CalvinBackup/Embedded-Hacking
1
0
Fork 0
mirror of https://github.com/mytechnotalent/Embedded-Hacking.git synced 2026-04-01 17:10:20 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
main
Embedded-Hacking/WEEK01/WEEK01-01.md
Kevin Thomas 1457a4bb8e Refactor E and S
2026-03-19 15:01:07 -04:00

4.7 KiB
Raw Permalink Blame History

Embedded Systems Reverse Engineering

Repository

Week 1

Introduction and Overview of Embedded Reverse Engineering: Ethics, Scoping, and Basic Concepts

Non-Credit Practice Exercise 1: Explore in Ghidra

Objective

Learn how to navigate Ghidra's Symbol Tree to find and analyze functions, specifically examining the stdio_init_all function.

Prerequisites

  • Ghidra installed and running
  • 0x0001_hello-world project already created and imported in Ghidra
  • The 0x0001_hello-world.elf file already imported and analyzed

Task Description

Your goal is to explore the stdio_init_all function in Ghidra and understand what it does based on:

  1. Its decompiled code
  2. The functions it calls
  3. The variables it accesses

Step-by-Step Instructions

Step 1: Open Your Ghidra Project
  1. Launch Ghidra on your computer
  2. In the Ghidra Project Manager window, you should see your 0x0001_hello-world project
  3. If you don't see it, create a new project or open an existing one
  4. Double-click on the project to open it
Step 2: Access the Symbol Tree

In the CodeBrowser window that opens:

  • Look at the left side panel - you should see several tabs
  • Find and click on the Symbol Tree tab (it might be labeled "Symbol Tree" or showing a tree icon)
  • If you don't see it, go to Window → Symbol Tree in the menu
Step 3: Expand the Functions List
  1. In the Symbol Tree, look for a folder or section labeled Functions
  2. Click the arrow/triangle next to "Functions" to expand it
  3. This will show you a list of all the functions that Ghidra identified in the binary
Step 4: Find the stdio_init_all Function
  1. In the expanded Functions list, scroll through to find stdio_init_all
  2. Alternative method: If the list is long, you can use Search → For Address or Label from the menu and type stdio_init_all to jump directly to it
  3. Once you find it, click on it to navigate to that function in the CodeBrowser
Step 5: Examine the Decompiled Code

Once you've navigated to stdio_init_all:

  • On the right side of the window, you should see the Decompile view
  • This shows the C-like code that Ghidra has reconstructed from the assembly
  • Read through the decompiled code carefully
Step 6: Answer These Questions

Based on what you see in the decompiled code, answer the following:

Question 1: What does the function return?

Look at the return type at the top of the function. Is it void, int, bool, or something else?

Question 2: What parameters does it take?

Look at the function signature. Does it take any parameters? (Hint: Look for anything inside the parentheses)

Question 3: What functions does it call?

Look for function calls within stdio_init_all. What other functions does it call? List them:

  • Function 1: ________________
  • Function 2: ________________
  • Function 3: ________________ (There may be more or fewer)
Question 4: What's the purpose?

Based on the functions it calls and the overall structure, what do you think stdio_init_all() is setting up? Think about what "stdio" stands for:

  • std = Standard
  • io = Input/Output

What types of I/O might be getting initialized?

Step 7: Explore Called Functions (Optional Challenge)

If you want to go deeper:

  1. In the Decompile view, click on one of the functions that stdio_init_all calls
  2. Ghidra will navigate to that function
  3. Look at what that function does
  4. Can you build a picture of what's being initialized?

Expected Output

You should be able to write a brief summary like:

stdio_init_all() returns: [your answer]
It takes [number] parameters
It calls the following functions: [list them]
Based on these calls, I believe it initializes: [your analysis]

Questions for Reflection

  1. Why would we need to initialize standard I/O before using printf()?
  2. Can you find other functions in the Symbol Tree that might be related to I/O?
  3. How does this function support the printf("hello, world\r\n") call in main?

Tips and Hints

  • If you see a function name you don't recognize, you can right-click on it to see more options
  • The Decompile view is your best friend - it shows you what code is doing in an almost-C format
  • Don't worry if some variable names are automatic (like local_4 or param_1) - that's normal when symbols aren't available
  • You can collapse/expand sections in the Decompile view by clicking the arrows next to braces {}

Next Steps

After completing this exercise, you'll have a better understanding of:

  • How to navigate Ghidra's interface
  • How to find functions using the Symbol Tree
  • How to read decompiled code
  • How initialization functions work in embedded systems
Reference in New Issue View Git Blame Copy Permalink