Embedded-Hacking/WEEK01/WEEK01-02.md

Embedded Systems Reverse Engineering

Repository

Week 1

Introduction and Overview of Embedded Reverse Engineering: Ethics, Scoping, and Basic Concepts

Non-Credit Practice Exercise 2: Find Strings in Ghidra

Objective

Learn how to locate and analyze strings in a binary, understanding where they are stored in memory and how they're used.

Prerequisites

• Ghidra installed with 0x0001_hello-world project open
• Basic familiarity with Ghidra's interface (from Exercise 1)
• CodeBrowser window open with the binary loaded

Task Description

In this exercise, you'll find the "hello, world" string in the binary and determine:

1. Where it's located in memory (its address)
2. How it's used by the program
3. What format it's stored in

Step-by-Step Instructions

Step 1: Open the Defined Strings Window

1. In the CodeBrowser menu, go to Window (top menu bar)
2. Look for and click on Defined Strings
3. A new window should appear showing all strings Ghidra found in the binary

Step 2: Understand the Strings Window

The Defined Strings window shows:

• Address: The memory location where the string starts
• String: The actual text content
• Length: How many bytes the string uses
• Defined: Whether Ghidra has marked it as data

Step 3: Search for "hello, world"

1. In the Defined Strings window, look through the list to find "hello, world"
2. Search method: If the window has a search box at the top, you can type to filter. Otherwise, use Ctrl+F to open the search function
3. Once you find it, click on it to highlight the entry

Step 4: Record the Address

When you find "hello, world", note down:

String Address: ________________

Actual String Content: ________________

String Length: ________________ bytes

Step 5: Double-Click to Navigate

1. Double-click on the "hello, world" entry in the Defined Strings window
2. Ghidra will automatically navigate you to that address in the CodeBrowser
3. You should see the string displayed in the Listing view (center panel)

Step 6: Examine the Listing View

Now that you're at the string's location:

1. Look at the Listing view (center panel) where the string is shown
2. You'll see the string in hex/ASCII format
3. Notice how it appears in memory - each character takes one byte
4. Look for the string content: hello, world\r\n
5. What comes after the string? (Ghidra may show other data nearby)

Step 7: Look at the Cross-References

To see where this string is used:

1. In the Listing view where the string is displayed, right-click on the string
2. Select References ? Show References to
3. A dialog should appear showing which functions/instructions reference this string
4. This tells you which parts of the code use this string

Step 8: Answer These Questions

Based on what you found:

Question 1: Memory Location

• What is the address of the "hello, world" string? __________
• Is it in Flash memory (starts with 0x100...) or RAM (starts with 0x200...)? __________

Question 2: String Storage

• How many bytes does the string take in memory? __________
• Can you count the characters? (h-e-l-l-o-,-space-w-o-r-l-d-\r-\n)

Question 3: References

• How many times is this string referenced in the code? __________
• Which function(s) reference it? (Hint: Look at the cross-references)

Question 4: ASCII Encoding

• How is the string encoded in memory?
• Is each character one byte or more? __________
• What does \r and \n represent? (Hint: \r = carriage return, \n = newline)

Expected Output

You should be able to fill in a summary like:

String Found: "hello, world\r\n"
Address: 0x________
Located in: [Flash / RAM]
Total Size: ________ bytes
Referenced by: [Function names]
Used in: [How the program uses it]

Deeper Exploration (Optional Challenge)

Challenge 1: Follow the String Usage

1. From the cross-references you found, click on the instruction that uses the string
2. You should navigate to the ldr (load) instruction that loads the string's address into register r0
3. This is how the printf function gets the pointer to the string!

Challenge 2: Find Other Strings

1. Go back to the Defined Strings window
2. Look for other strings in the binary
3. Are there any other text strings besides "hello, world"?
4. If yes, where are they and what are they used for?

Challenge 3: Understand Little-Endian

1. When Ghidra shows the string address in the ldr instruction, it's showing a number
2. Look at the raw bytes of that address value
3. Notice how the bytes are stored in "backwards" order? That's little-endian!
4. Can you convert the hex bytes to the actual address?

Questions for Reflection

1. Why is the string stored in Flash memory? Why not in RAM?
2. How does printf() know where to find the string? (Hint: The address is loaded into r0)
3. What would happen if we didn't have the \r\n at the end? How would the output look?
4. Could we modify this string at runtime? Why or why not?

Tips and Hints

• Strings in compiled binaries are often stored in read-only memory (Flash) to save RAM
• The \r and \n characters are special: they're single bytes (0x0D and 0x0A in hex)
• When you see a string in Ghidra's listing, the ASCII representation is shown on the right side
• You can scroll left/right in the Listing view to see different representations (hex, ASCII, disassembly)

Real-World Application

Understanding where strings are stored is crucial for:

• Firmware modification: Finding text messages to modify
• Reverse engineering: Understanding what a program does by finding its strings
• Vulnerability analysis: Finding format string bugs or hardcoded credentials
• Localization: Finding where text needs to be translated

Summary

By completing this exercise, you've learned:

1. How to find strings in a binary using Ghidra's Defined Strings window
2. How to determine the memory address of a string
3. How to follow cross-references to see where strings are used
4. How strings are stored in memory and referenced in code
5. The relationship between C code (printf()) and assembly (ldr)