# Embedded Systems Reverse Engineering
[Repository](https://github.com/mytechnotalent/Embedded-Hacking)

## Week 2
Hello, World - Debugging and Hacking Basics: Debugging and Hacking a Basic Program for the Pico 2

### Non-Credit Practice Exercise 3: Examine Memory Around Your String

#### Objective
Inspect the byte-level layout of your injected string in SRAM and correlate bytes to characters.

#### Prerequisites
- Pico 2 connected with OpenOCD, GDB, and a serial monitor ready
- `build\0x0001_hello-world.elf` flashed and running
- Ability to break before `__wrap_puts` at `0x1000023c`
- A payload already written to SRAM (e.g., at `0x20000000` from Exercise 1)

#### Task Description
You will use `x/20b` to view the bytes surrounding your injected string, decode the characters, and confirm the presence of control characters and the null terminator.

#### Step-by-Step Instructions

##### Step 1: Connect and Halt

```gdb
(gdb) target extended-remote :3333
(gdb) monitor reset halt
```

##### Step 2: Break Before `puts()` and Run

```gdb
(gdb) b *0x1000023c
(gdb) c
```

##### Step 3: Ensure a String Exists in SRAM
If needed, re-inject a payload:

```gdb
(gdb) set {char[14]} 0x20000000 = {'h','a','c','k','y',',',' ','w','o','r','l','d','\r','\0'}
(gdb) set $r0 = 0x20000000
```

##### Step 4: Examine Bytes Around the String

```gdb
(gdb) x/20b 0x20000000
```

##### Step 5: Decode the Output
- Map each byte to ASCII: e.g., `0x68` ? `h`, `0x0d` ? `\r`, `0x00` ? `\0`.
- Note any bytes before/after the string to ensure you did not overwrite adjacent data.

##### Step 6: Resume Execution

```gdb
(gdb) c
```

#### Expected Output
- A byte dump where the sequence matches your string (`68 61 63 6b 79 2c 20 77 6f 72 6c 64 0d 00`).
- Confirmation of the carriage return (`0x0d`) and null terminator (`0x00`).
- Stable program output in PuTTY after resuming.

#### Questions for Reflection

###### Question 1: Which bytes mark the end of the printable string, and why are they needed?

###### Question 2: How would misaligned writes show up in the byte view?

###### Question 3: What risks arise if you overwrite bytes immediately after your string?

#### Tips and Hints
- Use `x/20bx` if you prefer hex with ASCII side-by-side.
- Keep the dump length modest (20 bytes) to avoid clutter while still seeing context.
- If the bytes look incorrect, re-run the injection command to reset the buffer.

#### Next Steps
- Try viewing a different address (e.g., `0x20001000`) to compare layouts.
- Experiment with longer strings and observe how the byte dump grows.
- Move on to Exercise 4 to automate the hack workflow.