Joel Eriksson
Vulnerability researcher, exploit developer and reverse-engineer. Have spoken at BlackHat, DefCon and the RSA conference. CTF player. Puzzle solver (Cicada 3301, Boxen)

ARM payload development

As I mentioned on Twitter earlier (@OwariDa, @ClevCode), using the excellent Hex-Rays ARM decompiler turned out to be quite handy for verifying the payload I’m developing and injecting into the XMM6260-based baseband in my Samsung S3 (GT-i9300). Rebooting my phone due to baseband crashes can be a bit time consuming. :D

The specific research I’m doing at the moment will be kept private, but for those who find the subject interesting I can give you the following simple example. It decompiles, as expected, to v12345678(“Hello World\n”). v12345678 = function @ address 0x12345678. 0xbadc0ded and 0xdeadbeef are used as markers, to make it possible to easily extract the payload from the object file.

.syntax unified
.code 16

.byte 0xba, 0xdc, 0x0d, 0xed /* marker */

push {lr}
adr r0, hello
ldr r1, print
blx r1
pop {pc}

.align 4

print: .word 0x12345678 /* append |1 if thumb */
hello: .asciz "Hello World\n"

.byte 0xde, 0xad, 0xbe, 0xef /* marker */

How to extract the payload and sending it to your custom injector tool:

je@isis:~$ arm-elf-gcc -c -o code.o code.s && xxd -p code.o \
  | perl -pne 's/\n//g' | perl -pne 's/.*badc0ded(.*)deadbeef.*/$1\n/g'
je@isis:~$ echo 00b503a00149884700bd00007856341248656c6c6f20576f726c640a00 \
  | xxd -p -r | evil-injector-pwn # ;)

PS. Just in case anyone accustomed to x86 assembly wonders; Yes, the code above is position independent on ARM. No need for jump/call/pop-techniques. ;)