jabr

Everything posted by jabr

  1. I suspect the problem is a bug in the function below (in pseudocode from disassembly). It seems to take a file permission set as an argument and return a specific permission set based on that. The return value is then used as part of a call to chmod.

     I'm not certain what the intended logic is, but it seems that an input that is user writable (input & 0x80 != 0) and group executable (input & 0x8 != 0) results in a return value of 774, which is suspicious since the bug we see is a missing other executable bit. A return of 775 would make more sense.

         function sub_4c013a {
             input = rdi;
             result = 0x0;
             if ((input & 0x80) != 0x0) {
                 result = 0x1b4;
             }
             else {
                 if ((input & 0x1) != 0x0) {
                     result = 0x124;
                 }
             }
             if ((input & 0x8) != 0x0) {
                 result = result | 0x48;
             }
             return result;
         }

     I suspect this:

         result | 0x48 # 0110

     should be this:

         result | 0x49 # 0111
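
As an added example (not the poster's code or the application's own), here is the decompiled mapping from the post rewritten in C beside the proposed 0x49 mask, checked over every mode from 0000 to 0777. The function names and sample modes are assumptions; the constants are the ones in the post.

```c
#include <stdio.h>

/* The post's decompiled mapping with the execute mask as a parameter, so the
 * mask found in the binary (0x48) and the proposed one (0x49) can be compared. */
static unsigned map_mode(unsigned input, unsigned exec_mask)
{
    unsigned result = 0;
    if (input & 0x80)           /* owner-write bit, 0200 */
        result = 0x1b4;         /* 0664 */
    else if (input & 0x1)       /* other-execute bit, 0001 */
        result = 0x124;         /* 0444 */
    if (input & 0x8)            /* group-execute bit, 0010 */
        result |= exec_mask;
    return result;
}

unsigned map_as_decompiled(unsigned input) { return map_mode(input, 0x48); } /* 0110 */
unsigned map_proposed(unsigned input)      { return map_mode(input, 0x49); } /* 0111 */

/* Count inputs in 0000..0777 whose result grants group-execute but not
 * other-execute, which is the symptom described in the post. */
int count_missing_other_exec(unsigned (*map)(unsigned))
{
    int n = 0;
    for (unsigned in = 0; in <= 0777; in++) {
        unsigned out = map(in);
        if ((out & 0010) && !(out & 0001))
            n++;
    }
    return n;
}

int main(void)
{
    const unsigned samples[] = { 0755, 0775, 0555, 0644 };  /* constructed inputs */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%04o -> decompiled %04o, proposed %04o\n", samples[i],
               map_as_decompiled(samples[i]), map_proposed(samples[i]));
    printf("inputs losing other-execute: decompiled %d, proposed %d\n",
           count_missing_other_exec(map_as_decompiled),
           count_missing_other_exec(map_proposed));
    return 0;
}
```

With the 0x48 mask, every input that has the group-execute bit set comes back without other-execute, because neither base value (0664 or 0444) carries that bit.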