b.n 99ae <android::sp<android::IBinder>::~sp()+0xade>
    992a:   6862        ldr r2, [r4, #4]
    992c:   6821        ldr r1, [r4, #0]
    992e:   4f36        ldr r7, [pc, #216]  ; (9a08 <android::sp<android::IBinder>::~sp()+0xb38>)
    9930:   447f        add r7, pc
    9932:   f857 0cf8   ldr.w   r0, [r7, #-248]
    9936:   4d35        ldr r5, [pc, #212]  ; (9a0c <android::sp<android::IBinder>::~sp()+0xb3c>)
    9938:   f7ff fadc   bl  8ef4 <android::sp<android::IBinder>::~sp()+0x24>
    993c:   447d        add r5, pc
    993e:   2001        movs    r0, #1
    9940:   4629        mov r1, r5
    9942:   f7ff ea9e   blx 8e80 <bsd_signal@plt>
    9946:   200d        movs    r0, #13
    9948:   4629        mov r1, r5
    994a:   f7ff ea9a   blx 8e80 <bsd_signal@plt>
    994e:   200f        movs    r0, #15
    9950:   4629        mov r1, r5
    9952:   f7ff ea96   blx 8e80 <bsd_signal@plt>
    9956:   4629        mov r1, r5
    9958:   2006        movs    r0, #6
    995a:   f7ff ea92   blx 8e80 <bsd_signal@plt>
    995e:   482c        ldr r0, [pc, #176]  ; (9a10 <android::sp<android::IBinder>::~sp()+0xb40>)
    9960:   4478        add r0, pc
    9962:   f7ff ea94   blx 8e8c <atexit@plt>
    9966:   68a0        ldr r0, [r4, #8]
    9968:   4631        mov r1, r6
    996a:   f7ff ff1f   bl  97ac <android::sp<android::IBinder>::~sp()+0x8dc>
    996e:   2800        cmp r0, #0
    9970:   da08        bge.n   9984 <android::sp<android::IBinder>::~sp()+0xab4>
    9972:   f06f 0001   mvn.w   r0, #1
    9976:   6821        ldr r1, [r4, #0]
    9978:   6862        ldr r2, [r4, #4]
    997a:   f7ff fc4d   bl  9218 <android::sp<android::IBinder>::~sp()+0x348>
    997e:   2001        movs    r0, #1
    9980:   f7ff e9ee   blx 8d60 <exit@plt>
    9984:   4923        ldr r1, [pc, #140]  ; (9a14 <android::sp<android::IBinder>::~sp()+0xb44>)
    9986:   4630        mov r0, r6
    9988:   4479        add r1, pc
    998a:   f7ff ea2c   blx 8de4 <strcmp@plt>
    998e:   b150        cbz r0, 99a6 <android::sp<android::IBinder>::~sp()+0xad6>
    9990:   4921        ldr r1, [pc, #132]  ; (9a18 <android::sp<android::IBinder>::~sp()+0xb48>)
    9992:   4630        mov r0, r6
    9994:   4479        add r1, pc
    9996:   f7ff ea26   blx 8de4 <strcmp@plt>
    999a:   4604        mov r4, r0
    999c:   b918        cbnz    r0, 99a6 <android::sp<android::IBinder>::~sp()+0xad6>
    999e:   f7ff fe97   bl  96d0 <android::sp<android::IBinder>::~sp()+0x800>
    99a2:   4620        mov r0, r4
    99a4:   e7ec        b.n 9980 <android::sp<android::IBinder>::~sp()+0xab0>
    99a6:   f7ff fed5   bl  9754 <android::sp<android::IBinder>::~sp()+0x884>
    99aa:   e7e8        b.n 997e <android::sp<android::IBinder>::~sp()+0xaae>
    99ac:   2000        movs    r0, #0
    99ae:   996b        ldr r1, [sp, #428]  ; 0x1ac
    99b0:   f8df c018   ldr.w   ip, [pc, #24]   ; 99cc <android::sp<android::IBinder>::~sp()+0xafc>
    99b4:   f855 200c   ldr.w   r2, [r5, ip]
    99b8:   6813        ldr r3, [r2, #0]
    99ba:   4299        cmp r1, r3
    99bc:   d001        beq.n   99c2 <android::sp<android::IBinder>::~sp()+0xaf2>
    99be:   f7ff e9be   blx 8d3c <__stack_chk_fail@plt>
    99c2:   b06d        add sp, #436    ; 0x1b4
    99c4:   bdf0        pop {r4, r5, r6, r7, pc}
    99c6:   bf00        nop
    99c8:   0926        lsrs    r6, r4, #4
    99ca:   0000        movs    r0, r0
    99cc:   fffc ffff           ; <UNDEFINED> instruction: 0xfffcffff
    99d0:   03f8        lsls    r0, r7, #15
    99d2:   0000        movs    r0, r0
    99d4:   03ef        lsls    r7, r5, #15
    99d6:   0000        movs    r0, r0
    99d8:   1ad0        subs    r0, r2, r3
    99da:   0000        movs    r0, r0
    99dc:   03a6        lsls    r6, r4, #14
    99de:   0000        movs    r0, r0
    99e0:   03a7        lsls    r7, r4, #14
    99e2:   0000        movs    r0, r0
    99e4:   0950        lsrs    r0, r2, #5
    99e6:   0000        movs    r0, r0
    99e8:   0398        lsls    r0, r3, #14
    99ea:   0000        movs    r0, r0
    99ec:   037b        lsls    r3, r7, #13
    99ee:   0000        movs    r0, r0
    99f0:   038d        lsls    r5, r1, #14
    99f2:   0000        movs    r0, r0
    99f4:   02d9        lsls    r1, r3, #11
    99f6:   0000        movs    r0, r0
    99f8:   02ce        lsls    r6, r1, #11
    99fa:   0000        movs    r0, r0
    99fc:   0365        lsls    r5, r4, #13
    99fe:   0000        movs    r0, r0
    9a00:   02ca        lsls    r2, r1, #11
    9a02:   0000        movs    r0, r0
    9a04:   02d7        lsls    r7, r2, #11
    9a06:   0000        movs    r0, r0
    9a08:   19b4        adds    r4, r6, r6
    9a0a:   0000        movs    r0, r0
    9a0c:   fe5d ffff   mrc2    15, 2, pc, cr13, cr15, {7}
    9a10:   fe31 ffff   mrc2    15, 1, pc, cr1, cr15, {7}
    9a14:   02f6        lsls    r6, r6, #11
    9a16:   0000        movs    r0, r0
    9a18:   02ef        lsls    r7, r5, #11
    9a1a:   0000        movs    r0, r0
    9a1c:   f004 e51f           ; <UNDEFINED> instruction: 0xf004e51f
    9a20:   97d9        str r7, [sp, #868]  ; 0x364
    ...

I can see there are human-readable strings in the .rodata section. It's very likely that constant function call arguments are to be found in this section.

Reverse-engineering is largely an exercise in pattern identification and in this way it is one step removed from pathological pareidolia. Something Gestalt something something bicameral mind. This is why reliable information is so valuable in this process - it's what anchors us to the reality of the system under study.

So yeah. I'll have to watch out for addresses that point to .rodata.

The .text section in this file is large enough that figuring it out in its entirety would be a protracted exercise. Since what I really want is for this su to give me a root shell, I've decided to start from somewhere I know implements this behaviour I want and work my way back until I find out how I can trigger that.

I know thanks to nm(1) that my su imports setuid(3) through the PLT. The output of objdump very conveniently includes the names of PLT entries after the bl and blx function call instructions. As it happens, there's only one call to setuid, so I know that, no matter what, I want to execute the instruction at offset 0x98c4.

All that's left to do now is work my way up until I can figure out how I can cause su to execute this call. I've chosen to focus on the section of code in .text between this call and the first function header found before it, in this case the push {r4, r5, r6, r7, lr} at offset 0x97d8. Here's the relevant section of disassembled ARM code:

97d8:   b5f0        push    {r4, r5, r6, r7, lr}
97da:   4606        mov r6, r0
97dc:   b0ed        sub sp, #436    ; 0x1b4
97de:   4d7a        ldr r5, [pc, #488]  ; (99c8 <android::sp<android::IBinder>::~sp()+0xaf8>)
97e0:   460f        mov r7, r1
97e2:   447d        add r5, pc
97e4:   4979        ldr r1, [pc, #484]  ; (99cc <android::sp<android::IBinder>::~sp()+0xafc>)
97e6:   5868        ldr r0, [r5, r1]
97e8:   2e02        cmp r6, #2
97ea:   6803        ldr r3, [r0, #0]
97ec:   936b        str r3, [sp, #428]  ; 0x1ac
97ee:   d10e        bne.n   980e <android::sp<android::IBinder>::~sp()+0x93e>
97f0:   687c        ldr r4, [r7, #4]
97f2:   4977        ldr r1, [pc, #476]  ; (99d0 <android::sp<android::IBinder>::~sp()+0xb00>)
97f4:   4620        mov r0, r4
97f6:   4479        add r1, pc
97f8:   f7ff eaf4   blx 8de4 <strcmp@plt>
97fc:   b128        cbz r0, 980a <android::sp<android::IBinder>::~sp()+0x93a>
97fe:   4975        ldr r1, [pc, #468]  ; (99d4 <android::sp<android::IBinder>::~sp()+0xb04>)
9800:   4620        mov r0, r4
9802:   4479        add r1, pc
9804:   f7ff eaee   blx 8de4 <strcmp@plt>
9808:   b908        cbnz    r0, 980e <android::sp<android::IBinder>::~sp()+0x93e>
980a:   f7ff fe93   bl  9534 <android::sp<android::IBinder>::~sp()+0x664>
980e:   1c72        adds    r2, r6, #1
9810:   4c71        ldr r4, [pc, #452]  ; (99d8 <android::sp<android::IBinder>::~sp()+0xb08>)
9812:   0090        lsls    r0, r2, #2
9814:   447c        add r4, pc
9816:   f844 6cf4   str.w   r6, [r4, #-244]
981a:   f7ff eb02   blx 8e20 <malloc@plt>
981e:   f844 0cf0   str.w   r0, [r4, #-240]
9822:   b188        cbz r0, 9848 <android::sp<android::IBinder>::~sp()+0x978>
9824:   f854 2cf4   ldr.w   r2, [r4, #-244]
9828:   1c51        adds    r1, r2, #1
982a:   008a        lsls    r2, r1, #2
982c:   2100        movs    r1, #0
982e:   f7ff ea2c   blx 8c88 <memset@plt>
9832:   f854 3cf4   ldr.w   r3, [r4, #-244]
9836:   f854 0cf0   ldr.w   r0, [r4, #-240]
983a:   009a        lsls    r2, r3, #2
983c:   4639        mov r1, r7
983e:   f7ff eaf6   blx 8e2c <memcpy@plt>
9842:   2e01        cmp r6, #1
9844:   dc03        bgt.n   984e <android::sp<android::IBinder>::~sp()+0x97e>
9846:   e012        b.n 986e <android::sp<android::IBinder>::~sp()+0x99e>
9848:   f844 0cf4   str.w   r0, [r4, #-244]
984c:   e0ab        b.n 99a6 <android::sp<android::IBinder>::~sp()+0xad6>
984e:   4963        ldr r1, [pc, #396]  ; (99dc <android::sp<android::IBinder>::~sp()+0xb0c>)
9850:   6878        ldr r0, [r7, #4]
9852:   4479        add r1, pc
9854:   f7ff eac6   blx 8de4 <strcmp@plt>
9858:   4606        mov r6, r0
985a:   b940        cbnz    r0, 986e <android::sp<android::IBinder>::~sp()+0x99e>
985c:   4860        ldr r0, [pc, #384]  ; (99e0 <android::sp<android::IBinder>::~sp()+0xb10>)
985e:   4478        add r0, pc
9860:   f7ff ea72   blx 8d48 <puts@plt>
9864:   4630        mov r0, r6
9866:   f7ff eae8   blx 8e38 <setgid@plt>
986a:   b358        cbz r0, 98c4 <android::sp<android::IBinder>::~sp()+0x9f4>
986c:   e02d        b.n 98ca <android::sp<android::IBinder>::~sp()+0x9fa>
986e:   f7ff eaea   blx 8e44 <getppid@plt>
9872:   ae1b        add r6, sp, #108    ; 0x6c
9874:   2100        movs    r1, #0
9876:   f44f 7280   mov.w   r2, #256    ; 0x100
987a:   4c5a        ldr r4, [pc, #360]  ; (99e4 <android::sp<android::IBinder>::~sp()+0xb14>)
987c:   447c        add r4, pc
987e:   6060        str r0, [r4, #4]
9880:   4630        mov r0, r6
9882:   f7ff ea02   blx 8c88 <memset@plt>
9886:   6862        ldr r2, [r4, #4]
9888:   4630        mov r0, r6
988a:   4957        ldr r1, [pc, #348]  ; (99e8 <android::sp<android::IBinder>::~sp()+0xb18>)
988c:   4479        add r1, pc
988e:   466f        mov r7, sp
9890:   f7ff eade   blx 8e50 <sprintf@plt>
9894:   4630        mov r0, r6
9896:   4669        mov r1, sp
9898:   f7ff eae0   blx 8e5c <stat@plt>
989c:   2240        movs    r2, #64 ; 0x40
989e:   9e06        ldr r6, [sp, #24]
98a0:   2100        movs    r1, #0
98a2:   6026        str r6, [r4, #0]
98a4:   ae5b        add r6, sp, #364    ; 0x16c
98a6:   4630        mov r0, r6
98a8:   f7ff e9ee   blx 8c88 <memset@plt>
98ac:   f44f 71fc   mov.w   r1, #504    ; 0x1f8
98b0:   484e        ldr r0, [pc, #312]  ; (99ec <android::sp<android::IBinder>::~sp()+0xb1c>)
98b2:   4478        add r0, pc
98b4:   f7ff ead8   blx 8e68 <mkdir@plt>
98b8:   f7ff fe68   bl  958c <android::sp<android::IBinder>::~sp()+0x6bc>
98bc:   60a0        str r0, [r4, #8]
98be:   2800        cmp r0, #0
98c0:   da33        bge.n   992a <android::sp<android::IBinder>::~sp()+0xa5a>
98c2:   e02d        b.n 9920 <android::sp<android::IBinder>::~sp()+0xa50>
98c4:   f7ff ead6   blx 8e74 <setuid@plt> ; <--- I want this!
98c8:   b110        cbz r0, 98d0 <android::sp<android::IBinder>::~sp()+0xa00>
98ca:   4849        ldr r0, [pc, #292]  ; (99f0 <android::sp<android::IBinder>::~sp()+0xb20>)
98cc:   4478        add r0, pc
98ce:   e01b        b.n 9908 <android::sp<android::IBinder>::~sp()+0xa38>

Scratching the Turing turntable

The instruction immediately preceding the call to setuid is a b.n unconditional branch, and the one before that is a bge.n conditional branch. This pattern is typical of compiled code at the "seams" between instruction sequences generated from different control flow branches: nothing falls through into 0x98c4. The upshot is that if and when the ARM CPU executes the instruction at offset 0x98c4, it must have jumped there from somewhere else.

Sure enough, there's a cbz conditional branching instruction that points here at offset 0x986a:

985c:   4860        ldr r0, [pc, #384]  ; (99e0 <android::sp<android::IBinder>::~sp()+0xb10>)
985e:   4478        add r0, pc
9860:   f7ff ea72   blx 8d48 <puts@plt>
9864:   4630        mov r0, r6
9866:   f7ff eae8   blx 8e38 <setgid@plt>
986a:   b358        cbz r0, 98c4 <android::sp<android::IBinder>::~sp()+0x9f4>

So that makes sense, right? First we set the effective Group ID with setgid(3), then, if that returned 0, we move on to the effective UID. The 0 return code from setgid is even reused as setuid's argument, so setuid is called with UID 0.

The value passed as the GID is loaded into r0 from r6 at 0x9864. Before that, there's a call to puts(3). The argument given to puts in r0 is *0x99e0(==0x03a7) + 0x985e + 0x4 == 0x9c09, which points to a string in .rodata: "huyanwei grant successful ...\n". Looks like I'm on the right track, alright!

This call to puts(3) is preceded by a call to strcmp(3) and a cbnz conditional branch instruction:

984e:        4963              ldr        r1, [pc, #396]        ; (99dc <android::sp<android::IBinder>::~sp()+0xb0c>)
9850:        6878              ldr        r0, [r7, #4]
9852:        4479              add        r1, pc
9854:        f7ff eac6         blx        8de4 <strcmp@plt>
9858:        4606              mov        r6, r0
985a:        b940              cbnz       r0, 986e <android::sp<android::IBinder>::~sp()+0x99e>

This is very promising, as it means a zero return value in this call to strcmp is what triggers the privilege escalation performed by setgid then setuid.

So what are we comparing, and against what? The second argument passed to strcmp in r1 is a static char* with a value of *0x99dc(==0x03a6) + 0x9852 + 0x4 == 0x9bfc. This once again points to a string in .rodata with the value "*#huyanwei#*". This includes the name of the author and looks like some sort of hardcoded passphrase. But what are we comparing against this value? The immediate answer is *(r7+4) but what is at that address?

To find out more, I searched for instructions before the call to strcmp that involve the r7 register. There's a mov r1, r7 at offset 0x983c where we use r7 as the second argument in a call to memcpy(3), i.e. as the source. Before that, we have the following:

97f0:        687c              ldr        r4, [r7, #4]
97f2:        4977              ldr        r1, [pc, #476]        ; (99d0 <android::sp<android::IBinder>::~sp()+0xb00>)
97f4:        4620              mov        r0, r4
97f6:        4479              add        r1, pc
97f8:        f7ff eaf4         blx        8de4 <strcmp@plt>
97fc:        b128              cbz        r0, 980a <android::sp<android::IBinder>::~sp()+0x93a>
97fe:        4975              ldr        r1, [pc, #468]        ; (99d4 <android::sp<android::IBinder>::~sp()+0xb04>)
9800:        4620              mov        r0, r4
9802:        4479              add        r1, pc
9804:        f7ff eaee         blx        8de4 <strcmp@plt>
9808:        b908              cbnz       r0, 980e <android::sp<android::IBinder>::~sp()+0x93e>
980a:        f7ff fe93         bl         9534 <android::sp<android::IBinder>::~sp()+0x664>

So we load *(r7 + 4), the same pointer we'll later compare against *#huyanwei#* to decide whether to escalate privileges, into r4 and then r0. This becomes the first argument passed in another call to strcmp at offset 0x97f8. What's the second argument, then? *0x99d0 (==0x3f8) + 0x97f6 + 4 == 0x9bf2, which points to a string in .rodata: "-h".

Wait a minute! That looks a lot like one of the CLI options documented in the usage message, doesn't it? If *(r7 + 4) is indeed equal to "-h" then we jump to 0x980a, else we compare that address again, this time to *0x99d4 (==0x3ef) + 0x9802 + 4 == 0x9bf5. Once again, this points to .rodata and this time to "--help".
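The four pointer computations above (0x9c09, 0x9bfc, 0x9bf2 and 0x9bf5) all follow the same Thumb idiom: ldr rX, [pc, #imm] fetches a word from the literal pool, then add rX, pc adds the address of the add instruction plus 4. The helper below is an added example, not code from the original post: it parses objdump lines in that form and resolves the resulting addresses. The disassembly excerpt is constructed from the lines quoted above (symbol names shortened), the literal-pool words are the four values the post reads out of the binary, and the .rodata bytes are rebuilt from the quoted strings; packing them back to back is an assumption, though the quoted addresses line up exactly.

```python
import re

# Constructed excerpt of the objdump -d lines quoted in the post (Thumb-2, 32-bit ARM).
DISASM = """\
97f2:   4977   ldr   r1, [pc, #476]   ; (99d0 <lit>)
97f6:   4479   add   r1, pc
97f8:   f7ff eaf4   blx   8de4 <strcmp@plt>
97fe:   4975   ldr   r1, [pc, #468]   ; (99d4 <lit>)
9802:   4479   add   r1, pc
984e:   4963   ldr   r1, [pc, #396]   ; (99dc <lit>)
9852:   4479   add   r1, pc
985c:   4860   ldr   r0, [pc, #384]   ; (99e0 <lit>)
985e:   4478   add   r0, pc
"""
# Literal-pool words the post reads out of the binary (address -> 32-bit value).
LITERAL_POOL = {0x99d0: 0x3f8, 0x99d4: 0x3ef, 0x99dc: 0x3a6, 0x99e0: 0x3a7}
# .rodata rebuilt from the four strings and addresses quoted in the post
# (assumption: they sit back to back, which the quoted addresses confirm).
RODATA_BASE = 0x9bf2
RODATA = b"-h\0--help\0*#huyanwei#*\0huyanwei grant successful ...\n\0"

LDR_LIT = re.compile(r"^\s*([0-9a-f]+):\s+(?:[0-9a-f]{4}\s+)+ldr\s+(r\d+),\s*\[pc,\s*#(\d+)\]\s*;\s*\(([0-9a-f]+)")
ADD_PC = re.compile(r"^\s*([0-9a-f]+):\s+(?:[0-9a-f]{4}\s+)+add\s+(r\d+),\s*pc\b")


def resolve_pc_relative(disasm, pool):
    """Return {address of `add rX, pc`: absolute address left in rX}."""
    pending, resolved = {}, {}
    for line in disasm.splitlines():
        m = LDR_LIT.match(line)
        if m:
            addr, reg = int(m.group(1), 16), m.group(2)
            imm, lit = int(m.group(3)), int(m.group(4), 16)
            # Thumb LDR (literal): base is Align(PC, 4) with PC = addr + 4; check objdump agrees
            assert ((addr + 4) & ~3) + imm == lit, line
            pending[reg] = pool[lit]
            continue
        m = ADD_PC.match(line)
        if m and m.group(2) in pending:
            addr = int(m.group(1), 16)
            # Thumb ADD Rd, pc: pc reads as the instruction address + 4, with no word alignment
            resolved[addr] = (pending.pop(m.group(2)) + addr + 4) & 0xFFFFFFFF
    return resolved


def cstring_at(addr, base=RODATA_BASE, data=RODATA):
    """NUL-terminated string at addr in the reconstructed .rodata."""
    off = addr - base
    return data[off:data.index(b"\0", off)].decode()
```

Running resolve_pc_relative(DISASM, LITERAL_POOL) reproduces the post's four results, and cstring_at maps each of them to its string, which is the check worth running before trusting hand arithmetic on a stripped binary.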

I can now reasonably infer that r7 + 4 points to the first CLI argument given to su. Considering we have mov r7, r1 at offset 0x97e0 immediately after the function header, this would mean that -GASP!- r1 was argv when the function was called!

Since we're looking at 32-bit ARM code, pointers are 4 bytes wide, so argv + 4 is the address of argv[1] and *(r7 + 4) is argv[1] itself. This would make the function starting at 0x97d8 the program's main and r0 our argc.

Let's try it out

I tried running su with *#huyanwei#* as the first argument on the CLI:

That escalated quickly

...and it worked. Yay!

Now what?

So I've finally obtained superuser privileges on my phone. I did this by leveraging a rootkit that was present out of the box rather than writing a proper exploit. The whole experience was a bit hollow - I really expected to have to figure out what su does with sockets and build a program that would trigger escalation in this way. I was looking forward to that. Instead, I got there by feeding it a magic string as a CLI argument. It's expedient but a bit disappointing all the same. For a moment there, I... I believed. And I wanted more.

I did a teeny bit of searching online and there are pages that reference the author's name, Huyan Wei. They are mostly in Chinese however, which I cannot read. I chose not to spend too much time searching for third-party information as I know from bitter experience that nothing kills momentum on a little project like this quite like stumbling upon the answers.

As things stand I thought I should recap the objectives I set in the first hacklog:

  • ✔ Gain superuser privileges
  • ✔ Access the full filesystem (superuser privilege lets me access the full filesystem)
  • ✘ Investigate the presence of su(1), tcpdump(1)

So far, this project has been more about hacking than it has been about forensics. Now that I have unfettered access to the device, I expect this to change and future posts to focus more on the "what" than on the "how do I get access".