汇编
.global _start
.section .text
_start:
/* push b'/dev/zero\x00' */
/* Set x14 = 8243129037239968815 = 0x72657a2f7665642f */
mov x14, #25647
movk x14, #30309, lsl #16
movk x14, #31279, lsl #0x20
movk x14, #29285, lsl #0x30
mov x15, #111
stp x14, x15, [sp, #-16]!
/* call openat(-100, 'sp', 'O_RDONLY', 0) */
/* Set x0 = -100 = -0x64 */
mov x0, #65436
movk x0, #65535, lsl #16
movk x0, #65535, lsl #0x20
movk x0, #65535, lsl #0x30
add x1, sp, xzr, lsl #4
mov x2, xzr
mov x3, xzr
mov x8, #56
svc #0x1234
/* ioctl(fd='x0', request=65537, vararg_0=168) */
/* Set x1 = 65537 = 0x10001 */
mov x1, #10001
mov x2, #168
/* call ioctl() */
mov x8, #29
svc #0x1234
/* exit(status=0) */
mov x0, xzr
/* call exit() */
mov x8, #93
svc #0x1234
shell脚本
#!/bin/bash
if [ $
then
echo "just need one argv"
exit 1
fi
:<<!
if [ -d tmp ]
then
echo tmp exist
else
mkdir tmp
fi
!
as -o $1.o $1.s
ld -o $1 $1.o
objdump -d $1 | grep 00
objcopy -O binary $1 $1.bin
hexdump -v -e '"\\""x" 1/1 "%02x" ""' $1.bin && echo
生成结果
hexdump -v -e '"\\""x" 1/1 "%02x" ""' test.bin && echo > 1.txt
\xee\x85\x8c\xd2\xae\xcc\xae\xf2\xee\x45\xcf\xf2
\xae\x4c\xee\xf2\xef\x0d\x80\xd2\xee\x3f\xbf\xa9
\x80\xf3\x9f\xd2\xe0\xff\xbf\xf2\xe0\xff\xdf\xf2
\xe0\xff\xff\xf2\xe1\x73\x3f\x8b\xe2\x03\x1f\xaa
\xe3\x03\x1f\xaa\x08\x07\x80\xd2\x81\x46\x02\xd4
\x21\xe2\x84\xd2\x02\x15\x80\xd2\xa8\x03\x80\xd2
\x81\x46\x02\xd4\xe0\x03\x1f\xaa\xa8\x0b\x80\xd2
\x81\x46\x02\xd4