From 4e16c21015053de0b1890ef065a780122333718b Mon Sep 17 00:00:00 2001
From: Kevin Thomas
Date: Sun, 7 Jun 2026 08:26:29 -0400
Subject: [PATCH] Updated WEEK07
---
 WEEK07/WEEK07.md | 111 ++++++++++++++++-----------------
 WEEK07/slides/WEEK07-IMG00.svg | 79 +++++++++++++++++++++++
 WEEK07/slides/WEEK07-IMG01.svg | 63 +++++++++++++++++++
 WEEK07/slides/WEEK07-IMG02.svg | 85 +++++++++++++++++++++++++
 WEEK07/slides/WEEK07-IMG03.svg | 66 ++++++++++++++++++++
 WEEK07/slides/WEEK07-IMG04.svg | 80 ++++++++++++++++++++++++
 WEEK07/slides/WEEK07-IMG05.svg | 53 ++++++++++++++++
 WEEK07/slides/WEEK07-IMG06.svg | 65 +++++++++++++++++++
 WEEK07/slides/WEEK07-IMG07.svg | 71 +++++++++++++++++++++
 WEEK07/slides/WEEK07-IMG08.svg | 68 ++++++++++++++++++++
 WEEK07/slides/WEEK07-IMG09.svg | 63 +++++++++++++++++++
 WEEK07/slides/WEEK07-IMG10.svg | 88 ++++++++++++++++++++++++++
 12 files changed, 835 insertions(+), 57 deletions(-)
 create mode 100644 WEEK07/slides/WEEK07-IMG00.svg
 create mode 100644 WEEK07/slides/WEEK07-IMG01.svg
 create mode 100644 WEEK07/slides/WEEK07-IMG02.svg
 create mode 100644 WEEK07/slides/WEEK07-IMG03.svg
 create mode 100644 WEEK07/slides/WEEK07-IMG04.svg
 create mode 100644 WEEK07/slides/WEEK07-IMG05.svg
 create mode 100644 WEEK07/slides/WEEK07-IMG06.svg
 create mode 100644 WEEK07/slides/WEEK07-IMG07.svg
 create mode 100644 WEEK07/slides/WEEK07-IMG08.svg
 create mode 100644 WEEK07/slides/WEEK07-IMG09.svg
 create mode 100644 WEEK07/slides/WEEK07-IMG10.svg
diff --git a/WEEK07/WEEK07.md b/WEEK07/WEEK07.md
index f17abab..e0b2f18 100644
--- a/WEEK07/WEEK07.md
+++ b/WEEK07/WEEK07.md
@@ -230,8 +230,8 @@ The Pico SDK uses a struct to represent each I2C controller:
 ```c
 struct i2c_inst {
- i2c_hw_t *hw; // Pointer to hardware registers
- bool restart_on_next; // SDK internal flag
+ i2c_hw_t *hw; // Pointer to hardware registers
+ bool restart_on_next; // SDK internal flag
 };
 ```
@@ -315,9 +315,9 @@ i2c_init(I2C_PORT, 100000);
 In assembly:
 ```assembly
-ldr r0, [address of i2c1_inst] ; r0 = pointer to struct (first arg)
-ldr r1, =0x186A0 ; r1 = 100000 (second arg)
-bl i2c_init ; Call the function
+ldr r0, [address of i2c1_inst] ; r0 = pointer to struct (first arg)
+ldr r1, =0x186A0 ; r1 = 100000 (second arg)
+bl i2c_init ; Call the function
 ```
 ---
@@ -499,10 +499,11 @@ x/54i 0x10000234
 You should see output like:
 ```
- 0x10000234
: push {r3, lr}
- 0x10000236 : bl 0x100037fc
- 0x1000023a : ldr r1, [pc, #104] @ (0x100002a4 )
- 0x1000023c : ldr r0, [pc, #104] @ (0x100002a8 )
+(gdb) x/54i 0x10000234
+ 0x10000234
: push {r3, lr}
+ 0x10000236 : bl 0x100037fc
+ 0x1000023a : ldr r1, [pc, #104] @ (0x100002a4 )
+ 0x1000023c : ldr r0, [pc, #104] @ (0x100002a8 )
 0x1000023e : bl 0x10003cdc
 0x10000242 : movs r1, #3
 0x10000244 : movs r0, #2
@@ -521,28 +522,23 @@ You should see output like:
 0x10000266 : movs r3, #8
 0x10000268 : movs r2, #4
 0x1000026a : movs r1, #39 @ 0x27
- 0x1000026c :
- ldr r0, [pc, #56] @ (0x100002a8 )
+ 0x1000026c : ldr r0, [pc, #56] @ (0x100002a8 )
 0x1000026e : bl 0x100002bc
 0x10000272 : movs r1, #0
 0x10000274 : mov r0, r1
 0x10000276 : bl 0x100006f4
- 0x1000027a :
- ldr r0, [pc, #48] @ (0x100002ac )
+ 0x1000027a : ldr r0, [pc, #48] @ (0x100002ac )
 0x1000027c : bl 0x100007f0
 0x10000280 : movs r0, #1
 0x10000282 : movs r1, #0
 0x10000284 : bl 0x100006f4
- 0x10000288 :
- ldr r0, [pc, #36] @ (0x100002b0 )
+ 0x10000288 : ldr r0, [pc, #36] @ (0x100002b0 )
 0x1000028a : bl 0x100007f0
 0x1000028e : movs r1, #42 @ 0x2a
- 0x10000290 :
- ldr r0, [pc, #32] @ (0x100002b4 )
+ 0x10000290 : ldr r0, [pc, #32] @ (0x100002b4 )
 0x10000292 : bl 0x1000398c <__wrap_printf>
 0x10000296 : movw r1, #1337 @ 0x539
- 0x1000029a :
- ldr r0, [pc, #28] @ (0x100002b8 )
+ 0x1000029a : ldr r0, [pc, #28] @ (0x100002b8 )
 0x1000029c : bl 0x1000398c <__wrap_printf>
 0x100002a0 : b.n 0x1000028e
 0x100002a2 : nop
@@ -567,20 +563,6 @@ b *0x10000234
 c
 ```
-GDB responds:
-```
-Breakpoint 1 at 0x10000234: file C:/Users/assem.KEVINTHOMAS/OneDrive/Documents/Embedded-Hacking/0x0017_constants/0x0017_constants.c, line 16.
-Note: automatically using hardware breakpoints for read-only addresses.
-(gdb) c
-Continuing.
-
-Thread 1 "rp2350.cm0" hit Breakpoint 1, main ()
- at C:/Users/assem.KEVINTHOMAS/OneDrive/Documents/Embedded-Hacking/0x0017_constants/0x0017_constants.c:16
-16 stdio_init_all();
-```
-
-> **Note:** If GDB says `The program is not being run.` when you type `c`, the target hasn't been started yet. Use `monitor reset halt` first, then `c` to continue to your breakpoint.
-
 ### Step 6: Find the #define Constant (FAV_NUM)
 Step through to the printf call and examine the registers:
@@ -592,7 +574,7 @@ x/20i 0x1000028e
 Look for:
 ```
 ...
-0x1000028e : movs r1, #42 @ 0x2a
+ 0x1000028e : movs r1, #42 @ 0x2a
 ...
 ```
@@ -610,7 +592,7 @@ Look for this instruction:
 ```
 ...
-0x10000296 : movw r1, #1337 @ 0x539
+ 0x10000296 : movw r1, #1337 @ 0x539
 ...
 ```
@@ -643,7 +625,22 @@ These are the values that `ldr rN, [pc, #offset]` instructions load:
 | `0x100002b4` | `0x10003EFC` | "FAV_NUM: %d\r\n" format str |
 | `0x100002b8` | `0x10003F0C` | "OTHER_FAV_NUM: %d\r\n" fmt |
-> Tip: **Why does the disassembly at `0x100002a4` show `strh r0, [r4, #52]` instead of data?** Same reason as Week 6 - GDB's `x/i` tries to decode raw data as instructions. Use `x/wx` to see the actual word values.
