Hi all. I'll begin by saying I'm an amateur in assembly language and I've been learning much of it as I go. I'm used to high level languages like Java, so this is a marked difference. I'm trying to write a small assembly program that will essentially execute a shell command to enable adb. The intended use of this program, or rather, shellcode, is to do exploit testing for myself, so I've intentionally written it in such a way that is least likely to produce null bytes in the output. Code below.
Shellcode:
.section .text
.global _start

/* Reference of registers:
   R0 = adr_shell
   R1 = adr_argv
   R2 = adr_env
   R3 = NULL
   R4 = 'X'
   R6 = our argument to replace_X
   R7 = system call register */

_start:
    .code 32
    @ Stage up for going into THUMB mode
    add r3, pc, #1
    bx r3

    .code 16
    @ Set the registers to reference our ascii arguments
    ldr r0, =adr_shell
    ldr r1, =adr_argv
    ldr r2, =adr_env

    @ Set our null register and our 'X'
    eor r3, r3, r3          @ R3 = NULL
    ldr r4, ='X'

    @ Replace 'X' in adr_shell with null byte
    mov r6, r0              @ Set up our replace_X argument
    bl replace_X

    @ Replace 'X' in adr_argv with null byte
    mov r6, r1              @ Set up our replace_X argument
    bl replace_X

    @ Replace 'X' in adr_env with null byte
    mov r6, r2              @ Set up our replace_X argument
    bl replace_X

    @ Do system call w/ execve call number
    mov r7, #11             @ execve(shell, argv, env)
    svc #1                  @ system call

adr_shell:
    .ascii "/system/bin/shX"
adr_argv:
    .ascii "setprop persist.sys.usb.config adbX"
adr_env:
    .ascii "PATH=/sbin:/vendor/bin:/system/sbin:/system/bin:/system/xbinX"

@ Look for 'X' in R6 and replace it with R3
replace_X:
    cmp r4, #[r6]
    @ If condition above sets Not Equal flag in CPSR, then R6++ and loop
    itt ne
    addne r6, #1
    bne replace_x
    strb r3, [r6]
    b lr
The error I get with the GNU assembler is:
shellcode.s: Assembler messages:
shellcode.s:56: Error: Thumb does not support conditional execution
shellcode.s:57: Error: branch must be last instruction in IT block -- `bne replace_x'
shellcode.s:59: Error: instruction not allowed in IT block -- `strb r3,[r6]'
But why?? I thought an IT block was specifically for Thumb state? Can anyone clarify to me what I'm doing wrong here?
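For readers hitting the same three assembler messages, here is a stand-alone Thumb-2 routine that shows the rules the GNU assembler is enforcing. It is an added example, not the poster's code: the function name find_byte, the register choices and the build command are assumptions, and it targets an ARMv7 GNU toolchain (for example arm-linux-gnueabi-as or arm-none-eabi-as). The points it illustrates are that conditional suffixes such as addne are only accepted in Thumb under `.syntax unified`, that cmp cannot take a memory operand so the byte has to be loaded first, that a branch may only be the last instruction of an IT block, and that a Thumb routine returns with bx lr rather than b lr.

```asm
    .syntax unified         @ without this, Thumb rejects addne etc. with
                            @ "Thumb does not support conditional execution"
    .arch  armv7-a          @ IT blocks exist only on Thumb-2 (ARMv6T2 and later)
    .thumb
    .text
    .global find_byte
    .type   find_byte, %function
    .thumb_func

@ int find_byte(const char *buf, int needle, unsigned len)
@ Returns the index of the first byte in buf equal to needle, or -1 if
@ none is found within len bytes. (Assumed signature; example only.)
find_byte:
    movs  r3, #0            @ r3 = current index
1:
    cmp   r3, r2
    bhs   2f                @ index reached len: not found

    ldrb  r12, [r0, r3]     @ cmp has no memory operand: load the byte first
    cmp   r12, r1           @ sets the CPSR flags for the IT block below

    itt   ne                @ exactly two instructions, both executed if NE;
    addne r3, r3, #1        @   first slot: advance the index
    bne   1b                @   last slot: the branch (must be last in the block)

    mov   r0, r3            @ found: fall through with the index in r0
    bx    lr                @ Thumb return: bx lr, not "b lr"
2:
    mvn   r0, #0            @ r0 = -1 (not found)
    bx    lr

    .size find_byte, .-find_byte
```

A quick way to exercise it is to assemble with `arm-linux-gnueabi-as -o find_byte.o find_byte.s` and call `find_byte("abcX", 'X', 4)` from a small C test compiled with `-mthumb`; it should return 3, and `find_byte("abc", 'X', 3)` should return -1. Note that the strb in the original code was rejected not because strb is special, but because the assembler still considered it part of the IT block once the earlier addne had been thrown out: every instruction inside an IT block must carry a matching condition suffix, and the block is only closed once the declared number of instructions has been consumed.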
Hi Naggafin
Are you still looking for help with this question?
Yes, absolutely. I've even got myself a book in ARM assembly to tackle this. If you have any insights on it I'd certainly appreciate your input (: