Updated WEEK09

This commit is contained in:
Kevin Thomas
2026-06-14 10:49:32 -04:00
parent db64f419ac
commit 93aa5d6cef
13 changed files with 948 additions and 52 deletions
+62 -44
View File
@@ -175,8 +175,8 @@ bool result = (x > y) && (y > x); // false AND true = false
Bitwise operators work on the binary representation of numbers:
```c
int x = 6; // Binary: 0b00000110
int result = x << 1; // Shift left by 1: 0b00001100 = 12
int x = 6; // Binary: 0b00000110
int result = x << 1; // Shift left by 1: 0b00001100 = 12
```
```
@@ -436,14 +436,14 @@ Let's trace through what happens to `x`:
| Variable x Through the Program |
| |
| Line | x value | Result |
| ------------------+---------+--------------------------------- |
| ------------------+---------+--------------------------------- |
| int x = 5; | 5 | x initialized to 5 |
| x * y | 5 | arithmetic = 5 * 10 = 50 |
| x++ | 5->6 | increment = 5 (then x becomes 6) |
| x++ | 5->6 | increment = 5 (then x becomes 6)|
| x > y | 6 | relational = (6 > 10) = false |
| (x>y) && (y>x) | 6 | logical = false && true = false |
| x << 1 | 6 | bitwise = 6 << 1 = 12 |
| x += 5 | 6->11 | assignment = 6 + 5 = 11 |
| x += 5 | 6->11 | assignment = 6 + 5 = 11 |
| |
+-----------------------------------------------------------------+
```
@@ -534,11 +534,11 @@ x/60i 0x10000234
You should see the operator calculations and function calls:
```
0x10000234: push {r4, r5, r6, r7, lr}
0x10000236: sub sp, #20
0x10000238: bl 0x10003014 ; stdio_init_all
0x1000023c: movs r0, #4 ; GPIO 4 for DHT11
0x1000023e: bl 0x100003b4 ; dht11_init
0x10000234 <main>: push {r4, r5, r6, r7, lr}
0x10000236 <main+2>: sub sp, #20
0x10000238 <main+4>: bl 0x10003384 <stdio_init_all>
0x1000023c <main+8>: movs r0, #4
0x1000023e <main+10>: bl 0x100002d4 <dht11_init>
...
```
@@ -549,20 +549,12 @@ b *0x10000234
c
```
GDB responds:
```
Breakpoint 1 at 0x10000234
Continuing.
Breakpoint 1, 0x10000234 in ?? ()
```
### Step 11: Find the Operator Calculations
The compiler likely optimized many of these calculations at compile time. Look for immediate values:
```
x/30i 0x10000240
x/32i 0x10000240
```
You may see values like:
@@ -576,7 +568,7 @@ You may see values like:
Set a breakpoint before the first printf and examine registers:
```
```gdb
b *0x10000262
c
i r r0 r1
@@ -584,18 +576,22 @@ i r r0 r1
You should see:
- `r0` = address of format string
- `r1` = value to print (50 for arithmetic_operator)
- `r1` = value to print
### Step 13: Examine the Format Strings
```
x/s 0x10003xxx
```gdb
x/s 0x10003978
```
Find the format strings like:
```
"arithmetic_operator: %d\r\n"
"increment_operator: %d\r\n"
Find the format strings and value for print:
```gdb
(gdb) x/s 0x10003978
0x10003978: "Humidity: %.1f%%, Temperature: %.1fA°C\r\n"
(gdb) x/x 0x4037cccc
0x4037cccc: 0x00
(gdb) x/x $r1
0x4037cccc: 0x00
...
```
@@ -603,23 +599,24 @@ Find the format strings like:
Find where dht11_read is called:
```
x/10i 0x100002a0
```gdb
(gdb) x/3i 0x1000029f
```
You'll see stack addresses being passed as arguments:
```
add r0, sp, #0x8 ; Address of hum variable
add r1, sp, #0xc ; Address of temp variable
bl dht11_read
0x1000029f <main+106>: add r1, sp, #12
0x100002a1 <main+108>: add r0, sp, #8
0x100002a3 <main+110>: bl 0x100002f4 <dht11_read>
```
### Step 15: Watch the Float Values
After dht11_read returns, examine the float values on the stack:
```
x/2fw $sp+8
```gdb
(gdb) x/2fw $sp+8
0x20081fe0: 62 23.7999992
```
This shows the humidity and temperature as floats.
@@ -628,7 +625,7 @@ This shows the humidity and temperature as floats.
Continue execution and watch the values:
```
```gdb
c
```
@@ -826,8 +823,8 @@ bl FUN_xxxxx ; sleep_ms
This is trickier! Look for a function call with TWO address arguments:
```assembly
add r0, sp, #0x8 ; Address of hum on stack
add r1, sp, #0xc ; Address of temp on stack
add r0, sp, #0x8 ; Address of hum on stack
bl FUN_xxxxx ; dht11_read
```
@@ -931,11 +928,11 @@ Navigate to the `dht11_read` function you identified earlier.
### Step 35: Find the Scaling Constant
At the end of the `dht11_read` function, look for floating-point instructions. You'll find instructions like:
At the end of the `dht11_read` function, and around `0x10000410`, look for floating-point instructions. You'll find instructions like:
```assembly
vfma.f32 s14, s12, s11 ; Fused multiply-add for humidity
vfma.f32 s15, s13, s11 ; Fused multiply-add for temperature
vfma.f32 s14, s12, s11 ; Fused multiply-add for humidity
vfma.f32 s15, s13, s11 ; Fused multiply-add for temperature
```
The constant `0.1` (at address `0x1000042c`) is loaded into register `s11` and used to scale the raw sensor readings.
@@ -1005,6 +1002,20 @@ new = struct.unpack('<f', bytes.fromhex('0000a040'))[0]
print(f"New: {new}") # 5.0
```
```python
>>> import struct
>>>
>>> # Original value
>>> original = struct.unpack('<f', bytes.fromhex('cdcccc3d'))[0]
>>> print(f"Original: {original}") # 0.1
Original: 0.10000000149011612
>>>
>>> # New value
>>> new = struct.unpack('<f', bytes.fromhex('0000a040'))[0]
>>> print(f"New: {new}") # 5.0
New: 5.0
```
---
## Part 19: Exporting and Testing
@@ -1012,7 +1023,7 @@ print(f"New: {new}") # 5.0
### Step 41: Export the Patched Binary
1. Click **File** -> **Export Program**
2. Set **Format** to **Binary**
2. Set **Format** to **Raw Bytes**
3. Navigate to your build directory
4. Name the file `0x001a_operators-h.bin`
5. Click **OK**
@@ -1034,6 +1045,16 @@ python ..\uf2conv.py build\0x001a_operators-h.bin --base 0x10000000 --family 0xe
You should see dramatically increased temperature readings!
```
Humidity: 60.0%, Temperature: 63.0°C
arithmetic_operator: 50
increment_operator: 5
relational_operator: 0
logical_operator: 0
bitwise_operator: 12
assignment_operator: 11
```
---
## Part 20: Summary and Review
@@ -1181,7 +1202,4 @@ By manipulating sensor readings, an attacker could:
**Remember:** The techniques you learned today can be used for good (security research, debugging) or bad (sabotage, fraud). Always use your skills ethically and legally. Understanding how attacks work helps us build more secure systems!
Happy hacking! ?
Happy hacking!