+> Tip: **Why does the disassembly at `0x100002a4` show `strh r0, [r4, #52]` instead of data?** Same reason as Week 6 - GDB's `x/i` tries to decode raw data as instructions. Use `x/wx` to see the actual word values or we can also use `x/x`.
+
+```gdb
+(gdb) x/x 0x100002a4
+0x100002a4 : 0x000186a0
+(gdb) x/x 0x100002a8
+0x100002a8 : 0x2000062c
+(gdb) x/x 0x100002ac
+0x100002ac : 0x10003ee8
+(gdb) x/x 0x100002b0
+0x100002b0 : 0x10003ef0
+(gdb) x/x 0x100002b4
+0x100002b4 : 0x10003efc
+(gdb) x/x 0x100002b8
+0x100002b8 : 0x10003f0c
+```
 ### Step 9: Examine the I2C Struct
@@ -668,7 +665,7 @@ x/s 0x10003ee8
 Output:
 ```
-0x10003ee8: "Reverse"
+0x10003ee8: "Reverse"
 ```
 ```
@@ -677,16 +674,19 @@ x/s 0x10003ef0
 Output:
 ```
-0x10003ef0: "Engineering"
+0x10003ef0: "Engineering"
 ```
 ### Step 11: Step Through I2C Initialization
-Use `si` to step through instructions and watch the I2C setup:
+Step through instructions and watch the I2C setup:
-```
-si
-i r r0 r1
+```gdb
+(gdb) b *0x1000023e
+(gdb) c
+(gdb) i r r0 r1
+r0 0x2000062c 536872492
+r1 0x186a0 100000
 ```
 ---
@@ -701,14 +701,14 @@ From GDB, we discovered something interesting - **both constants ended up as ins
 **For FAV_NUM (42) - a `#define` macro:**
 ```
-0x1000028e: movs r1, #42 @ 0x2a
+0x1000028e <+90>: movs r1, #42 @ 0x2a
 ```
 The value 42 is embedded directly in a 16-bit Thumb instruction. This is expected - `#define` is text replacement, so the compiler never sees `FAV_NUM`, only `42`.
 **For OTHER_FAV_NUM (1337) - a `const` variable:**
 ```
-0x10000296: movw r1, #1337 @ 0x539
+0x10000296 <+98>: movw r1, #1337 @ 0x539
 ```
 The value 1337 is ALSO embedded directly in an instruction - but this time a 32-bit Thumb-2 `movw` because the value doesn't fit in 8 bits.
@@ -752,10 +752,10 @@ We found the LCD strings in flash memory:
 ```gdb
 (gdb) x/s 0x10003ee8
-0x10003ee8: "Reverse"
+0x10003ee8: "Reverse"
 (gdb) x/s 0x10003ef0
-0x10003ef0: "Engineering"
+0x10003ef0: "Engineering"
 ```
 These are stored consecutively in the `.rodata` section. Note the addresses - we'll need them for patching.
@@ -795,7 +795,7 @@ From our GDB analysis, we know the instruction at `0x1000028e` is:
 movs r1, #0x2a -> bytes: 2a 21
 ```
-In HxD, navigate to file offset `0x28E` and verify you see the byte `2A` followed by `21`.
+In HxD, use **Ctrl+G** to navigate to file offset `28E` and verify you see the byte `2A` followed by `21`.
 > ?? **How Thumb encoding works:** In `movs r1, #imm8`, the immediate value is the first byte, and the opcode `21` is the second byte. So the bytes `2a 21` encode `movs r1, #0x2a` (42). If you wanted to change this to 43, you'd change `2A` to `2B`.
