# Embedded Systems Reverse Engineering [Repository](https://github.com/mytechnotalent/Embedded-Hacking) ## Week 1 Introduction and Overview of Embedded Reverse Engineering: Ethics, Scoping, and Basic Concepts ### Non-Credit Practice Exercise 2: Find Strings in Ghidra #### Objective Learn how to locate and analyze strings in a binary, understanding where they are stored in memory and how they're used. #### Prerequisites - Ghidra installed with `0x0001_hello-world` project open - Basic familiarity with Ghidra's interface (from Exercise 1) - CodeBrowser window open with the binary loaded #### Task Description In this exercise, you'll find the "hello, world" string in the binary and determine: 1. **Where** it's located in memory (its address) 2. **How** it's used by the program 3. **What** format it's stored in #### Step-by-Step Instructions ##### Step 1: Open the Defined Strings Window 1. In the CodeBrowser menu, go to **Window** (top menu bar) 2. Look for and click on **Defined Strings** 3. A new window should appear showing all strings Ghidra found in the binary ##### Step 2: Understand the Strings Window The Defined Strings window shows: - **Address**: The memory location where the string starts - **String**: The actual text content - **Length**: How many bytes the string uses - **Defined**: Whether Ghidra has marked it as data ##### Step 3: Search for "hello, world" 1. In the Defined Strings window, look through the list to find `"hello, world"` 2. **Search method**: If the window has a search box at the top, you can type to filter. Otherwise, use **Ctrl+F** to open the search function 3. Once you find it, **click on it** to highlight the entry ##### Step 4: Record the Address When you find `"hello, world"`, note down: **String Address**: ________________ **Actual String Content**: ________________ **String Length**: ________________ bytes ##### Step 5: Double-Click to Navigate 1. **Double-click** on the `"hello, world"` entry in the Defined Strings window 2. Ghidra will automatically navigate you to that address in the CodeBrowser 3. You should see the string displayed in the **Listing** view (center panel) ##### Step 6: Examine the Listing View Now that you're at the string's location: 1. Look at the **Listing view** (center panel) where the string is shown 2. You'll see the string in **hex/ASCII** format 3. Notice how it appears in memory - each character takes one byte 4. Look for the string content: `hello, world\r\n` 5. What comes after the string? (Ghidra may show other data nearby) ##### Step 7: Look at the Cross-References To see where this string is **used**: 1. In the Listing view where the string is displayed, **right-click** on the string 2. Select **References** ? **Show References to** 3. A dialog should appear showing which functions/instructions reference this string 4. This tells you which parts of the code use this string ##### Step 8: Answer These Questions Based on what you found: ###### Question 1: Memory Location - What is the address of the "hello, world" string? __________ - Is it in Flash memory (starts with `0x100...`) or RAM (starts with `0x200...`)? __________ ###### Question 2: String Storage - How many bytes does the string take in memory? __________ - Can you count the characters? (h-e-l-l-o-,-space-w-o-r-l-d-\r-\n) ###### Question 3: References - How many times is this string referenced in the code? __________ - Which function(s) reference it? (Hint: Look at the cross-references) ###### Question 4: ASCII Encoding - How is the string encoded in memory? - Is each character one byte or more? __________ - What does `\r` and `\n` represent? (Hint: `\r` = carriage return, `\n` = newline) #### Expected Output You should be able to fill in a summary like: ``` String Found: "hello, world\r\n" Address: 0x________ Located in: [Flash / RAM] Total Size: ________ bytes Referenced by: [Function names] Used in: [How the program uses it] ``` #### Deeper Exploration (Optional Challenge) ##### Challenge 1: Follow the String Usage 1. From the cross-references you found, click on the instruction that uses the string 2. You should navigate to the `ldr` (load) instruction that loads the string's address into register `r0` 3. This is how the `printf` function gets the pointer to the string! ##### Challenge 2: Find Other Strings 1. Go back to the Defined Strings window 2. Look for other strings in the binary 3. Are there any other text strings besides "hello, world"? 4. If yes, where are they and what are they used for? ##### Challenge 3: Understand Little-Endian 1. When Ghidra shows the string address in the `ldr` instruction, it's showing a number 2. Look at the raw bytes of that address value 3. Notice how the bytes are stored in "backwards" order? That's little-endian! 4. Can you convert the hex bytes to the actual address? #### Questions for Reflection 1. **Why is the string stored in Flash memory?** Why not in RAM? 2. **How does `printf()` know where to find the string?** (Hint: The address is loaded into `r0`) 3. **What would happen if we didn't have the `\r\n` at the end?** How would the output look? 4. **Could we modify this string at runtime?** Why or why not? #### Tips and Hints - Strings in compiled binaries are often stored in read-only memory (Flash) to save RAM - The `\r` and `\n` characters are special: they're single bytes (0x0D and 0x0A in hex) - When you see a string in Ghidra's listing, the ASCII representation is shown on the right side - You can scroll left/right in the Listing view to see different representations (hex, ASCII, disassembly) #### Real-World Application Understanding where strings are stored is crucial for: - **Firmware modification**: Finding text messages to modify - **Reverse engineering**: Understanding what a program does by finding its strings - **Vulnerability analysis**: Finding format string bugs or hardcoded credentials - **Localization**: Finding where text needs to be translated #### Summary By completing this exercise, you've learned: 1. How to find strings in a binary using Ghidra's Defined Strings window 2. How to determine the memory address of a string 3. How to follow cross-references to see where strings are used 4. How strings are stored in memory and referenced in code 5. The relationship between C code (`printf()`) and assembly (`ldr`)