_start(
_unknown_ __eax, // r0
_unknown_ __ebx, // r1
_unknown_ __edx // r3
)
{// addr = 0x08048278
_unknown_ _v8; // _cfa_fffffff8
_unknown_ _t3; // _t3
intOrPtr* _t4; // _t4
_unknown_ _t5; // _t5
_unknown_ _t7; // _t7
_unknown_ _t8; // _t8
signed int _t9; // _t9
__edx = __edx;
_t5 = __ebx;
_t3 = __eax;
_pop(__esi);
__ecx = __esp;
__esp = __esp & 240;
_push(_t3);
_push(__esp);
_push(__edx);
_push(_fini);
_push(_init);
_push(__ecx);
_push(__esi);
_push(main);
__libc_start_main();
asm("hlt ");
_push(0);
_t9 = __esp;
_push(_t5);
_push(_t3);
L2();
_pop(__ebx);
_t4 = *((intOrPtr*)(_t5 + 0x123a));
if(_t4 != 0) {
*_t4();
}
__esp = _t9;
_pop(__ebp);
return;
}
_start()
{
ebp = 0;
(restore)esi;
ecx = esp;
esp = esp & -16;
(save)eax;
(save)esp;
(save)edx;
(save)_fini;
(save)_init;
(save)ecx;
(save)esi;
(save)main;
__libc_start_main();
asm("hlt");
}
/* This is the true entry point for untrusted code.
It's called with the normal C ABI, taking one argument.
This is a pointer to stack space containing these words:
[0] cleanup function pointer (always NULL in actual startup)
[1] envc, count of envp[] pointers
[2] argc, count of argv[] pointers
[3] argv[0..argc] pointers, argv[argc] being NULL
[3+argc] envp[0..envc] pointers, envp[envc] being NULL
[3+argc+envc] auxv[] pairs
*/
void
_start (uint32_t *info)
{
void (*rtld_fini) (void) = (void (*) (void)) info[0];
int argc = info[2];
char **argv = (void *) &info[3];
int (*main_ptr)(int argc, char **argv, char **envp) = &__nacl_main;
if (main_ptr == NULL)
main_ptr = &main;
/* The generic code actually assumes that envp follows argv
and that auxv follows envp. */
__libc_start_main (main_ptr, argc, argv,
&__libc_csu_init, &__libc_csu_fini, rtld_fini,
__builtin_frame_address (0));
/* That should not return. Make sure we crash if it did. */
while (1) *(volatile int *) 0;
}
// ais3_crackme.c
// Generated by decompiling ais3_crackme
// using Reko decompiler version 0.6.2.0.
#include "ais3_crackme.h"
void _init()
{
call_gmon_start();
return;
}
void _start(word64 rax, * rdx, word64 qwArg00, word32 dwArg04)
{
__align(fp + 0x08);
word64 rax_21 = DPB(rax, __libc_start_main(&globals->t4005C5, qwArg00, fp + 0x08, &globals->t400620, &globals->t4006B0, rdx, DPB(qwArg00, fp + 0x04, 0)), 0);
__hlt();
}
void call_gmon_start()
{
word64 rax_4 = globals->qw600FE0;
if (rax_4 != 0x00)
{
word64 rsp_17;
byte SCZO_18;
word64 rax_19;
byte SZO_20;
byte C_21;
byte Z_22;
word32 eax_23;
#include "ls.h"
void _init()
{
word64 rax_4 = *&globals->qw619FF8;
if (rax_4 != 0x00)
{
word64 rsp_15;
byte SCZO_16;
word64 rax_17;
byte SZO_18;
byte C_19;
byte Z_20;
__gmon_start__();
}
return;
}
void fn0000000000404890(word64 rax, * rdx, word64 qwArg00, word32 dwArg04)
{
__align(fp + 0x08);
word64 rax_21 = DPB(rax, __libc_start_main(&globals->t4028C0, qwArg00, fp + 0x08, &globals->t411E60, &globals->t411ED0, rdx, DPB(qwArg00, fp + 0x04, 0)), 0);
__hlt();
}
void _fini()
{
return;
}
void __cstart(long *p)
{
int argc = p[0];
char **argv = (void *)(p+1);
__libc_start_main(main, argc, argv, _init, _fini, 0);
}
void fn08048300(code * * edx, word32 dwArg00)
{
__align(fp + 0x00000004);
__libc_start_main(&globals->ptr8048410, dwArg00, fp + 0x00000004, &globals->ptr804829C, &globals->ptr8048690, edx, fp - 0x00000004);
__hlt();
}
_Noreturn void __dls2(unsigned char *base, size_t *sp)
{
__libc_start_main(main, *sp, (void *)(sp+1), _init, _fini, 0);
}
void fn08048278(code * * edx, word32 dwArg00)
{
__align(fp + 0x00000004);
__libc_start_main(&globals->ptr804835D, dwArg00, fp + 0x00000004, &globals->ptr8048390, &globals->ptr80483C0, edx, fp - 0x00000004);
__hlt();
}
void
_start(void)
{
// WARNING: __hart_self_on_entry must be read before
// anything is register-allocated!
int id = __hart_self_on_entry;
static int init = 0;
// For dynamically-linked programs, the first time through,
// __hart_self_on_entry could be clobbered (on x86), because
// the linker will have overwritten eax. Happily, the first
// time through, we know we are vcore 0. Subsequent entries
// into this routine do not have this problem.
if(init == 0)
id = 0;
// threads besides thread 0 must acquire a TCB.
if(id != 0)
{
TLS_INIT_TP(__hart_thread_control_blocks[id],0);
hart_entry();
hart_yield();
failmsg("why did hart_yield() return?");
goto diediedie;
}
if(init)
{
failmsg("why did thread 0 re-enter _start?");
goto diediedie;
}
init = 1;
extern int main(int,char**,char**);
extern void __libc_csu_init(int,char**,char**);
extern void __libc_csu_fini(void);
extern void __libc_start_main(typeof(&main),int,char**,
typeof(&__libc_csu_init),
typeof(&__libc_csu_fini),
void*,void*);
char** argv = (char**)alloca(sizeof(__procinfo.argp));
memcpy(argv,__procinfo.argp,sizeof(__procinfo.argp));
char* argbuf = (char*)alloca(sizeof(__procinfo.argbuf));
memcpy(argbuf,__procinfo.argbuf,sizeof(__procinfo.argbuf));
for(int i = 0; i < PROCINFO_MAX_ARGP; i++)
if(argv[i])
argv[i] += argbuf - __procinfo.argbuf;
int argc = 0;
while(argv[argc])
argc++;
extern char** _environ;
_environ = argv+argc+1;
__libc_start_main(&main,argc,argv,&__libc_csu_init,&__libc_csu_fini,0,0);
failmsg("why did main() return?");
diediedie:
abort();
#ifdef ABORT_INSTRUCTION
ABORT_INSTRUCTION;
#endif
while(1);
}