@@ -812,11 +812,11 @@ This is the 32-bit Thumb-2 encoding of `movw r1, #0x539` (1337). The bytes break
 ```
 +-----------------------------------------------------------------+
-| movw r1, #0x539 -> bytes: 40 F2 39 51 |
+| movw r1, #0x539 -> bytes: 40 F2 39 51 |
 | |
-| Byte 0: 0x40 -?? |
-| Byte 1: 0xF2 -+ First halfword (opcode + upper imm bits) |
-| Byte 2: 0x39 ---- Lower 8 bits of immediate (imm8) ?? CHANGE |
+| Byte 0: 0x40 -?? |
+| Byte 1: 0xF2 -+ First halfword (opcode + upper imm bits) |
+| Byte 2: 0x39 ---- Lower 8 bits of immediate (imm8) ?? CHANGE |
 | Byte 3: 0x51 ---- Destination register (r1) + upper imm bits |
 | |
 | imm16 = 0x0539 = 1337 decimal |
@@ -962,9 +962,9 @@ The numbers are unchanged - we only patched the LCD string!
 ```
 +-----------------------------------------------------------------+
-| I2C_PORT -> i2c1 -> &i2c1_inst -> i2c_inst_t |
+| I2C_PORT -> i2c1 -> &i2c1_inst -> i2c_inst_t |
 | | |
-| +-- hw -> i2c_hw_t * |
+| +-- hw -> i2c_hw_t * |
 | | +-- 0x40098000 |
 | | |
 | +-- restart_on_next (bool) |
@@ -1071,7 +1071,4 @@ The numbers are unchanged - we only patched the LCD string!
 **Remember:** When you see complex nested structures in a binary, take your time to understand the hierarchy. Use GDB to examine struct layouts in memory and trace pointer chains. And always remember - even "constants" can be hacked!
-Happy hacking! ?
-
-
-
+Happy hacking! ?
\ No newline at end of file
diff --git a/WEEK07/slides/WEEK07-IMG00.svg b/WEEK07/slides/WEEK07-IMG00.svg
new file mode 100644
index 0000000..427c6f7
--- /dev/null
+++ b/WEEK07/slides/WEEK07-IMG00.svg
@@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + 4F 70 65 6E 4F 43 44 + 10 00 02 34 08 B5 01 + 47 44 42 20 52 45 56 + 20 08 20 00 FF AA 00 + 52 50 32 33 35 30 00 + 0A 0A 0F 12 12 1A 1A + 41 52 4D 76 38 2D 4D + 00 FF 41 00 D4 FF 88 + 47 48 49 44 52 41 00 + FF 00 40 C0 C0 C0 00 + + + + + + + + + + + + +Embedded Systems +Reverse Engineering + + + + + +// WEEK 07 + + +Constants in Embedded Systems: +Debugging and Hacking Constants +w/ 1602 LCD I2C Basics + + + + + +George Mason University + + + +RP2350 // ARM Cortex-M33 + diff --git a/WEEK07/slides/WEEK07-IMG01.svg b/WEEK07/slides/WEEK07-IMG01.svg new file mode 100644 index 0000000..bbe54c4 --- /dev/null +++ b/WEEK07/slides/WEEK07-IMG01.svg @@ -0,0 +1,63 @@ + + + + +#define vs const +Preprocessor Macros vs Constant Variables + + + +#define FAV_NUM 42 + +Preprocessor text replacement +Happens BEFORE compilation +No memory allocated +Cannot take address (&) + +In Binary: + +movs r1, #42 @ 0x2a + +16-bit Thumb instruction +Value embedded as immediate +Compiler sees only "42" + + + +const int OTHER_FAV_NUM=1337 + +Creates real variable +Theoretically in .rodata +Has an address (if needed) +Type-checked by compiler + +In Binary: + +movw r1, #1337 @ 0x539 + +32-bit Thumb-2 instruction +Also embedded as