implicit_flush.c

#include <stdlib.h>
#include <stdio.h>
#include <unistd.h>
#include <time.h>
#include <sys/mman.h>
#include <sys/wait.h>

int funTime1()
{
    int r;
    __asm__ ("mov r5, #2;"
             "1: mov r4, #0;"
             "mov r6, #1;"
             "strb r6, [pc, #-0x10];"
             "subs r5, #1;"
             "bne 1b;"
             "mov %0, r4;"
             : "=r" (r) 
             :   
             :"r4", "r5", "r6"
             );  
    return r;
}

int funTime2(pid_t pid)
{
    int r, status;
    __asm__ ("mov r5, #2;"
             "1: mov r4, #0;"
             "mov r6, #1;"
             "strb r6, [pc, #-0x10];"
             "mov r0, %1;"
             "mov r1, %2;"
             "mov r2, #0;"
             "mov r3, #0;"
             "mov r7, #114;"
             "swi 0x0;"
             "subs r5, #1;"
             "bne 1b;"
             "mov %0, r4;"
             : "=r" (r) 
             : "r" (pid), "r" (&status)
             :"r0", "r1", "r2", "r3", "r4", "r5", "r6", "r7"
             );  
    return r;
}

int main()
{
    pid_t child;
    int status;
    void *exec_space = mmap(0, 4096, PROT_READ|PROT_WRITE|PROT_EXEC,
                            MAP_PRIVATE|MAP_ANONYMOUS,-1,0);
    memcpy(exec_space, (void*) funTime1, 200);
    printf("r = %d\n", ((int(*)())exec_space)());
    memcpy(exec_space, (void*) funTime2, 200);
    child = fork();
    if(child == 0)
    {
        sleep(0);
        if(system("ls -al / 1>0") == -1)
            printf("Exec failed.\n");
    }
    else
    {
        printf("r = %d\n", ((int(*)(pid_t))exec_space)(child));
    }
}

ARM implicit cache flushing. See discussion here: www.reddit.com/r/ReverseEngineering/comments/2lr670/a_dynamic_binary_instrumentation_engine_for_the/