For x86 and x86_64 there are already commands for extracting shellcode and printing them nicely formatted. But when it comes to ARM none of them work would because of the way objdump would dump the opcodes. For example if this is my sample program:
.section .text
.global _start
_start:
.code 32
# Thumb-Mode on
add r6, pc, #1
bx r6
.code 16
# _write()
mov r2, #7
mov r1, pc
add r1, #12
mov r0, $0x1
mov r7, $0x4
svc 0
# _exit()
sub r0, r0, r0
mov r7, $0x1
svc 0
.ascii "Osanda\n"
After assembling and linking this would be output from objdump:
write: file format elf32-littlearm
Disassembly of section .text:
00008054 <_start>:
8054: e28f6001 add r6, pc, #1
8058: e12fff16 bx r6
805c: 2207 movs r2, #7
805e: 4679 mov r1, pc
8060: 310c adds r1, #12
8062: 2001 movs r0, #1
8064: 2704 movs r7, #4
8066: df00 svc 0
8068: 1a00 subs r0, r0, r0
806a: 2701 movs r7, #1
806c: df00 svc 0
806e: 734f .short 0x734f
8070: 61646e61 .word 0x61646e61
8074: 0a .byte 0x0a
So I made this one line command so that it would work with ARM binaries.
[code language=”bash”]
for i in $(objdump -d binary |
grep "^ "|
awk -F"[\t]" ‘{print $2}’); do
echo -n ${i:6:2}${i:4:2}${i:2:2}${i:0:2};done|
sed ‘s/.\{2\}/\\x&/g’
[/code]
$ for i in $(objdump -d write | grep "^ "|awk -F"[\t]" '{print $2}'); do echo -n ${i:6:2}${i:4:2}${i:2:2}${i:0:2};done| sed 's/.\{2\}/\\x&/g' \x01\x60\x8f\xe2\x16\xff\x2f\xe1\x07\x22\x79\x46\x0c\x31\x01\x20\x04\x27\x00\xdf\x00\x1a\x01\x27\x00\xdf\x4f\x73\x61\x6e\x64\x61\x0a
[code language=”C”]
#include <stdio.h>
#include <string.h>
char *shellcode =
"\x01\x60\x8f\xe2\x16\xff\x2f\xe1\x07\x22\x79\x46\x0c\x31\x01"
"\x20\x04\x27\x00\xdf\x00\x1a\x01\x27\x00\xdf\x4f\x73\x61\x6e"
"\x64\x61\x0a";
int main(void) {
fprintf(stdout,"Length: %d\n",strlen(shellcode));
(*(void(*)()) shellcode)();
return 0;
}
[/code]
$ cc -o write.o write $ ./write Length: 18 Osanda $
In Commandlinefu
http://www.commandlinefu.com/commands/view/14336/get-shellcode-from-arm-binaries