immediate! +Compiler optimized it away + + + +KEY INSIGHT: +Both ended up as instruction immediates! +The compiler saw &OTHER_FAV_NUM is never used, so it +optimized const the same way as #define -- no memory load needed. +Lesson: const is a source-level concept -- not guaranteed in binary + + + + \ No newline at end of file diff --git a/WEEK07/slides/WEEK07-IMG02.svg b/WEEK07/slides/WEEK07-IMG02.svg new file mode 100644 index 0000000..d798cd5 --- /dev/null +++ b/WEEK07/slides/WEEK07-IMG02.svg 
@@ -0,0 +1,85 @@ + + + + +I2C Protocol +Two-Wire Serial Communication + + + +What is I2C? +Two-wire serial protocol +SDA += Serial Data +SCL += Serial Clock +Open-drain with pull-up resistors + + + +I2C Bus + +Pico + + +SDA +SCL + +LCD +GPIO 2 = SDA, GPIO 3 = SCL +Pull-ups hold lines HIGH + + + +Common I2C Addresses (7-bit) + +0x27 +LCD + +0x3F +LCD Alt + +0x48 +Sensor + +0x50 +EEPROM + + + +I2C Transaction Flow + +START +--> + +Address +--> + +ACK +--> + +Data +--> + +ACK +--> + +STOP + +Master sends START, then 7-bit address + R/W bit +Slave responds with ACK, then data bytes follow + + + + \ No newline at end of file diff --git a/WEEK07/slides/WEEK07-IMG03.svg b/WEEK07/slides/WEEK07-IMG03.svg new file mode 100644 index 0000000..d69b142 --- /dev/null +++ b/WEEK07/slides/WEEK07-IMG03.svg @@ -0,0 +1,66 @@ + + + + +C Structs & typedef +Grouping Related Data in C + + + +Struct Definition + +typedef struct { +i2c_hw_t *hw; +bool restart_on_next; +} i2c_inst_t; +typedef creates an alias +so we can write: i2c_inst_t var; +instead of: struct { ... } var; + + + +Memory Layout +i2c_inst_t at 0x2000062C + + +Offset 0x00 +hw += 0x40098000 +i2c_hw_t* (4 bytes) + + +Offset 0x04 +restart_on_next += 0x00 (false) +bool (1 byte) + +Total struct size: 8 bytes +hw points to I2C1 registers + + + +Forward Declaration + +struct i2c_inst; +// tells compiler: this type exists, define later + + + +Why Structs Matter in RE +GDB shows raw memory -- you must recognize struct layouts +x/2wx 0x2000062c shows: 0x40098000 0x00000000 + + + + \ No newline at end of file diff --git a/WEEK07/slides/WEEK07-IMG04.svg b/WEEK07/slides/WEEK07-IMG04.svg new file mode 100644 index 0000000..927fd8c --- /dev/null +++ b/WEEK07/slides/WEEK07-IMG04.svg 
@@ -0,0 +1,80 @@ + + + + +Pico SDK Macro Chain +From I2C_PORT to Hardware Registers + + + +Macro Expansion Chain + + + +I2C_PORT +#define I2C_PORT i2c1 + + +--> + + + +i2c1 +#define i2c1 (&i2c1_inst) + + +--> + + + +&i2c1_inst +Address of global struct + + +Struct Contents at 0x2000062C + +i2c_inst_t i2c1_inst = { +.hw = (i2c_hw_t *)0x40098000, +.restart_on_next = false +}; + + +Hardware Register Access + + +i2c1_inst.hw +--> +i2c1_hw +--> +(i2c_hw_t*)0x40098000 + +I2C1_BASE = 0x40098000 +I2C0_BASE = 0x40090000 +Direct memory-mapped I/O to RP2350 peripheral + + + +FULL CHAIN: +I2C_PORT +--> +i2c1 +--> +&i2c1_inst +--> +0x40098000 +Macro --> Macro --> Struct pointer --> HW register base + + + + \ No newline at end of file diff --git a/WEEK07/slides/WEEK07-IMG05.svg b/WEEK07/slides/WEEK07-IMG05.svg new file mode 100644 index 0000000..de2e153 --- /dev/null +++ b/WEEK07/slides/WEEK07-IMG05.svg @@ -0,0 +1,53 @@ + + + + +Source Code +0x0017_constants.c + + + + + +//--- Defines and Constants --- +#define FAV_NUM 42 +#define I2C_PORT i2c1 +#define I2C_SDA_PIN 2 +#define I2C_SCL_PIN 3 +const int OTHER_FAV_NUM = 1337; + +//--- Main Loop --- +lcd_set_cursor(0, 0); +lcd_puts("Reverse"); +lcd_set_cursor(1, 0); +lcd_puts("Engineering"); + +//--- Serial Output Loop --- +printf("FAV_NUM: %d\r\n", FAV_NUM); +printf("OTHER_FAV_NUM: %d\r\n", OTHER_FAV_NUM); + + + +LCD Output +Line 0: "Reverse" +Line 1: "Engineering" + + +Serial Output +FAV_NUM: 42 +OTHER_FAV_NUM: 1337 + + + + \ No newline at end of file diff --git a/WEEK07/slides/WEEK07-IMG06.svg b/WEEK07/slides/WEEK07-IMG06.svg new file mode 100644 index 0000000..738b366 --- /dev/null +++ b/WEEK07/slides/WEEK07-IMG06.svg 
@@ -0,0 +1,65 @@ + + + + +GDB Analysis +Disassembly of main() at 0x10000234 + + + +Key Instructions from x/54i 0x10000234 + + +push {r3, lr} +// save return addr +bl stdio_init_all +// init serial +ldr r1, [pc, #104] +// r1 = 100000 (baud) +ldr r0, [pc, #104] +// r0 = &i2c1_inst +bl i2c_init +// init I2C at 100kHz +movs r0, #2 +// GPIO 2 (SDA) +bl gpio_set_function +// set pin to I2C +movs r1, #39 +// 0x27 = LCD addr +bl lcd_i2c_init +// init LCD device + +b.n 0x1000028e +// infinite loop start +... +AAPCS: r0-r3 = first 4 args, r0 = return value + + + +Literal Pool at 0x100002A4 + + +0x000186A0 +I2C baudrate (100000) +0x2000062C +&i2c1_inst struct in RAM +0x10003EE8 +"Reverse" string in flash +0x10003EF0 +"Engineering" string in flash +0x10003EFC +"FAV_NUM: %d\r\n" +0x10003F0C +"OTHER_FAV_NUM: %d\r\n" + \ No newline at end of file diff --git a/WEEK07/slides/WEEK07-IMG07.svg b/WEEK07/slides/WEEK07-IMG07.svg new file mode 100644 index 0000000..7862b21 --- /dev/null +++ b/WEEK07/slides/WEEK07-IMG07.svg @@ -0,0 +1,71 @@ + + + + +Instruction Encoding +movs (16-bit Thumb) vs movw (32-bit Thumb-2) + + + +movs r1, #42 (FAV_NUM) +At address 0x1000028E + + +Bytes: 2A 21 + +2A = immediate value (42) +21 = opcode (movs r1) +16-bit Thumb instruction +Fits values 0-255 in 8 bits +File offset: 0x28E + + + +movw r1, #1337 (OTHER_FAV) +At address 0x10000296 + + +Bytes: 40 F2 39 51 + +40 F2 = opcode (first halfword) +39 = imm8 (lower 8 bits) +51 = dest reg + upper imm +32-bit Thumb-2 instruction +File offset: 0x296 + + + +movw Byte Layout (40 F2 39 51) + + +40 F2 +Opcode + upper imm + + +39 +imm8 (lower 8 bits) + + +51 +Dest reg (r1) + bits + +imm16 = 0x539 += 1337 decimal + + + +Why movw instead of movs? +1337 > 255 -- does not fit in 8-bit movs immediate +movw encodes 0-65535 in 32-bit instruction + \ No newline at end of file diff --git a/WEEK07/slides/WEEK07-IMG08.svg b/WEEK07/slides/WEEK07-IMG08.svg new file mode 100644 index 0000000..9f8ea92 --- /dev/null 
