#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/wait.h>
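/*
 * Instruction-cache coherence probe (ARM state only, little-endian).
 *
 * The loop runs twice.  On the first pass:
 *   mov r4, #0            @ label 1, at address L
 *   mov r6, #1            @ L+4
 *   strb r6, [pc, #-0x10] @ L+8; in ARM state pc reads as L+8+8, so this
 *                         @ stores byte 0x01 at L+16-0x10 = L, the low byte
 *                         @ of "mov r4, #0" (its 8-bit immediate field)
 * which rewrites that instruction in memory into "mov r4, #1".  The second
 * pass re-executes it, and the value left in r4 is returned:
 *   1 -> the core fetched the patched instruction (the store became visible
 *        to instruction fetch without any explicit cache maintenance),
 *   0 -> the stale "mov r4, #0" was still executed.
 * The pc-relative offset hard-codes this exact instruction layout, so the
 * sequence must not be reordered or built for Thumb.
 *
 * The function writes into its own code, so it can only run from a mapping
 * that is both writable and executable; main() copies it into one.  Calling
 * it in place would store into the (normally read-only) text page.
 *
 * The asm is volatile and clobbers "cc" and "memory": it stores to an
 * address the compiler cannot see and subs/bne modify the condition flags,
 * so without these declarations GCC could legally move, duplicate or drop it.
 */
int funTime1(void)
{
    int r;
    __asm__ __volatile__ ("mov r5, #2;"
        "1: mov r4, #0;"
        "mov r6, #1;"
        "strb r6, [pc, #-0x10];"
        "subs r5, #1;"
        "bne 1b;"
        "mov %0, r4;"
        : "=r" (r)
        :
        : "r4", "r5", "r6", "cc", "memory"
    );
    return r;
}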
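/*
 * Same probe as funTime1 (self-patching "mov r4, #0" via a pc-relative strb,
 * two passes, ARM state only), but each pass additionally enters the kernel
 * between the patching store and the re-execution of the patched
 * instruction: r0..r3 = (pid, &status, 0, 0), r7 = 114, "swi 0".  That
 * argument shape and the number look like wait4(pid, &status, 0, NULL) on
 * the ARM EABI syscall table -- NOTE(review): confirm 114 against
 * <asm/unistd.h> for the target.  The syscall's return value in r0 is
 * ignored and `status` is never read; only the kernel round-trip matters.
 *
 * pid:     child to wait on (the parent in main() passes the pid it forked).
 * returns: 1 if the patched instruction was fetched on the second pass,
 *          0 if the stale one ran -- i.e. whether the trip through the
 *          kernel made the modified code visible to instruction fetch.
 *
 * Must run from a writable+executable mapping, as funTime1.  The asm is
 * volatile with "cc" and "memory" clobbers: it performs a syscall, stores
 * into its own code and writes through &status, none of which the operand
 * list alone describes.  The instruction sequence is layout-sensitive
 * (the #-0x10 offset targets label 1) and must not be reordered.
 */
int funTime2(pid_t pid)
{
    int r, status;
    __asm__ __volatile__ ("mov r5, #2;"
        "1: mov r4, #0;"
        "mov r6, #1;"
        "strb r6, [pc, #-0x10];"
        "mov r0, %1;"
        "mov r1, %2;"
        "mov r2, #0;"
        "mov r3, #0;"
        "mov r7, #114;"
        "swi 0x0;"
        "subs r5, #1;"
        "bne 1b;"
        "mov %0, r4;"
        : "=r" (r)
        : "r" (pid), "r" (&status)
        : "r0", "r1", "r2", "r3", "r4", "r5", "r6", "r7", "cc", "memory"
    );
    return r;
}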
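/* Bytes copied from each probe into the executable mapping, and the size of
 * that mapping.  The probes are a handful of instructions, so 200 bytes covers
 * prologue, loop and epilogue; any surplus is neighbouring text that is copied
 * but never executed. */
enum { CODE_COPY_LEN = 200, CODE_MAP_LEN = 4096 };

/*
 * Driver for the two probes.  Maps one RWX page, copies funTime1 into it and
 * runs it, then copies funTime2 over the same page and runs it in the parent
 * with a freshly forked child as the wait4 target.  Prints "r = <0|1>" once
 * per probe (see the probes for the meaning of the value).
 *
 * ARM-only.  The copies treat the function pointers as plain ARM-state code
 * addresses (bit 0 clear), so the file must not be built for Thumb.
 *
 * Exit status: 0 on success, 1 if mmap() or fork() fails.
 */
int main(void)
{
    void *exec_space = mmap(NULL, CODE_MAP_LEN, PROT_READ|PROT_WRITE|PROT_EXEC,
                            MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);
    if (exec_space == MAP_FAILED) {
        perror("mmap");
        return 1;
    }

    memcpy(exec_space, (void *) funTime1, CODE_COPY_LEN);
    /* Make the setup copy visible to instruction fetch.  Only the copy is
     * flushed: the store inside the probe's loop deliberately gets no cache
     * maintenance, because that is what the probe measures. */
    __builtin___clear_cache((char *) exec_space,
                            (char *) exec_space + CODE_COPY_LEN);
    printf("r = %d\n", ((int (*)(void)) exec_space)());

    /* funTime1 was just executed from these addresses; without a flush the
     * next run could fetch its stale instructions instead of funTime2's. */
    memcpy(exec_space, (void *) funTime2, CODE_COPY_LEN);
    __builtin___clear_cache((char *) exec_space,
                            (char *) exec_space + CODE_COPY_LEN);

    /* Drain stdio before forking so the child does not inherit, and re-emit
     * at exit, the parent's buffered "r = ..." line when stdout is a pipe. */
    fflush(stdout);
    pid_t child = fork();
    if (child == -1) {
        perror("fork");
        munmap(exec_space, CODE_MAP_LEN);
        return 1;
    }
    if (child == 0) {
        /* Child: a short-lived process for the parent's wait4 to reap.
         * NOTE(review): "1>0" in the command redirects stdout to a file
         * literally named "0" in the current directory, not to fd 0; kept
         * as written, but ">/dev/null" is probably what was meant. */
        if (system("ls -al / 1>0") == -1)
            printf("Exec failed.\n");
        fflush(stdout);
        _exit(0);   /* never fall through into the parent's code path */
    }

    printf("r = %d\n", ((int (*)(pid_t)) exec_space)(child));
    munmap(exec_space, CODE_MAP_LEN);
    return 0;
}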
Experiment on implicit instruction-cache flushing on ARM: a self-modifying loop is copied into an RWX mapping and run once as-is and once with a syscall (wait4) inside the loop, to see whether the patched instruction is fetched. See the discussion at: www.reddit.com/r/ReverseEngineering/comments/2lr670/a_dynamic_binary_instrumentation_engine_for_the/