If you want to keep the modified code or data for later analysis, you’ll need to copy it to the database. Hint: if the code you’re investigating has many syscalls and you don’t want to handle them one by one, put a breakpoint at the address 0000000C (ARM’s vector for syscalls). Thus we can conclude that the shellcode tries to execute a file at the path “/execme”. If you undefine code at 00010156 and make it a string (‘A’ key), it will look like following: If you trace or run until it, you can see that R7 becomes 0xB (sys_execve) and R0 points to 00010156.
Note: if you’re running Windows 7 or Vista, it’s recommended to use QEMU 0.11 or 0.10.50 (“Snapshot” on Takeda Toshiya’s page),Īs the older versions listen for GDB connections only over IPv6 and IDA can’t connect to it. If qemu-system-arm.exe is in a subdirectory, move it next to qemu.exe and all DLLs.
Download a recent version of QEMU with ARM support (e.g.Press C to start disassembly.īefore starting debug session, we need to set up automatic running of QEMU. IDA doesn’t know anything about this file so it didn’t create any code.
For example, enter 0x10000 in “ROM start address” and “Loading address” fields. However, since our shellcode is not address-dependent, we can choose any address. When you analyze a real firmware dumped from address 0, these settings are good. Since we know that the code is for ARM processor, choose ARM in the “Processor type” dropdown and click Set. IDA displays the following dialog when it doesn’t recognize the file format (as in this case): GaOP000QxFd0i8QCa129ATQC61BTQC0119OBQCA169OCQCa02800271execme22727Ĭopy this text to a new text file, remove all line breaks (i.e. The sample code is at the bottom of the article but here it is repeated: 80AR80AR80AR80AR80AR80AR80AR80AR80AR80AR80AR80AR80AR80AR80AR80AR80AR80ARĨ0AR80AR80AR80AR80AR80AR80AR80AR80AR00OB00OR00SU00SE9PSB9PSR0pMB80SBcACPĭaDPqAGYyPDReaOPeaFPeaFPeaFPeaFPeaFPeaFPd0FU803R9pCRPP7R0P5BcPFE6PCBePFEīP3BlP5RYPFUVP3RAP5RWPFUXpFUx0GRcaFPaP7RAP5BIPFE8p4B0PMRGA5X9pWRAAAO8P4B So we will use the debugging feature to decode it. It is self-modifying and because of alphanumeric limitation can be quite hard to undestand. TargetĪs an example we will use shellcode from the article “Alphanumeric RISC ARM Shellcode” in Phrack 66.
In this tutorial we will show how to dynamically run code that can be difficult to analyze statically. It can be used to debug small code snippets directly from the database. IDA Pro 5.6 has a new feature: automatic running of the QEMU emulator.