+++ b/WEEK07/slides/WEEK07-IMG08.svg @@ -0,0 +1,68 @@ + + + + +I2C Struct in Memory +Examining i2c1_inst at 0x2000062C + + + +GDB Memory Dump + +x/2wx 0x2000062c: +0x40098000 +0x00000000 + + + +i2c_inst_t Struct Layout + + + +Offset 0x00 | 4 bytes +i2c_hw_t *hw += 0x40098000 + + +--> + + + +I2C1 HW Registers +Base: 0x40098000 (MMIO) + + + +Offset 0x04 | 1 byte +bool restart_on_next += false + +I2C0 base = 0x40090000 +I2C1 base = 0x40098000 + + + +String Literals in Flash (.rodata) + + +x/s 0x10003ee8: +"Reverse" + + +x/s 0x10003ef0: +"Engineering" + +Stored consecutively in .rodata (flash) +These addresses are targets for patching + \ No newline at end of file diff --git a/WEEK07/slides/WEEK07-IMG09.svg b/WEEK07/slides/WEEK07-IMG09.svg new file mode 100644 index 0000000..5934306 --- /dev/null +++ b/WEEK07/slides/WEEK07-IMG09.svg @@ -0,0 +1,63 @@ + + + + +Hacking the Binary +Patching LCD Text: "Reverse" --> "Exploit" + + + +File Offset Formula +file_offset = address - 0x10000000 +Binary loaded at 0x10000000 + + + +Hack: Change LCD String +Address 0x10003EE8 --> File offset 0x3EE8 + +Original: + +52 65 76 65 72 73 65 00 +"Reverse" + +Patched: + +45 78 70 6C 6F 69 74 00 +"Exploit" + +Same length (7 chars) -- null terminator stays + + + +Flash the Hacked Binary + + +python uf2conv.py build\patched.bin + +1. +Save patched .bin file +2. +Convert to .uf2 format +3. +Hold BOOTSEL, plug in Pico +4. +Drag hacked.uf2 to drive + + + +LCD now shows: "Exploit" +instead of "Reverse" +No source code needed! + \ No newline at end of file diff --git a/WEEK07/slides/WEEK07-IMG10.svg b/WEEK07/slides/WEEK07-IMG10.svg new file mode 100644 index 0000000..e6df942 --- /dev/null +++ b/WEEK07/slides/WEEK07-IMG10.svg 
@@ -0,0 +1,88 @@ + + + + +I2C & Macro Exploitation +Constants, I2C, Structs, and Hacking + + + +Key Concepts + +#define +Text replacement, no memory +const +Variable in .rodata (maybe) +I2C +Two-wire: SDA + SCL +struct +Groups related data fields +typedef +Creates type alias +AAPCS +r0-r3 args, r0 return +movs +16-bit, imm 0-255 +movw +32-bit, imm 0-65535 +Literal Pool +Large consts after code + + + +Key Addresses + +0x10000234 +main() entry +0x1000028E +FAV_NUM (movs) +0x10000296 +OTHER_FAV_NUM (movw) +0x10003EE8 +"Reverse" string +0x10003EF0 +"Engineering" string +0x40098000 +I2C1 HW base +0x2000062C +i2c1_inst struct + +file_offset = addr - 0x10000000 +String patches must be same length + + + +Macro Chain +I2C_PORT +--> +i2c1 +--> +&i2c1_inst +--> +0x40098000 + + + +Binary Hack Result +LCD: "Reverse" --> +"Exploit" +Patched at 0x3EE8 +Compiler may optimize const same as #define + + + +TAKEAWAY: +const is a source-level concept. +In binary, everything can change! + \ No newline at end of file